field | value | date
---|---|---
author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-08-21 10:09:46 +0200
committer | GitHub <noreply@github.com> | 2019-08-21 10:09:46 +0200
commit | 790d717543ae415ee30224644dd45fa408bba0c5 |
tree | a076bd865b660078740cef6f53f4d9890b49df77 |
parent | b1ebd62c78e81bcd0731782f102276e4af459cea |
download | afl++-790d717543ae415ee30224644dd45fa408bba0c5.tar.gz |
update README.qemu with compcov levels
-rw-r--r-- | qemu_mode/README.qemu | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/qemu_mode/README.qemu b/qemu_mode/README.qemu index 754c0259..cd8559ad 100644 --- a/qemu_mode/README.qemu +++ b/qemu_mode/README.qemu @@ -16,14 +16,16 @@ with afl-gcc. The usual performance cost is 2-5x, which is considerably better than seen so far in experiments with tools such as DynamoRIO and PIN. -The idea and much of the implementation comes from Andrew Griffiths. +The idea and much of the initial implementation comes from Andrew Griffiths. +The actual implementation on QEMU 3 (shipped with afl++) is from +Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining. 2) How to use ------------- -The feature is implemented with a fairly simple patch to QEMU 2.10.0. The -simplest way to build it is to run ./build_qemu_support.sh. The script will -download, configure, and compile the QEMU binary for you. +The feature is implemented with a patch to QEMU 3.1.0. The simplest way +to build it is to run ./build_qemu_support.sh. The script will download, +configure, and compile the QEMU binary for you. QEMU is a big project, so this will take a while, and you may have to resolve a couple of dependencies (most notably, you will definitely need 
@@ -53,10 +55,18 @@ There is ./libcompcov/ which implements laf-intel (splitting memcmp, strncmp, etc. to make these conditions easier solvable by afl-fuzz). Highly recommended. +The option that enables QEMU CompareCoverage is QEMU_COMPCOV_LEVEL. +QEMU_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate +values / read-only memory. QEMU_COMPCOV_LEVEL=2 instruments all +comparison instructions and memory comparison functions when libcompcov +is preloaded. Comparison instructions are currently instrumented only +on the x86 and x86_64 targets. + Another option is the environment variable AFL_ENTRYPOINT which allows move the forkserver to a different part, e.g. just before the file is opened (e.g. way after command line parsing and config file loading, etc) -which can be a huge speed improvement. +which can be a huge speed improvement. Note that the specified address +must be an address of a basic block. 4) Notes on linking ------------------- |
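Review bot: in the first hunk (@@ -16,14 +16,16 @@), the new attribution sentence says the implementation is "on QEMU 3" while the rewritten sentence in section 2 names the patched version as "QEMU 3.1.0"; use the same form in both places ("QEMU 3.1.0") so a reader does not take them for two different versions. Also "Special thanks to abiondo that re-enabled TCG chaining" reads better as "who re-enabled TCG chaining".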
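Review bot: in the second hunk (@@ -53,10 +55,18 @@), the QEMU_COMPCOV_LEVEL paragraph does not say what happens when the variable is unset or holds a value other than 1 or 2, and "instruments all comparison instructions and memory comparison functions when libcompcov is preloaded" leaves it unclear whether the libcompcov condition applies only to the memory comparison functions or to level 2 as a whole; state the default and split the sentence, e.g. "QEMU_COMPCOV_LEVEL=2 instruments all comparison instructions; when libcompcov is preloaded it also covers the memory comparison functions." The AFL_ENTRYPOINT addition should say "the start address of a basic block" and what the user will observe if the address is not one, and the unchanged line above it, "which allows move the forkserver", wants "allows moving".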