author | van Hauser <vh@thc.org> | 2020-02-28 07:07:27 +0100 |
---|---|---|
committer | van Hauser <vh@thc.org> | 2020-02-28 07:07:27 +0100 |
commit | 7d0ae2939d8de880578ba088ec9892ce268237d0 (patch) | |
tree | 122c78410b898874c79e623444b72d741a633931 | |
parent | 7fa289316a52cec245433b22c54c3b86cd78e60e (diff) | |
download | afl++-7d0ae2939d8de880578ba088ec9892ce268237d0.tar.gz |
update todo
-rw-r--r-- | TODO.md | 54 |
1 files changed, 28 insertions, 26 deletions
diff --git a/TODO.md b/TODO.md index e9912475..83f37336 100644 --- a/TODO.md +++ b/TODO.md @@ -1,38 +1,37 @@ # TODO list for AFL++ -## Roadmap 2.61 +## Roadmap 2.63 Makefile: - -march=native -Ofast -flto=full (especially for afl-fuzz) llvm_mode: - - using lto + opt to instrument at link time, and using a sat solver to - select basic block IDs that do not result in collisions + - using lto + opt to instrument at link time and select basic block IDs + that do not result in collisions (Solution for "The far away future", see bottom of file) -qemu_mode: - - ensure redqueen implementation works fine - - ensure no issues in persistent mode - ## Further down the road afl-fuzz: - sync_fuzzers(): only masters sync from all, slaves only sync from master (@andrea: be careful, often people run all slaves) - - ascii_only mode + - ascii_only mode for mutation output + - setting min_len/max_len/start_offset/end_offset limits for mutation output gcc_plugin: - laf-intel - - better instrumentation + - better instrumentation (seems to be better with gcc-9+) qemu_mode: - update to 4.x (probably this will be skipped :( ) - instrim for QEMU mode via static analysis (with r2pipe? or angr?) Idea: The static analyzer outputs a map in which each edge that must be skipped is marked with 1. QEMU loads it at startup in the parent process. - - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?) - - add AFL_QEMU_EXITPOINT (maybe multiple?) + - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, + AFL_COMPCOV_LEVEL?) + - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as we have + persistent mode - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses 
@@ -53,26 +52,26 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. every +1 decreases fuzzing speed by ~10% and halfs the collisions birthday paradox predicts collisions at this # of edges: - | mapsize | collisions | - | :-----: | :--------: | - | 2^16 | 302 | - | 2^17 | 427 | - | 2^18 | 603 | - | 2^19 | 853 | - | 2^20 | 1207 | - | 2^21 | 1706 | - | 2^22 | 2412 | - | 2^23 | 3411 | - | 2^24 | 4823 | - - Increasing the map is an easy solution but also not a good one. + | mapsize | collisions at | speed decrease | + | :-----: | :-----------: | :-------------: | + | 2^16 | 302 | 0% | + | 2^17 | 427 | 10% | + | 2^18 | 603 | 25% | + | 2^19 | 853 | 43% | + | 2^20 | 1207 | 62% | + | 2^21 | 1706 | ?% | + | 2^22 | 2412 | ?% | + | 2^23 | 3411 | ?% | + | 2^24 | 4823 | ?% | + + Increasing the map is an easy solution but also not a complete and + efficient one. - Solution #2: use dynamic map size and collision free basic block IDs => This works and is the selected solution - This only works in llvm_mode and llvm >= 9 though - A potential good future solution. Heiko/hexcoder follows this up + This only works in llvm_mode - obviously. - Solution #3: write instruction pointers to a big shared map @@ -90,3 +89,6 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. Bad: completely changes how afl uses the map and the scheduling. Overall another very good solution, Marc Heuse/vanHauser follows this up + - Solution #4: ??? + + other ideas? |
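Review bot: In the first hunk (@@ -1,38 +1,37 @@) the two qemu_mode roadmap items "ensure redqueen implementation works fine" and "ensure no issues in persistent mode" are deleted outright rather than marked done or moved to "Further down the road", so the file no longer records whether they were verified or simply dropped from the 2.63 scope; a one-line "done" note or a move to the later section would keep that history. The same hunk adds "maybe pointless as we have persistent mode" to the AFL_QEMU_EXITPOINT item; if that is the decision, strike the item instead of leaving a hedged TODO, and if it is not yet decided, say what persistent mode does not cover.

Review bot: In the second hunk (@@ -53,26 +52,26 @@) the new "speed decrease" column gives 0%, 10%, 25%, 43%, 62% for 2^16 through 2^20 and "?%" for the remaining four rows, but the unchanged context line above the table says "every +1 decreases fuzzing speed by ~10%"; the column neither grows linearly nor as a constant 10% per step, so state in the table caption whether these are measured values (and on which targets) or an estimate, and either measure or drop the "?%" rows rather than leaving placeholders. The same hunk replaces "This only works in llvm_mode and llvm >= 9 though / A potential good future solution. Heiko/hexcoder follows this up" with "This only works in llvm_mode - obviously.", which loses both the LLVM version constraint for the lto+opt approach and the owner of the work item; keep the version requirement and the follow-up assignee, as they are the only actionable parts of that entry.

Review bot: In the third hunk (@@ -90,3 +89,6 @@) "Solution #4: ???" and "other ideas?" are placeholders with no content; either describe the candidate approach or leave the list at three solutions, since an empty numbered entry in a roadmap reads as an unfinished edit rather than a task.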