author    Andrea Fioraldi <andreafioraldi@gmail.com>  2019-11-11 14:36:06 +0100
committer GitHub <noreply@github.com>  2019-11-11 14:36:06 +0100
commit    659db7e421b47da4b04110a141d9c20307f74ecc (patch)
tree      18f9c38cc5270adcf445a62b974712cead4a01c4 /docs
parent    cd84339bccc104a51a5da614a9f82cc4ae615cce (diff)
parent    01d55372441960c435af8f3bd6b61d1302042728 (diff)
download  afl++-659db7e421b47da4b04110a141d9c20307f74ecc.tar.gz
Merge branch 'master' into radamsa
Diffstat (limited to 'docs')
-rw-r--r--  docs/ChangeLog            35
-rw-r--r--  docs/QuickStartGuide.txt   2
-rw-r--r--  docs/env_variables.txt    31
-rw-r--r--  docs/notes_for_asan.txt    2
-rw-r--r--  docs/perf_tips.txt        17
-rw-r--r--  docs/power_schedules.txt   2
-rw-r--r--  docs/sister_projects.txt   2
7 files changed, 74 insertions, 17 deletions
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 7ccc8b66..7bc6dec4 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -14,11 +14,41 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 
 ----------------------
-Version ++2.54d (dev):
+Version ++2.58d (dev):
 ----------------------
 
+  - afl-analyze: added AFL_SKIP_BIN_CHECK support
+  - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
+  - afl-fuzz: CPU affinity support for DragonFly
+  - llvm_mode: float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
+  - libtokencap: support for *BSD/OSX added
+  - libcompcov floating point splitting support for qemu and unicorn
+  - Dockerfile by courtesy of devnexen
+  - ripped regex.dictionary from Google afl PR
+  - qemu and unicorn download scripts now try to download until the full
+    download succeeded. f*ckin travis fails downloading 40% of the time!
+  - removed unnecessary warnings
+
+
+--------------------------
+Version ++2.58c (release):
+--------------------------
+
+  - reverted patch to not unlink and recreate the input file, it resulted in
+    performance loss of ~10%
+  - added test/test-performance.sh script
+  - (re)added gcc_plugin, fast inline instrumentation is not yet finished,
+    however it includes the whitelisting and persistance feature! by hexcoder-
+  - gcc_plugin tests added to testing framework
+
+
+--------------------------------
+Version ++2.54d-2.57c (release):
+--------------------------------
+
+  - we jump to 2.57 instead of 2.55 to catch up with Google's versioning
   - persistent mode for QEMU (see qemu_mode/README.md)
-  - custom mutator library is now a standard mutator, to exclusivly use it
+  - custom mutator library is now an additional mutator, to exclusivly use it
     add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
   - new library qemu_mode/unsigaction which filters sigaction events
   - afl-fuzz: new command line option -I to execute a command on a new crash
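Review bot: the rewritten custom-mutator line still carries the misspelling "exclusivly" (should be "exclusively"), and the new 2.58c gcc_plugin entry has "persistance" for "persistence"; both lines are already being changed or added in this hunk, so fix them here rather than in a follow-up. Also consider rewording the "f*ckin travis fails downloading 40% of the time!" remark in the 2.58d download-retry entry: the ChangeLog is user-facing documentation, and "CI downloads fail intermittently, so the scripts now retry until the download succeeds" conveys the same information.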
@@ -41,6 +71,7 @@ Version ++2.54d (dev):
   - updated documentation
   - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
   - CompareCoverage for ARM target in QEMU/Unicorn
+  - laf-intel in llvm_mode now also handles floating point comparisons
 
 
 --------------------------
diff --git a/docs/QuickStartGuide.txt b/docs/QuickStartGuide.txt
index 9190dc98..723611e3 100644
--- a/docs/QuickStartGuide.txt
+++ b/docs/QuickStartGuide.txt
@@ -45,6 +45,8 @@ how to hit the ground running:
 7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way
    faster and has a few cool features
 
+8) There is a basic docker build with 'docker build -t aflplusplus .'
+
 That's it. Sit back, relax, and - time permitting - try to skim through the
 following files:
 
diff --git a/docs/env_variables.txt b/docs/env_variables.txt
index e763118e..427f8cca 100644
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@@ -71,11 +71,11 @@ tools make fairly broad use of environmental variables:
   - Setting AFL_CAL_FAST will speed up the initial calibration, if the
     application is very slow
 
-2) Settings for afl-clang-fast / afl-clang-fast++
--------------------------------------------------
+2) Settings for afl-clang-fast / afl-clang-fast++ / afl-gcc-fast / afl-g++-fast
+---------------------------------------------------------------------------------
 
-The native LLVM instrumentation helper accepts a subset of the settings
-discussed in section #1, with the exception of:
+The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset
+of the settings discussed in section #1, with the exception of:
 
   - AFL_AS, since this toolchain does not directly invoke GNU as.
 
@@ -100,7 +100,7 @@ Then there are a few specific features that are only available in llvm_mode:
     - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and
       64, 32 and 16 bit integer CMP instructions
 
-    See llvm_mode/README.laf-intel for more information. 
+    See llvm_mode/README.laf-intel.md for more information. 
 
   WHITELIST
   =========
@@ -109,7 +109,7 @@ Then there are a few specific features that are only available in llvm_mode:
     - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
       files that match the names listed in this file.
 
-    See llvm_mode/README.whitelist for more information.
+    See llvm_mode/README.whitelist.md for more information.
 
   INSTRIM
   =======
@@ -122,7 +122,7 @@ Then there are a few specific features that are only available in llvm_mode:
       afl-fuzz will only be able to see the path the loop took, but not how
       many times it was called (unless it is a complex loop).
 
-    See llvm_mode/README.instrim
+    See llvm_mode/README.instrim.md
 
   NOT_ZERO
   ========
@@ -133,7 +133,18 @@ Then there are a few specific features that are only available in llvm_mode:
       slowdown due a performance issue that is only fixed in llvm 9+.
       This feature increases path discovery by a little bit.
 
-    See llvm_mode/README.neverzero
+    See llvm_mode/README.neverzero.md
+
+Then there are a few specific features that are only available in the gcc_plugin:
+
+  WHITELIST
+  =========
+    This feature allows selective instrumentation of the source
+
+    - Setting AFL_GCC_WHITELIST with a filename will only instrument those
+      files that match the names listed in this file (one filename per line).
+
+    See gcc_plugin/README.whitelist.md for more information.
 
 3) Settings for afl-fuzz
 ------------------------
@@ -257,7 +268,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
   - Setting AFL_COMPCOV_LEVEL enables the CompareCoverage tracing of all cmp
     and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
     memcmp, ...) when libcompcov is preloaded using AFL_PRELOAD.
-    More info at qemu_mode/libcompcov/README.compcov.
+    More info at qemu_mode/libcompcov/README.md.
     There are two levels at the moment, AFL_COMPCOV_LEVEL=1 that instruments
     only comparisons with immediate values / read-only memory and
     AFL_COMPCOV_LEVEL=2 that instruments all the comparions. Level 2 is more
@@ -318,7 +329,7 @@ of decimal.
 8) Settings for libdislocator.so
 --------------------------------
 
-The library honors three environmental variables:
+The library honors these environmental variables:
 
   - AFL_LD_LIMIT_MB caps the size of the maximum heap usage permitted by the
     library, in megabytes. The default value is 1 GB. Once this is exceeded,
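Review bot: replacing "three" with "these" drops the count without showing the list it refers to; if the change is motivated by a newly added libdislocator variable, that variable is not in this hunk, so please confirm the list below was actually extended, otherwise keep the explicit count.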
diff --git a/docs/notes_for_asan.txt b/docs/notes_for_asan.txt
index 972ca909..09ca172e 100644
--- a/docs/notes_for_asan.txt
+++ b/docs/notes_for_asan.txt
@@ -34,7 +34,7 @@ Note that ASAN is incompatible with -static, so be mindful of that.
 There is also the option of generating a corpus using a non-ASAN binary, and
 then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
 and can give you somewhat comparable results. You can also try using
-libdislocator (see libdislocator/README.dislocator in the parent directory) as a
+libdislocator (see libdislocator/README.dislocator.md in the parent directory) as a
 lightweight and hassle-free (but less thorough) alternative.
 
 2) Long version
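Review bot: appending ".md" pushes the rewritten libdislocator line past the 80-column wrap the rest of notes_for_asan.txt follows; rewrap the sentence ("...libdislocator (see libdislocator/README.dislocator.md in the parent directory)" onto its own line) so the paragraph stays consistent.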
diff --git a/docs/perf_tips.txt b/docs/perf_tips.txt
index 215895b6..0cac8f7b 100644
--- a/docs/perf_tips.txt
+++ b/docs/perf_tips.txt
@@ -50,12 +50,15 @@ Even if you don't have a lightweight harness for a particular target, remember
 that you can always use another, related library to generate a corpus that will
 be then manually fed to a more resource-hungry program later on.
 
+Also note that reading the fuzzing input via stdin is faster than reading from
+a file.
+
 3) Use LLVM instrumentation
 ---------------------------
 
-When fuzzing slow targets, you can gain 2x performance improvement by using
-the LLVM-based instrumentation mode described in llvm_mode/README.llvm. Note
-that this mode requires the use of clang and will not work with GCC.
+When fuzzing slow targets, you can gain 20-100% performance improvement by
+using the LLVM-based instrumentation mode described in llvm_mode/README.llvm.
+Note that this mode requires the use of clang and will not work with GCC.
 
 The LLVM mode also offers a "persistent", in-process fuzzing mode that can
 work well for certain types of self-contained libraries, and for fast targets,
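Review bot: the rewritten paragraph still refers to "llvm_mode/README.llvm" even though every other README reference touched by this commit (laf-intel, whitelist, instrim, neverzero, compcov, dislocator) was updated to its ".md" name; update this reference in the same way, and likewise "llvm_mode/README.whitelist" in the unchanged context of the following hunk. The added "reading the fuzzing input via stdin is faster than reading from a file" note would benefit from a one-line reason (no file create/write/reopen per execution) so readers can judge when it applies to their harness.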
@@ -72,6 +75,9 @@ If you are only intested in specific parts of the code being fuzzed, you can
 whitelist the files that are actually relevant. This improves the speed and
 accuracy of afl. See llvm_mode/README.whitelist
 
+Also use the InsTrim mode on larger binaries, this improves performance and
+coverage a lot.
+
 4) Profile and optimize the binary
 ----------------------------------
 
@@ -161,6 +167,11 @@ and not waste CPU time.
 
 There are several OS-level factors that may affect fuzzing speed:
 
+  - If you have no risk of power loss then run your fuzzing on a tmpfs
+    partition. This increases the performance noticably.
+    Alternatively you can use AFL_TMPDIR to point to a tmpfs location to
+    just write the input file to a tmpfs.
+
   - High system load. Use idle machines where possible. Kill any non-essential
     CPU hogs (idle browser windows, media players, complex screensavers, etc).
 
diff --git a/docs/power_schedules.txt b/docs/power_schedules.txt
index f5f66bd6..7b9d34c4 100644
--- a/docs/power_schedules.txt
+++ b/docs/power_schedules.txt
@@ -2,7 +2,7 @@ afl++'s power schedules based on AFLfast
 
 <a href="https://comp.nus.edu.sg/~mboehme/paper/CCS16.pdf"><img src="https://comp.nus.edu.sg/~mboehme/paper/CCS16.png" align="right" width="250"></a>
 Power schedules implemented by Marcel Böhme \<marcel.boehme@acm.org\>. 
-AFLFast is an extension of AFL which was written by Michal Zalewski \<lcamtuf@google.com\>.
+AFLFast is an extension of AFL which was written by Michal Zalewski.
 
 AFLfast has helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took **2nd place** in terms of #POVs proven (see red bar at https://www.cybergrandchallenge.com/event#results). AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes. 
 
diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
index a2eb2a22..25e5560c 100644
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@@ -319,11 +319,13 @@ Fuzzer shell for SQLite (Richard Hipp)
 Support for Python mutation modules (Christian Holler)
 ------------------------------------------------------
 
+now integrated in AFL++, originally from here
   https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
 
 Support for selective instrumentation (Christian Holler)
 --------------------------------------------------------
 
+now integrated in AFL++, originally from here
   https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
 
 Kernel fuzzing (Dmitry Vyukov)
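Review bot: the two added "now integrated in AFL++, originally from here" lines are unindented and lowercase while the URLs beneath them are indented, which reads like a stray fragment; write them as "  Now integrated into AFL++; originally from:" with the same two-space indent, or fold the note into the section heading ("Support for Python mutation modules (Christian Holler, now integrated into AFL++)").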