added AFLfast power schedules from Marcel Boehme and updated the documenation

4 files changed, 49 insertions, 0 deletions

diff --git a/docs/ChangeLog b/docs/ChangeLog
index e0db8b71..558bb427 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -23,6 +23,9 @@ Version ++2.52c (2019-05-28):
       afl-fuzz: -e EXTENSION  commandline option
       llvm_mode: LAF-intel performance (needs activation, see llvm/README.laf-intel)
       a few new environment variables for afl-fuzz, llvm and qemu, see docs/env_variables.txt
+  - Added the power schedules of AFLfast by Marcel Boehme, but set the default
+    to the AFL schedule, not to the FAST schedule. So nothing changes unless
+    you use the new -p option :-) - see docs/power_schedules.txt
   - added afl-system-config script to set all system performance options for fuzzing
 
 
diff --git a/docs/README b/docs/README
index 3f8ae63e..2351f3ae 100644
--- a/docs/README
+++ b/docs/README
@@ -13,6 +13,12 @@ american fuzzy lop plus plus
   based on community patches from https://github.com/vanhauser-thc/afl-patches
   To see the list of which patches have been applied, see the PATCHES file.
 
+  Additionally AFLfast's power schedules by Marcel Boehme from
+  github.com/mboehme/aflfast have been incorporated.
+
+  So all in all this is the best-of AFL that is currently out there :-)
+
+
   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
   Released under terms and conditions of Apache License, Version 2.0.
 
diff --git a/docs/parallel_fuzzing.txt b/docs/parallel_fuzzing.txt
index 58f8d2f4..1e65c01f 100644
--- a/docs/parallel_fuzzing.txt
+++ b/docs/parallel_fuzzing.txt
@@ -26,6 +26,13 @@ that input to guide their work.
 To help with this problem, afl-fuzz offers a simple way to synchronize test
 cases on the fly.
 
+Note that afl++ has AFLfast's power schedules implemented.
+It is therefore a good idea to use different power schedules if you run
+several instances in parallel. See docs/power_schedules.txt
+
+Alternatively running other AFL spinoffs in parallel can be of value,
+e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
+
 2) Single-system parallelization
 --------------------------------
 
diff --git a/docs/power_schedules.txt b/docs/power_schedules.txt
new file mode 100644
index 00000000..578ff020
--- /dev/null
+++ b/docs/power_schedules.txt
@@ -0,0 +1,33 @@
+This document was copied and modified from AFLfast at github.com/mboehme/aflfast
+
+
+Essentially, we observed that most generated inputs exercise the same few
+"high-frequency" paths and developed strategies to gravitate towards
+low-frequency paths, to stress significantly more program behavior in the
+same amount of time. We devised several **search strategies** that decide
+in which order the seeds should be fuzzed and **power schedules** that
+smartly regulate the number of inputs generated from a seed (i.e., the
+time spent fuzzing a seed). We call the number of inputs generated from a
+seed, the seed's **energy**. 
+
+Old AFL used -p exploit which had a too high cost, current AFL uses -p explore.
+
+AFLfast implemented 4 new power schedules which are highly recommended to run
+in parallel.
+
+| AFL flag | Power Schedule             | 
+| ------------- | -------------------------- |
+| `-p fast` (default)| ![FAST](http://latex.codecogs.com/gif.latex?p(i)=\\min\\left(\\frac{\\alpha(i)}{\\beta}\\cdot\\frac{2^{s(i)}}{f(i)},M\\right))  |
+| `-p coe` | ![COE](http://latex.codecogs.com/gif.latex?p%28i%29%3D%5Cbegin%7Bcases%7D%200%20%26%20%5Ctext%7B%20if%20%7D%20f%28i%29%20%3E%20%5Cmu%5C%5C%20%5Cmin%5Cleft%28%5Cfrac%7B%5Calpha%28i%29%7D%7B%5Cbeta%7D%5Ccdot%202%5E%7Bs%28i%29%7D%2C%20M%5Cright%29%20%26%20%5Ctext%7B%20otherwise.%7D%20%5Cend%7Bcases%7D) |
+| `-p explore` | ![EXPLORE](http://latex.codecogs.com/gif.latex?p%28i%29%3D%5Cfrac%7B%5Calpha%28i%29%7D%7B%5Cbeta%7D) |
+| `-p quad` | ![QUAD](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Cmin%5Cleft%28%5Cfrac%7B%5Calpha%28i%29%7D%7B%5Cbeta%7D%5Ccdot%5Cfrac%7Bs%28i%29%5E2%7D%7Bf%28i%29%7D%2CM%5Cright%29) |
+| `-p lin` | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Cmin%5Cleft%28%5Cfrac%7B%5Calpha%28i%29%7D%7B%5Cbeta%7D%5Ccdot%5Cfrac%7Bs%28i%29%7D%7Bf%28i%29%7D%2CM%5Cright%29) |
+| `-p exploit` (AFL) | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Calpha%28i%29) |
+where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path.
+  
+More details can be found in our paper that was recently accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/).
+
+PS: In parallel mode (several instances with shared queue), we suggest to run the master using the exploit schedule (-p exploit) and the slaves with a combination of cut-off-exponential (-p coe), exponential (-p fast; default), and explore (-p explore) schedules. In single mode, the default settings will do. **EDIT:** In parallel mode, AFLFast seems to perform poorly because the path probability estimates are incorrect for the imported seeds. Pull requests to fix this issue by syncing the estimates accross instances are appreciated :)
+
+Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
+Released under terms and conditions of Apache License, Version 2.0.