| field | value | date |
|---|---|---|
| author | van Hauser <vh@thc.org> | 2021-11-03 21:55:21 +0100 |
| committer | GitHub <noreply@github.com> | 2021-11-03 21:55:21 +0100 |
| commit | f5535e348d37460daa4c6ea43063b451aa83d9cc (patch) | |
| tree | 2339a99aa53f604cbe77b0dc88882f29ec9a6bf6 /docs | |
| parent | 25c947cd5ae93cb865081f9259255b4fdb3ca3ba (diff) | |
| parent | 9278f27d749bcf0852ba2629caa319375c9a60e4 (diff) | |
| download | afl++-f5535e348d37460daa4c6ea43063b451aa83d9cc.tar.gz | |
Merge pull request #1142 from AFLplusplus/dev
Dev
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/Changelog.md | 9 |
| -rw-r--r-- | docs/INSTALL.md | 1 |
| -rw-r--r-- | docs/binaryonly_fuzzing.md | 18 |
| -rw-r--r-- | docs/branches.md | 3 |
| -rw-r--r-- | docs/fuzzing_binary-only_targets.md | 2 |
| -rw-r--r-- | docs/fuzzing_expert.md | 2 |
| -rw-r--r-- | docs/parallel_fuzzing.md | 11 |
| -rw-r--r-- | docs/triaging_crashes.md | 2 |
8 files changed, 29 insertions, 19 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index d8dac557..04b2fb2e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,14 +17,17 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. coverage being detected. thanks to Collin May for reporting! - fix -n dumb mode (nobody should use this) - fix stability issue with LTO and cmplog + - better banner - frida_mode: David Carlier added Android support :) - - afl-showmap, afl-tmin and afl-analyze now honor persistent mode - for more speed. thanks to dloffre-snl for reporting! + - afl-showmap, afl-tmin and afl-analyze: + - honor persistent mode for more speed. thanks to dloffre-snl for + reporting! + - fix bug where targets are not killed on timeouts - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: - fix for shared linking on MacOS - - llvm and LTO mode verified to work with new llvm 14-dev + - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b60a7048..960de1af 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -22,6 +22,7 @@ sudo apt-get install -y build-essential python3-dev automake git flex bison libg # try to install llvm 11 and install the distro default if that fails sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev +sudo apt-get install -y ninja-build # for qemu_mode git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make distrib diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 90ea3b66..de360543 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md 
@@ -96,12 +96,22 @@ It is slower than AFL FRIDA (see above). +## ZAFL + ZAFL is a static rewriting platform supporting x86-64 C/C++, stripped/unstripped, + and PIE/non-PIE binaries. Beyond conventional instrumentation, ZAFL's API enables + transformation passes (e.g., laf-Intel, context sensitivity, InsTrim, etc.). + + Its baseline instrumentation speed typically averages 90-95% of afl-clang-fast's. + + [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) + + ## DYNINST Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio (see far below). However whereas Pintool and Dynamorio work at runtime, dyninst instruments the target at load time, and then let it run - - or save the binary with the changes. + or save the binary with the changes. This is great for some things, e.g. fuzzing, and not so effective for others, e.g. malware analysis. @@ -116,13 +126,10 @@ The speed decrease is about 15-35%, depending on the optimization options used with afl-dyninst. - So if Dyninst works, it is the best option available. Otherwise it just - doesn't work well. - [https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) -## RETROWRITE, ZAFL, ... other binary rewriter +## RETROWRITE If you have an x86/x86_64 binary that still has its symbols, is compiled with position independant code (PIC/PIE) and does not use most of the C++ @@ -131,7 +138,6 @@ It is at about 80-85% performance. - [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) diff --git a/docs/branches.md b/docs/branches.md index 98fd6827..ae147b08 100644 --- a/docs/branches.md +++ b/docs/branches.md 
@@ -7,4 +7,5 @@ The following branches exist: * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* * (any other): experimental branches to work on specific features or testing new functionality or changes. -For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major changes in AFL++](important_changes.md). +For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. +Also take a look at the list of [important changes in AFL++](important_changes.md). \ No newline at end of file diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 8b3bbeff..ea262f6e 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -72,7 +72,7 @@ cd unicorn_mode If the goal is to fuzz a dynamic library then there are two options available. For both you need to write a small harness that loads and calls the library. Then you fuzz this with either frida_mode or qemu_mode, and either use -`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES` +`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES`. Another, less precise and slower option is using ptrace with debugger interrupt instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md). diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index ef3f8a4e..96193f88 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md 
@@ -625,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns. If you want to know more, the tons of texts in [docs/](./) will have you covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ -(some might be deprecated or unsupported), see [tools.md](tools.md). +(some might be deprecated or unsupported), see [tools.md](tools.md). \ No newline at end of file diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index e37276a5..d24f2837 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -27,9 +27,8 @@ will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. -Note that AFL++ has AFLfast's power schedules implemented. -It is therefore a good idea to use different power schedules if you run -several instances in parallel. See [power_schedules.md](power_schedules.md) +It is a good idea to use different power schedules if you run several instances +in parallel (`-p` option). Alternatively running other AFL spinoffs in parallel can be of value, e.g. Angora (https://github.com/AngoraFuzzer/Angora/) @@ -39,7 +38,7 @@ e.g. Angora (https://github.com/AngoraFuzzer/Angora/) If you wish to parallelize a single job across multiple cores on a local system, simply create a new, empty output directory ("sync dir") that will be shared by all the instances of afl-fuzz; and then come up with a naming scheme -for every instance - say, "fuzzer01", "fuzzer02", etc. +for every instance - say, "fuzzer01", "fuzzer02", etc. Run the first one ("main node", -M) like this: @@ -93,7 +92,7 @@ file name. There is support for parallelizing the deterministic checks. This is only needed where - + 1. many new paths are found fast over a long time and it looks unlikely that main node will ever catch up, and 2. deterministic fuzzing is actively helping path discovery (you can see this 
@@ -195,7 +194,7 @@ to keep in mind: - You do not want a "main" instance of afl-fuzz on every system; you should run them all with -S, and just designate a single process somewhere within the fleet to run with -M. - + - Syncing is only necessary for the main nodes on a system. It is possible to run main-less with only secondaries. However then you need to find out which secondary took over the temporary role to be the main node. Look for diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md index b0015c90..21ccecaa 100644 --- a/docs/triaging_crashes.md +++ b/docs/triaging_crashes.md @@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the tested program. It then color-codes the input based on which sections appear to be critical, and which are not; while not bulletproof, it can often offer quick insights into complex file formats. More info about its operation can be found -near the end of [technical_details.md](technical_details.md). +near the end of [technical_details.md](technical_details.md). \ No newline at end of file |
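Review bot: in the Changelog.md hunk the unchanged context line "Prevent accidently killing non-afl/fuzz services" misspells "accidentally"; since the neighbouring afl-showmap/afl-tmin/afl-analyze entries are being restructured anyway, fix it in the same hunk. The reworded entry "llvm and LTO mode modified to work with new llvm 14-dev (again)" also says nothing about what was modified; one clause naming the change (or the affected mode) would make the changelog useful to someone hitting a build problem on llvm 14.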
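Review bot: the added line `sudo apt-get install -y ninja-build # for qemu_mode` in INSTALL.md reads as optional, yet the documented sequence goes on to run `make distrib`, the all-inclusive build, a few lines later; say in the comment that ninja-build is required for that step, or fold the package into the preceding apt-get line so a reader who copies only the first install command does not get a build failure afterwards.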
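Review bot: the new "## ZAFL" section is added only to docs/binaryonly_fuzzing.md, while docs/fuzzing_binary-only_targets.md, which this same PR touches and which covers the same subject, gets no matching entry; keep the two documents in sync or have one point at the other. While this region is being edited, the unchanged context line "position independant code (PIC/PIE)" in the RETROWRITE section could be corrected to "independent". Removing the ZAFL link from the RETROWRITE section and renaming that heading from "RETROWRITE, ZAFL, ... other binary rewriter" to "RETROWRITE" is consistent with the new dedicated section.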
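Review bot: the branches.md hunk drops the file's trailing newline (`\ No newline at end of file` appears only on the `+` side); restore it. Splitting the two sentences onto separate lines and changing the link text to "important changes in AFL++" to match the important_changes.md file name are both fine.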
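Review bot: in the fuzzing_binary-only_targets.md hunk, the slash shorthand `AFL_QEMU/FRIDA_INST_RANGES` reads as a single variable name; while adding the missing period, spell out the two environment variables separately so a reader can copy the exact name for the mode they use.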
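Review bot: the only effect of the fuzzing_expert.md hunk is to remove the file's trailing newline (the `+` line is identical to the `-` line apart from `\ No newline at end of file`); this looks like an editor artefact rather than an intended change and should be reverted.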
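Review bot: the first parallel_fuzzing.md hunk removes the link to power_schedules.md together with the AFLfast note, so the replacement text tells readers to use different power schedules via `-p` without pointing at where the schedules are listed; keep a reference to that documentation (or to wherever it now lives). The remaining two hunks in this file only strip trailing whitespace and need no change.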
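Review bot: the triaging_crashes.md hunk, like the fuzzing_expert.md one, changes nothing but the trailing newline (`\ No newline at end of file` on the `+` side only); revert it so the file keeps its final newline.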