-rw-r--r-- | docs/INSTALL.md | 4
-rw-r--r-- | docs/env_variables.md | 8
-rw-r--r-- | docs/fuzzing_in_depth.md | 7
-rw-r--r-- | docs/ideas.md | 12
-rw-r--r-- | docs/third_party_tools.md | 15
-rw-r--r-- | docs/tutorials.md | 1
6 files changed, 27 insertions, 20 deletions
diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 9036a1f1..312b41e9 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -21,7 +21,7 @@ development state of AFL++. If you want to build AFL++ yourself, you have many options. The easiest choice is to build and install everything: -NOTE: depending on your Debian/Ubuntu/Kali/... version replease `-12` with +NOTE: depending on your Debian/Ubuntu/Kali/... version release `-12` with whatever llvm version is available! ```shell @@ -148,7 +148,7 @@ and definitely don't look POSIX-compliant. This means two things: environment before starting afl-fuzz. User emulation mode of QEMU does not appear to be supported on MacOS X, so -black-box instrumentation mode (`-Q`) will not work. However, Frida mode (`-O`) +black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`) works on both x86 and arm64 MacOS boxes. MacOS X supports SYSV shared memory used by AFL's instrumentation, but the diff --git a/docs/env_variables.md b/docs/env_variables.md index c836a929..00948fc1 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -160,7 +160,7 @@ Available options: Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to produce a CmpLog binary. -For afl-gcc-fast set `AFL_GCC_CMPLOG=1` instead. +For afl-gcc-fast, set `AFL_GCC_CMPLOG=1` instead. For more information, see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). @@ -462,7 +462,7 @@ checks or alter some of the more exotic semantics of the tool: some basic stats. This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe. - - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for + - In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for afl-qemu-trace and afl-frida-trace.so. - If you are using persistent mode (you should, see 
@@ -555,10 +555,10 @@ checks or alter some of the more exotic semantics of the tool: in the target binary - If you need an early forkserver in your target because of early - constructors in your target you can set `AFL_EARLY_FORKSERVER`. + constructors in your target, you can set `AFL_EARLY_FORKSERVER`. Note that this is not a compile time option but a runtime option :-) - - set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0 + - Set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0 to disable although it is 1st of April. ## 5) Settings for afl-qemu-trace diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 2c27dfe1..37889137 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -838,9 +838,10 @@ Here are some of the most important caveats for AFL++: - There is no direct support for fuzzing network services, background daemons, or interactive apps that require UI interaction to work. You may need to make - simple code changes to make them behave in a more traditional way. Preeny or libdesock may - offer a relatively simple option, too - see: - [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock) + simple code changes to make them behave in a more traditional way. Preeny or + libdesock may offer a relatively simple option, too - see: + [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or + [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock) Some useful tips for modifying network-based services can be also found at: [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop) diff --git a/docs/ideas.md b/docs/ideas.md index e2360ab2..b5de637f 100644 --- a/docs/ideas.md +++ b/docs/ideas.md 
@@ -19,18 +19,18 @@ Mentor: vanhauser-thc ## WASM Instrumentation Currently, AFL++ can be used for source code fuzzing and traditional binaries. -With the rise of WASM as a compile target, however, a novel way of instrumentation -needs to be implemented for binaries compiled to Webassembly. This can either be -done by inserting instrumentation directly into the WASM AST, or by patching -feedback into a WASM VM of choice, similar to the current Unicorn +With the rise of WASM as a compile target, however, a novel way of +instrumentation needs to be implemented for binaries compiled to Webassembly. +This can either be done by inserting instrumentation directly into the WASM AST, +or by patching feedback into a WASM VM of choice, similar to the current Unicorn instrumentation. Mentor: any ## Support other programming languages -Other programming languages also use llvm hence they could be (easily?) supported -for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ... +Other programming languages also use llvm hence they could be (easily?) +supported for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ... GCC also supports: Objective-C, Fortran, Ada, Go, and D (according to [Gcc homepage](https://gcc.gnu.org/)) diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md index 8d40c429..1175d9e5 100644 --- a/docs/third_party_tools.md +++ b/docs/third_party_tools.md @@ -1,11 +1,13 @@ # Tools that help fuzzing with AFL++ -Speeding up fuzzing: +## Speeding up fuzzing + * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory test case feature :-) - recommended. -Minimization of test cases: +## Minimization of test cases + * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores. 
@@ -14,7 +16,8 @@ Minimization of test cases: * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization. -Distributed execution: +## Distributed execution + * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL. * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing @@ -26,7 +29,8 @@ Distributed execution: * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS. -Deployment, management, monitoring, reporting +## Deployment, management, monitoring, reporting + * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases. @@ -44,7 +48,8 @@ Deployment, management, monitoring, reporting * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to parallelize afl-tmin, startup, and data collection. -Crash processing +## Crash processing + * [AFLTriage](https://github.com/quic/AFLTriage) - triage crashing input files using gdb. * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - diff --git a/docs/tutorials.md b/docs/tutorials.md index 477ff98b..758fddab 100644 --- a/docs/tutorials.md +++ b/docs/tutorials.md @@ -33,6 +33,7 @@ structure is), these links have you covered (some are outdated though): [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) ## Video Tutorials + * [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) * [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc) * [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4) |
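Review bot: the INSTALL.md hunk (`@@ -21,7 +21,7 @@`) trades one wrong word for another: `replease` is changed to `release`, but the sentence is telling the reader to substitute the llvm version suffix, so the word wanted is `replace`. Suggest the added line read `+NOTE: depending on your Debian/Ubuntu/Kali/... version replace `-12` with` so that it joins correctly with the unchanged `whatever llvm version is available!` below it.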
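Review bot: the ideas.md hunk (`@@ -19,18 +19,18 @@`) only reflows the two paragraphs and leaves the mis-cased names on lines it already rewrites: `compiled to Webassembly.` should be `compiled to WebAssembly.` and `also use llvm hence` should be `also use LLVM hence` (the same sentence also wants a comma before `hence`). Since these lines are touched anyway, fixing the names here avoids a follow-up commit; the `[Gcc homepage]` in the unchanged context could be fixed to `[GCC homepage]` in the same pass.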