-rw-r--r-- README.md 3
-rw-r--r-- docs/Changelog.md 2
-rw-r--r-- qemu_mode/README.md 31
-rw-r--r-- qemu_mode/README.persistent.md 3
4 files changed, 29 insertions, 10 deletions
diff --git a/README.md b/README.md index e7b216e7..c3e8dc48 100644 --- a/README.md +++ b/README.md @@ -61,9 +61,10 @@ | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode | | ----------------------- |:-------:|:---------:|:----------:|:---------:|:------------:| - | laf-intel / CompCov | | x | | x86/arm | x86/arm | | NeverZero | x | x(1) | (2) | x | x | | Persistent mode | | x | x | x86 | x | + | laf-intel / CompCov | | x | | x86/arm | x86/arm | + | CmpLog | | x | | x | | | Whitelist | | x | x | | | | InsTrim | | x | | | | diff --git a/docs/Changelog.md b/docs/Changelog.md index f2c39e65..8b56603f 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -26,7 +26,9 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - LLVM 11 is supported - CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog) - qemu_mode: + - persistent mode is now also available for arm and aarch64 - CmpLog instrumentation for QEMU (-c afl-fuzz command line option) + for x86, x86_64, arm and aarch64 - AFL_PERSISTENT_HOOK callback module for persistent QEMU (see examples/qemu_persistent_hook) - added qemu_mode/README.persistent.md documentation diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 95b75e9c..4198af14 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -71,7 +71,8 @@ must be an address of a basic block. ## 4) Bonus feature #2: persistent mode -AFL++'s QEMU mode now supports also persistent mode for x86 and x86_64 targets. +AFL++'s QEMU mode now supports also persistent mode for x86, x86_64, arm +and aarch64 targets. This increases the speed by several factors, however it is a bit of work to set up - but worth the effort. 
@@ -85,6 +86,7 @@ The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL. There is also ./libcompcov/ which implements CompareCoverage for *cmp functions (splitting memcmp, strncmp, etc. to make these conditions easier solvable by afl-fuzz). + AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all comparison instructions and memory comparison functions when libcompcov @@ -93,11 +95,23 @@ AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables also the instrumentation of the floating-point comparisons on x86 and x86_64 (experimental). Integer comparison instructions are currently instrumented only -on the x86, x86_64 and ARM targets. +on the x86, x86_64, arm and aarch64 targets. Highly recommended. -## 6) Bonus feature #4: Wine mode +## 6) CMPLOG mode + +Another new feature is CMPLOG, which is based on the redqueen project. +Here all immidiates in CMP instructions are learned and put into a dynamic +dictionary and applied to all locations in the input that reached that +CMP, trying to solve and pass it. +This is a very effective feature and it is available for x86, x86_64, arm +and aarch64. + +To enable it you must pass on the command line of afl-fuzz: + -c /path/to/your/target + +## 7) Bonus feature #4: Wine mode AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz. @@ -105,7 +119,7 @@ Note that some binaries require user interaction with the GUI and must be patche For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO). -## 7) Notes on linking +## 8) Notes on linking The feature is supported only on Linux. Supporting BSD may amount to porting the changes made to linux-user/elfload.c and applying them to 
@@ -126,7 +140,7 @@ practice, this means two things: Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic and instrument every basic block encountered. -## 8) Benchmarking +## 9) Benchmarking If you want to compare the performance of the QEMU instrumentation with that of afl-gcc compiled code against the same target, you need to build the @@ -141,7 +155,7 @@ Comparative measurements of execution speed or instrumentation coverage will be fairly meaningless if the optimization levels or instrumentation scopes don't match. -## 9) Gotchas, feedback, bugs +## 10) Gotchas, feedback, bugs If you need to fix up checksums or do other cleanup on mutated test cases, see examples/post_library/ for a viable solution. @@ -162,7 +176,7 @@ with -march=core2, can help. Beyond that, this is an early-stage mechanism, so fields reports are welcome. You can send them to <afl-users@googlegroups.com>. -## 10) Alternatives: static rewriting +## 11) Alternatives: static rewriting Statically rewriting binaries just once, instead of attempting to translate them at run time, can be a faster alternative. That said, static rewriting is @@ -176,4 +190,5 @@ The best implementation is this one: The issue however is Dyninst which is not rewriting the binaries so that they run stable. A lot of crashes happen, especially in C++ programs that use throw/catch. Try it first, and if it works for you be happy as it is -2-3x as fast as qemu_mode. +2-3x as fast as qemu_mode, however usually not as fast as QEMU persistent mode. + diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md index 6dba5a00..e2e372d8 100644 --- a/qemu_mode/README.persistent.md +++ b/qemu_mode/README.persistent.md 
@@ -7,7 +7,8 @@ addresses - without forking for every fuzzing attempt. This increases the speed by a factor between x2 and x5, hence it is very, very valuable. -The persistent mode is currently only available for x86/x86_64 targets. +The persistent mode is currently only available for x86/x86_64, arm +and aarch64 targets. ## 2) How use the persistent mode |
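Review bot: in the README.md feature-table hunk, the new `| CmpLog | | x | | x | |` row marks qemu_mode with a bare `x`, while the Changelog hunk in this same commit limits QEMU CmpLog to x86, x86_64, arm and aarch64 and the neighbouring `laf-intel / CompCov` row writes that restriction as `x86/arm`; use `x86/arm` in the qemu_mode cell so the table stays self-consistent. Moving the `laf-intel / CompCov` row below `Persistent mode` is an unrelated reorder and could be dropped to keep the diff minimal.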
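Review bot: in the qemu_mode/README.md hunk that adds the CMPLOG section, `immidiates` should be `immediates`. The new `## 6) CMPLOG mode` heading also breaks the section naming: it sits directly after the CompareCoverage section and before `## 7) Bonus feature #4: Wine mode`, so either call it `Bonus feature #4: CMPLOG mode` and bump Wine mode to #5, or drop the bonus numbering altogether. The invocation line `-c /path/to/your/target` should be set off as a code line rather than an indented prose line, and because CMPLOG is documented right after `AFL_COMPCOV_LEVEL` the text should say whether the two can be combined in one afl-fuzz run.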
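Review bot: the final `+` line of the static-rewriting hunk in qemu_mode/README.md adds an empty line at end of file; drop it. The edited sentence has also become a run-on; suggest splitting it: `... be happy as it is 2-3x as fast as qemu_mode. It is however usually not as fast as QEMU persistent mode.`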
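Review bot: the README.persistent.md hunk mixes separators (`x86/x86_64, arm and aarch64`), whereas the qemu_mode/README.md hunk in the same commit writes `x86, x86_64, arm and aarch64`; align the two. While this file is being touched, the context heading `## 2) How use the persistent mode` is missing `to`.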