diff options
| -rw-r--r-- | GNUmakefile | 2 | ||||
| -rwxr-xr-x | afl-system-config | 2 | ||||
| -rw-r--r-- | docs/ci_fuzzing.md | 2 | ||||
| -rw-r--r-- | docs/fuzzing_binary-only_targets.md | 5 | ||||
| -rw-r--r-- | docs/fuzzing_expert.md | 2 |
5 files changed, 7 insertions, 6 deletions
diff --git a/GNUmakefile b/GNUmakefile index 376f6e9a..0a6f3950 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -541,7 +541,7 @@ test_build: afl-cc afl-gcc afl-as afl-showmap # echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr # @rm -f test-instr # @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \ -# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \ +# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option." ) || \ # ( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi # @echo # @echo "[+] All right, the instrumentation of afl-gcc seems to be working!" diff --git a/afl-system-config b/afl-system-config index dbdbbf1f..3c14ba55 100755 --- a/afl-system-config +++ b/afl-system-config @@ -52,7 +52,7 @@ if [ "$PLATFORM" = "Linux" ] ; then echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"' echo } - echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed + echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed. echo DONE=1 fi diff --git a/docs/ci_fuzzing.md b/docs/ci_fuzzing.md index 316059f8..8d1a2f99 100644 --- a/docs/ci_fuzzing.md +++ b/docs/ci_fuzzing.md @@ -26,4 +26,4 @@ Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing campaigns `-M` enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs. How this can look like can e.g. be seen at AFL++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl) -and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py). \ No newline at end of file +and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py). diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index a39e40a0..8b3bbeff 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -51,7 +51,7 @@ make ``` For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md). -If possible you should use the persistent mode, see [qemu_frida/README.persistent.md](../qemu_frida/README.persistent.md). +If possible you should use the persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md). The mode is approximately 2-5x slower than compile-time instrumentation, and is less conducive to parallelization. @@ -71,7 +71,8 @@ cd unicorn_mode If the goal is to fuzz a dynamic library then there are two options available. For both you need to write a small harness that loads and calls the library. -Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md) +Then you fuzz this with either frida_mode or qemu_mode, and either use +`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES` Another, less precise and slower option is using ptrace with debugger interrupt instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md). diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 23b24ad0..7695e21f 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -472,7 +472,7 @@ If you are using AFL spinoffs or AFL conforming fuzzers, then just use the same -o directory and give it a unique `-S` name. Examples are: * [Fuzzolic](https://github.com/season-lab/fuzzolic) - * [symcc](https://github.com/eurecom-s/symcc/) + * [symcc](https://github.com/eurecom-s3/symcc/) * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/) * [AFLsmart](https://github.com/aflsmart/aflsmart) * [FairFuzz](https://github.com/carolemieux/afl-rb) |