-rw-r--r--  .gitignore       2
-rw-r--r--  README.md       18
-rw-r--r--  TODO            15
-rw-r--r--  docs/ChangeLog   1
4 files changed, 25 insertions, 11 deletions
diff --git a/.gitignore b/.gitignore
index e4d2346e..b2975a7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+.test
+.test2
 *.o
 *.so
 afl-analyze
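Review bot: `.test` and `.test2` look like local scratch artifacts rather than build outputs like the surrounding `*.o`, `*.so` and `afl-analyze` entries; unless a build or test target of the project produces them, they belong in the per-clone `.git/info/exclude` rather than the shared `.gitignore`. If a test target does generate them, a one-line comment above the two entries naming that target would tell the next reader why they are here.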
diff --git a/README.md b/README.md
index 597ed8f0..c697da4f 100644
--- a/README.md
+++ b/README.md
@@ -30,9 +30,9 @@
 
   * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
 
-  * the new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
+  * The new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 
-  * instrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
+  * InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
 
   * C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl)
 
@@ -40,12 +40,22 @@
 
   * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)
 
-  * laf-intel (compcov) support for llvm_mode, qemu_mode and unicorn_mode
+  * laf-intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode
 
-  * neverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage (by Andrea Fioraldi)
+  * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
+  
+  * Persistent mode and deferred forkserver for qemu_mode
 
   A more thorough list is available in the PATCHES file.
 
+  | Feature/Instrumentation | LLVM | GCC | QEMU | Unicorn |
+  | ----------------------- |:----:|:---:|:----:| -------:|
+  | laf-intel / CompCov     |  x   |     |  x   |    x    |
+  | NeverZero               |  x   |  x  |  x   |    x    |
+  | Persistent mode         |  x   |     |  x   |         |
+  | Whitelist               |  x   |     |      |         |
+  | InsTrim                 |  x   |     |      |         |
+
   So all in all this is the best-of AFL that is currently out there :-)
 
   For new versions and additional information, check out:
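Review bot: The new bullet `+  * Persistent mode and deferred forkserver for qemu_mode` advertises a deferred forkserver for qemu_mode, but the TODO hunk in this same commit still lists `deferred mode with AFL_DEFERRED_QEMU=0xaddress` as unimplemented and the ChangeLog entry only says `persistent mode for QEMU`; either drop "deferred forkserver" from the README until it lands or record it in the ChangeLog. Two smaller points in the same hunk: the NeverZero line silently drops the `(by Andrea Fioraldi)` credit while every other entry keeps its attribution, which reads as unintentional, and the line added right after it consists only of two spaces (trailing whitespace). In the table, the alignment markers mix centered (`:----:`) and right-aligned (`-------:`) columns; `:-------:` for Unicorn would match the others, and the "deferred forkserver" mentioned in the bullet has no row, so the table and the bullet list do not describe the same feature set.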
diff --git a/TODO b/TODO
index 26311713..87d1488c 100644
--- a/TODO
+++ b/TODO
@@ -20,6 +20,14 @@ gcc_plugin:
 
 qemu_mode:
  - update to 4.x (probably this will be skipped :( )
+ - deferred mode with AFL_DEFERRED_QEMU=0xaddress
+   (AFL_ENTRYPOINT let you to specify only a basic block address as starting
+   point. This will be implemented togheter with the logic for persistent
+   mode.)
+ - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
+   Idea: The static analyzer outputs a map in which each edge that must be
+   skipped is marked with 1. QEMU loads it at startup in the parent process.
+
 
 unit testing / or large testcase campaign
 
@@ -52,10 +60,3 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
     Bad: completely changes how afl uses the map and the scheduling.
     Overall another very good solution, Marc Heuse/vanHauser follows this up
     
-qemu_mode:
- - persistent mode patching the return address (WinAFL style)
- - deferred mode with AFL_DEFERRED_QEMU=0xaddress
-   (AFL_ENTRYPOINT let you to specify only a basic block address as starting
-    point. This will be implemented togheter with the logic for persistent
-    mode.)
-
diff --git a/docs/ChangeLog b/docs/ChangeLog
index a407e253..fa05d1b8 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -20,6 +20,7 @@ Version ++2.54d (dev):
   - no more unlinking the input file, this way the input file can also be a
     FIFO or disk partition
   - reducing duplicate code in afl-fuzz
+  - persistent mode for QEMU
 
 
 --------------------------
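Review bot: The entry `persistent mode for QEMU` lacks the information a user needs to turn the feature on, namely which environment variable selects the persistent loop address and what the return-address patching does to the target; a short line here or a pointer to the qemu_mode documentation would do. It also does not mention the deferred forkserver that the README in this commit advertises for qemu_mode; the README and the ChangeLog should agree on what has actually shipped.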