-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | frida_mode/README.md | 48 |
2 files changed, 28 insertions, 24 deletions
diff --git a/README.md b/README.md index 4a0f3574..c16216bf 100644 --- a/README.md +++ b/README.md @@ -91,9 +91,9 @@ behaviours and defaults: | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | frida_mode | qemu_mode |unicorn_mode | | -------------------------|:-------:|:---------:|:----------:|:----------:|:----------------:|:------------:| | NeverZero | x86[_64]| x(1) | x | | x | x | - | Persistent Mode | | x | x | | x86[_64]/arm[64] | x | + | Persistent Mode | | x | x | x | x86[_64]/arm[64] | x | | LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm | - | CmpLog | | x | | | x86[_64]/arm[64] | | + | CmpLog | | x | | x | x86[_64]/arm[64] | | | Selective Instrumentation| | x | x | x | x | | | Non-Colliding Coverage | | x(4) | | | (x)(5) | | | Ngram prev_loc Coverage | | x(6) | | | | | diff --git a/frida_mode/README.md b/frida_mode/README.md index d9634df2..9f574a4c 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md 
@@ -1,15 +1,19 @@ # FRIDA MODE -The purpose of FRIDA mode is to provide an alternative binary only fuzzer for AFL -just like that provided by QEMU mode. The intention is to provide a very similar -user experience, right down to the options provided through environment variables. + +The purpose of FRIDA mode is to provide an alternative binary only fuzzer for +AFL just like that provided by QEMU mode. The intention is to provide a very +similar user experience, right down to the options provided through environment +variables. Whilst AFLplusplus already has some support for running on FRIDA [here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_frida) this requires the code to be fuzzed to be provided as a shared library, it cannot be used to fuzz executables. Additionally, it requires the user to write -a small harness around their target code of interest, FRIDA mode instead takes a -different approach to avoid these limitations. +a small harness around their target code of interest. +FRIDA mode instead takes a different approach to avoid these limitations. +In Frida mode binary programs are instrumented, similarly to QEMU mode. + +## Current Progress -# Current Progress As FRIDA mode is new, it is missing a lot of features. The design is such that it should be possible to add these features in a similar manner to QEMU mode and perhaps leverage some of its design and implementation. @@ -28,7 +32,7 @@ perhaps leverage some of its design and implementation. | Snapshot LKM Support | - | | | In-Memory Test Cases | x | (x64 only) | -# Compatibility +## Compatibility Currently FRIDA mode supports Linux and macOS targets on both x86/x64 architecture and aarch64. Later releases may add support for aarch32 and Windows targets as well as embedded linux environments. 
@@ -38,6 +42,7 @@ runtime libraries, so porting should be possible. However, the current build system does not support cross compilation. ## Getting Started + To build everything run `make`. Various tests can be found in subfolders within the `test/` directory. To use @@ -45,6 +50,7 @@ these, first run `make` to build any dependencies. Then run `make qemu` or `make frida` to run on either QEMU of FRIDA mode respectively. ## Usage + FRIDA mode added some small modifications to `afl-fuzz` and similar tools in AFLplusplus. The intention was that it behaves identically to QEMU, but it uses the 'O' switch rather than 'Q'. Whilst the options 'f', 'F', 's' or 'S' may have 
@@ -63,30 +69,26 @@ following options are currently supported: * `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT` * `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK` +To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`. -# Performance +## Performance Additionally, the intention is to be able to make a direct performance comparison between the two approaches. Accordingly, FRIDA mode includes various -test targets based on the [libpng](https://libpng.sourceforge.io/) benchmark used by -[fuzzbench](https://google.github.io/fuzzbench/) and integrated with the +test targets based on the [libpng](https://libpng.sourceforge.io/) benchmark +used by [fuzzbench](https://google.github.io/fuzzbench/) and integrated with the [StandaloneFuzzTargetMain](https://raw.githubusercontent.com/llvm/llvm-project/main/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c) -from the llvm project. These tests include basic fork-server support, persistent mode -and persistent mode with in-memory test-cases. These are built and linked without -any special modifications to suit FRIDA or QEMU. The test data provided with libpng -is used as the corpus. +from the llvm project. These tests include basic fork-server support, persistent +mode and persistent mode with in-memory test-cases. These are built and linked +without any special modifications to suit FRIDA or QEMU. The test data provided +with libpng is used as the corpus. The intention is to add support for FRIDA mode to the FuzzBench project and perform a like-for-like comparison with QEMU mode to get an accurate appreciation of its performance. -Whilst [afl_frida](https://github.com/AFLplusplus/AFLplusplus/tree/stable/utils/afl_frida) -claims a 5-10x performance increase over QEMU, it has not been possible to -reproduce these claims. 
It is thought that `afl_frida` was running a test case -in persistent mode, whereas the qemu test it was compared against was not and -this may account for the differences since it isn't a like-for-like comparison. +## Design -# Design FRIDA mode is supported by using `LD_PRELOAD` (`DYLD_INSERT_LIBRARIES` on macOS) to inject a shared library (`afl-frida-trace.so`) into the target. This shared library is built using the [frida-gum](https://github.com/frida/frida-gum) @@ -117,7 +119,8 @@ makes use of a basic C function and is yet to be optimized. Since not all instances run CMPLOG mode and instrumentation of the binary is less frequent (only on CMP, SUB and CALL instructions) performance is not quite so critical. -# Advanced configuration options +## Advanced configuration options + * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage instrumentation (the default where available). Required to use `AFL_FRIDA_INST_TRACE`. @@ -127,7 +130,8 @@ them and they be inherited by the next child on fork. * `AFL_FRIDA_INST_TRACE` - Generate some logging when running instrumented code. Requires `AFL_FRIDA_INST_NO_OPTIMIZE`. -# TODO +## TODO + The next features to be added are x86 support, integration with FuzzBench and support for ASAN. The intention is to achieve feature parity with QEMU mode in due course. Contributions are welcome, but please get in touch to ensure that |
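Review bot: In the README.md feature table hunk, the new frida_mode entries for "Persistent Mode" and "CmpLog" are a bare "x", while the neighbouring qemu_mode column qualifies the same rows with "x86[_64]/arm[64]"; the frida_mode/README.md Compatibility section in this same change says only x86/x64 and aarch64 targets are supported, and the progress table marks "In-Memory Test Cases" as "(x64 only)", so consider qualifying the two cells or attaching a numbered footnote like the "(1)" and "(4)" markers the table already uses, so readers do not assume parity with the llvm column.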
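Review bot: In the first frida_mode/README.md hunk (`@@ -1,15 +1,19 @@`), the added line "In Frida mode binary programs are instrumented, similarly to QEMU mode." spells the name "Frida mode" while every other line in the file writes "FRIDA mode", and it largely repeats the opening paragraph's comparison with QEMU mode; suggest "In FRIDA mode, binary programs are instrumented, similarly to QEMU mode." or folding the point into the sentence "FRIDA mode instead takes a different approach to avoid these limitations."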
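Review bot: The `@@ -45,6 +50,7 @@` hunk only adds a blank line under "## Usage", but its context line "to run on either QEMU of FRIDA mode respectively" carries a typo ("of" for "or") that is worth fixing while this section is being touched.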
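Review bot: In the `@@ -63,30 +69,26 @@` hunk, the added sentence "To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`." does not say what the `0` argument selects or how CMPLOG relates to the `AFL_FRIDA_*` variables listed directly above it, and it is the only mention of CMPLOG usage in the file now that the Design section only describes how CMPLOG instances are instrumented; a short explanation of the argument and a pointer to the relevant option would make the Usage section self-contained. The same hunk drops the `afl_frida` 5-10x paragraph, which leaves the Performance section opening with "Additionally, ..." although nothing precedes it in that section any more; consider rewording the opening sentence.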