-rw-r--r-- | Dockerfile | 2 | ||||
-rw-r--r-- | Makefile | 21 | ||||
-rw-r--r-- | README.md | 34 | ||||
-rwxr-xr-x | afl-cmin | 6 | ||||
-rwxr-xr-x | afl-whatsup | 78 | ||||
-rw-r--r-- | docs/Changelog.md | 8 | ||||
-rw-r--r-- | docs/README.md | 8 | ||||
-rw-r--r-- | docs/binaryonly_fuzzing.md | 2 | ||||
-rw-r--r-- | docs/ideas.md | 8 | ||||
-rw-r--r-- | docs/power_schedules.md | 1 | ||||
-rw-r--r-- | examples/qemu_persistent_hook/read_into_rdi.c | 7 | ||||
-rw-r--r-- | examples/qemu_persistent_hook/test.c | 2 | ||||
-rw-r--r-- | gcc_plugin/Makefile | 20 | ||||
-rw-r--r-- | include/afl-fuzz.h | 1 | ||||
-rw-r--r-- | libtokencap/Makefile | 4 | ||||
-rw-r--r-- | llvm_mode/Makefile | 10 | ||||
-rw-r--r-- | llvm_mode/README.lto.md | 2 | ||||
-rw-r--r-- | llvm_mode/afl-clang-fast.c | 9 | ||||
-rw-r--r-- | qemu_mode/README.persistent.md | 3 | ||||
-rw-r--r-- | qemu_mode/libcompcov/Makefile | 4 | ||||
-rw-r--r-- | qemu_mode/patches/afl-qemu-tcg-runtime-inl.h | 7 | ||||
-rw-r--r-- | src/afl-fuzz-bitmap.c | 2 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 69 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 2 | ||||
-rw-r--r-- | src/afl-fuzz-queue.c | 49 | ||||
-rw-r--r-- | src/afl-fuzz.c | 11 | ||||
-rwxr-xr-x | test/test.sh | 16 | ||||
-rwxr-xr-x | unicorn_mode/build_unicorn_support.sh | 2 |
28 files changed, 268 insertions, 120 deletions
diff --git a/Dockerfile b/Dockerfile index 396954ab..1adc2167 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,7 @@ ARG CC=gcc-9 ARG CXX=g++-9 ARG LLVM_CONFIG=llvm-config-9 -RUN git clone https://github.com/vanhauser-thc/AFLplusplus +RUN git clone https://github.com/AFLplusplus/AFLplusplus RUN cd AFLplusplus && make clean && make distrib && \ make install && cd .. && rm -rf AFLplusplus diff --git a/Makefile b/Makefile index e38efdb3..c8095b05 100644 --- a/Makefile +++ b/Makefile @@ -71,8 +71,8 @@ override CFLAGS += -Wall -g -Wno-pointer-sign -I include/ \ AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c) -ifneq "$(shell which python3m 2>/dev/null)" "" - ifneq "$(shell which python3m-config 2>/dev/null)" "" +ifneq "$(shell type python3m 2>/dev/null)" "" + ifneq "$(shell type python3m-config 2>/dev/null)" "" PYTHON_INCLUDE ?= $(shell python3m-config --includes) PYTHON_VERSION ?= $(strip $(shell python3m --version 2>&1)) # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag. @@ -84,8 +84,8 @@ ifneq "$(shell which python3m 2>/dev/null)" "" endif endif -ifneq "$(shell which python3 2>/dev/null)" "" - ifneq "$(shell which python3-config 2>/dev/null)" "" +ifneq "$(shell type python3 2>/dev/null)" "" + ifneq "$(shell type python3-config 2>/dev/null)" "" PYTHON_INCLUDE ?= $(shell python3-config --includes) PYTHON_VERSION ?= $(strip $(shell python3 --version 2>&1)) # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag. @@ -97,8 +97,8 @@ ifneq "$(shell which python3 2>/dev/null)" "" endif endif -ifneq "$(shell which python 2>/dev/null)" "" - ifneq "$(shell which python-config 2>/dev/null)" "" +ifneq "$(shell type python 2>/dev/null)" "" + ifneq "$(shell type python-config 2>/dev/null)" "" PYTHON_INCLUDE ?= $(shell python-config --includes) PYTHON_LIB ?= $(shell python-config --ldflags) PYTHON_VERSION ?= $(strip $(shell python --version 2>&1)) 
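Review bot: `ifneq "$(shell type python3m 2>/dev/null)" ""` is not a reliable presence test, because `$(shell …)` runs under /bin/sh and, where /bin/sh is dash, the `type` builtin prints `python3m: not found` on stdout, so the condition is true even when the interpreter is absent and the `?=` lines below then run `python3m-config` against a missing binary. The same pattern is introduced in the `@@ -84` and `@@ -97` hunks for python3 and python. `command -v` prints only the resolved path and nothing when the command is missing, so `ifneq "$(shell command -v python3m 2>/dev/null)" ""` (and likewise for the `-config` checks) tests what the old `which` tested. Each of the three `ifneq` blocks continues past its hunk.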
@@ -216,7 +216,7 @@ ifndef AFL_NO_X86 test_x86: @echo "[*] Checking for the default compiler cc..." - @which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 ) + @type $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 ) @echo "[*] Checking for the ability to compile x86 code..." @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 ) @rm -f .test1 @@ -336,7 +336,7 @@ test_build: afl-gcc afl-as afl-showmap ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr - @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi + @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi @echo "[+] All right, the instrumentation seems to be working!" else 
@@ -348,7 +348,7 @@ endif all_done: test_build - @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi + @if [ ! "`type clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi @echo "[+] All done! Be sure to review the README.md - it's pretty short and useful." @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null @@ -407,7 +407,7 @@ source-only: all radamsa @echo >> $@ @echo .SH AUTHOR >> $@ @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@ - @echo The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> $@ + @echo The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> $@ @echo >> $@ @echo .SH LICENSE >> $@ @echo Apache License Version 2.0, January 2004 >> $@ 
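Review bot: The all_done check `if [ ! "`type clang 2>/dev/null`" = "" ]` has the same dash problem as the python checks: `type clang` writes `clang: not found` to stdout when clang is absent, so the "LLVM users" hint is printed unconditionally on such systems. Testing the exit status avoids parsing `type`'s prose: `@if command -v clang >/dev/null 2>&1; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi`. The `@type $(CC) >/dev/null || …` line in the `@@ -216` hunk is fine because it already relies on the exit status rather than the output.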
@@ -430,6 +430,7 @@ endif if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi + if [ -f cmplog-instructions-pass.so ]; then set -e; install -m 755 cmplog-*-pass.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi diff --git a/README.md b/README.md index 7b36249e..ca321f31 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo"> -  +  - Release Version: 2.62c + Release Version: [2.62c](https://github.com/AFLplusplus/AFLplusplus/releases) Github Version: 2.62d @@ -12,7 +12,7 @@ Originally developed by Michal "lcamtuf" Zalewski. - Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) + Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) afl++ is maintained by: * Marc "van Hauser" Heuse <mh@mh-sec.de>, 
@@ -23,6 +23,18 @@ Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl), it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288) +## Branches + + The following branches exist: + + * [master/trunk](https://github.com/AFLplusplus/AFLplusplus/) : stable state of afl++ - it is synced from dev from time to + time when we are satisfied with it's stability + * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of afl++ - bleeding edge and you might catch a + checkout which does not compile or has a bug. *We only accept PRs in dev!!* + * (any other) : experimental branches to work on specific features or testing + new functionality or changes + + For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. ## The enhancements compared to the original stock afl @@ -88,7 +100,7 @@ So all in all this is the best-of afl that is currently out there :-) For new versions and additional information, check out: - [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) + [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) To compare notes with other users or get notified about major new features, send a mail to <afl-users+subscribe@googlegroups.com>. 
@@ -353,14 +365,16 @@ The available schedules are: - quad - lin - exploit + - mmopt In parallel mode (-M/-S, several instances with shared queue), we suggest to -run the master using the exploit schedule (-p exploit) and the slaves with a -combination of cut-off-exponential (-p coe), exponential (-p fast; default), -and explore (-p explore) schedules. +run the master using the explore or fast schedule (-p explore) and the slaves +with a combination of cut-off-exponential (-p coe), exponential (-p fast), +explore (-p explore) and mmopt (-p mmopt) schedules. If a schedule does +not perform well for a target, restart the slave with a different schedule. -In single mode, using -p fast is usually more beneficial than the default -explore mode. +In single mode, using -p fast is usually slightly more beneficial than the +default explore mode. (We don't want to change the default behaviour of afl, so "fast" has not been made the default mode). @@ -728,7 +742,7 @@ Thank you! ## 18) Contact Questions? Concerns? Bug reports? The contributors can be reached via -[https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) +[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) There is also a mailing list for the afl project; to join, send a mail to <afl-users+subscribe@googlegroups.com>. Or, if you prefer to browse diff --git a/afl-cmin b/afl-cmin index e48dc7d8..d96a103f 100755 --- a/afl-cmin +++ b/afl-cmin @@ -25,7 +25,7 @@ awk -f - -- ${@+"$@"} <<'EOF' # ln # cp # pwd -# which +# type # cd # find # stat @@ -264,7 +264,7 @@ BEGIN { if (target_bin && !exists_and_is_executable(target_bin)) { - "which "target_bin" 2>/dev/null" | getline tnew + "type "target_bin" | awk '{print $NF}' 2>/dev/null" | getline tnew if (!tnew || !exists_and_is_executable(tnew)) { print "[-] Error: binary '"target_bin"' not found or not executable." > "/dev/stderr" exit 1 
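Review bot: In `"type "target_bin" | awk '{print $NF}' 2>/dev/null" | getline tnew` the redirection applies to awk, not to `type`, so the shell's not-found diagnostic still reaches stderr, and taking the last whitespace-separated word of `type`'s prose output yields a non-path word for an alias, function or builtin (or `found` under dash when the binary is missing) and truncates any path containing spaces. The later exists_and_is_executable(tnew) check rejects the bogus value, but the resulting "not found or not executable" message then names the wrong thing. `command -v` prints the path alone: `"command -v "target_bin" 2>/dev/null" | getline tnew`. The same construct is used for afl-showmap in the `@@ -313` hunk on the next line.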
@@ -313,7 +313,7 @@ BEGIN { if (0 == system("test -f afl-cmin")) { showmap = "./afl-showmap" } else { - "which afl-showmap 2>/dev/null" | getline showmap + "type afl-showmap | awk '{print $NF}' 2>/dev/null" | getline showmap } } else { showmap = ENVIRON["AFL_PATH"] "/afl-showmap" diff --git a/afl-whatsup b/afl-whatsup index cc45423f..5983ca82 100755 --- a/afl-whatsup +++ b/afl-whatsup @@ -61,6 +61,9 @@ if [ -d queue ]; then fi +RED=`tput setaf 1 1 1` +NC=`tput sgr0` + CUR_TIME=`date +%s` TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1 @@ -75,6 +78,12 @@ TOTAL_CRASHES=0 TOTAL_PFAV=0 TOTAL_PENDING=0 +# Time since last path / crash / hang, formatted as string +FMT_TIME="0 days 0 hours" +FMT_PATH="${RED}none seen yet${NC}" +FMT_CRASH="none seen yet" +FMT_HANG="none seen yet" + if [ "$SUMMARY_ONLY" = "" ]; then echo "Individual fuzzers" @@ -83,6 +92,30 @@ if [ "$SUMMARY_ONLY" = "" ]; then fi +fmt_duration() +{ + DUR_STRING= + if [ $1 -eq 0 ]; then + return 1 + fi + + local duration=$((CUR_TIME - $1)) + local days=$((duration / 60 / 60 / 24)) + local hours=$(((duration / 60 / 60) % 24)) + local minutes=$(((duration / 60) % 60)) + local seconds=$((duration % 60)) + + if [ $days -gt 0 ]; then + DUR_STRING="$days days, $hours hours" + elif [ $hours -gt 0 ]; then + DUR_STRING="$hours hours, $minutes minutes" + elif [ $minutes -gt 0 ]; then + DUR_STRING="$minutes minutes, $seconds seconds" + else + DUR_STRING="$seconds seconds" + fi +} + for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP" @@ -94,7 +127,7 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do if [ "$SUMMARY_ONLY" = "" ]; then - echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<" + echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<" echo fi 
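Review bot: `RED=`tput setaf 1 1 1`` and `NC=`tput sgr0`` in the `@@ -61` hunk emit terminal escape sequences unconditionally, so when afl-whatsup output is redirected to a file or piped to another tool the colour codes end up in the text, and tput also writes a diagnostic to stderr when TERM is unset. Guarding on a terminal keeps the plain-text output clean: `if [ -t 1 ]; then RED=`tput setaf 1 2>/dev/null`; NC=`tput sgr0 2>/dev/null`; else RED=; NC=; fi`. In fmt_duration (`@@ -83` hunk) `if [ $1 -eq 0 ]` uses an unquoted `$1`; if a caller passes an empty value (a stats field missing from fuzzer_stats, presumably) the test itself errors instead of returning 1 cleanly, so `if [ "${1:-0}" -eq 0 ]` would be more robust.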
@@ -127,6 +160,28 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do if [ "$SUMMARY_ONLY" = "" ]; then + # Warnings in red + TIMEOUT_PERC=$((exec_timeout * 100 / execs_done)) + if [ $TIMEOUT_PERC -ge 10 ]; then + echo " ${RED}timeout_ratio $TIMEOUT_PERC%${NC}" + fi + + if [ $EXEC_SEC -lt 100 ]; then + echo " ${RED}slow execution, $EXEC_SEC execs/sec${NC}" + fi + + fmt_duration $last_path && FMT_PATH=$DUR_STRING + fmt_duration $last_crash && FMT_CRASH=$DUR_STRING + fmt_duration $last_hang && FMT_HANG=$DUR_STRING + + echo " last_path : $FMT_PATH" + echo " last_crash : $FMT_CRASH" + echo " last_hang : $FMT_HANG" + + CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}') + MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}') + + echo " cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%" echo " cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)" if [ "$unique_crashes" = "0" ]; then @@ -141,6 +196,20 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do done +# Formatting for total time, time since last path, crash, and hang +fmt_duration $((CUR_TIME - TOTAL_TIME)) && FMT_TIME=$DUR_STRING +# Formatting for total execution +FMT_EXECS="0 millions" +EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000)) +EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000)) +if [ $EXECS_MILLION -gt 9 ]; then + FMT_EXECS="$EXECS_MILLION millions" +elif [ $EXECS_MILLION -gt 0 ]; then + FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands" +else + FMT_EXECS="$EXECS_THOUSAND thousands" +fi + rm -f "$TMP" TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24)) 
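Review bot: `TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))` divides by zero for an instance whose stats file reports execs_done=0 (freshly started or never executed), which aborts the expansion with an arithmetic error and, in some shells, terminates the script. `ps aux | grep $fuzzer_pid | grep -v grep` also matches the pid as a substring anywhere in the ps line (other pids, memory columns, command-line arguments) and runs grep without a pattern if fuzzer_pid is empty; asking ps for the process directly avoids both. The enclosing `for i in …fuzzer_stats` loop starts and ends outside the hunk.

```shell
# … unchanged: SUMMARY_ONLY check …
TIMEOUT_PERC=0
if [ "${execs_done:-0}" -gt 0 ]; then
  TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))
fi
# … unchanged: timeout / slow-execution warnings, last_* formatting …
CPU_USAGE=$(ps -o %cpu= -p "$fuzzer_pid" 2>/dev/null)
MEM_USAGE=$(ps -o %mem= -p "$fuzzer_pid" 2>/dev/null)
# … unchanged: cpu/memory and cycle echo lines …
```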
@@ -157,9 +226,12 @@ if [ ! "$DEAD_CNT" = "0" ]; then echo " Dead or remote : $DEAD_CNT (excluded from stats)" fi -echo " Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours" -echo " Total execs : $((TOTAL_EXECS / 1000 / 1000)) million" +echo " Total run time : $FMT_TIME" +echo " Total execs : $FMT_EXECS" echo " Cumulative speed : $TOTAL_EPS execs/sec" +if [ "$ALIVE_CNT" -gt "0" ]; then + echo " Average speed : $((TOTAL_EPS / ALIVE_CNT)) execs/sec" +fi echo " Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total" if [ "$ALIVE_CNT" -gt "1" ]; then diff --git a/docs/Changelog.md b/docs/Changelog.md index 177054e2..e1f3cd7e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -20,17 +20,21 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - python mutator modules and custom mutator modules now use the same interface and hence the API changed - AFL_AUTORESUME will resume execution without the need to specify `-i -` + - added experimental power schedule -p mmopt that ignores the runtime of + queue entries and gives higher weighting to the last 5 queue entries + it is currently experimental and subject to change but preliminary + results are good - LTO collision free instrumented added in llvm_mode with afl-clang-lto - note that this mode is amazing, but quite some targets won't compile - llvm_mode InsTrim mode: - removed workaround for bug where paths were not instrumented and imported fix by author - made skipping 1 block functions an option and is disable by default, - set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to renable this + set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this - qemu_mode: - qemu_mode now uses solely the internal capstone version to fix builds on modern Linux distributions - - QEMU now logs routines arguments for CmpLog when the target is x86 + - QEMU now logs routine arguments for CmpLog when the target is x86 - afl-tmin: - now supports hang mode `-H` to minimize hangs - fixed potential afl-tmin missbehavior for targets with multiple hangs diff --git a/docs/README.md b/docs/README.md index 3b572d42..cfa1cfc6 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,6 +1,6 @@ # american fuzzy lop plus plus (afl++) -  +  Release Version: 2.60c 
@@ -11,7 +11,7 @@ Originally developed by Michal "lcamtuf" Zalewski. - Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) + Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) afl++ is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <mail@dmnk.co>. @@ -75,7 +75,7 @@ So all in all this is the best-of afl that is currently out there :-) For new versions and additional information, check out: - [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) + [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) To compare notes with other users or get notified about major new features, send a mail to <afl-users+subscribe@googlegroups.com>. @@ -675,7 +675,7 @@ Thank you! ## 16) Contact Questions? Concerns? Bug reports? The contributors can be reached via -[https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) +[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) There is also a mailing list for the afl project; to join, send a mail to <afl-users+subscribe@googlegroups.com>. Or, if you prefer to browse diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index e49c9b3e..f005a9b7 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md 
@@ -148,7 +148,7 @@ There is a WIP fuzzer available at [https://github.com/andreafioraldi/frida-fuzzer](https://github.com/andreafioraldi/frida-fuzzer) There is also an early implementation in an AFL++ test branch: - [https://github.com/vanhauser-thc/AFLplusplus/tree/frida](https://github.com/vanhauser-thc/AFLplusplus/tree/frida) + [https://github.com/AFLplusplus/AFLplusplus/tree/frida](https://github.com/AFLplusplus/AFLplusplus/tree/frida) ## PIN & DYNAMORIO diff --git a/docs/ideas.md b/docs/ideas.md index f18b0f6d..44dcccb2 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -4,7 +4,7 @@ In the following, we describe a variety of ideas that could be implemented for future AFL++ versions. For GSOC2020 interested students please see -[https://github.com/vanhauser-thc/AFLplusplus/issues/208](https://github.com/vanhauser-thc/AFLplusplus/issues/208) +[https://github.com/AFLplusplus/AFLplusplus/issues/208](https://github.com/AFLplusplus/AFLplusplus/issues/208) ## Flexible Grammar Mutator @@ -52,7 +52,7 @@ There also is/was a FreeBSD project at [https://github.com/veracode-research/fre This enables snapshot fuzzing on Linux with an incredible performance! Mentor: any -Idea/Issue tracker: [https://github.com/vanhauser-thc/AFLplusplus/issues/248](https://github.com/vanhauser-thc/AFLplusplus/issues/248) +Idea/Issue tracker: [https://github.com/AFLplusplus/AFLplusplus/issues/248](https://github.com/AFLplusplus/AFLplusplus/issues/248) ## QEMU 4-based Instrumentation 
@@ -111,10 +111,10 @@ Note: this is already in development for qemu by Andrea, so for people who want to contribute it might make more sense to port his solution to unicorn. Mentor: andreafioraldi or domenukk -Issue/idea tracker: [https://github.com/vanhauser-thc/AFLplusplus/issues/237](https://github.com/vanhauser-thc/AFLplusplus/issues/237) +Issue/idea tracker: [https://github.com/AFLplusplus/AFLplusplus/issues/237](https://github.com/AFLplusplus/AFLplusplus/issues/237) ## Your idea! Finally, we are open to proposals! -Create an issue at https://github.com/vanhauser-thc/AFLplusplus/issues and let's discuss :-) +Create an issue at https://github.com/AFLplusplus/AFLplusplus/issues and let's discuss :-) diff --git a/docs/power_schedules.md b/docs/power_schedules.md index 4026aedf..cdada0f6 100644 --- a/docs/power_schedules.md +++ b/docs/power_schedules.md @@ -19,6 +19,7 @@ We find that AFL's exploitation-based constant schedule assigns **too much energ | `-p quad` |  | | `-p lin` |  | | `-p exploit` (AFL) |  | +| `-p mmopt` | Experimental: `explore` with no weighting to runtime and increased weighting on the last 5 queue entries | where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path. More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/). diff --git a/examples/qemu_persistent_hook/read_into_rdi.c b/examples/qemu_persistent_hook/read_into_rdi.c index 43f1758f..6cf66ddf 100644 --- a/examples/qemu_persistent_hook/read_into_rdi.c +++ b/examples/qemu_persistent_hook/read_into_rdi.c 
@@ -38,12 +38,13 @@ enum {
 void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) {
 // In this example the register RDI is pointing to the memory location
- // of the target buffer, and the length of the input is in RAX.
+ // of the target buffer, and the length of the input is in RSI.
+ // This can be seen with a debugger, e.g. gdb (and "disass main")
 printf("reading into %p\n", regs[R_EDI]);
 size_t r = read(0, g2h(regs[R_EDI]), 1024);
- regs[R_EAX] = r;
- printf("readed %ld bytes\n", r);
+ regs[R_ESI] = r;
+ printf("read %ld bytes\n", r);
 }
diff --git a/examples/qemu_persistent_hook/test.c b/examples/qemu_persistent_hook/test.c
index 83001545..f6672027 100644
--- a/examples/qemu_persistent_hook/test.c
+++ b/examples/qemu_persistent_hook/test.c
@@ -1,6 +1,6 @@
 #include <stdio.h>
-int target_func(char *buf, int size) {
+int target_func(unsigned char *buf, int size) {
 printf("buffer:%p, size:%p\n", buf, size);
 switch (buf[0]) {
diff --git a/gcc_plugin/Makefile b/gcc_plugin/Makefile
index 6e8821e1..17962401 100644
--- a/gcc_plugin/Makefile
+++ b/gcc_plugin/Makefile
@@ -21,8 +21,10 @@
 #
 PREFIX ?= /usr/local
-HELPER_PATH = $(PREFIX)/lib/afl
-BIN_PATH = $(PREFIX)/bin
+HELPER_PATH ?= $(PREFIX)/lib/afl
+BIN_PATH ?= $(PREFIX)/bin
+DOC_PATH ?= $(PREFIX)/share/doc/afl
+MAN_PATH ?= $(PREFIX)/man/man8
 VERSION = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
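Review bot: `size_t r = read(0, g2h(regs[R_EDI]), 1024); regs[R_ESI] = r;` stores read()'s ssize_t result in an unsigned variable, so a -1 error return becomes SIZE_MAX and is handed to the guest in RSI as the input length, making the target treat the buffer as enormous; `%ld` with a size_t argument is also a format mismatch. Keeping the signed type and clamping the error case to zero gives the guest a length it can trust. The fixed 1024 presumably matches the guest buffer's capacity; a comment stating that assumption would help readers who adapt the example.

```c
void afl_persistent_hook(uint64_t *regs, uint64_t guest_base) {
  // … unchanged: explanatory comment and "reading into" printf …
  ssize_t r = read(0, g2h(regs[R_EDI]), 1024);  // 1024 assumed <= guest buffer size
  if (r < 0) r = 0;                              // report an error as an empty input
  regs[R_ESI] = r;
  printf("read %zd bytes\n", r);
}
```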
@@ -42,7 +44,7 @@ PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include HASH=\# GCCVER = $(shell $(CC) --version 2>/dev/null | awk 'NR == 1 {print $$NF}') -GCCBINDIR = $(shell dirname `which $(CC)` 2>/dev/null ) +GCCBINDIR = $(shell dirname `type $(CC) | awk '{print $$NF}'` 2>/dev/null ) ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1" SHMAT_OK=1 @@ -79,7 +81,7 @@ endif test_deps: @echo "[*] Checking for working '$(CC)'..." - @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) + @type $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) # @echo "[*] Checking for gcc for plugin support..." # @$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 ) @echo "[*] Checking for gcc plugin development header files..." 
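Review bot: ``GCCBINDIR = $(shell dirname `type $(CC) | awk '{print $$NF}'` 2>/dev/null )`` relies on the last word of `type`'s prose output being a path, which fails when `$(CC)` resolves to an alias, function or builtin and, under dash, yields `found` when the compiler is missing, so dirname silently returns `.`; the `2>/dev/null` also only silences dirname, not `type`. ``GCCBINDIR = $(shell dirname `command -v $(CC)` 2>/dev/null )`` prints the path alone and nothing on failure. The same `type … | awk '{print $$NF}'` construct is used for `-fuse-ld` in llvm_mode/Makefile (`@@ -159` hunk) and would benefit from the same change. Since the line is being touched anyway, `:=` would stop this `$(shell)` from re-running on every expansion.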
@@ -108,7 +110,7 @@ test_build: $(PROGS) ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null echo 1 | ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr - @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi + @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi @echo "[+] All right, the instrumentation seems to be working!" all_done: test_build 
@@ -131,12 +133,18 @@ vpath % .. @echo >> ../$@ @echo .SH AUTHOR >> ../$@ @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@ - @echo The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@ + @echo The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ../$@ @echo >> ../$@ @echo .SH LICENSE >> ../$@ @echo Apache License Version 2.0, January 2004 >> ../$@ ln -sf afl-gcc-fast.8 ../afl-g++-fast.8 +install: all + install -m 755 ../afl-gcc-fast $${DESTDIR}$(BIN_PATH) + install -m 755 ../afl-gcc-pass.so ../afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH) + install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md + install -m 644 -T README.whitelist.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin_whitelist.md + clean: rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2 rm -f $(PROGS) afl-common.o ../afl-g++-fast ../afl-g*-fast.8 diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 04a4e5cc..620f5062 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -230,6 +230,7 @@ enum { /* 03 */ LIN, /* Linear schedule */ /* 04 */ QUAD, /* Quadratic schedule */ /* 05 */ EXPLOIT, /* AFL's exploitation-based const. */ + /* 06 */ MMOPT, /* Modified MOPT schedule */ POWER_SCHEDULES_NUM diff --git a/libtokencap/Makefile b/libtokencap/Makefile index 0253d3d1..4889479b 100644 --- a/libtokencap/Makefile +++ b/libtokencap/Makefile @@ -15,6 +15,8 @@ PREFIX ?= /usr/local HELPER_PATH = $(PREFIX)/lib/afl +DOC_PATH ?= $(PREFIX)/share/doc/afl +MAN_PATH ?= $(PREFIX)/man/man8 VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 
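Review bot: The new gcc_plugin install target copies into `$${DESTDIR}$(BIN_PATH)`, `$(HELPER_PATH)` and `$(DOC_PATH)` without creating any of them, so on a fresh PREFIX or DESTDIR the first `install` fails; adding `install -m 755 -d $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH)` as the first recipe line mirrors what libtokencap's install target already does for HELPER_PATH. The same missing `install -d` for `$(DOC_PATH)` affects the libtokencap (`@@ -57`, next line) and libcompcov (`@@ -38`) install hunks, which now write README files into a directory nobody creates. `install -T` is GNU coreutils specific; since each destination is a full file name, plain `install -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md` works on BSD install as well once the directory exists. MAN_PATH is defined in this file but the generated afl-gcc-fast.8 man page is not installed here, which looks like an oversight; if `install` is not already listed in `.PHONY` (outside the hunk), it should be.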
@@ -57,5 +59,5 @@ clean: install: all install -m 755 -d $${DESTDIR}$(HELPER_PATH) install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH) - install -m 644 README.tokencap.md $${DESTDIR}$(HELPER_PATH) + install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.tokencap.md diff --git a/llvm_mode/Makefile b/llvm_mode/Makefile index d975c300..5ce0e579 100644 --- a/llvm_mode/Makefile +++ b/llvm_mode/Makefile @@ -159,7 +159,7 @@ ifeq "$(shell uname)" "OpenBSD" CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so endif -ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -fuse-ld=`which ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" +ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -fuse-ld=`type ld | awk '{print $$NF}'` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1" CFLAGS += -DAFL_CLANG_FUSELD=1 endif 
@@ -220,13 +220,13 @@ test_deps: ifndef AFL_TRACE_PC @echo "[*] Checking for working 'llvm-config'..." ifneq "$(LLVM_APPLE)" "1" - @which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) + @type $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo " (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 ) endif else @echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM)." endif @echo "[*] Checking for working '$(CC)'..." - @which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) + @type $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 ) @echo "[*] Checking for matching versions of '$(CC)' and '$(LLVM_CONFIG)'" ifneq "$(CLANGVER)" "$(LLVMVER)" @echo "[!] WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)" 
@@ -309,7 +309,7 @@ test_build: $(PROGS) ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null echo 1 | ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr1 ./test-instr @rm -f test-instr - @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi + @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi @echo "[+] All right, the instrumentation seems to be working!" all_done: test_build @@ -332,7 +332,7 @@ vpath % .. @echo >> ../$@ @echo .SH AUTHOR >> ../$@ @echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@ - @echo The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@ + @echo The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ../$@ @echo >> ../$@ @echo .SH LICENSE >> ../$@ @echo Apache License Version 2.0, January 2004 >> ../$@ diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 66d0de79..28b3b045 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md 
@@ -210,7 +210,7 @@ be implemented ... afl-clang-lto is still work in progress. Complex targets are still likely not to compile and this needs to be fixed. Please report issues at: -[https://github.com/vanhauser-thc/AFLplusplus/issues/226](https://github.com/vanhauser-thc/AFLplusplus/issues/226) +[https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226) Known issues: * ffmpeg diff --git a/llvm_mode/afl-clang-fast.c b/llvm_mode/afl-clang-fast.c index 437f4656..313a2533 100644 --- a/llvm_mode/afl-clang-fast.c +++ b/llvm_mode/afl-clang-fast.c @@ -531,7 +531,9 @@ int main(int argc, char **argv, char **envp) { debug = 1; if (strcmp(getenv("AFL_DEBUG"), "0") == 0) unsetenv("AFL_DEBUG"); - } + } else if (getenv("AFL_QUIET")) + + be_quiet = 1; if (strstr(argv[0], "afl-clang-lto") != NULL) callname = "afl-clang-lto"; @@ -619,7 +621,7 @@ int main(int argc, char **argv, char **envp) { exit(1); - } else if ((isatty(2) && !getenv("AFL_QUIET")) || + } else if ((isatty(2) && !be_quiet) || getenv("AFL_DEBUG") != NULL) { @@ -654,7 +656,8 @@ int main(int argc, char **argv, char **envp) { check_environment_vars(envp); cmplog_mode = getenv("AFL_CMPLOG") || getenv("AFL_LLVM_CMPLOG"); - if (cmplog_mode) printf("CmpLog mode by <andreafioraldi@gmail.com>\n"); + if (!be_quiet && cmplog_mode) + printf("CmpLog mode by <andreafioraldi@gmail.com>\n"); #ifndef __ANDROID__ find_obj(argv[0]); diff --git a/qemu_mode/README.persistent.md b/qemu_mode/README.persistent.md index c96a451b..46077402 100644 --- a/qemu_mode/README.persistent.md +++ b/qemu_mode/README.persistent.md 
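Review bot: `} else if (getenv("AFL_QUIET"))` followed by a blank line and an unbraced `be_quiet = 1;` reads as a stray statement and is inconsistent with the braced `if (getenv("AFL_DEBUG")) { … }` it is attached to; bracing it, `} else if (getenv("AFL_QUIET")) { be_quiet = 1; }`, makes the structure obvious. Because it is the else branch of the AFL_DEBUG test, AFL_QUIET is ignored whenever AFL_DEBUG is set, which is probably intended but deserves a comment such as `/* AFL_DEBUG takes precedence over AFL_QUIET */`. `be_quiet` is presumably a file-scope flag declared outside the hunk; main() starts and ends outside it.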
@@ -26,7 +26,8 @@ hexadecimal with the 0x prefix or as a decimal value. If the target is compiled with position independant code (PIE/PIC), you must add 0x4000000000 to that address, because qemu loads to this base address. On strange setups the base address set by QEMU for PIE executable may change, -you can check it printing the process map using AFL_QEMU_DEBUG_MAPS=1. +you can check it printing the process map using +`AFL_QEMU_DEBUG_MAPS=1 afl-qemu-trace TARGET-BINARY` If this address is not valid, afl-fuzz will error during startup with the message that the forkserver was not found. diff --git a/qemu_mode/libcompcov/Makefile b/qemu_mode/libcompcov/Makefile index 07bab99d..f06ac2af 100644 --- a/qemu_mode/libcompcov/Makefile +++ b/qemu_mode/libcompcov/Makefile @@ -15,6 +15,8 @@ PREFIX ?= /usr/local HELPER_PATH = $(PREFIX)/lib/afl +DOC_PATH ?= $(PREFIX)/share/doc/afl +MAN_PATH ?= $(PREFIX)/man/man8 VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) @@ -38,5 +40,5 @@ compcovtest: compcovtest.cc install: all install -m 755 ../../libcompcov.so $${DESTDIR}$(HELPER_PATH) - install -m 644 README.compcov $${DESTDIR}$(HELPER_PATH) + install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.compcov.md diff --git a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h index 04fcde4e..b7cd71bb 100644 --- a/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h +++ b/qemu_mode/patches/afl-qemu-tcg-runtime-inl.h @@ -171,7 +171,7 @@ static int area_is_mapped(void *ptr, size_t len) { } -void HELPER(afl_cmplog_rtn)(CPUX86State *env) { +void HELPER(afl_cmplog_rtn)(CPUArchState *env) { #if defined(TARGET_X86_64) @@ -199,7 +199,12 @@ void HELPER(afl_cmplog_rtn)(CPUX86State *env) { if (!area_is_mapped(ptr1, 32) || !area_is_mapped(ptr2, 32)) return; +#if defined(TARGET_X86_64) || defined(TARGET_I386) uintptr_t k = (uintptr_t)env->eip; +#else + uintptr_t k = 0; +#endif + k = (k >> 4) ^ (k << 8); k &= CMP_MAP_W - 1; 
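Review bot: In the libcompcov Makefile hunk at @@ -38, `install -T` is a GNU coreutils option that BSD and macOS `install` do not accept, and `$${DESTDIR}$(DOC_PATH)` is never created before the copy, so a fresh install fails on the new line even on GNU systems. Dropping `-T` and adding a directory step keeps the behaviour: `install -d $${DESTDIR}$(DOC_PATH)` followed by `install -m 644 README.md $${DESTDIR}$(DOC_PATH)/README.compcov.md` (without `-T`, a destination that is not an existing directory is used as the file name). `MAN_PATH`, added at @@ -15, is not referenced on any visible line of this file; if nothing else uses it, it is dead. The `install:` rule is fully inside the hunk.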
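Review bot: In the afl-qemu-tcg-runtime-inl.h hunk at @@ -199, the new `#else` branch sets `k = 0`, and after the shift/xor and `& (CMP_MAP_W - 1)` that is still 0, so on every non-x86 target all call sites of `afl_cmplog_rtn` collide in CMP map slot 0 and the entry carries a mix of unrelated comparisons. If the helper only ever runs for x86 guests (the `#if defined(TARGET_X86_64)` just below the signature at @@ -171 suggests the operands come from x86 registers; please confirm), this is a compile-only fix and a comment saying so would help, e.g. `/* no guest PC on this arch: key 0 only; helper is effectively x86-only */`; otherwise an early `return;` in the `#else` branch is safer than a shared key. `afl_cmplog_rtn`'s body continues outside the hunk.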
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c index f9f05131..7e2d3212 100644 --- a/src/afl-fuzz-bitmap.c +++ b/src/afl-fuzz-bitmap.c @@ -499,7 +499,7 @@ static void write_crash_readme(afl_state_t *afl) { "drop\n" "an mail at <afl-users@googlegroups.com> once the issues are fixed\n\n" - " https://github.com/vanhauser-thc/AFLplusplus\n\n", + " https://github.com/AFLplusplus/AFLplusplus\n\n", afl->orig_cmdline, DMS(afl->fsrv.mem_limit << 20)); /* ignore errors */ diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index 1f207870..efffa749 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -30,8 +30,8 @@ s8 interesting_8[] = {INTERESTING_8}; s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; -char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", - "lin", "quad", "exploit"}; +char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", "lin", + "quad", "exploit", "mmopt"}; u8 *doc_path = NULL; /* gath to documentation dir */ 
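Review bot: In the afl-fuzz-globals.c hunk at @@ -30, the `power_names` initializer now has seven strings, which is only correct if `POWER_SCHEDULES_NUM` was raised to 7 and `MMOPT` is the last enumerator of the schedule enum; otherwise GCC merely warns about the excess initializer and the name printed for a schedule is off by one. The one-line change to include/afl-fuzz.h in this commit's diffstat is presumably that bump, but it is not visible here. A comment making the coupling explicit would help, e.g. `/* order must match the power schedule enum; count is POWER_SCHEDULES_NUM */`.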
@@ -148,130 +148,151 @@ void read_afl_environment(afl_state_t *afl, char **envp) { match = 1; if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) { - afl->afl_env.afl_skip_cpufreq = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_skip_cpufreq = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE", afl_environment_variable_len)) { - afl->afl_env.afl_exit_when_done = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_exit_when_done = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_NO_AFFINITY", afl_environment_variable_len)) { - afl->afl_env.afl_no_affinity = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_no_affinity = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_SKIP_CRASHES", afl_environment_variable_len)) { - afl->afl_env.afl_skip_crashes = (u8 *)get_afl_env(env); + afl->afl_env.afl_skip_crashes = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_HANG_TMOUT", afl_environment_variable_len)) { - afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(env); + afl->afl_env.afl_hang_tmout = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { - afl->afl_env.afl_skip_bin_check = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_skip_bin_check = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_DUMB_FORKSRV", afl_environment_variable_len)) { - afl->afl_env.afl_dumb_forksrv = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_dumb_forksrv = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_IMPORT_FIRST", afl_environment_variable_len)) { - afl->afl_env.afl_import_first = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_import_first = + get_afl_env(afl_environment_variables[i]) ? 
1 : 0; } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY", afl_environment_variable_len)) { - afl->afl_env.afl_custom_mutator_only = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_custom_mutator_only = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { - afl->afl_env.afl_no_ui = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_no_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_FORCE_UI", afl_environment_variable_len)) { - afl->afl_env.afl_force_ui = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_force_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) { afl->afl_env.afl_i_dont_care_about_missing_crashes = - get_afl_env(env) ? 1 : 0; + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_BENCH_JUST_ONE", afl_environment_variable_len)) { - afl->afl_env.afl_bench_just_one = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_bench_just_one = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH", afl_environment_variable_len)) { - afl->afl_env.afl_bench_until_crash = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_bench_until_crash = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", afl_environment_variable_len)) { - afl->afl_env.afl_debug_child_output = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_debug_child_output = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_AUTORESUME", afl_environment_variable_len)) { - afl->afl_env.afl_autoresume = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_autoresume = + get_afl_env(afl_environment_variables[i]) ? 
1 : 0; } else if (!strncmp(env, "AFL_TMPDIR", afl_environment_variable_len)) { - afl->afl_env.afl_tmpdir = (u8 *)get_afl_env(env); + afl->afl_env.afl_tmpdir = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_POST_LIBRARY", afl_environment_variable_len)) { - afl->afl_env.afl_post_library = (u8 *)get_afl_env(env); + afl->afl_env.afl_post_library = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", afl_environment_variable_len)) { - afl->afl_env.afl_custom_mutator_library = (u8 *)get_afl_env(env); + afl->afl_env.afl_custom_mutator_library = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PYTHON_MODULE", afl_environment_variable_len)) { - afl->afl_env.afl_python_module = (u8 *)get_afl_env(env); + afl->afl_env.afl_python_module = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) { - afl->afl_env.afl_path = (u8 *)get_afl_env(env); + afl->afl_env.afl_path = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PRELOAD", afl_environment_variable_len)) { - afl->afl_env.afl_preload = (u8 *)get_afl_env(env); + afl->afl_env.afl_preload = + (u8 *)get_afl_env(afl_environment_variables[i]); } diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 40ee7d7f..6b5fa24f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -181,7 +181,7 @@ void bind_to_free_cpu(afl_state_t *afl) { ck_free(procs); #else #warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/vanhauser-thc/AFLplusplus" + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" #endif size_t cpu_start = 0; diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 37d18a2d..cfeab798 100644 --- a/src/afl-fuzz-queue.c 
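Review bot: In the read_afl_environment hunk starting at @@ -148, every branch now passes `afl_environment_variables[i]` to `get_afl_env` while the `strncmp` on the preceding line still compares `env` against a string literal, so the literal and the table entry for index `i` have to stay in sync by hand and a mismatch silently reads another variable's value. Binding the name once before the chain, `const char *name = afl_environment_variables[i];`, and using `name` in both the comparison and the lookup removes the duplication (the edit touches each branch, so it is described rather than quoted). The fix itself looks right if `env` is the raw `NAME=value` entry from `envp` and `get_afl_env` expects a bare name; I cannot see either definition, so please confirm. The function and its `for` loop begin before the hunk and the `else if` chain continues past it.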
+++ b/src/afl-fuzz-queue.c @@ -328,20 +328,24 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (q->exec_us * 0.1 > avg_exec_us) - perf_score = 10; - else if (q->exec_us * 0.25 > avg_exec_us) - perf_score = 25; - else if (q->exec_us * 0.5 > avg_exec_us) - perf_score = 50; - else if (q->exec_us * 0.75 > avg_exec_us) - perf_score = 75; - else if (q->exec_us * 4 < avg_exec_us) - perf_score = 300; - else if (q->exec_us * 3 < avg_exec_us) - perf_score = 200; - else if (q->exec_us * 2 < avg_exec_us) - perf_score = 150; + if (afl->schedule != MMOPT) { + + if (q->exec_us * 0.1 > avg_exec_us) + perf_score = 10; + else if (q->exec_us * 0.25 > avg_exec_us) + perf_score = 25; + else if (q->exec_us * 0.5 > avg_exec_us) + perf_score = 50; + else if (q->exec_us * 0.75 > avg_exec_us) + perf_score = 75; + else if (q->exec_us * 4 < avg_exec_us) + perf_score = 300; + else if (q->exec_us * 3 < avg_exec_us) + perf_score = 200; + else if (q->exec_us * 2 < avg_exec_us) + perf_score = 150; + + } /* Adjust score based on bitmap size. The working theory is that better coverage translates to better targets. Multiplier from 0.25x to 3x. */ @@ -431,12 +435,9 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { break; case FAST: - if (q->fuzz_level < 16) { - + if (q->fuzz_level < 16) factor = ((u32)(1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz); - - } else - + else factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_p2(fuzz)); break; @@ -446,6 +447,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { factor = q->fuzz_level * q->fuzz_level / (fuzz == 0 ? 1 : fuzz); break; + case MMOPT: + + if (afl->max_depth - q->depth < 5) perf_score *= 1.5; + + break; + default: PFATAL("Unknown Power Schedule"); } 
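Review bot: The new `case MMOPT:` at @@ -446 has no comment, and the hunks at @@ -328 and @@ -446 are the only places that say what the schedule does: it skips the execution-time scaling and gives entries within 5 levels of `afl->max_depth` a 1.5x boost, with `perf_score *= 1.5` going through a double and truncating back to the `u32`. A short comment on the case, e.g. `/* MMOPT: no exec-time scaling (see above); 1.5x for entries within 5 levels of max_depth */`, would spare the next reader a search through docs/power_schedules.md. `afl->max_depth - q->depth` is an unsigned difference (same idiom as the existing `< 3` check at @@ -458), so an entry deeper than `max_depth` wraps and simply gets no boost; fine if that cannot happen, worth a note if it can. `calculate_score` continues outside the hunk.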
@@ -458,8 +465,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) perf_score *= 2; else if (perf_score < 1) - perf_score = - 1; // Add a lower bound to AFLFast's energy assignment strategies + // Add a lower bound to AFLFast's energy assignment strategies + perf_score = 1; /* Make sure that we don't go over limit. */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 5e2b89ad..10fee76c 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -96,8 +96,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Execution control settings:\n" " -p schedule - power schedules recompute a seed's performance " "score.\n" - " <explore (default), fast, coe, lin, quad, or " - "exploit>\n" + " <explore (default), fast, coe, lin, quad, exploit, " + "mmopt>\n" " see docs/power_schedules.md\n" " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n" @@ -300,6 +300,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = QUAD; + } else if (!stricmp(optarg, "mopt") || !stricmp(optarg, "mmopt")) { + + afl->schedule = MMOPT; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) { @@ -671,7 +675,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " "Eißfeldt, Andrea Fioraldi and Dominik Maier"); OKF("afl++ is open source, get it at " - "https://github.com/vanhauser-thc/AFLplusplus"); + "https://github.com/AFLplusplus/AFLplusplus"); OKF("Power schedules from github.com/mboehme/aflfast"); OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); 
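Review bot: In the afl-fuzz.c hunk at @@ -300, `-p mopt` is accepted as an alias for `mmopt`, but the usage text added at @@ -96 lists only `mmopt`, and the OKF at @@ -755 calls this the "modified MOpt" schedule, i.e. something distinct from MOpt itself, so an undocumented `mopt` spelling is likely to be taken for the unmodified scheme. Either drop `!stricmp(optarg, "mopt") ||` or add the alias to the usage line, e.g. `"mmopt (alias: mopt)>\n"`. `main` continues outside the hunk.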
@@ -755,6 +759,7 @@ int main(int argc, char **argv_orig, char **envp) { break; case LIN: OKF("Using linear power schedule (LIN)"); break; case QUAD: OKF("Using quadratic power schedule (QUAD)"); break; + case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break; case EXPLORE: OKF("Using exploration-based constant power schedule (EXPLORE)"); break; diff --git a/test/test.sh b/test/test.sh index 6dcf3e67..49dfb1a9 100755 --- a/test/test.sh +++ b/test/test.sh @@ -222,8 +222,8 @@ $ECHO "$BLUE[*] Testing: llvm_mode, afl-showmap, afl-fuzz, afl-cmin and afl-tmin test -e ../afl-clang-fast -a -e ../split-switches-pass.so && { # on FreeBSD need to set AFL_CC test `uname -s` = 'FreeBSD' && { - if which clang >/dev/null; then - export AFL_CC=`which clang` + if type clang >/dev/null; then + export AFL_CC=`type clang | awk '{print $NF}'` else export AFL_CC=`$LLVM_CONFIG --bindir`/clang fi @@ -400,8 +400,8 @@ $ECHO "$BLUE[*] Testing: LTO llvm_mode" test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { # on FreeBSD need to set AFL_CC test `uname -s` = 'FreeBSD' && { - if which clang >/dev/null; then - export AFL_CC=`which clang` + if type clang >/dev/null; then + export AFL_CC=`type clang | awk '{print $NF}'` else export AFL_CC=`$LLVM_CONFIG --bindir`/clang fi @@ -471,7 +471,7 @@ test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { } $ECHO "$BLUE[*] Testing: gcc_plugin" -export AFL_CC=`which gcc` +export AFL_CC=`type gcc | awk '{print $NF}'` test -e ../afl-gcc-fast -a -e ../afl-gcc-rt.o && { ../afl-gcc-fast -o test-instr.plain.gccpi ../test-instr.c > /dev/null 2>&1 AFL_HARDEN=1 ../afl-gcc-fast -o test-compcov.harden.gccpi test-compcov.c > /dev/null 2>&1 
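Review bot: In the test.sh hunk at @@ -222, `type clang | awk '{print $NF}'` depends on the shell's `type` output format, which is not a stable path: bash prints `clang is hashed (/usr/bin/clang)` once the command has been run in the same shell (so `$NF` becomes `(/usr/bin/clang)`), and aliases or functions produce text with no path at all, so `AFL_CC` can end up unusable on exactly the platform this branch targets. `command -v clang` is POSIX, prints the resolved path on its own line and exits non-zero when absent, so the whole block reduces to `if AFL_CC=`command -v clang`; then export AFL_CC`. The same pattern appears at @@ -400 and @@ -471 on this line and at @@ -616 and @@ -835 on the next; the `PY=` assignment at @@ -835 has the additional hazard that a Python alias would break the `test "$PY" = ...` comparison that follows. I cannot see the script's interpreter line, so which shell formats `type` here is an inference.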
@@ -616,8 +616,8 @@ test -e ../libradamsa.so && { # on FreeBSD need to set AFL_CC test `uname -s` = 'FreeBSD' && { - if which clang >/dev/null; then - export AFL_CC=`which clang` + if type clang >/dev/null; then + export AFL_CC=`type clang | awk '{print $NF}'` else export AFL_CC=`$LLVM_CONFIG --bindir`/clang fi @@ -835,7 +835,7 @@ test -d ../unicorn_mode/unicornafl && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { # travis workaround - PY=`which python` + PY=`type python | awk '{print $NF}'` test "$PY" = "/opt/pyenv/shims/python" -a -x /usr/bin/python && PY=/usr/bin/python mkdir -p in echo 0 > in/in diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh index 0b6bee62..7b82055c 100755 --- a/unicorn_mode/build_unicorn_support.sh +++ b/unicorn_mode/build_unicorn_support.sh @@ -131,7 +131,7 @@ test -d unicornafl || { CNT=1 while [ '!' -d unicornafl -a "$CNT" -lt 4 ]; do echo "Trying to clone unicornafl (attempt $CNT/3)" - git clone https://github.com/vanhauser-thc/unicornafl + git clone https://github.com/AFLplusplus/unicornafl CNT=`expr "$CNT" + 1` done } |