Diffstat (limited to 'docs')
-rw-r--r--  docs/Changelog.md          6
-rw-r--r--  docs/INSTALL.md            1
-rw-r--r--  docs/custom_mutators.md    5
-rw-r--r--  docs/env_variables.md      6
-rw-r--r--  docs/fuzzing_in_depth.md  38
5 files changed, 39 insertions, 17 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index bccc6748..c74a9ad7 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,10 @@ before terminating. - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead of exiting with an error message + - allow -S/-M naming up to 50 characters (from 24) + - added scale support to CMPLOG (-l S) + - added --version and --help command line parameters + - fixed endless loop when reading malformed dictionaries - afl-whatsup: - detect instanced that are starting up and show them as such as not dead - now also shows coverage reached @@ -18,6 +22,8 @@ - fix for a few string compare transform functions for LAF - frida_mode: - fixes support for large map offsets + - afl-cmin/afl-cmin.bash: prevent unneeded file errors + - added new tool afl-addseeds that adds new seeds to a running campaign - added benchmark/benchmark.sh if you want to see how good your fuzzing speed is in comparison to other setups. diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 9005a7eb..41f512ed 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -87,6 +87,7 @@ These build options exist: * INTROSPECTION - compile afl-fuzz with mutation introspection * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL) * NO_NYX - disable building nyx mode dependencies * NO_CORESIGHT - disable building coresight (arm64 only) * NO_UNICORN_ARM64 - disable building unicorn on arm64 diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index c5a64622..1c4ab2cf 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
@@ -125,8 +125,9 @@ def deinit(): # optional for Python - `queue_get` (optional): - This method determines whether the custom fuzzer should fuzz the current - queue entry or not + This method determines whether AFL++ should fuzz the current + queue entry or not: all defined custom mutators as well as + all AFL++'s mutators. - `fuzz_count` (optional): diff --git a/docs/env_variables.md b/docs/env_variables.md index 3bb4e844..a7636511 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -135,6 +135,12 @@ subset of the settings discussed in section 1, with the exception of: - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are created. + - LLVM modes compiling C++ will normally set rpath in the binary if LLVM is + not in a usual location (/usr or /lib). Setting `AFL_LLVM_NO_RPATH=1` + disables this behaviour in case it isn't desired. For example, the compiling + toolchain might be in a custom location, but the target machine has LLVM + runtime libs in the search path. + Then there are a few specific features that are only available in instrumentation mode: diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 5a5acbb2..6a217641 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -599,32 +599,40 @@ during fuzzing) and their number, a value between 50-500MB is recommended. You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`. -There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many -secondary fuzzers (e.g., `-S variant1`) as you have cores that you use. Every -`-M`/`-S` entry needs a unique name (that can be whatever), however, the same -`-o` output directory location has to be used for all instances. +There should be one main fuzzer (`-M main-$HOSTNAME` option - set also +`AFL_FINAL_SYNC=1`) and as many secondary fuzzers (e.g., `-S variant1`) as you +have cores that you use. Every `-M`/`-S` entry needs a unique name (that can be +whatever), however, the same `-o` output directory location has to be used for +all instances. For every secondary fuzzer there should be a variation, e.g.: -* one should fuzz the target that was compiled differently: with sanitizers - activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; export - AFL_USE_CFISAN=1`) +* one should fuzz the target that was compiled with sanitizers activated + (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; export AFL_USE_CFISAN=1`) * one or two should fuzz the target with CMPLOG/redqueen (see above), at least - one cmplog instance should follow transformations (`-l AT`) + one cmplog instance should follow transformations (`-l 2AT`) * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV (see above). Important note: If you run more than one laf-intel/COMPCOV fuzzer and you want them to share their intermediate results, the main fuzzer (`-M`) must - be one of them! (Although this is not really recommended.) - -All other secondaries should be used like this: -* 10-20% with the MOpt mutator enabled: `-L 0` -* run with a different power schedule, recommended are: `fast` (default), + be one of them (although this is not really recommended). 
+ +The other secondaries should be run like this: +* 10% with the MOpt mutator enabled: `-L 0` +* 10% should use the old queue cycling with `-Z` +* 50-70% should run with `AFL_DISABLE_TRIM` +* 40% should run with `-P explore` and 20% with `-P exploit` +* If you use `-a` then set 30% of the instances to not use `-a`; if you did + not set `-a` (why??), then set 30% to `-a ascii` and 30% to `-a binary`. +* run each with a different power schedule, recommended are: `fast` (default), `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with the `-p` option, e.g., `-p explore`. See the [FAQ](FAQ.md#what-are-power-schedules) for details. -* a few instances should use the old queue cycling with `-Z` + +It can be useful to set `AFL_IGNORE_SEED_PROBLEMS=1` to skip over seeds that +crash or timeout during startup. Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases -from other fuzzers in the campaign first. +from other fuzzers in the campaign first. But note that can slow down the start +of the first fuzz by quite a lot of you have many fuzzers and/or many seeds. If you have a large corpus, a corpus from a previous run or are fuzzing in a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. |
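Review bot: in the first Changelog.md hunk, the entry `added --version and --help command line parameters` does not say which tool gained them; name it the way the `afl-whatsup:` and `afl-cmin/afl-cmin.bash:` entries in the same file do, so a reader skimming the changelog knows where to look.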
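Review bot: the INSTALL.md NO_UTF line reads awkwardly, `(fallback to G1 box drawing, of vanilla AFL)`; suggest `(fall back to the G1 box-drawing characters used by vanilla AFL)`. It would also help to state that UTF-8 rendering is the default, so it is clear this is an opt-out like the other NO_* build options.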
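Review bot: the rewritten `queue_get` text in custom_mutators.md leaves it unclear what `all defined custom mutators as well as all AFL++'s mutators` attaches to. Suggest: `This method determines whether AFL++ should fuzz the current queue entry at all, by all defined custom mutators as well as by all of AFL++'s own mutators.`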
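Review bot: the new `AFL_LLVM_NO_RPATH` bullet in env_variables.md is appended to the list introduced by `with the exception of:`, which enumerates settings that do not apply to the LLVM modes; an rpath option that does apply is misfiled there and reads as another exception. Move it below `Then there are a few specific features that are only available in instrumentation mode:` and lead the bullet with the variable name (`AFL_LLVM_NO_RPATH` - ...) like the neighbouring entries. The phrase `LLVM modes compiling C++` should also say which compilers are meant (afl-clang-fast++ and friends) so the scope of the rpath behaviour is unambiguous.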
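Review bot: several points in the fuzzing_in_depth.md hunk. `set also AFL_FINAL_SYNC=1` is introduced without saying what it does; add a clause or a link to env_variables.md. The percentage bullets (10% `-L 0`, 10% `-Z`, 50-70% `AFL_DISABLE_TRIM`, 40% `-P explore`, 20% `-P exploit`, 30% `-a ...`) are independent settings that can be combined on one instance, but the list never says so and the figures add up to well over 100%; state that each is a separate dial applied across the pool. `-P explore` / `-P exploit` appearing next to `-p explore` looks like one option with inconsistent casing; spell out that `-P` and `-p` are different options. `(why??)` is editorial and should be dropped. In the AFL_IMPORT_FIRST paragraph, `of you have many fuzzers` should be `if you have many fuzzers` and `the start of the first fuzz` should be `the start of fuzzing`. Finally, `AFL_IGNORE_SEED_PROBLEMS=1 to skip over seeds that crash or timeout` disagrees with the Changelog hunk in this same commit, which says the variable skips seeds that `time out`; reconcile the two so the docs do not promise crash handling the changelog does not.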
