Diffstat (limited to 'docs')

| Mode | File | Lines changed |
|------|------|---------------|
| -rw-r--r-- | docs/Changelog.md | 2 |
| -rw-r--r-- | docs/FAQ.md | 21 |
| -rw-r--r-- | docs/env_variables.md | 3 |
| -rw-r--r-- | docs/features.md | 29 |
| -rw-r--r-- | docs/fuzzing_binary-only_targets.md | 10 |
| -rw-r--r-- | docs/fuzzing_in_depth.md | 10 |
| -rw-r--r-- | docs/important_changes.md | 4 |

7 files changed, 57 insertions, 22 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index 58eef2ee..c4786bf3 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,6 +14,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". This might need changing custom scripting! + - Nyx mode (full system emulation with snapshot capability) has been + added - thanks to @schumilo and @eqv! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you diff --git a/docs/FAQ.md b/docs/FAQ.md index f1cffe00..3d3dce20 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -180,6 +180,27 @@ If you find an interesting or important question missing, submit it via [best_practices.md#improving-stability](best_practices.md#improving-stability). </p></details> +<details> + <summary id="what-are-power-schedules">What are power schedules?</summary><p> + + Not every item in our queue/corpus is the same, some are more interesting, + others provide little value. + A power schedule measures how "interesting" a value is, and depending on + the calculated value spends more or less time mutating it. + + AFL++ comes with several power schedules, initially ported from [AFLFast](https://github.com/mboehme/aflfast) + however modified to be more effective and several more modes added. + + The most effective modes are '-p fast` (default) and `-p explore`. + + If you fuzz with several parallel afl-fuzz instances, then it is beneficial + to assign a different schedule to each instance, however the majority should + be `fast` and `explore`. + + It does not make sense to explain the details of the calculation and + reasoning behind all of the schedules. If you are interested, read the source + code and the AFLFast paper. + ## Troubleshooting <details> 
diff --git a/docs/env_variables.md b/docs/env_variables.md index dc79bf9e..7ab5351c 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -105,7 +105,8 @@ fairly broad use of environment variables instead: within your program at a certain point (such as at the end of an `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will cause an abort if any memory is leaked (you can combine this with the - `LSAN_OPTIONS=...` suppression option to suppress some known leaks). + `__AFL_LSAN_OFF();` and `__AFL_LSAN_ON();` macros to avoid checking for + memory leaks from memory allocated between these two calls. - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory) - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race conditions diff --git a/docs/features.md b/docs/features.md index 431d9eb1..6104ca63 100644 --- a/docs/features.md +++ b/docs/features.md 
@@ -4,20 +4,20 @@ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full *BSD, Mac OS, Solaris and Android support and much, much, much more. -| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |coresight_mode(11)| -| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------------:| -| Threadsafe counters | | x(3) | | | | | | -| NeverZero | x86[_64]| x(1) | x | x | x | x | | -| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | -| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | | -| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | -| Selective Instrumentation| | x | x | x | x | | | -| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | -| Ngram prev_loc Coverage | | x(6) | | | | | | -| Context Coverage | | x(6) | | | | | | -| Auto Dictionary | | x(7) | | | | | | -| Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | | -| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | | +| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)| +| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:| +| Threadsafe counters | | x(3) | | | | | x | | +| NeverZero | x86[_64]| x(1) | x | x | x | x | | | +| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | | +| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | | +| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | | +| Selective Instrumentation| | x | x | x | x | | | | +| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | | +| Ngram prev_loc Coverage | | x(6) | | | | | | | +| Context Coverage | | x(6) | | | | | | | 
+| Auto Dictionary | | x(7) | | | | | | | +| Snapshot Support | | (x)(8) | (x)(8) | | (x)(5) | | x | | +| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | x | | 1. default for LLVM >= 9.0, environment variable for older version due an efficiency bug in previous llvm versions @@ -34,6 +34,7 @@ QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full 10. QEMU/Unicorn is only supported on Linux 11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight extension +12. Nyx mode is only supported on Linux and currently restricted to x86_x64 Among others, the following features and patches have been integrated: diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 0f2f84f6..855d7756 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -125,6 +125,16 @@ to check out our sister project libafl which supports Frida, too: [https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL). Working examples already exist :-) +### Nyx mode + +Nyx is a full system emulation fuzzing environment with snapshot support that +is built upon KVM and QEMU. +It is only available on Linux and currently restricted to x86_x64. + +For binary-only fuzzing a special 5.10 kernel is required. + +See [nyx_mode/README.md](../nyx_mode/README.md) + ### Unicorn Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar. In diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 2db6cfda..65a6de3d 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -201,7 +201,10 @@ The following sanitizers have built-in support in AFL++: security issue, but for developers this can be very valuable. Note that unlike the other sanitizers above this needs `__AFL_LEAK_CHECK();` added to all areas of the target source code where you find a leak check necessary! Enabled with - `export AFL_USE_LSAN=1` before compiling. + `export AFL_USE_LSAN=1` before compiling. To ignore the memory-leaking check + for certain allocations, `__AFL_LSAN_OFF();` can be used before memory is + allocated, and `__AFL_LSAN_OFF;` afterwards. Memory allocated between these + two macros will not be checked for memory leaks. It is possible to further modify the behavior of the sanitizers at run-time by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters can @@ -562,7 +565,8 @@ All other secondaries should be used like this: * a quarter to a third with the MOpt mutator enabled: `-L 0` * run with a different power schedule, recommended are: `fast (default), explore, coe, lin, quad, exploit and rare` which you can set - with, e.g., `-p explore` + with the `-p` option, e.g., `-p explore`. See the [FAQ](FAQ.md#what-are-power-schedules) + for details. * a few instances should use the old queue cycling with `-Z` Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases @@ -889,4 +893,4 @@ covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ (some might be deprecated or unsupported), see -[third_party_tools.md](third_party_tools.md). \ No newline at end of file +[third_party_tools.md](third_party_tools.md). diff --git a/docs/important_changes.md b/docs/important_changes.md index facaf3c1..0c1c34ef 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md 
@@ -5,10 +5,6 @@ changes. ## From version 3.00 onwards -With AFL++ 3.13-3.20, we introduce FRIDA mode (`-O`) to have an alternative for -binary-only fuzzing. It is a bit faster than QEMU mode and works on MacOS, -Android, iOS etc. - With AFL++ 4.00, we introduced the following changes from previous behaviors: * the complete documenation was overhauled and restructured thanks to @llzmb! * a new CMPLOG target format requires recompiling CMPLOG targets for use |
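Review bot: in the Changelog.md hunk, the context line right after the new Nyx entry still reads "instrumented libaries" ("libraries"); since this file is already being edited, fix that typo in the same commit.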
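Review bot: in the FAQ.md hunk the new `<details>` block is never closed: after the last added paragraph the hunk runs straight into the unchanged `## Troubleshooting` heading with no `</p></details>` (compare the `</p></details>` that ends the previous entry in the context above), so the new entry will swallow the Troubleshooting section when rendered; add `</p></details>` after the final paragraph. Two smaller points in the same hunk: in "The most effective modes are '-p fast` (default) and `-p explore`." the opening quote on `-p fast` is an apostrophe instead of a backtick, and "initially ported from AFLFast however modified to be more effective and several more modes added" needs a comma before "however" and a verb ("and several more modes were added").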
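Review bot: in the env_variables.md hunk the replacement drops the `LSAN_OPTIONS=...` suppression hint entirely, even though the fuzzing_in_depth.md text later in this same patch still tells users to tune `LSAN_OPTIONS` at run time; keep both mechanisms, e.g. "you can combine this with the `__AFL_LSAN_OFF();` and `__AFL_LSAN_ON();` macros, or with `LSAN_OPTIONS=...` suppressions, to skip known leaks".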
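Review bot: in the features.md hunk, footnote 12 says Nyx is "restricted to x86_x64"; the architecture is `x86_64` (the table itself writes it as `x86[_64]`), so fix the typo here and the identical one in fuzzing_binary-only_targets.md. Also, the row renamed from "Snapshot LKM Support" to "Snapshot Support" now mixes the LKM-based snapshot entries marked `(x)(8)` with Nyx's own snapshot capability marked `x`; a word in footnote 8 or 12 that these are different mechanisms would avoid readers assuming Nyx needs the snapshot LKM.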
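Review bot: in the fuzzing_binary-only_targets.md hunk, "currently restricted to x86_x64" repeats the `x86_64` typo from features.md; "For binary-only fuzzing a special 5.10 kernel is required." should say what is special about that kernel or where it is obtained, and the closing `See [nyx_mode/README.md](../nyx_mode/README.md)` lacks a period and points outside docs/, which this diff does not touch, so confirm that file exists at that path.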
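Review bot: in the first fuzzing_in_depth.md hunk the closing macro is wrong: the added text says to use `__AFL_LSAN_OFF();` before the allocation "and `__AFL_LSAN_OFF;` afterwards", but the env_variables.md hunk in this same patch documents the pair as `__AFL_LSAN_OFF();` / `__AFL_LSAN_ON();`; change the second one to `__AFL_LSAN_ON();` (with the parentheses). "memory-leaking check" also reads better as "leak check".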
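Review bot: in the important_changes.md hunk, deleting the FRIDA mode paragraph removes the only statement in this file that FRIDA mode (`-O`) is a binary-only alternative to QEMU mode that also runs on MacOS/Android/iOS, and nothing replaces it; if the intent is to keep only 4.00-era changes here, say so in the commit message, otherwise keep the paragraph. The neighbouring context line also has "documenation" ("documentation"), worth fixing while in the file.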
