Diffstat (limited to 'docs')
84 files changed, 129 insertions, 127 deletions
| diff --git a/docs/Changelog.md b/docs/Changelog.md index fcfd2ce8..7ccae7c2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -8,6 +8,26 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to <afl-users+subscribe@googlegroups.com>. +### Version ++3.15a (dev) + - afl-fuzz: + - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries + - afl-cc: + - fix for shared linking on MacOS + - added the very good grammar mutator "GramaTron" to the + custom_mutators + - added optimin, a faster and better corpus minimizer by + Adrian Herrera. Thank you! + - added afl-persistent-config script to set perform permanent system + configuration settings for fuzzing, for Linux and Macos. + thanks to jhertz! + - added xml, curl and exotic string functions to llvm dictionary features + - fix AFL_PRELOAD issues on MacOS + - removed utils/afl_frida because frida_mode/ is now so much better + - added uninstall target to makefile (todo: update new readme!) + + ### Version ++3.14c (release) - afl-fuzz: - fix -F when a '/' was part of the parameter @@ -70,7 +90,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - on a crashing seed potentially the wrong input was disabled - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in -i dir crashes the target or results in a timeout. By default - afl++ ignores these and uses them for splicing instead. + AFL++ ignores these and uses them for splicing instead. - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after no new paths have been found for n seconds - when AFL_FAST_CAL is set a variable path will now be calibrated 
@@ -224,7 +244,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Updated utils/afl_frida to be 5% faster, 7% on x86_x64 - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b) - @Edznux added a nice documentation on how to use rpc.statsd with - afl++ in docs/rpc_statsd.md, thanks! + AFL++ in docs/rpc_statsd.md, thanks! ### Version ++3.00c (release) - llvm_mode/ and gcc_plugin/ moved to instrumentation/ @@ -280,7 +300,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - custom mutators - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/ - added a new custom mutator: libfuzzer that integrates libfuzzer mutations - - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/ + - Our AFL++ Grammar-Mutator is now better integrated into custom_mutators/ - added INTROSPECTION support for custom modules - python fuzz function was not optional, fixed - some python mutator speed improvements @@ -291,7 +311,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++2.68c (release) - - added the GSoC excellent afl++ grammar mutator by Shengtuo to our + - added the GSoC excellent AFL++ grammar mutator by Shengtuo to our custom_mutators/ (see custom_mutators/README.md) - or get it here: https://github.com/AFLplusplus/Grammar-Mutator - a few QOL changes for Apple and its outdated gmake 
@@ -314,12 +334,12 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - llvm_mode: - ported SanCov to LTO, and made it the default for LTO. better instrumentation locations - - Further llvm 12 support (fast moving target like afl++ :-) ) + - Further llvm 12 support (fast moving target like AFL++ :-) ) - deprecated LLVM SKIPSINGLEBLOCK env environment ### Version ++2.67c (release) - - Support for improved afl++ snapshot module: + - Support for improved AFL++ snapshot module: https://github.com/AFLplusplus/AFL-Snapshot-LKM - Due to the instrumentation needing more memory, the initial memory sizes for -m have been increased @@ -421,7 +441,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc. - fix afl-cmin.bash - - slightly better performance compilation options for afl++ and targets + - slightly better performance compilation options for AFL++ and targets - fixed afl-gcc/afl-as that could break on fast systems reusing pids in the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk @@ -434,7 +454,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - afl-fuzz: - AFL_MAP_SIZE was not working correctly - better python detection - - an old, old bug in afl that would show negative stability in rare + - an old, old bug in AFL that would show negative stability in rare circumstances is now hopefully fixed - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY instead (see docs/custom_mutators.md) 
@@ -493,8 +513,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - extended forkserver: map_size and more information is communicated to afl-fuzz (and afl-fuzz acts accordingly) - new environment variable: AFL_MAP_SIZE to specify the size of the shared map - - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed - (this bug is in vanilla afl too) + - if AFL_CC/AFL_CXX is set but empty AFL compilers did fail, fixed + (this bug is in vanilla AFL too) - added NO_PYTHON flag to disable python support when building afl-fuzz - more refactoring @@ -508,7 +528,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - all: - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library - - afl basic tools now report on the environment variables picked up + - AFL basic tools now report on the environment variables picked up - more tools get environment variable usage info in the help output - force all output to stdout (some OK/SAY/WARN messages were sent to stdout, some to stderr) @@ -657,7 +677,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - qemu and unicorn download scripts now try to download until the full download succeeded. f*ckin travis fails downloading 40% of the time! - more support for Android (please test!) - - added the few Android stuff we didnt have already from Google afl repository + - added the few Android stuff we didnt have already from Google AFL repository - removed unnecessary warnings @@ -705,7 +725,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - big code refactoring: * all includes are now in include/ - * all afl sources are now in src/ - see src/README.md + * all AFL sources are now in src/ - see src/README.md * afl-fuzz was split up in various individual files for including functionality in other programs (e.g. forkserver, memory map, etc.) for better readability. 
@@ -721,7 +741,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - fix building on *BSD (thanks to tobias.kortkamp for the patch) - fix for a few features to support different map sized than 2^16 - afl-showmap: new option -r now shows the real values in the buckets (stock - afl never did), plus shows tuple content summary information now + AFL never did), plus shows tuple content summary information now - small docu updates - NeverZero counters for QEMU - NeverZero counters for Unicorn @@ -764,7 +784,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. debugging - added -V time and -E execs option to better comparison runs, runs afl-fuzz for a specific time/executions. - - added a -s seed switch to allow afl run with a fixed initial + - added a -s seed switch to allow AFL run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then - llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_... @@ -1585,7 +1605,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version 1.63b: - Updated cgroups_asan/ with a new version from Sam, made a couple changes - to streamline it and keep parallel afl instances in separate groups. + to streamline it and keep parallel AFL instances in separate groups. - Fixed typos, thanks to Jakub Wilk. @@ -2383,7 +2403,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Added AFL_KEEP_ASSEMBLY for easier troubleshooting. - - Added an override for AFL_USE_ASAN if set at afl compile time. Requested by + - Added an override for AFL_USE_ASAN if set at AFL compile time. Requested by Hanno Boeck. ### Version 0.79b: diff --git a/docs/FAQ.md b/docs/FAQ.md index 0f447044..0e816062 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -1,8 +1,8 @@ -# Frequently asked questions about afl++ +# Frequently asked questions about AFL++ ## Contents - * [What is the difference between afl and afl++?](#what-is-the-difference-between-afl-and-afl) + * [What is the difference between AFL and AFL++?](#what-is-the-difference-between-afl-and-afl) * [I got a weird compile error from clang](#i-got-a-weird-compile-error-from-clang) * [How to improve the fuzzing speed?](#how-to-improve-the-fuzzing-speed) * [How do I fuzz a network service?](#how-do-i-fuzz-a-network-service) @@ -14,7 +14,7 @@ If you find an interesting or important question missing, submit it via [https://github.com/AFLplusplus/AFLplusplus/issues](https://github.com/AFLplusplus/AFLplusplus/issues) -## What is the difference between afl and afl++? +## What is the difference between AFL and AFL++? American Fuzzy Lop (AFL) was developed by MichaÅ‚ "lcamtuf" Zalewski starting in 2013/2014, and when he left Google end of 2017 he stopped developing it. @@ -24,13 +24,13 @@ it is only accepting PRs from the community and is not developing enhancements anymore. In the second quarter of 2019, 1 1/2 year later when no further development of -AFL had happened and it became clear there would none be coming, afl++ +AFL had happened and it became clear there would none be coming, AFL++ was born, where initially community patches were collected and applied for bug fixes and enhancements. Then from various AFL spin-offs - mostly academic research - features were integrated. This already resulted in a much advanced AFL. -Until the end of 2019 the afl++ team had grown to four active developers which +Until the end of 2019 the AFL++ team had grown to four active developers which then implemented their own research and features, making it now by far the most flexible and feature rich guided fuzzer available as open source. And in independent fuzzing benchmarks it is one of the best fuzzers available, 
@@ -52,15 +52,15 @@ clang-13: note: diagnostic msg: ******************** ``` Then this means that your OS updated the clang installation from an upgrade -package and because of that the afl++ llvm plugins do not match anymore. +package and because of that the AFL++ llvm plugins do not match anymore. -Solution: `git pull ; make clean install` of afl++ +Solution: `git pull ; make clean install` of AFL++ ## How to improve the fuzzing speed? - 1. Use [llvm_mode](docs/llvm_mode/README.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) - 2. Use [persistent mode](llvm_mode/README.persistent_mode.md) (x2-x20 speed increase) - 3. Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase) + 1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) + 2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase) + 3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase) 4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md) 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure) 6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem 
@@ -77,7 +77,7 @@ Using a network channel is inadequate for several reasons: The established method to fuzz network services is to modify the source code to read from a file or stdin (fd 0) (or even faster via shared memory, combine -this with persistent mode [llvm_mode/README.persistent_mode.md](llvm_mode/README.persistent_mode.md) +this with persistent mode [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) and you have a performance gain of x10 instead of a performance loss of over x10 - that is a x100 difference!). @@ -86,7 +86,7 @@ and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD to emulate the network. This is also much faster than the real network would be. See [utils/socket_fuzzing/](../utils/socket_fuzzing/). -There is an outdated afl++ branch that implements networking if you are +There is an outdated AFL++ branch that implements networking if you are desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet)) which allows you to define network state with different type of data packets. @@ -158,7 +158,7 @@ reaction to timing, etc. then in some of the re-executions with the same data the edge coverage result will be different accross runs. Those edges that change are then flagged "unstable". -The more "unstable" edges, the more difficult for afl++ to identify valid new +The more "unstable" edges, the more difficult for AFL++ to identify valid new paths. A value above 90% is usually fine and a value above 80% is also still ok, and 
@@ -197,7 +197,7 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. b) For PCGUARD instrumented binaries it is much more difficult. Here you can either modify the __sanitizer_cov_trace_pc_guard function in - llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in + instrumentation/afl-llvm-rt.o.c to write a backtrace to a file if the ID in __afl_area_ptr[*guard] is one of the unstable edge IDs. (Example code is already there). Then recompile and reinstall llvm_mode and rebuild your target. @@ -225,7 +225,7 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. remove from instrumentation, or just specify the functions you want to skip for instrumentation. Note that optimization might inline functions! - Simply follow this document on how to do this: [llvm_mode/README.instrument_list.md](llvm_mode/README.instrument_list.md) + Simply follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) If PCGUARD is used, then you need to follow this guide (needs llvm 12+!): [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index fc57f546..17af532a 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md 
@@ -74,12 +74,32 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost. +`brew install wget git make cmake llvm gdb` + +Be sure to setup PATH to point to the correct clang binaries and use the +freshly installed clang, clang++ and gmake, e.g.: + +``` +export PATH="/usr/local/Cellar/llvm/12.0.1/bin/:$PATH" +export CC=clang +export CXX=clang++ +gmake +cd frida_mode +gmake +cd .. +gmake install +``` + afl-gcc will fail unless you have GCC installed, but that is using outdated instrumentation anyway. You don't want that. +Note that afl-clang-lto, afl-gcc-fast and qemu_mode are not working on MacOS. The crash reporting daemon that comes by default with MacOS X will cause -problems with fuzzing. You need to turn it off by following the instructions -provided here: http://goo.gl/CCcd5u +problems with fuzzing. You need to turn it off: +``` +launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist +sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist +``` The `fork()` semantics on OS X are a bit unusual compared to other unix systems and definitely don't look POSIX-compliant. This means two things: diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 3b32f5ed..90ea3b66 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md 
@@ -1,12 +1,12 @@ -# Fuzzing binary-only programs with afl++ +# Fuzzing binary-only programs with AFL++ - afl++, libfuzzer and others are great if you have the source code, and + AFL++, libfuzzer and others are great if you have the source code, and it allows for very fast and coverage guided fuzzing. However, if there is only the binary program and no source code available, then standard `afl-fuzz -n` (non-instrumented mode) is not effective. - The following is a description of how these binaries can be fuzzed with afl++. + The following is a description of how these binaries can be fuzzed with AFL++. ## TL;DR: @@ -39,7 +39,7 @@ Note that there is also honggfuzz: [https://github.com/google/honggfuzz](https://github.com/google/honggfuzz) which now has a qemu_mode, but its performance is just 1.5% ... - As it is included in afl++ this needs no URL. + As it is included in AFL++ this needs no URL. If you like to code a customized fuzzer without much work, we highly recommend to check out our sister project libafl which will support QEMU @@ -56,12 +56,12 @@ frida-gum via utils/afl_frida/, you will have to write a harness to call the target function in the library, use afl-frida.c as a template. - Both come with afl++ so this needs no URL. + Both come with AFL++ so this needs no URL. You can also perform remote fuzzing with frida, e.g. if you want to fuzz on iPhone or Android devices, for this you can use [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) - as an intermediate that uses afl++ for fuzzing. + as an intermediate that uses AFL++ for fuzzing. If you like to code a customized fuzzer without much work, we highly recommend to check out our sister project libafl which supports Frida too: 
@@ -74,7 +74,7 @@ Wine mode can run Win32 PE binaries with the QEMU instrumentation. It needs Wine, python3 and the pefile python package installed. - As it is included in afl++ this needs no URL. + As it is included in AFL++ this needs no URL. ## UNICORN @@ -83,10 +83,10 @@ In contrast to QEMU, Unicorn does not offer a full system or even userland emulation. Runtime environment and/or loaders have to be written from scratch, if needed. On top, block chaining has been removed. This means the speed boost - introduced in the patched QEMU Mode of afl++ cannot simply be ported over to + introduced in the patched QEMU Mode of AFL++ cannot simply be ported over to Unicorn. For further information, check out [unicorn_mode/README.md](../unicorn_mode/README.md). - As it is included in afl++ this needs no URL. + As it is included in AFL++ this needs no URL. ## AFL UNTRACER @@ -153,7 +153,7 @@ As a result, the overall speed decrease is about 70-90% (depending on the implementation and other factors). - There are two afl intel-pt implementations: + There are two AFL intel-pt implementations: 1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt) => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel. @@ -175,7 +175,7 @@ the ARM chip is difficult too. My guess is that it is slower than Qemu, but faster than Intel PT. - If anyone finds any coresight implementation for afl please ping me: vh@thc.org + If anyone finds any coresight implementation for AFL please ping me: vh@thc.org ## PIN & DYNAMORIO diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 2c0ca3c5..8b5a4068 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md 
@@ -21,7 +21,7 @@ fuzzing by using libraries that perform mutations according to a given grammar. The custom mutator is passed to `afl-fuzz` via the `AFL_CUSTOM_MUTATOR_LIBRARY` or `AFL_PYTHON_MODULE` environment variable, and must export a fuzz function. -Now afl also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this. +Now AFL also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this. ```bash export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mutator_second.so" ``` @@ -47,7 +47,7 @@ int afl_custom_post_trim(void *data, unsigned char success); size_t afl_custom_havoc_mutation(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, size_t max_size); unsigned char afl_custom_havoc_mutation_probability(void *data); unsigned char afl_custom_queue_get(void *data, const unsigned char *filename); -void afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue); +u8 afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue); const char* afl_custom_introspection(my_mutator_t *data); void afl_custom_deinit(void *data); ``` @@ -88,7 +88,7 @@ def queue_get(filename): return True def queue_new_entry(filename_new_queue, filename_orig_queue): - pass + return False def introspection(): return string @@ -156,6 +156,7 @@ def deinit(): # optional for Python - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. + If the contents of the file was changed return True, False otherwise. - `introspection` (optional): diff --git a/docs/docs.md b/docs/docs.md index ed6ec85e..aa8a4d48 100644 --- a/docs/docs.md +++ b/docs/docs.md 
@@ -1,9 +1,9 @@ -# Restructure afl++'s documentation +# Restructure AFL++'s documentation ## About us We are dedicated to everything around fuzzing, our main and most well known -contribution is the fuzzer `afl++` which is part of all major Unix +contribution is the fuzzer `AFL++` which is part of all major Unix distributions (e.g. Debian, Arch, FreeBSD, etc.) and is deployed on Google's oss-fuzz and clusterfuzz. It is rated the top fuzzer on Google's fuzzbench. 
@@ -11,27 +11,27 @@ We are four individuals from Europe supported by a large community. All our tools are open source. -## About the afl++ fuzzer project +## About the AFL++ fuzzer project -afl++ inherited it's documentation from the original Google afl project. +AFL++ inherited it's documentation from the original Google AFL project. Since then it has been massively improved - feature and performance wise - and although the documenation has likewise been continued it has grown out of proportion. The documentation is done by non-natives to the English language, plus none of us has a writer background. -We see questions on afl++ usage on mailing lists (e.g. afl-users), discord +We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord channels, web forums and as issues in our repository. -This only increases as afl++ has been on the top of Google's fuzzbench +This only increases as AFL++ has been on the top of Google's fuzzbench statistics (which measures the performance of fuzzers) and is now being integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix packaging repositories, e.g. Debian, FreeBSD, etc. -afl++ now has 44 (!) documentation files with 13k total lines of content. +AFL++ now has 44 (!) documentation files with 13k total lines of content. This is way too much. -Hence afl++ needs a complete overhaul of it's documentation, both on a +Hence AFL++ needs a complete overhaul of it's documentation, both on a organisation/structural level as well as the content. Overall the following actions have to be performed: 
@@ -44,9 +44,9 @@ Overall the following actions have to be performed: * The documents have been written and modified by a lot of different people, most of them non-native English speaker. Hence an overall review where parts should be rewritten has to be performed and then the rewrite done. - * Create a cheat-sheet for a very short best-setup build and run of afl++ + * Create a cheat-sheet for a very short best-setup build and run of AFL++ * Pictures explain more than 1000 words. We need at least 4 images that - explain the workflow with afl++: + explain the workflow with AFL++: - the build workflow - the fuzzing workflow - the fuzzing campaign management workflow @@ -65,8 +65,8 @@ us. ## Metrics -afl++ is a the highest performant fuzzer publicly available - but is also the -most feature rich and complex. With the publicity of afl++' success and +AFL++ is a the highest performant fuzzer publicly available - but is also the +most feature rich and complex. With the publicity of AFL++' success and deployment in Google projects internally and externally and availability as a package on most Linux distributions we see more and more issues being created and help requests on our Discord channel that would not be @@ -75,7 +75,7 @@ is unrealistic. We expect the the new documenation after this project to be cleaner, easier accessible and lighter to digest by our users, resulting in much less -help requests. On the other hand the amount of users using afl++ should +help requests. On the other hand the amount of users using AFL++ should increase as well as it will be more accessible which would also increase questions again - but overall resulting in a reduction of help requests. 
@@ -103,7 +103,7 @@ graphics (but again - this is basically just guessing). Technical Writer 10000$ Volunteer stipends 0$ (waved) T-Shirts for the top 10 contributors and helpers to this documentation project: - 10 afl++ logo t-shirts 20$ each 200$ + 10 AFL++ logo t-shirts 20$ each 200$ 10 shipping cost of t-shirts 10$ each 100$ Total: 10.300$ @@ -118,5 +118,5 @@ We have no experience with a technical writer, but we will support that person with video calls, chats, emails and messaging, provide all necessary information and write technical contents that is required for the success of this project. It is clear to us that a technical writer knows how to write, but cannot know -the technical details in a complex tooling like in afl++. This guidance, input, +the technical details in a complex tooling like in AFL++. This guidance, input, etc. has to come from us. diff --git a/docs/env_variables.md b/docs/env_variables.md index e058f377..0686f1a8 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -11,7 +11,7 @@ ## 1) Settings for all compilers -Starting with afl++ 3.0 there is only one compiler: afl-cc +Starting with AFL++ 3.0 there is only one compiler: afl-cc To select the different instrumentation modes this can be done by 1. passing the --afl-MODE command line option to the compiler 2. or using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, @@ -23,10 +23,10 @@ To select the different instrumentation modes this can be done by (afl-g*-fast) or `GCC` (afl-gcc/afl-g++). Because (with the exception of the --afl-MODE command line option) the -compile-time tools do not accept afl specific command-line options, they +compile-time tools do not accept AFL specific command-line options, they make fairly broad use of environmental variables instead: - - Some build/configure scripts break with afl++ compilers. To be able to + - Some build/configure scripts break with AFL++ compilers. To be able to pass them, do: ``` export CC=afl-cc 
@@ -37,7 +37,7 @@ make fairly broad use of environmental variables instead: make ``` - - Most afl tools do not print any output if stdout/stderr are redirected. + - Most AFL tools do not print any output if stdout/stderr are redirected. If you want to get the output into a file then set the `AFL_DEBUG` environment variable. This is sadly necessary for various build processes which fail otherwise. @@ -55,8 +55,7 @@ make fairly broad use of environmental variables instead: overridden. - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports it. Note that fuzzing with ASAN is mildly challenging - - see [notes_for_asan.md](notes_for_asan.md). + compiler supports it. (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the same gotchas; the modes are mutually exclusive. UBSAN can be enabled @@ -149,7 +148,7 @@ Then there are a few specific features that are only available in instrumentatio This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue - in afl and afl-like instrumentations). This is performed by using + in AFL and AFL-like instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. @@ -167,7 +166,7 @@ Then there are a few specific features that are only available in instrumentatio or which functions were touched by an input. - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than the default `0x10000`. A value of 0 or empty sets the map address to be - dynamic (the original afl way, which is slower) + dynamic (the original AFL way, which is slower) - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. This defaults to 1 
@@ -372,7 +371,7 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with afl_custom_fuzz() creates additional mutations through this library. - If afl-fuzz is compiled with Python (which is autodetected during builing + If afl-fuzz is compiled with Python (which is autodetected during building afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be @@ -433,6 +432,10 @@ checks or alter some of the more exotic semantics of the tool: and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first! + - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session + (not at startup), it will terminate. If you do not want this then you can + set `AFL_IGNORE_PROBLEMS`. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply, unless they also want to disable the `/proc/sys/kernel/core_pattern` check. @@ -456,8 +459,8 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will - kick off. In probabilistic mode not all dictionary entires will be used all - of the times for fuzzing mutations to not slow down fuzzing. + kick off. In probabilistic mode, not all dictionary entries will be used all + of the time for fuzzing mutations to not slow down fuzzing. The default count is `200` elements. So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly. 
@@ -480,11 +483,11 @@ checks or alter some of the more exotic semantics of the tool: allows you to add tags to your fuzzing instances. This is especially useful when running multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. - `afl_version` corresponds to the currently running afl version (e.g `++3.0c`). + `afl_version` corresponds to the currently running AFL version (e.g `++3.0c`). Default (empty/non present) will add no tags to the metrics. See [rpc_statsd.md](rpc_statsd.md) for more information. - - Setting `AFL_CRASH_EXITCODE` sets the exit code afl treats as crash. + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash had ocurred. diff --git a/docs/ideas.md b/docs/ideas.md index 0ee69851..325e7031 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -1,4 +1,4 @@ -# Ideas for afl++ +# Ideas for AFL++ In the following, we describe a variety of ideas that could be implemented for future AFL++ versions. diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 23872899..90e12e89 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -27,7 +27,7 @@ will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. -Note that afl++ has AFLfast's power schedules implemented. +Note that AFL++ has AFLfast's power schedules implemented. It is therefore a good idea to use different power schedules if you run several instances in parallel. See [power_schedules.md](power_schedules.md) 
@@ -116,7 +116,7 @@ distribute the deterministic fuzzing across. Note that if you boot up fewer fuzzers than indicated by the second number passed to -M, you may end up with poor coverage. -## 4) Syncing with non-afl fuzzers or independant instances +## 4) Syncing with non-AFL fuzzers or independant instances A -M main node can be told with the `-F other_fuzzer_queue_directory` option to sync results from other fuzzers, e.g. libfuzzer or honggfuzz. diff --git a/docs/perf_tips.md b/docs/perf_tips.md index 9c31e56b..1e8fd4d0 100644 --- a/docs/perf_tips.md +++ b/docs/perf_tips.md @@ -170,6 +170,7 @@ spectre_v2=off stf_barrier=off ``` In most Linux distributions you can put this into a `/etc/default/grub` variable. + You can use `sudo afl-persistent-config` to set these options for you. The following list of changes are made when executing `afl-system-config`: diff --git a/docs/visualization/afl_gzip.png b/docs/resources/afl_gzip.png index 7c461d8f..7c461d8f 100644 --- a/docs/visualization/afl_gzip.png +++ b/docs/resources/afl_gzip.png Binary files differdiff --git a/docs/statsd/grafana-afl++.json b/docs/resources/grafana-afl++.json index 96e824de..96e824de 100644 --- a/docs/statsd/grafana-afl++.json +++ b/docs/resources/grafana-afl++.json diff --git a/docs/screenshot.png b/docs/resources/screenshot.png index 7b4dd7e4..7b4dd7e4 100644 --- a/docs/screenshot.png +++ b/docs/resources/screenshot.png Binary files differdiff --git a/docs/visualization/statsd-grafana.png b/docs/resources/statsd-grafana.png index 1bdc1722..1bdc1722 100644 --- a/docs/visualization/statsd-grafana.png +++ b/docs/resources/statsd-grafana.png Binary files differdiff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index fb97aa09..898ad099 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md 
@@ -31,9 +31,9 @@ By doing so, you might be able to see when the fuzzing process has reached a sta (according to your own criteria) for your targets, etc. And doing so without requiring to log into each instance manually. An example visualisation may look like the following: - + -*Notes: The exact same dashboard can be imported with [this JSON template](statsd/grafana-afl++.json).* +*Notes: The exact same dashboard can be imported with [this JSON template](resources/grafana-afl++.json).* ## How to use diff --git a/docs/status_screen.md b/docs/status_screen.md index e3abcc5f..b1cb9696 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -35,7 +35,7 @@ american fuzzy lop ++3.01a (default) [fast] {0} The top line shows you which mode afl-fuzz is running in (normal: "american fuzy lop", crash exploration mode: "peruvian rabbit mode") -and the version of afl++. +and the version of AFL++. Next to the version is the banner, which, if not set with -T by hand, will either show the binary name being fuzzed, or the -M/-S main/secondary name for parallel fuzzing. @@ -409,7 +409,7 @@ directory. This includes: - `edges_found` - how many edges have been found - `var_byte_count` - how many edges are non-deterministic - `afl_banner` - banner text (e.g. the target name) - - `afl_version` - the version of afl used + - `afl_version` - the version of AFL used - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - `command_line` - full command line used for the fuzzing session diff --git a/docs/technical_details.md b/docs/technical_details.md index 6a4660a2..b0ca493e 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -156,7 +156,7 @@ In contrast to more greedy genetic algorithms, this approach allows the tool to progressively explore various disjoint and possibly mutually incompatible features of the underlying data format, as shown in this image: -  +  Several practical examples of the results of this algorithm are discussed here: 
diff --git a/docs/vuln_samples/bash-cmd-exec.var b/docs/vuln_samples/bash-cmd-exec.var deleted file mode 100644 index 6422d427..00000000 --- a/docs/vuln_samples/bash-cmd-exec.var +++ /dev/null @@ -1 +0,0 @@ -() { _; } >_[$($())] { id; } \ No newline at end of file diff --git a/docs/vuln_samples/bash-uninit-mem.var b/docs/vuln_samples/bash-uninit-mem.var deleted file mode 100644 index 6d7d5360..00000000 --- a/docs/vuln_samples/bash-uninit-mem.var +++ /dev/null @@ -1 +0,0 @@ -() { x() { _; }; x() { _; } <<a; } \ No newline at end of file diff --git a/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 b/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 deleted file mode 100644 index ce23a8bd..00000000 --- a/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 b/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 deleted file mode 100644 index 57a0ac90..00000000 --- a/docs/vuln_samples/ffmpeg-h264-bad-read.mp4 +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 b/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 deleted file mode 100644 index 5471105e..00000000 --- a/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4 +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/file-fpu-exception.elf b/docs/vuln_samples/file-fpu-exception.elf deleted file mode 100644 index f3a36ef8..00000000 --- a/docs/vuln_samples/file-fpu-exception.elf +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/firefox-bmp-leak.bmp b/docs/vuln_samples/firefox-bmp-leak.bmp deleted file mode 100644 index 857e2426..00000000 --- a/docs/vuln_samples/firefox-bmp-leak.bmp +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/firefox-chrome-leak.jpg b/docs/vuln_samples/firefox-chrome-leak.jpg deleted file mode 100644 index a642d98e..00000000 
--- a/docs/vuln_samples/firefox-chrome-leak.jpg +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/firefox-gif-leak.gif b/docs/vuln_samples/firefox-gif-leak.gif deleted file mode 100644 index 310cd366..00000000 --- a/docs/vuln_samples/firefox-gif-leak.gif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/firefox-gif-leak2.gif b/docs/vuln_samples/firefox-gif-leak2.gif deleted file mode 100644 index bb41696c..00000000 --- a/docs/vuln_samples/firefox-gif-leak2.gif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/jxrlib-crash.jxr b/docs/vuln_samples/jxrlib-crash.jxr deleted file mode 100644 index 71d190e3..00000000 --- a/docs/vuln_samples/jxrlib-crash.jxr +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/jxrlib-crash2.jxr b/docs/vuln_samples/jxrlib-crash2.jxr deleted file mode 100644 index 08313258..00000000 --- a/docs/vuln_samples/jxrlib-crash2.jxr +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/jxrlib-crash3.jxr b/docs/vuln_samples/jxrlib-crash3.jxr deleted file mode 100644 index 47af7f1e..00000000 --- a/docs/vuln_samples/jxrlib-crash3.jxr +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/jxrlib-crash4.jxr b/docs/vuln_samples/jxrlib-crash4.jxr deleted file mode 100644 index 51daf47d..00000000 --- a/docs/vuln_samples/jxrlib-crash4.jxr +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/lesspipe-cpio-bad-write.cpio b/docs/vuln_samples/lesspipe-cpio-bad-write.cpio deleted file mode 100644 index ec5a992d..00000000 --- a/docs/vuln_samples/lesspipe-cpio-bad-write.cpio +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libjpeg-sos-leak.jpg b/docs/vuln_samples/libjpeg-sos-leak.jpg deleted file mode 100644 index 02653b87..00000000 --- a/docs/vuln_samples/libjpeg-sos-leak.jpg +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg b/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg deleted file mode 100644 index cfc21a8a..00000000 
--- a/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libtiff-bad-write.tif b/docs/vuln_samples/libtiff-bad-write.tif deleted file mode 100644 index 45027cd1..00000000 --- a/docs/vuln_samples/libtiff-bad-write.tif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libtiff-uninit-mem.tif b/docs/vuln_samples/libtiff-uninit-mem.tif deleted file mode 100644 index b94e2a93..00000000 --- a/docs/vuln_samples/libtiff-uninit-mem.tif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libtiff-uninit-mem2.tif b/docs/vuln_samples/libtiff-uninit-mem2.tif deleted file mode 100644 index 0f9711bf..00000000 --- a/docs/vuln_samples/libtiff-uninit-mem2.tif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libtiff-uninit-mem3.tif b/docs/vuln_samples/libtiff-uninit-mem3.tif deleted file mode 100644 index 6889a3de..00000000 --- a/docs/vuln_samples/libtiff-uninit-mem3.tif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libtiff-uninit-mem4.tif b/docs/vuln_samples/libtiff-uninit-mem4.tif deleted file mode 100644 index 98af970f..00000000 --- a/docs/vuln_samples/libtiff-uninit-mem4.tif +++ /dev/null Binary files differdiff --git a/docs/vuln_samples/libxml2-bad-read.xml b/docs/vuln_samples/libxml2-bad-read.xml deleted file mode 100644 index d46fd128..00000000 --- a/docs/vuln_samples/libxml2-bad-read.xml +++ /dev/null @@ -1,3 +0,0 @@ -<!DOCTYPEd[<!ENTITY -S ""><!ENTITY % -N "<!ELEMENT<
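Review bot: the new `AFL_IGNORE_PROBLEMS` paragraph in the env_variables.md hunk at @@ -433 does not say what counts as an "incorrect fuzzing setup" or what the user gives up by suppressing the abort; name the class of problem afl-fuzz detects mid-session and state that setting the variable continues a run whose results may be unreliable, so readers treat it as a last resort rather than a convenience switch. Also tighten "If you do not want this then you can set" to "If you do not want this, set".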
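Review bot: while the wording at @@ -456 in env_variables.md is being corrected, check the variable name `AFL_MAX_DET_EXRAS` in the unchanged line just above against what afl-fuzz actually parses; it reads like a typo for `AFL_MAX_DET_EXTRAS`, and a misspelled name in the docs means users set a variable that is silently ignored.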
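Review bot: the @@ -480 hunk in env_variables.md changes "afl" to "AFL" on two lines but leaves "ocurred" (should be "occurred") in the trailing context of the `AFL_CRASH_EXITCODE` entry and "(e.g `++3.0c`)" without its period; fix both in the same touch-up.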
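Review bot: the heading rewritten at @@ -116 in parallel_fuzzing.md still contains "independant"; since the line is modified anyway, change it to "independent".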
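Review bot: the sentence added at @@ -170 in perf_tips.md sits directly before "The following list of changes are made when executing `afl-system-config`", so a reader can easily take the two scripts for the same thing; say how `afl-persistent-config` differs from `afl-system-config`, note that the kernel boot parameters listed just above only take effect after a reboot, and consider giving the new sentence its own short paragraph.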
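Review bot: the context line above the change at @@ -35 in status_screen.md reads "american fuzy lop"; fix it to "fuzzy" while this paragraph is being touched.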
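Review bot: the renames from docs/visualization/ and docs/statsd/ to docs/resources/ mean every link to afl_gzip.png, statsd-grafana.png, screenshot.png and grafana-afl++.json has to follow; the rpc_statsd.md hunk at @@ -31 updates the JSON template link, but the image lines changed at @@ -31 and in technical_details.md at @@ -156 render empty in this view, so confirm those image references point at the new resources/ paths, and check for references outside docs/, which this view does not show.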
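Review bot: deleting the whole docs/vuln_samples/ directory (the bash, ffmpeg, file, firefox, jxrlib, lesspipe, libjpeg, libtiff and libxml2 crash reproducers) is a user-visible change that needs a changelog entry and a check that no other document still points readers at these samples; if they are meant to live elsewhere, say where.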