diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/Changelog.md | 12 | ||||
| -rw-r--r-- | docs/binaryonly_fuzzing.md | 2 | ||||
| -rw-r--r-- | docs/notes_for_asan.md | 6 | ||||
| -rw-r--r-- | docs/parallel_fuzzing.md | 38 | ||||
| -rw-r--r-- | docs/power_schedules.md | 2 | ||||
| -rw-r--r-- | docs/status_screen.md | 4 |
6 files changed, 32 insertions, 32 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index f96adfa3..87e02938 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -11,11 +11,11 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++2.65d (dev) - afl-fuzz: - - -S slaves now only sync from the master to increase performance, - the -M master still syncs from everyone. Added checks that ensure - exactly one master is present and warn otherwise - - If no master is present at a sync one slave automatically becomes - a temporary master until a real master shows up + - -S secondary nodes now only sync from the main node to increase performance, + the -M main node still syncs from everyone. Added checks that ensure + exactly one main node is present and warn otherwise + - If no main node is present at a sync one secondary node automatically becomes + a temporary main node until a real main nodes shows up - fix/update to MOpt (thanks to arnow117) - llvm_mode: - the default instrumentation is now PCGUARD, as it is faster and provides @@ -912,7 +912,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Switched from exit() to _exit() in injected code to avoid snafus with destructors in C++ code. Spotted by sunblate. - - Made a change to avoid spuriously setting __AFL_SHM_ID when + - Made a change to avoid spuriously setting __AFL_SHM_ID when AFL_DUMB_FORKSRV is set in conjunction with -n. Spotted by Jakub Wilk. ### Version 1.94b: diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index f005a9b7..7c9be418 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md @@ -4,7 +4,7 @@ it allows for very fast and coverage guided fuzzing. However, if there is only the binary program and no source code available, - then standard `afl-fuzz -n` (dumb mode) is not effective. + then standard `afl-fuzz -n` (non-instrumented mode) is not effective. The following is a description of how these binaries can be fuzzed with afl++ diff --git a/docs/notes_for_asan.md b/docs/notes_for_asan.md index 6a4806c0..2e18c15f 100644 --- a/docs/notes_for_asan.md +++ b/docs/notes_for_asan.md @@ -28,9 +28,9 @@ Note that ASAN is incompatible with -static, so be mindful of that. (You can also use AFL_USE_MSAN=1 to enable MSAN instead.) -NOTE: if you run several slaves only one should run the target compiled with -ASAN (and UBSAN, CFISAN), the others should run the target with no sanitizers -compiled in. +NOTE: if you run several secondary instances, only one should run the target +compiled with ASAN (and UBSAN, CFISAN), the others should run the target with +no sanitizers compiled in. There is also the option of generating a corpus using a non-ASAN binary, and then feeding it to an ASAN-instrumented one to check for bugs. This is faster, diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index c6e54218..271f8369 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -13,12 +13,12 @@ In fact, if you rely on just a single job on a multi-core system, you will be underutilizing the hardware. So, parallelization is usually the right way to go. -When targeting multiple unrelated binaries or using the tool in "dumb" (-n) -mode, it is perfectly fine to just start up several fully separate instances -of afl-fuzz. The picture gets more complicated when you want to have multiple -fuzzers hammering a common target: if a hard-to-hit but interesting test case -is synthesized by one fuzzer, the remaining instances will not be able to use -that input to guide their work. +When targeting multiple unrelated binaries or using the tool in +"non-instrumented" (-n) mode, it is perfectly fine to just start up several +fully separate instances of afl-fuzz. The picture gets more complicated when +you want to have multiple fuzzers hammering a common target: if a hard-to-hit +but interesting test case is synthesized by one fuzzer, the remaining instances +will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. @@ -37,7 +37,7 @@ system, simply create a new, empty output directory ("sync dir") that will be shared by all the instances of afl-fuzz; and then come up with a naming scheme for every instance - say, "fuzzer01", "fuzzer02", etc. -Run the first one ("master", -M) like this: +Run the first one ("main node", -M) like this: ``` ./afl-fuzz -i testcase_dir -o sync_dir -M fuzzer01 [...other stuff...] @@ -57,26 +57,26 @@ Each fuzzer will keep its state in a separate subdirectory, like so: Each instance will also periodically rescan the top-level sync directory for any test cases found by other fuzzers - and will incorporate them into its own fuzzing when they are deemed interesting enough. -For performance reasons only -M masters sync the queue with everyone, the --S slaves will only sync from the master. +For performance reasons only -M main node syncs the queue with everyone, the +-S secondary nodes will only sync from the main node. -The difference between the -M and -S modes is that the master instance will +The difference between the -M and -S modes is that the main instance will still perform deterministic checks; while the secondary instances will proceed straight to random tweaks. -Note that you must always have one -M master instance! +Note that you must always have one -M main instance! Note that running multiple -M instances is wasteful, although there is an experimental support for parallelizing the deterministic checks. To leverage that, you need to create -M instances like so: ``` -./afl-fuzz -i testcase_dir -o sync_dir -M masterA:1/3 [...] -./afl-fuzz -i testcase_dir -o sync_dir -M masterB:2/3 [...] -./afl-fuzz -i testcase_dir -o sync_dir -M masterC:3/3 [...] +./afl-fuzz -i testcase_dir -o sync_dir -M mainA:1/3 [...] +./afl-fuzz -i testcase_dir -o sync_dir -M mainB:2/3 [...] +./afl-fuzz -i testcase_dir -o sync_dir -M mainC:3/3 [...] ``` -...where the first value after ':' is the sequential ID of a particular master +...where the first value after ':' is the sequential ID of a particular main instance (starting at 1), and the second value is the total number of fuzzers to distribute the deterministic fuzzing across. Note that if you boot up fewer fuzzers than indicated by the second number passed to -M, you may end up with @@ -168,7 +168,7 @@ to keep in mind: This arrangement would allow test interesting cases to propagate across the fleet without having to copy every fuzzer queue to every single host. - - You do not want a "master" instance of afl-fuzz on every system; you should + - You do not want a "main" instance of afl-fuzz on every system; you should run them all with -S, and just designate a single process somewhere within the fleet to run with -M. @@ -185,10 +185,10 @@ also basic machine-readable information always written to the fuzzer_stats file in the output directory. Locally, that information can be interpreted with afl-whatsup. -In principle, you can use the status screen of the master (-M) instance to +In principle, you can use the status screen of the main (-M) instance to monitor the overall fuzzing progress and decide when to stop. In this mode, the most important signal is just that no new paths are being found -for a longer while. If you do not have a master instance, just pick any +for a longer while. If you do not have a main instance, just pick any single secondary instance to watch and go by that. You can also rely on that instance's output directory to collect the @@ -197,7 +197,7 @@ within the fleet. Secondary (-S) instances do not require any special monitoring, other than just making sure that they are up. Keep in mind that crashing inputs are *not* automatically propagated to the -master instance, so you may still want to monitor for crashes fleet-wide +main instance, so you may still want to monitor for crashes fleet-wide from within your synchronization or health checking scripts (see afl-whatsup). ## 5) Asymmetric setups diff --git a/docs/power_schedules.md b/docs/power_schedules.md index c69c64d2..067a1d91 100644 --- a/docs/power_schedules.md +++ b/docs/power_schedules.md @@ -25,7 +25,7 @@ where *α(i)* is the performance score that AFL uses to compute for the seed inp More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/). -PS: In parallel mode (several instances with shared queue), we suggest to run the master using the exploit schedule (-p exploit) and the slaves with a combination of cut-off-exponential (-p coe), exponential (-p fast; default), and explore (-p explore) schedules. In single mode, the default settings will do. **EDIT:** In parallel mode, AFLFast seems to perform poorly because the path probability estimates are incorrect for the imported seeds. Pull requests to fix this issue by syncing the estimates accross instances are appreciated :) +PS: In parallel mode (several instances with shared queue), we suggest to run the main node using the exploit schedule (-p exploit) and the secondary nodes with a combination of cut-off-exponential (-p coe), exponential (-p fast; default), and explore (-p explore) schedules. In single mode, the default settings will do. **EDIT:** In parallel mode, AFLFast seems to perform poorly because the path probability estimates are incorrect for the imported seeds. Pull requests to fix this issue by syncing the estimates across instances are appreciated :) Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. Released under terms and conditions of Apache License, Version 2.0. diff --git a/docs/status_screen.md b/docs/status_screen.md index a66558b9..b89468ce 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -33,7 +33,7 @@ The top line shows you which mode afl-fuzz is running in (normal: "american fuzy lop", crash exploration mode: "peruvian rabbit mode") and the version of afl++. Next to the version is the banner, which, if not set with -T by hand, will -either show the binary name being fuzzed, or the -M/-S master/slave name for +either show the binary name being fuzzed, or the -M/-S main/secondary name for parallel fuzzing. Finally, the last item is the power schedule mode being run (default: explore). @@ -404,7 +404,7 @@ directory. This includes: - `var_byte_count` - how many edges are non-deterministic - `afl_banner` - banner text (e.g. the target name) - `afl_version` - the version of afl used - - `target_mode` - default, persistent, qemu, unicorn, dumb + - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - `command_line` - full command line used for the fuzzing session Most of these map directly to the UI elements discussed earlier on. |