Diffstat (limited to 'docs')
-rw-r--r--docs/Changelog.md36
-rw-r--r--docs/PATCHES.md2
-rw-r--r--docs/README.radamsa.md9
-rw-r--r--docs/env_variables.md12
-rw-r--r--docs/ideas.md36
-rw-r--r--docs/perf_tips.md4
-rw-r--r--docs/power_schedules.md1
7 files changed, 46 insertions, 54 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index efc18ab5..57b2b4a2 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,11 +9,21 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.
 
 
-### Version ++2.65d (dev)
+### Version ++2.66d (devel)
+  - ... ?
+
+
+### Version ++2.66c (release)
+  - renamed the main branch on Github to "stable"
+  - renamed master/slave to main/secondary
+  - renamed blacklist/whitelist to ignorelist/instrumentlist ->
+    AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
+  - warn on deprecated environment variables
   - afl-fuzz:
      - -S secondary nodes now only sync from the main node to increase
        performance, the -M main node still syncs from everyone. Added checks
        that ensure exactly one main node is present and warn otherwise
+     - Add -D after -S to force a secondary to perform deterministic fuzzing
      - If no main node is present at a sync one secondary node automatically
        becomes a temporary main node until a real main nodes shows up
      - Fixed a mayor performance issue we inherited from AFLfast
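Review bot: the 2.66c entry "- renamed blacklist/whitelist to ignorelist/instrumentlist ->" introduces the term "instrumentlist" while the variables named on the next line are AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE; pick one wording for the feature and use it throughout (for example "renamed blacklist/whitelist to ignorelist/instrument file list"). The "- ... ?" placeholder under "Version ++2.66d (devel)" should either be dropped or replaced by a real entry before this is merged. While this hunk is open, the unchanged context line "Fixed a mayor performance issue" should read "major".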
@@ -23,20 +33,24 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - Ensure that the targets are killed on exit
      - fix/update to MOpt (thanks to arnow117)
      - added MOpt dictionary support from repo
+     - added experimental SEEK power schedule. It is EXPLORE with ignoring
+       the runtime and less focus on the length of the test case
   - llvm_mode:
     - the default instrumentation is now PCGUARD if the llvm version is >= 7,
       as it is faster and provides better coverage. The original afl
       instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
-      automatically done when the WHITELIST feature is used. 
+      automatically done when the instrument_file list feature is used. 
+    - PCGUARD mode is now even better because we made it collision free - plus
+      it has a fixed map size, so it is also faster! :)
     - some targets want a ld variant for LD that is not gcc/clang but ld,
       added afl-ld-lto to solve this
     - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
       needs 3.8.0)
-    - WHITELIST feature now supports wildcards (thanks to sirmc)
+    - instrument_file list feature now supports wildcards (thanks to sirmc)
     - small change to cmplog to make it work with current llvm 11-dev
     - added AFL_LLVM_LAF_ALL, sets all laf-intel settings
-    - LTO whitelist functionality rewritten, now main, _init etc functions
-      need not to be whitelisted anymore
+    - LTO instrument_files functionality rewritten, now main, _init etc functions
+      need not to be listed anymore
     - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
       tried to be instrumented with LTO
     - fixed crash in cmplog with LTO
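Review bot: the renamed feature is spelled three different ways inside this hunk ("instrument_file list feature", "instrument_files functionality", "instrument_file list feature now supports wildcards"); settle on one term so readers can grep the changelog for it. The line "automatically done when the instrument_file list feature is used. " also keeps the trailing whitespace of the line it replaces; trim it while touching the line.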
@@ -44,9 +58,15 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - Unicornafl
     - Added powerPC support from unicorn/next
     - rust bindings!
+  - CMPLOG/Redqueen now also works for MMAP sharedmem
+  - ensure shmem is released on errors
+  - we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
+    compiled by default anymore.
+  - allow running in /tmp (only unsafe with umask 0)
   - persistent mode shared memory testcase handover (instead of via
     files/stdin) - 10-100% performance increase
   - General support for 64 bit PowerPC, RiscV, Sparc etc.
+  - fix afl-cmin.bash
   - slightly better performance compilation options for afl++ and targets
   - fixed afl-gcc/afl-as that could break on fast systems reusing pids in
     the same second
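Review bot: "- allow running in /tmp (only unsafe with umask 0)" is too terse for a security-relevant change: it relaxes a check that previously refused a world-writable working directory, so the entry should say which check was relaxed and why only a umask of 0 is considered unsafe, so users understand what they opt into when their output directory lives in a shared /tmp. Suggest something like "allow the output directory to be in /tmp; this is only unsafe when the umask is 0, because other users could then write to the files".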
@@ -238,7 +258,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     the original script is still present as afl-cmin.bash
   - afl-showmap: -i dir option now allows processing multiple inputs using the
      forkserver. This is for enhanced speed in afl-cmin.
-  - added blacklist and whitelisting function check in all modules of llvm_mode
+  - added blacklist and instrument_filesing function check in all modules of llvm_mode
   - added fix from Debian project to compile libdislocator and libtokencap
   - libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t
 
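Review bot: the mechanical replacement produced the non-word "instrument_filesing" in "- added blacklist and instrument_filesing function check in all modules of llvm_mode". This is a historical changelog entry describing what that older version added, so it should keep its original wording ("blacklist and whitelisting") rather than be rewritten after the fact; if the rename must be mentioned, add it in parentheses instead of altering the old text.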
@@ -293,7 +313,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
     performance loss of ~10%
   - added test/test-performance.sh script
   - (re)added gcc_plugin, fast inline instrumentation is not yet finished,
-    however it includes the whitelisting and persistance feature! by hexcoder-
+    however it includes the instrument_filesing and persistance feature! by hexcoder-
   - gcc_plugin tests added to testing framework
 
 
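Review bot: same replacement error here: "however it includes the instrument_filesing and persistance feature!" is not a word, and "persistance" should be "persistence" if the line is edited at all. As with the other historical entries, leaving the old wording untouched is the safer choice.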
@@ -381,7 +401,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
   - more cpu power for afl-system-config
   - added forkserver patch to afl-tmin, makes it much faster (originally from
     github.com/nccgroup/TriforceAFL)
-  - added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow
+  - added instrument_files support for llvm_mode via AFL_LLVM_WHITELIST to allow
     only to instrument what is actually interesting. Gives more speed and less
     map pollution (originally by choller@mozilla)
   - added Python Module mutator support, python2.7-dev is autodetected.
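Review bot: this line now mixes the new term with the old variable name: "added instrument_files support for llvm_mode via AFL_LLVM_WHITELIST to allow". Since AFL_LLVM_WHITELIST was the variable at that version, either leave the historical entry as it was or record the rename explicitly, e.g. "added whitelist support (now AFL_LLVM_INSTRUMENT_FILE) for llvm_mode via AFL_LLVM_WHITELIST".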
diff --git a/docs/PATCHES.md b/docs/PATCHES.md
index a6783523..b2cff43a 100644
--- a/docs/PATCHES.md
+++ b/docs/PATCHES.md
@@ -28,7 +28,7 @@ afl-qemu-optimize-map.diff		by mh(at)mh-sec(dot)de
 + AFLfast additions (github.com/mboehme/aflfast) were incorporated.
 + Qemu 3.1 upgrade with enhancement patches (github.com/andreafioraldi/afl)
 + Python mutator modules support (github.com/choller/afl)
-+ Whitelisting in LLVM mode (github.com/choller/afl)
++ Instrument file list in LLVM mode (github.com/choller/afl)
 + forkserver patch for afl-tmin (github.com/nccgroup/TriforceAFL)
 
 
diff --git a/docs/README.radamsa.md b/docs/README.radamsa.md
deleted file mode 100644
index b01a4c83..00000000
--- a/docs/README.radamsa.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# libradamsa
-
-Pretranslated radamsa library. This code belongs to the radamsa author.
-
-> Original repository: https://gitlab.com/akihe/radamsa
-
-> Source commit: 7b2cc2d0
-
-> The code here is adapted for AFL++ with minor changes respect the original version
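Review bot: deleting this file drops the only attribution for the bundled radamsa code (original repository https://gitlab.com/akihe/radamsa, source commit 7b2cc2d0, and the note that the code was adapted with minor changes). The Changelog hunk says radamsa now lives in ./custom_mutators/; please confirm the same attribution and source-commit note travel with the code to that location, since this diff is limited to docs and that cannot be verified here.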
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 867e937e..87344331 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -204,14 +204,14 @@ Then there are a few specific features that are only available in llvm_mode:
 
     See llvm_mode/README.laf-intel.md for more information.
 
-### WHITELIST
+### INSTRUMENT_FILE
 
     This feature allows selectively instrumentation of the source
 
-    - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
+    - Setting AFL_LLVM_INSTRUMENT_FILE with a filename will only instrument those
       files that match the names listed in this file.
 
-    See llvm_mode/README.whitelist.md for more information.
+    See llvm_mode/README.instrument_file.md for more information.
 
 ### NOT_ZERO
 
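Review bot: the new reference "See llvm_mode/README.instrument_file.md for more information." points at a file outside this docs-only diff; verify that the rename from README.whitelist.md is part of the same commit so the link does not dangle. The unchanged context line "This feature allows selectively instrumentation of the source" should read "selective instrumentation", as the gcc_plugin section further down already does.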
@@ -236,14 +236,14 @@ Then there are a few specific features that are only available in llvm_mode:
 
 Then there are a few specific features that are only available in the gcc_plugin:
 
-### WHITELIST
+### INSTRUMENT_FILE
 
     This feature allows selective instrumentation of the source
 
-    - Setting AFL_GCC_WHITELIST with a filename will only instrument those
+    - Setting AFL_GCC_INSTRUMENT_FILE with a filename will only instrument those
       files that match the names listed in this file (one filename per line).
 
-    See gcc_plugin/README.whitelist.md for more information.
+    See gcc_plugin/README.instrument_file.md for more information.
 
 ## 3) Settings for afl-fuzz
 
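Review bot: same link check for "See gcc_plugin/README.instrument_file.md for more information.": confirm that file exists after this change, since gcc_plugin is outside the docs diff shown here.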
diff --git a/docs/ideas.md b/docs/ideas.md
index 686c262d..65e2e8e6 100644
--- a/docs/ideas.md
+++ b/docs/ideas.md
@@ -6,7 +6,7 @@ for future AFL++ versions.
 For GSOC2020 interested students please see
 [https://github.com/AFLplusplus/AFLplusplus/issues/208](https://github.com/AFLplusplus/AFLplusplus/issues/208)
 
-## Flexible Grammar Mutator
+## Flexible Grammar Mutator (currently in development)
 
 Currently, AFL++'s mutation does not have deeper knowledge about the fuzzed
 binary, apart from feedback, even though the developer may have insights
@@ -25,41 +25,21 @@ various results.
 
 Mentor: andreafioraldi 
 
-## Expand on the MOpt mutator
-
-Work on the MOpt mutator that is already in AFL++.
-
-This is an excellent mutations scheduler based on Particle Swarm
-Optimization but the current implementation schedule only the mutations
-that were present on AFL.
-
-AFL++ added a lot of optional mutators like the Input-2-State one based
-on Redqueen, the Radamsa mutator, the Custom mutator (the user can define
-its own mutator) and the work is to generalize MOpt for all the current
-and future mutators.
-
-Mentor: vanhauser-thc or andreafioraldi
-
 ## perf-fuzz Linux Kernel Module
 
-Either Port the patch to the upcoming Ubuntu LTS 20.04 default kernel
-and provide a qemu-kvm image or find a different userspace snapshot
-solution that has a good performance and is reliable, e.g. with docker.
-[perf-fuzz](https://gts3.org/assets/papers/2017/xu:os-fuzz.pdf)
-The perf-fuzz kernel can be found at [https://github.com/sslab-gatech/perf-fuzz](https://github.com/sslab-gatech/perf-fuzz)
-There also is/was a FreeBSD project at [https://github.com/veracode-research/freebsd-perf-fuzz](https://github.com/veracode-research/freebsd-perf-fuzz)
-
-This enables snapshot fuzzing on Linux with an incredible performance!
+Expand on [snapshot LKM](https://github.com/AFLplusplus/AFL-Snapshot-LKM)
+To make it thread safe, can snapshot several processes at once and increase
+overall performance.
 
 Mentor: any
-Idea/Issue tracker: [https://github.com/AFLplusplus/AFLplusplus/issues/248](https://github.com/AFLplusplus/AFLplusplus/issues/248)
 
-## QEMU 4-based Instrumentation
+## QEMU 5-based Instrumentation
 
 First tests to use QEMU 4 for binary-only AFL++ showed that caching behavior
 changed, which vastly decreases fuzzing speeds.
 
-This is the cause why, right now, we cannot switch to QEMU 4.2.
+In this task test if QEMU 5 performs better and port the afl++ QEMU 3.1
+patches to QEMU 5.
 
 Understanding the current instrumentation and fixing the current caching
 issues will be needed.
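Review bot: the heading becomes "## QEMU 5-based Instrumentation" but the unchanged paragraph under it still opens with "First tests to use QEMU 4 for binary-only AFL++ showed that caching behavior changed"; make explicit that the QEMU 4 result is background and the task is to evaluate QEMU 5, otherwise the heading and body read as contradictory. The new perf-fuzz text "Expand on snapshot LKM To make it thread safe, can snapshot several processes at once and increase overall performance." is a fragment with no sentence break after the link; suggest "Expand on the snapshot LKM: make it thread safe so that it can snapshot several processes at once, and increase overall performance." Dropping the line "Idea/Issue tracker: ... issues/248" also removes the only pointer to the existing discussion; consider keeping it if the issue is still open.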
@@ -86,7 +66,7 @@ Either improve a single mutator thorugh learning of many different bugs
 
 Mentor: domenukk
 
-## Reengineer `afl-fuzz` as Thread Safe, Embeddable Library
+## Reengineer `afl-fuzz` as Thread Safe, Embeddable Library (currently in development)
 
 Right now, afl-fuzz is single threaded, cannot safely be embedded in tools,
 and not multi-threaded. It makes use of a large number of globals, must always
diff --git a/docs/perf_tips.md b/docs/perf_tips.md
index fcd03db7..7a690b77 100644
--- a/docs/perf_tips.md
+++ b/docs/perf_tips.md
@@ -66,8 +66,8 @@ then using laf-intel (see llvm_mode/README.laf-intel.md) will help `afl-fuzz` a
 to get to the important parts in the code.
 
 If you are only interested in specific parts of the code being fuzzed, you can
-whitelist the files that are actually relevant. This improves the speed and
-accuracy of afl. See llvm_mode/README.whitelist.md
+instrument_files the files that are actually relevant. This improves the speed and
+accuracy of afl. See llvm_mode/README.instrument_file.md
 
 Also use the InsTrim mode on larger binaries, this improves performance and
 coverage a lot.
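Review bot: "instrument_files the files that are actually relevant" replaced the verb "whitelist" with a noun and no longer parses. Suggest "restrict instrumentation to the files that are actually relevant by listing them in an instrument file (AFL_LLVM_INSTRUMENT_FILE). This improves the speed and accuracy of afl."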
diff --git a/docs/power_schedules.md b/docs/power_schedules.md
index 067a1d91..06fefa12 100644
--- a/docs/power_schedules.md
+++ b/docs/power_schedules.md
@@ -21,6 +21,7 @@ We find that AFL's exploitation-based constant schedule assigns **too much energ
 | `-p exploit` (AFL) | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Calpha%28i%29) |
 | `-p mmopt` | Experimental: `explore` with no weighting to runtime and increased weighting on the last 5 queue entries |
 | `-p rare` | Experimental: `rare` puts focus on queue entries that hit rare edges |
+| `-p seek` | Experimental: `seek` is EXPLORE but ignoring the runtime of the queue input and less focus on the size |
 where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path.
   
 More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/).
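Review bot: the new row "| `-p seek` | Experimental: `seek` is EXPLORE but ignoring the runtime of the queue input and less focus on the size |" writes the base schedule as upper-case EXPLORE while the neighbouring rows use `explore` in code font; align it with the existing style. The table also runs straight into the "where *α(i)* is the performance score ..." paragraph with no blank line, so some Markdown renderers will absorb that sentence into the table; since this hunk adds the last row, adding a blank line after it would fix that.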