diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/Changelog.md | 37 | ||||
| -rw-r--r-- | docs/FAQ.md | 390 | ||||
| -rw-r--r-- | docs/INSTALL.md | 242 | ||||
| -rw-r--r-- | docs/QuickStartGuide.md | 50 | ||||
| -rw-r--r-- | docs/afl-fuzz_approach.md | 37 | ||||
| -rw-r--r-- | docs/best_practices.md | 120 | ||||
| -rw-r--r-- | docs/beyond_crashes.md | 23 | ||||
| -rw-r--r-- | docs/binaryonly_fuzzing.md | 28 | ||||
| -rw-r--r-- | docs/branches.md | 11 | ||||
| -rw-r--r-- | docs/choosing_testcases.md | 19 | ||||
| -rw-r--r-- | docs/ci_fuzzing.md | 29 | ||||
| -rw-r--r-- | docs/common_sense_risks.md | 36 | ||||
| -rw-r--r-- | docs/docs2.md | 124 | ||||
| -rw-r--r-- | docs/env_variables.md | 907 | ||||
| -rw-r--r-- | docs/features.md | 49 | ||||
| -rw-r--r-- | docs/fuzzing_binary-only_targets.md | 83 | ||||
| -rw-r--r-- | docs/fuzzing_expert.md | 630 | ||||
| -rw-r--r-- | docs/important_changes.md | 56 | ||||
| -rw-r--r-- | docs/interpreting_output.md | 71 | ||||
| -rw-r--r-- | docs/known_limitations.md | 36 | ||||
| -rw-r--r-- | docs/life_pro_tips.md | 87 | ||||
| -rw-r--r-- | docs/parallel_fuzzing.md | 13 | ||||
| -rw-r--r-- | docs/rpc_statsd.md | 230 | ||||
| -rw-r--r-- | docs/sister_projects.md | 12 | ||||
| -rw-r--r-- | docs/technical_details.md | 14 | ||||
| -rw-r--r-- | docs/tools.md | 33 | ||||
| -rw-r--r-- | docs/triaging_crashes.md | 46 | ||||
| -rw-r--r-- | docs/tutorials.md | 26 |
28 files changed, 2310 insertions, 1129 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md index 0ffbef05..054f0fef 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,16 +9,39 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to <afl-users+subscribe@googlegroups.com>. ### Version ++3.15a (dev) + - documentation restructuring, made possible by Google Season of Docs :) + - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) + thanks to RICSecLab submitting! - afl-fuzz: - - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on - incorrect LTO usage setups and enhanced the READMEs for better - information on how to deal with instrumenting libraries + - cmplog binaries will need to be recompiled for this version + (it is better!) - fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting! - + - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries + - fix -n dumb mode (nobody should use this) + - fix stability issue with LTO and cmplog + - better banner + - more effective cmplog mode + - more often update the UI when in input2stage mode + - frida_mode: + - better performance, bug fixes + - David Carlier added Android support :) + - afl-showmap, afl-tmin and afl-analyze: + - honor persistent mode for more speed. thanks to dloffre-snl + for reporting! + - fix bug where targets are not killed on timeouts + - moved hidden afl-showmap -A option to -H to be used for + coresight_mode + - Prevent accidently killing non-afl/fuzz services when aborting + afl-showmap and other tools. - afl-cc: + - new cmplog mode (incompatible with older afl++ versions) + - support llvm IR select instrumentation for default PCGUARD and LTO - fix for shared linking on MacOS - - llvm and LTO mode verified to work with new llvm 14-dev + - added AFL_USE_TSAN thread sanitizer support + - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by @@ -30,7 +53,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) - + - removed indirections in rust callbacks for unicornafl ### Version ++3.14c (release) - afl-fuzz: @@ -2748,7 +2771,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>. - Updated the documentation and added notes_for_asan.txt. Based on feedback from Hanno Boeck, Ben Laurie, and others. - - Moved the project to http://lcamtuf.coredump.cx/afl/. + - Moved the project to https://lcamtuf.coredump.cx/afl/. ### Version 0.46b: diff --git a/docs/FAQ.md b/docs/FAQ.md index 0e816062..68ca3bad 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -1,243 +1,153 @@ -# Frequently asked questions about AFL++ - -## Contents - - * [What is the difference between AFL and AFL++?](#what-is-the-difference-between-afl-and-afl) - * [I got a weird compile error from clang](#i-got-a-weird-compile-error-from-clang) - * [How to improve the fuzzing speed?](#how-to-improve-the-fuzzing-speed) - * [How do I fuzz a network service?](#how-do-i-fuzz-a-network-service) - * [How do I fuzz a GUI program?](#how-do-i-fuzz-a-gui-program) - * [What is an edge?](#what-is-an-edge) - * [Why is my stability below 100%?](#why-is-my-stability-below-100) - * [How can I improve the stability value?](#how-can-i-improve-the-stability-value) +# Frequently asked questions (FAQ) If you find an interesting or important question missing, submit it via -[https://github.com/AFLplusplus/AFLplusplus/issues](https://github.com/AFLplusplus/AFLplusplus/issues) - -## What is the difference between AFL and AFL++? - -American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting in -2013/2014, and when he left Google end of 2017 he stopped developing it. - -At the end of 2019 the Google fuzzing team took over maintenance of AFL, however -it is only accepting PRs from the community and is not developing enhancements -anymore. - -In the second quarter of 2019, 1 1/2 year later when no further development of -AFL had happened and it became clear there would none be coming, AFL++ -was born, where initially community patches were collected and applied -for bug fixes and enhancements. Then from various AFL spin-offs - mostly academic -research - features were integrated. This already resulted in a much advanced -AFL. - -Until the end of 2019 the AFL++ team had grown to four active developers which -then implemented their own research and features, making it now by far the most -flexible and feature rich guided fuzzer available as open source. -And in independent fuzzing benchmarks it is one of the best fuzzers available, -e.g. [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html) - -## I got a weird compile error from clang - -If you see this kind of error when trying to instrument a target with afl-cc/ -afl-clang-fast/afl-clang-lto: -``` -/prg/tmp/llvm-project/build/bin/clang-13: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv -clang-13: error: unable to execute command: No such file or directory -clang-13: error: clang frontend command failed due to signal (use -v to see invocation) -clang version 13.0.0 (https://github.com/llvm/llvm-project 1d7cf550721c51030144f3cd295c5789d51c4aad) -Target: x86_64-unknown-linux-gnu -Thread model: posix -InstalledDir: /prg/tmp/llvm-project/build/bin -clang-13: note: diagnostic msg: -******************** -``` -Then this means that your OS updated the clang installation from an upgrade -package and because of that the AFL++ llvm plugins do not match anymore. - -Solution: `git pull ; make clean install` of AFL++ - -## How to improve the fuzzing speed? - - 1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) - 2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase) - 3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase) - 4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md) - 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure) - 6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem - 7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads) - -## How do I fuzz a network service? - -The short answer is - you cannot, at least not "out of the box". - -Using a network channel is inadequate for several reasons: -- it has a slow-down of x10-20 on the fuzzing speed -- it does not scale to fuzzing multiple instances easily, -- instead of one initial data packet often a back-and-forth interplay of packets is needed for stateful protocols (which is totally unsupported by most coverage aware fuzzers). - -The established method to fuzz network services is to modify the source code -to read from a file or stdin (fd 0) (or even faster via shared memory, combine -this with persistent mode [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) -and you have a performance gain of x10 instead of a performance loss of over -x10 - that is a x100 difference!). - -If modifying the source is not an option (e.g. because you only have a binary -and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD -to emulate the network. This is also much faster than the real network would be. -See [utils/socket_fuzzing/](../utils/socket_fuzzing/). - -There is an outdated AFL++ branch that implements networking if you are -desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - -however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet)) -which allows you to define network state with different type of data packets. - -## How do I fuzz a GUI program? - -If the GUI program can read the fuzz data from a file (via the command line, -a fixed location or via an environment variable) without needing any user -interaction then it would be suitable for fuzzing. - -Otherwise it is not possible without modifying the source code - which is a -very good idea anyway as the GUI functionality is a huge CPU/time overhead -for the fuzzing. - -So create a new `main()` that just reads the test case and calls the -functionality for processing the input that the GUI program is using. - -## What is an "edge"? - -A program contains `functions`, `functions` contain the compiled machine code. -The compiled machine code in a `function` can be in a single or many `basic blocks`. -A `basic block` is the largest possible number of subsequent machine code -instructions that has exactly one entrypoint (which can be be entered by multiple other basic blocks) -and runs linearly without branching or jumping to other addresses (except at the end). -``` -function() { - A: - some - code - B: - if (x) goto C; else goto D; - C: - some code - goto E - D: - some code - goto B - E: - return -} -``` -Every code block between two jump locations is a `basic block`. - -An `edge` is then the unique relationship between two directly connected `basic blocks` (from the -code example above): -``` - Block A - | +[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions). + +## General + +<details> + <summary id="what-is-the-difference-between-afl-and-aflplusplus">What is the difference between AFL and AFL++?</summary><p> + + AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. + + American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting in 2013/2014, and when he left Google end of 2017 he stopped developing it. + + At the end of 2019, the Google fuzzing team took over maintenance of AFL, however it is only accepting PRs from the community and is not developing enhancements anymore. + + In the second quarter of 2019, 1 1/2 years later, when no further development of AFL had happened and it became clear there would none be coming, AFL++ was born, where initially community patches were collected and applied for bug fixes and enhancements. + Then from various AFL spin-offs - mostly academic research - features were integrated. + This already resulted in a much advanced AFL. + + Until the end of 2019, the AFL++ team had grown to four active developers which then implemented their own research and features, making it now by far the most flexible and feature rich guided fuzzer available as open source. + And in independent fuzzing benchmarks it is one of the best fuzzers available, e.g. [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html). +</p></details> + +<details> + <summary id="where-can-i-find-tutorials">Where can I find tutorials?</summary><p> + + We compiled a list of tutorials and exercises, see [tutorials.md](tutorials.md). +</p></details> + +<details> + <summary id="what-is-an-edge">What is an "edge"?</summary><p> + + A program contains `functions`, `functions` contain the compiled machine code. + The compiled machine code in a `function` can be in a single or many `basic blocks`. + A `basic block` is the largest possible number of subsequent machine code instructions that has exactly one entrypoint (which can be be entered by multiple other basic blocks) and runs linearly without branching or jumping to other addresses (except at the end). + + ``` + function() { + A: + some + code + B: + if (x) goto C; else goto D; + C: + some code + goto E + D: + some code + goto B + E: + return + } + ``` + + Every code block between two jump locations is a `basic block`. + + An `edge` is then the unique relationship between two directly connected `basic blocks` (from the code example above): + + ``` + Block A + | + v + Block B <------+ + / \ | + v v | + Block C Block D --+ + \ v - Block B <------+ - / \ | - v v | - Block C Block D --+ - \ - v - Block E -``` -Every line between two blocks is an `edge`. -Note that a few basic block loop to itself, this too would be an edge. - -## Why is my stability below 100%? - -Stability is measured by how many percent of the edges in the target are -"stable". Sending the same input again and again should take the exact same -path through the target every time. If that is the case, the stability is 100%. - -If however randomness happens, e.g. a thread reading other external data, -reaction to timing, etc. then in some of the re-executions with the same data -the edge coverage result will be different accross runs. -Those edges that change are then flagged "unstable". - -The more "unstable" edges, the more difficult for AFL++ to identify valid new -paths. - -A value above 90% is usually fine and a value above 80% is also still ok, and -even a value above 20% can still result in successful finds of bugs. -However, it is recommended that for values below 90% or 80% you should take -countermeasures to improve stability. - -## How can I improve the stability value? - -For fuzzing a 100% stable target that covers all edges is the best case. -A 90% stable target that covers all edges is however better than a 100% stable -target that ignores 10% of the edges. - -With instability you basically have a partial coverage loss on an edge, with -ignored functions you have a full loss on that edges. - -There are functions that are unstable, but also provide value to coverage, eg -init functions that use fuzz data as input for example. -If however a function that has nothing to do with the input data is the -source of instability, e.g. checking jitter, or is a hash map function etc. -then it should not be instrumented. - -To be able to exclude these functions (based on AFL++'s measured stability) -the following process will allow to identify functions with variable edges. - -Four steps are required to do this and it also requires quite some knowledge -of coding and/or disassembly and is effectively possible only with -afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. - - 1. First step: Instrument to be able to find the responsible function(s). - - a) For LTO instrumented binaries this can be documented during compile - time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/a/file`. - This file will have one assigned edge ID and the corresponding - function per line. - - b) For PCGUARD instrumented binaries it is much more difficult. Here you - can either modify the __sanitizer_cov_trace_pc_guard function in - instrumentation/afl-llvm-rt.o.c to write a backtrace to a file if the ID in - __afl_area_ptr[*guard] is one of the unstable edge IDs. - (Example code is already there). - Then recompile and reinstall llvm_mode and rebuild your target. - Run the recompiled target with afl-fuzz for a while and then check the - file that you wrote with the backtrace information. - Alternatively you can use `gdb` to hook __sanitizer_cov_trace_pc_guard_init - on start, check to which memory address the edge ID value is written - and set a write breakpoint to that address (`watch 0x.....`). - - c) in all other instrumentation types this is not possible. So just - recompile with the two mentioned above. This is just for - identifying the functions that have unstable edges. - - 2. Second step: Identify which edge ID numbers are unstable - - run the target with `export AFL_DEBUG=1` for a few minutes then terminate. - The out/fuzzer_stats file will then show the edge IDs that were identified - as unstable in the `var_bytes` entry. You can match these numbers - directly to the data you created in the first step. - Now you know which functions are responsible for the instability - - 3. Third step: create a text file with the filenames/functions - - Identify which source code files contain the functions that you need to - remove from instrumentation, or just specify the functions you want to - skip for instrumentation. Note that optimization might inline functions! - - Simply follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) - If PCGUARD is used, then you need to follow this guide (needs llvm 12+!): - [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) - - Only exclude those functions from instrumentation that provide no value - for coverage - that is if it does not process any fuzz data directly - or indirectly (e.g. hash maps, thread management etc.). - If however a function directly or indirectly handles fuzz data then you - should not put the function in a deny instrumentation list and rather - live with the instability it comes with. - - 4. Fourth step: recompile the target - - Recompile, fuzz it, be happy :) - - This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677) + Block E + ``` + + Every line between two blocks is an `edge`. + Note that a few basic block loop to itself, this too would be an edge. +</p></details> + +## Targets + +<details> + <summary id="how-can-i-fuzz-a-binary-only-target">How can I fuzz a binary-only target?</summary><p> + + AFL++ is a great fuzzer if you have the source code available. + + However, if there is only the binary program and no source code available, then the standard non-instrumented mode is not effective. + + To learn how these binaries can be fuzzed, read [binaryonly_fuzzing.md](binaryonly_fuzzing.md). +</p></details> + +<details> + <summary id="how-can-i-fuzz-a-network-service">How can I fuzz a network service?</summary><p> + + The short answer is - you cannot, at least not "out of the box". + + For more information on fuzzing network services, see [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service). +</p></details> + +<details> + <summary id="how-can-i-fuzz-a-gui-program">How can I fuzz a GUI program?</summary><p> + + Not all GUI programs are suitable for fuzzing. If the GUI program can read the fuzz data from a file without needing any user interaction, then it would be suitable for fuzzing. + + For more information on fuzzing GUI programs, see [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program). +</p></details> + +## Performance + +<details> + <summary id="how-can-i-improve-the-fuzzing-speed">How can I improve the fuzzing speed?</summary><p> + + There are a few things you can do to improve the fuzzing speed, see [best_practices.md#improving-speed](best_practices.md#improving-speed). +</p></details> + +<details> + <summary id="why-is-my-stability-below-100percent">Why is my stability below 100%?</summary><p> + + Stability is measured by how many percent of the edges in the target are "stable". + Sending the same input again and again should take the exact same path through the target every time. + If that is the case, the stability is 100%. + + If however randomness happens, e.g. a thread reading other external data, reaction to timing, etc., then in some of the re-executions with the same data the edge coverage result will be different accross runs. + Those edges that change are then flagged "unstable". + + The more "unstable" edges, the more difficult for AFL++ to identify valid new paths. + + A value above 90% is usually fine and a value above 80% is also still ok, and even a value above 20% can still result in successful finds of bugs. + However, it is recommended that for values below 90% or 80% you should take countermeasures to improve stability. + + For more information on stability and how to improve the stability value, see [best_practices.md#improving-stability](best_practices.md#improving-stability). +</p></details> + +## Troubleshooting + +<details> + <summary id="i-got-a-weird-compile-error-from-clang">I got a weird compile error from clang.</summary><p> + + If you see this kind of error when trying to instrument a target with afl-cc/afl-clang-fast/afl-clang-lto: + + ``` + /prg/tmp/llvm-project/build/bin/clang-13: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv + clang-13: error: unable to execute command: No such file or directory + clang-13: error: clang frontend command failed due to signal (use -v to see invocation) + clang version 13.0.0 (https://github.com/llvm/llvm-project 1d7cf550721c51030144f3cd295c5789d51c4aad) + Target: x86_64-unknown-linux-gnu + Thread model: posix + InstalledDir: /prg/tmp/llvm-project/build/bin + clang-13: note: diagnostic msg: + ******************** + ``` + + Then this means that your OS updated the clang installation from an upgrade package and because of that the AFL++ llvm plugins do not match anymore. + + Solution: `git pull ; make clean install` of AFL++. +</p></details> \ No newline at end of file diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 17af532a..cfa20dea 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -1,83 +1,89 @@ -# Installation instructions +# Building and installing AFL++ - This document provides basic installation instructions and discusses known - issues for a variety of platforms. See README.md for the general instruction - manual. +## Linux on x86 -## 1. Linux on x86 ---------------- +An easy way to install AFL++ with everything compiled is available via docker: +You can use the [Dockerfile](../Dockerfile) (which has gcc-10 and clang-11 - hence afl-clang-lto is available!) or just pull directly from the Docker Hub: -This platform is expected to work well. Compile the program with: - -```bash -make +```shell +docker pull aflplusplus/aflplusplus +docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` -You can start using the fuzzer without installation, but it is also possible to -install it with: - -```bash +This image is automatically generated when a push to the stable repo happens. +You will find your target source code in /src in the container. + +If you want to build AFL++ yourself, you have many options. +The easiest choice is to build and install everything: + +```shell +sudo apt-get update +sudo apt-get install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools +# try to install llvm 11 and install the distro default if that fails +sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev +sudo apt-get install -y ninja-build # for qemu_mode +git clone https://github.com/AFLplusplus/AFLplusplus +cd AFLplusplus +make distrib sudo make install ``` -There are no special dependencies to speak of; you will need GNU make and a -working compiler (gcc or clang). Some of the optional scripts bundled with the -program may depend on bash, gdb, and similar basic tools. - -If you are using clang, please review README.llvm.md; the LLVM -integration mode can offer substantial performance gains compared to the -traditional approach. +It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! -Likewise, if you are using GCC, please review instrumentation/README.gcc_plugin.md. +Note that "make distrib" also builds instrumentation, qemu_mode, unicorn_mode and more. +If you just want plain AFL++, then do "make all". However, compiling and using at least instrumentation is highly recommended for much better results - hence in this case choose: -You may have to change several settings to get optimal results (most notably, -disable crash reporting utilities and switch to a different CPU governor), but -afl-fuzz will guide you through that if necessary. - -## 2. OpenBSD, FreeBSD, NetBSD on x86 - -Similarly to Linux, these platforms are expected to work well and are -regularly tested. Compile everything with GNU make: - -```bash -gmake +```shell +make source-only ``` -Note that BSD make will *not* work; if you do not have gmake on your system, -please install it first. As on Linux, you can use the fuzzer itself without -installation, or install it with: - -``` -sudo gmake install +These build targets exist: + +* all: just the main AFL++ binaries +* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap +* source-only: everything for source code fuzzing: instrumentation, libdislocator, libtokencap +* distrib: everything (for both binary-only and source code fuzzing) +* man: creates simple man pages from the help option of the programs +* install: installs everything you have compiled with the build options above +* clean: cleans everything compiled, not downloads (unless not on a checkout) +* deepclean: cleans everything including downloads +* code-format: format the code, do this before you commit and send a PR please! +* tests: runs test cases to ensure that all features are still working as they should +* unit: perform unit tests (based on cmocka) +* help: shows these build options + +[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), you can also build statically linked versions of the AFL++ binaries by passing the `STATIC=1` argument to make: + +```shell +make STATIC=1 ``` -Keep in mind that if you are using csh as your shell, the syntax of some of the -shell commands given in the README.md and other docs will be different. - -The `llvm` requires a dynamically linked, fully-operational installation of -clang. At least on FreeBSD, the clang binaries are static and do not include -some of the essential tools, so if you want to make it work, you may need to -follow the instructions in README.llvm.md. +These build options exist: -Beyond that, everything should work as advertised. +* STATIC - compile AFL++ static +* ASAN_BUILD - compiles with memory sanitizer for debug purposes +* DEBUG - no optimization, -ggdb3, all warnings and -Werror +* PROFILING - compile with profiling information (gprof) +* INTROSPECTION - compile afl-fuzz with mutation introspection +* NO_PYTHON - disable python support +* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* AFL_NO_X86 - if compiling on non-intel/amd platforms +* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian) -The QEMU mode is currently supported only on Linux. I think it's just a QEMU -problem, I couldn't get a vanilla copy of user-mode emulation support working -correctly on BSD at all. +e.g.: `make ASAN_BUILD=1` -## 3. MacOS X on x86 and arm64 (M1) +## MacOS X on x86 and arm64 (M1) -MacOS X should work, but there are some gotchas due to the idiosyncrasies of -the platform. On top of this, I have limited release testing capabilities -and depend mostly on user feedback. +MacOS X should work, but there are some gotchas due to the idiosyncrasies of the platform. +On top of this, we have limited release testing capabilities and depend mostly on user feedback. -To build AFL, install llvm (and perhaps gcc) from brew and follow the general -instructions for Linux. If possible avoid Xcode at all cost. +To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. +If possible, avoid Xcode at all cost. `brew install wget git make cmake llvm gdb` -Be sure to setup PATH to point to the correct clang binaries and use the -freshly installed clang, clang++ and gmake, e.g.: +Be sure to setup `PATH` to point to the correct clang binaries and use the freshly installed clang, clang++ and gmake, e.g.: ``` export PATH="/usr/local/Cellar/llvm/12.0.1/bin/:$PATH" @@ -90,19 +96,20 @@ cd .. gmake install ``` -afl-gcc will fail unless you have GCC installed, but that is using outdated -instrumentation anyway. You don't want that. -Note that afl-clang-lto, afl-gcc-fast and qemu_mode are not working on MacOS. +`afl-gcc` will fail unless you have GCC installed, but that is using outdated instrumentation anyway. +You don't want that. +Note that `afl-clang-lto`, `afl-gcc-fast` and `qemu_mode` are not working on MacOS. + +The crash reporting daemon that comes by default with MacOS X will cause problems with fuzzing. +You need to turn it off: -The crash reporting daemon that comes by default with MacOS X will cause -problems with fuzzing. You need to turn it off: ``` launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist ``` -The `fork()` semantics on OS X are a bit unusual compared to other unix systems -and definitely don't look POSIX-compliant. This means two things: +The `fork()` semantics on OS X are a bit unusual compared to other unix systems and definitely don't look POSIX-compliant. +This means two things: - Fuzzing will be probably slower than on Linux. In fact, some folks report considerable performance gains by running the jobs inside a Linux VM on @@ -111,13 +118,11 @@ and definitely don't look POSIX-compliant. This means two things: AFL forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the environment before starting afl-fuzz. -User emulation mode of QEMU does not appear to be supported on MacOS X, so -black-box instrumentation mode (`-Q`) will not work. -However Frida mode (`-O`) should work on x86 and arm64 MacOS boxes. +User emulation mode of QEMU does not appear to be supported on MacOS X, so black-box instrumentation mode (`-Q`) will not work. +However, Frida mode (`-O`) should work on x86 and arm64 MacOS boxes. -MacOS X supports SYSV shared memory used by AFL's instrumentation, but the -default settings aren't usable with AFL++. The default settings on 10.14 seem -to be: +MacOS X supports SYSV shared memory used by AFL's instrumentation, but the default settings aren't usable with AFL++. +The default settings on 10.14 seem to be: ```bash $ ipcs -M @@ -130,16 +135,14 @@ shminfo: shmall: 1024 (max amount of shared memory in pages) ``` -To temporarily change your settings to something minimally usable with AFL++, -run these commands as root: +To temporarily change your settings to something minimally usable with AFL++, run these commands as root: ```bash sysctl kern.sysv.shmmax=8388608 sysctl kern.sysv.shmall=4096 ``` -If you're running more than one instance of AFL you likely want to make `shmall` -bigger and increase `shmseg` as well: +If you're running more than one instance of AFL, you likely want to make `shmall` bigger and increase `shmseg` as well: ```bash sysctl kern.sysv.shmmax=8388608 @@ -147,91 +150,4 @@ sysctl kern.sysv.shmseg=48 sysctl kern.sysv.shmall=98304 ``` -See http://www.spy-hill.com/help/apple/SharedMemory.html for documentation for -these settings and how to make them permanent. - -## 4. Linux or *BSD on non-x86 systems - -Standard build will fail on non-x86 systems, but you should be able to -leverage two other options: - - - The LLVM mode (see README.llvm.md), which does not rely on - x86-specific assembly shims. It's fast and robust, but requires a - complete installation of clang. - - The QEMU mode (see qemu_mode/README.md), which can be also used for - fuzzing cross-platform binaries. It's slower and more fragile, but - can be used even when you don't have the source for the tested app. - -If you're not sure what you need, you need the LLVM mode, which is built by -default. - -...and compile your target program with afl-clang-fast or afl-clang-fast++ -instead of the traditional afl-gcc or afl-clang wrappers. - -## 5. Solaris on x86 - -The fuzzer reportedly works on Solaris, but I have not tested this first-hand, -and the user base is fairly small, so I don't have a lot of feedback. - -To get the ball rolling, you will need to use GNU make and GCC or clang. I'm -being told that the stock version of GCC that comes with the platform does not -work properly due to its reliance on a hardcoded location for 'as' (completely -ignoring the `-B` parameter or `$PATH`). - -To fix this, you may want to build stock GCC from the source, like so: - -```sh -./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \ - --with-gmp-include=/usr/include/gmp --with-mpfr-include=/usr/include/mpfr -make -sudo make install -``` - -Do *not* specify `--with-as=/usr/gnu/bin/as` - this will produce a GCC binary that -ignores the `-B` flag and you will be back to square one. - -Note that Solaris reportedly comes with crash reporting enabled, which causes -problems with crashes being misinterpreted as hangs, similarly to the gotchas -for Linux and MacOS X. AFL does not auto-detect crash reporting on this -particular platform, but you may need to run the following command: - -```sh -coreadm -d global -d global-setid -d process -d proc-setid \ - -d kzone -d log -``` - -User emulation mode of QEMU is not available on Solaris, so black-box -instrumentation mode (`-Q`) will not work. - -## 6. Everything else - -You're on your own. On POSIX-compliant systems, you may be able to compile and -run the fuzzer; and the LLVM and GCC plugin modes may offer a way to instrument -non-x86 code. - -The fuzzer will run on Windows in WSL only. It will not work under Cygwin on in the normal Windows world. It -could be ported to the latter platform fairly easily, but it's a pretty bad -idea, because Cygwin is extremely slow. It makes much more sense to use -VirtualBox or so to run a hardware-accelerated Linux VM; it will run around -20x faster or so. If you have a *really* compelling use case for Cygwin, let -me know. - -Although Android on x86 should theoretically work, the stock kernel may have -SHM support compiled out, and if so, you may have to address that issue first. -It's possible that all you need is this workaround: - - https://github.com/pelya/android-shmem - -Joshua J. Drake notes that the Android linker adds a shim that automatically -intercepts `SIGSEGV` and related signals. To fix this issue and be able to see -crashes, you need to put this at the beginning of the fuzzed program: - -```sh - signal(SIGILL, SIG_DFL); - signal(SIGABRT, SIG_DFL); - signal(SIGBUS, SIG_DFL); - signal(SIGFPE, SIG_DFL); - signal(SIGSEGV, SIG_DFL); -``` - -You may need to `#include <signal.h>` first. +See [https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent. \ No newline at end of file diff --git a/docs/QuickStartGuide.md b/docs/QuickStartGuide.md deleted file mode 100644 index 2d056ecf..00000000 --- a/docs/QuickStartGuide.md +++ /dev/null @@ -1,50 +0,0 @@ -# AFL quick start guide - -You should read [README.md](../README.md) - it's pretty short. If you really can't, here's -how to hit the ground running: - -1) Compile AFL with 'make'. If build fails, see [INSTALL.md](INSTALL.md) for tips. - -2) Find or write a reasonably fast and simple program that takes data from - a file or stdin, processes it in a test-worthy way, then exits cleanly. - If testing a network service, modify it to run in the foreground and read - from stdin. When fuzzing a format that uses checksums, comment out the - checksum verification code, too. - - If this is not possible (e.g. in -Q(emu) mode) then use - AFL_CUSTOM_MUTATOR_LIBRARY to calculate the values with your own library. - - The program must crash properly when a fault is encountered. Watch out for - custom SIGSEGV or SIGABRT handlers and background processes. For tips on - detecting non-crashing flaws, see section 11 in [README.md](README.md) . - -3) Compile the program / library to be fuzzed using afl-cc. A common way to - do this would be: - - CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared - make clean all - -4) Get a small but valid input file that makes sense to the program. When - fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in - dictionaries/README.md, too. - -5) If the program reads from stdin, run 'afl-fuzz' like so: - - ./afl-fuzz -i testcase_dir -o findings_dir -- \ - /path/to/tested/program [...program's cmdline...] - - If the program takes input from a file, you can put @@ in the program's - command line; AFL will put an auto-generated file name in there for you. - -6) Investigate anything shown in red in the fuzzer UI by promptly consulting - [status_screen.md](status_screen.md). - -8) There is a basic docker build with 'docker build -t aflplusplus .' - -That's it. Sit back, relax, and - time permitting - try to skim through the -following files: - - - README.md - A general introduction to AFL, - - docs/perf_tips.md - Simple tips on how to fuzz more quickly, - - docs/status_screen.md - An explanation of the tidbits shown in the UI, - - docs/parallel_fuzzing.md - Advice on running AFL on multiple cores. diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md new file mode 100644 index 00000000..5652816b --- /dev/null +++ b/docs/afl-fuzz_approach.md @@ -0,0 +1,37 @@ +# The afl-fuzz approach + +American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple +but rock-solid instrumentation-guided genetic algorithm. It uses a modified +form of edge coverage to effortlessly pick up subtle, local-scale changes to +program control flow. + +Simplifying a bit, the overall algorithm can be summed up as: + + 1) Load user-supplied initial test cases into the queue, + + 2) Take the next input file from the queue, + + 3) Attempt to trim the test case to the smallest size that doesn't alter + the measured behavior of the program, + + 4) Repeatedly mutate the file using a balanced and well-researched variety + of traditional fuzzing strategies, + + 5) If any of the generated mutations resulted in a new state transition + recorded by the instrumentation, add mutated output as a new entry in the + queue. + + 6) Go to 2. + +The discovered test cases are also periodically culled to eliminate ones that +have been obsoleted by newer, higher-coverage finds; and undergo several other +instrumentation-driven effort minimization steps. + +As a side result of the fuzzing process, the tool creates a small, +self-contained corpus of interesting test cases. These are extremely useful +for seeding other, labor- or resource-intensive testing regimes - for example, +for stress-testing browsers, office applications, graphics suites, or +closed-source tools. + +The fuzzer is thoroughly tested to deliver out-of-the-box performance far +superior to blind fuzzing or coverage-only tools. \ No newline at end of file diff --git a/docs/best_practices.md b/docs/best_practices.md new file mode 100644 index 00000000..5d07dd14 --- /dev/null +++ b/docs/best_practices.md @@ -0,0 +1,120 @@ +# Best practices + +## Contents + +### Targets + + * [Fuzzing a binary-only target](#fuzzing-a-binary-only-target) + * [Fuzzing a GUI program](#fuzzing-a-gui-program) + * [Fuzzing a network service](#fuzzing-a-network-service) + +### Improvements + + * [Improving speed](#improving-speed) + * [Improving stability](#improving-stability) + +## Targets + +### Fuzzing a binary-only target + +For a comprehensive guide, see [binaryonly_fuzzing.md](binaryonly_fuzzing.md). + +### Fuzzing a GUI program + +If the GUI program can read the fuzz data from a file (via the command line, a fixed location or via an environment variable) without needing any user interaction, then it would be suitable for fuzzing. + +Otherwise, it is not possible without modifying the source code - which is a very good idea anyway as the GUI functionality is a huge CPU/time overhead for the fuzzing. + +So create a new `main()` that just reads the test case and calls the functionality for processing the input that the GUI program is using. + +### Fuzzing a network service + +Fuzzing a network service does not work "out of the box". + +Using a network channel is inadequate for several reasons: +- it has a slow-down of x10-20 on the fuzzing speed +- it does not scale to fuzzing multiple instances easily, +- instead of one initial data packet often a back-and-forth interplay of packets is needed for stateful protocols (which is totally unsupported by most coverage aware fuzzers). + +The established method to fuzz network services is to modify the source code +to read from a file or stdin (fd 0) (or even faster via shared memory, combine +this with persistent mode [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) +and you have a performance gain of x10 instead of a performance loss of over +x10 - that is a x100 difference!). + +If modifying the source is not an option (e.g. because you only have a binary +and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD +to emulate the network. This is also much faster than the real network would be. +See [utils/socket_fuzzing/](../utils/socket_fuzzing/). + +There is an outdated AFL++ branch that implements networking if you are +desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - +however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet)) +which allows you to define network state with different type of data packets. + +## Improvements + +### Improving speed + +1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended). +2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase). +3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase). +4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md). +5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure). +6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem. +7. Use your cores! [fuzzing_expert.md:b) Using multiple cores](fuzzing_expert.md#b-using-multiple-cores). + +### Improving stability + +For fuzzing a 100% stable target that covers all edges is the best case. +A 90% stable target that covers all edges is however better than a 100% stable target that ignores 10% of the edges. + +With instability, you basically have a partial coverage loss on an edge, with ignored functions you have a full loss on that edges. + +There are functions that are unstable, but also provide value to coverage, e.g., init functions that use fuzz data as input. +If however a function that has nothing to do with the input data is the source of instability, e.g., checking jitter, or is a hash map function etc., then it should not be instrumented. + +To be able to exclude these functions (based on AFL++'s measured stability), the following process will allow to identify functions with variable edges. + +Four steps are required to do this and it also requires quite some knowledge of coding and/or disassembly and is effectively possible only with `afl-clang-fast` `PCGUARD` and `afl-clang-lto` `LTO` instrumentation. + + 1. Instrument to be able to find the responsible function(s): + + a) For LTO instrumented binaries, this can be documented during compile time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/a/file`. + This file will have one assigned edge ID and the corresponding function per line. + + b) For PCGUARD instrumented binaries, it is much more difficult. Here you can either modify the `__sanitizer_cov_trace_pc_guard` function in `instrumentation/afl-llvm-rt.o.c` to write a backtrace to a file if the ID in `__afl_area_ptr[*guard]` is one of the unstable edge IDs. + (Example code is already there). + Then recompile and reinstall `llvm_mode` and rebuild your target. + Run the recompiled target with `afl-fuzz` for a while and then check the file that you wrote with the backtrace information. + Alternatively, you can use `gdb` to hook `__sanitizer_cov_trace_pc_guard_init` on start, check to which memory address the edge ID value is written, and set a write breakpoint to that address (`watch 0x.....`). + + c) In other instrumentation types, this is not possible. + So just recompile with the two mentioned above. + This is just for identifying the functions that have unstable edges. + + 2. Identify which edge ID numbers are unstable. + + Run the target with `export AFL_DEBUG=1` for a few minutes then terminate. + The out/fuzzer_stats file will then show the edge IDs that were identified + as unstable in the `var_bytes` entry. You can match these numbers + directly to the data you created in the first step. + Now you know which functions are responsible for the instability + + 3. Create a text file with the filenames/functions + + Identify which source code files contain the functions that you need to remove from instrumentation, or just specify the functions you want to skip for instrumentation. + Note that optimization might inline functions! + + Follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). + If `PCGUARD` is used, then you need to follow this guide (needs llvm 12+!): + [https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) + + Only exclude those functions from instrumentation that provide no value for coverage - that is if it does not process any fuzz data directly or indirectly (e.g. hash maps, thread management etc.). + If however a function directly or indirectly handles fuzz data, then you should not put the function in a deny instrumentation list and rather live with the instability it comes with. + + 4. Recompile the target + + Recompile, fuzz it, be happy :) + + This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677). diff --git a/docs/beyond_crashes.md b/docs/beyond_crashes.md new file mode 100644 index 00000000..4836419c --- /dev/null +++ b/docs/beyond_crashes.md @@ -0,0 +1,23 @@ +# Going beyond crashes + +Fuzzing is a wonderful and underutilized technique for discovering non-crashing +design and implementation errors, too. Quite a few interesting bugs have been +found by modifying the target programs to call abort() when say: + + - Two bignum libraries produce different outputs when given the same + fuzzer-generated input, + + - An image library produces different outputs when asked to decode the same + input image several times in a row, + + - A serialization / deserialization library fails to produce stable outputs + when iteratively serializing and deserializing fuzzer-supplied data, + + - A compression library produces an output inconsistent with the input file + when asked to compress and then decompress a particular blob. + +Implementing these or similar sanity checks usually takes very little time; +if you are the maintainer of a particular package, you can make this code +conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also +shared with libfuzzer and honggfuzz) or `#ifdef __AFL_COMPILER` (this one is +just for AFL). \ No newline at end of file diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 90ea3b66..2c0872cf 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md @@ -96,12 +96,22 @@ It is slower than AFL FRIDA (see above). +## ZAFL + ZAFL is a static rewriting platform supporting x86-64 C/C++, stripped/unstripped, + and PIE/non-PIE binaries. Beyond conventional instrumentation, ZAFL's API enables + transformation passes (e.g., laf-Intel, context sensitivity, InsTrim, etc.). + + Its baseline instrumentation speed typically averages 90-95% of afl-clang-fast's. + + [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) + + ## DYNINST Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio (see far below). However whereas Pintool and Dynamorio work at runtime, dyninst instruments the target at load time, and then let it run - - or save the binary with the changes. + or save the binary with the changes. This is great for some things, e.g. fuzzing, and not so effective for others, e.g. malware analysis. @@ -116,13 +126,10 @@ The speed decrease is about 15-35%, depending on the optimization options used with afl-dyninst. - So if Dyninst works, it is the best option available. Otherwise it just - doesn't work well. - [https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) -## RETROWRITE, ZAFL, ... other binary rewriter +## RETROWRITE If you have an x86/x86_64 binary that still has its symbols, is compiled with position independant code (PIC/PIE) and does not use most of the C++ @@ -131,7 +138,6 @@ It is at about 80-85% performance. - [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) @@ -169,13 +175,9 @@ ## CORESIGHT Coresight is ARM's answer to Intel's PT. - There is no implementation so far which handles coresight and getting - it working on an ARM Linux is very difficult due to custom kernel building - on embedded systems is difficult. And finding one that has coresight in - the ARM chip is difficult too. - My guess is that it is slower than Qemu, but faster than Intel PT. - - If anyone finds any coresight implementation for AFL please ping me: vh@thc.org + With afl++ v3.15 there is a coresight tracer implementation available in + `coresight_mode/` which is faster than QEMU, however can not run in parallel. + Currently only one process can be traced, it is WIP. ## PIN & DYNAMORIO diff --git a/docs/branches.md b/docs/branches.md new file mode 100644 index 00000000..ae147b08 --- /dev/null +++ b/docs/branches.md @@ -0,0 +1,11 @@ +# Branches + +The following branches exist: + +* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest release +* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability +* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* +* (any other): experimental branches to work on specific features or testing new functionality or changes. + +For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. +Also take a look at the list of [important changes in AFL++](important_changes.md). \ No newline at end of file diff --git a/docs/choosing_testcases.md b/docs/choosing_testcases.md new file mode 100644 index 00000000..25002929 --- /dev/null +++ b/docs/choosing_testcases.md @@ -0,0 +1,19 @@ +# Choosing initial test cases + +To operate correctly, the fuzzer requires one or more starting file that +contains a good example of the input data normally expected by the targeted +application. There are two basic rules: + + - Keep the files small. Under 1 kB is ideal, although not strictly necessary. + For a discussion of why size matters, see [perf_tips.md](perf_tips.md). + + - Use multiple test cases only if they are functionally different from + each other. There is no point in using fifty different vacation photos + to fuzz an image library. + +You can find many good examples of starting files in the testcases/ subdirectory +that comes with this tool. + +PS. If a large corpus of data is available for screening, you may want to use +the afl-cmin utility to identify a subset of functionally distinct files that +exercise different code paths in the target binary. \ No newline at end of file diff --git a/docs/ci_fuzzing.md b/docs/ci_fuzzing.md new file mode 100644 index 00000000..8d1a2f99 --- /dev/null +++ b/docs/ci_fuzzing.md @@ -0,0 +1,29 @@ +# CI Fuzzing + +Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing campaigns as these are much shorter runnings. + +1. Always: + * LTO has a much longer compile time which is diametrical to short fuzzing - hence use afl-clang-fast instead. + * If you compile with CMPLOG then you can save fuzzing time and reuse that compiled target for both the -c option and the main fuzz target. + This will impact the speed by ~15% though. + * `AFL_FAST_CAL` - Enable fast calibration, this halfs the time the saturated corpus needs to be loaded. + * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the initial corpus as this very likely has been done for them already. + * Keep the generated corpus, use afl-cmin and reuse it every time! + +2. Additionally randomize the AFL++ compilation options, e.g. + * 40% for `AFL_LLVM_CMPLOG` + * 10% for `AFL_LLVM_LAF_ALL` + +3. Also randomize the afl-fuzz runtime options, e.g. + * 65% for `AFL_DISABLE_TRIM` + * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` + * 40% use MOpt (`-L 0`) + * 40% for `AFL_EXPAND_HAVOC_NOW` + * 20% for old queue processing (`-Z`) + * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3` + +4. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing. +`-M` enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs. + +How this can look like can e.g. be seen at AFL++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl) +and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py). diff --git a/docs/common_sense_risks.md b/docs/common_sense_risks.md new file mode 100644 index 00000000..a8d68d7a --- /dev/null +++ b/docs/common_sense_risks.md @@ -0,0 +1,36 @@ +# Common sense risks + +Please keep in mind that, similarly to many other computationally-intensive +tasks, fuzzing may put a strain on your hardware and on the OS. In particular: + + - Your CPU will run hot and will need adequate cooling. In most cases, if + cooling is insufficient or stops working properly, CPU speeds will be + automatically throttled. That said, especially when fuzzing on less + suitable hardware (laptops, smartphones, etc), it's not entirely impossible + for something to blow up. + + - Targeted programs may end up erratically grabbing gigabytes of memory or + filling up disk space with junk files. AFL++ tries to enforce basic memory + limits, but can't prevent each and every possible mishap. The bottom line + is that you shouldn't be fuzzing on systems where the prospect of data loss + is not an acceptable risk. + + - Fuzzing involves billions of reads and writes to the filesystem. On modern + systems, this will be usually heavily cached, resulting in fairly modest + "physical" I/O - but there are many factors that may alter this equation. + It is your responsibility to monitor for potential trouble; with very heavy + I/O, the lifespan of many HDDs and SSDs may be reduced. + + A good way to monitor disk I/O on Linux is the 'iostat' command: + +```shell + $ iostat -d 3 -x -k [...optional disk ID...] +``` + + Using the `AFL_TMPDIR` environment variable and a RAM-disk you can have the + heavy writing done in RAM to prevent the aforementioned wear and tear. For + example the following line will run a Docker container with all this preset: + + ```shell + # docker run -ti --mount type=tmpfs,destination=/ramdisk -e AFL_TMPDIR=/ramdisk aflplusplus/aflplusplus + ``` \ No newline at end of file diff --git a/docs/docs2.md b/docs/docs2.md new file mode 100644 index 00000000..23ef61c5 --- /dev/null +++ b/docs/docs2.md @@ -0,0 +1,124 @@ +# Restructure AFL++'s documentation - Case Study + +## Problem statement + +AFL++ inherited it's documentation from the original Google AFL project. +Since then it has been massively improved - feature and performance wise - +and although the documenation has likewise been continued it has grown out +of proportion. +The documentation is done by non-natives to the English language, plus +none of us has a writer background. + +We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord +channels, web forums and as issues in our repository. +Most of them could be answered if people would read through all the +documentation. + +This only increases as AFL++ has been on the top of Google's fuzzbench +statistics (which measures the performance of fuzzers) and has been +integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix +packaging repositories, e.g. Debian, FreeBSD, etc. + +AFL++ had 44 (!) documentation files with 13k total lines of content. +This was way too much. + +## Proposal abstract + +AFL++'s documentatin needs a complete overhaul, both on a +organisation/structural level as well as the content. + +Overall the following actions have to be performed: + * Create a better structure of documentation so it is easier to find the + information that is being looked for, combining and/or splitting up the + existing documents as needed. + * Rewrite some documentation to remove duplication. Several information is + present several times in the documentation. These should be removed to + where needed so that we have as little bloat as possible. + * The documents have been written and modified by a lot of different people, + most of them non-native English speaker. Hence an overall review where + parts should be rewritten has to be performed and then the rewrite done. + * Create a cheat-sheet for a very short best-setup build and run of AFL++ + * Pictures explain more than 1000 words. We need at least 4 images that + explain the workflow with AFL++: + - the build workflow + - the fuzzing workflow + - the fuzzing campaign management workflow + - the overall workflow that is an overview of the above + - maybe more? where the technical writes seems it necessary for + understanding. + +Requirements: + * Documentation has to be in Markdown format + * Images have to be either in SVG or PNG format. + * All documentation should be (moved) in(to) docs/ + +## Project description + +We created our proposal by discussing in the team what the issues are and +what was needed to fix it. +This resulted in the [project proposal](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/docs.md). + +We did not want to be selected by a writer but select a writer ourselves, so +we combed through the list and reviewed every single one of them. +We were not looking for coders writing technical documentation, but rather +someone who is an experienced writer and has documented experience with +structuring documentation. +Few fit that profile and we sent out messages to 6 people. +We finally decided on Jana because she had a strong background in technical +documentation and structuring information. +She had no technical experience in fuzzing whatsoever, but we saw that as +a plus - of course this made the whole process longer to explain details, +but overall ensured that the documentation can be read by (mostly) everyone. + +We communicated via video calls every few weeks and she kept a public kanban +board about her todos, additional we used a Signal channel. +Her changes were imported via PRs where we discussed details. + +The project was off to a good start, but then Jana got pregnant with serious +side effects that made working impossible for her for a longer time, hence +the schedule was thrown back. +She offered to rescind the payment and we select a new writer, but we saw +little opportunity in that, as that would mean a new selection of a writer, +someone else with a different vision on how the result should look like so +basically a full restart of the project and a large impact on our own time. +So we agreed on - after discussion with the Google GSoD team - that she +continues the project after the GSoD completion deadline as best as she can. + +End of November she took one week off from work and fully dedicated her time +for the documenation which brought the project a big step forward. + +Originally the project should have been ended begin of October, but now - at +nearing the end of November, we are at about 85% completion, with the end +being expected around mid of December. + +## Metrics + +We merged most of the changes in our development branch and are getting +close to a state where the user documentation part is completed and we +can create a new release. Only then the new documentatin is actually visible +to users. Therefore no metrics could be collected so far. + +We plan on a user-assisted QA review end of November/begin of December. + +The documentation was reviewed by a few test users so far however who gave +it a thumbs up. + +## Summary + +The GSoD project itself is great. It helps to get the documentation back in +line. +It was and is a larger time investment from our side, but we expected that. +When the project is done, the documentation will be more accessible by users +and also need less maintenance by us. +There is still follow-up work to be done by us afterwards (web site for the +docs, etc.). + +Not sure what we would do differently next time. I think we prepared best as +possible and reacted best as possible to the unexpected. + +Recommendations for other organizations who would like to participate in GSoD: + - expect the process to take a larger part of your time. the writer needs + your full support. + - have someone dedicated from the dev/org side to support, educate and + supervice the writer + - set clear goals and expectations diff --git a/docs/env_variables.md b/docs/env_variables.md index 0686f1a8..65cca0dc 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -1,88 +1,78 @@ -# Environmental variables +# Environment variables - This document discusses the environment variables used by American Fuzzy Lop++ - to expose various exotic functions that may be (rarely) useful for power - users or for some types of custom fuzzing setups. See [README.md](README.md) for the general - instruction manual. + This document discusses the environment variables used by AFL++ to expose + various exotic functions that may be (rarely) useful for power users or for + some types of custom fuzzing setups. For general information about AFL++, see + [README.md](../README.md). - Note that most tools will warn on any unknown AFL environment variables. - This is for warning on typos that can happen. If you want to disable this - check then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable. + Note: Most tools will warn on any unknown AFL++ environment variables; for + example, because of typos. If you want to disable this check, then set the + `AFL_IGNORE_UNKNOWN_ENVS` environment variable. ## 1) Settings for all compilers -Starting with AFL++ 3.0 there is only one compiler: afl-cc -To select the different instrumentation modes this can be done by - 1. passing the --afl-MODE command line option to the compiler - 2. or using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, - afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, - afl-gcc-fast, afl-g++-fast - 3. or using the environment variable `AFL_CC_COMPILER` with `MODE` - -`MODE` can be one of `LTO` (afl-clang-lto*), `LLVM` (afl-clang-fast*), `GCC_PLUGIN` -(afl-g*-fast) or `GCC` (afl-gcc/afl-g++). - -Because (with the exception of the --afl-MODE command line option) the -compile-time tools do not accept AFL specific command-line options, they -make fairly broad use of environmental variables instead: - - - Some build/configure scripts break with AFL++ compilers. To be able to - pass them, do: -``` - export CC=afl-cc - export CXX=afl-c++ - export AFL_NOOPT=1 - ./configure --disable-shared --disabler-werror - unset AFL_NOOPT - make -``` - - - Most AFL tools do not print any output if stdout/stderr are redirected. - If you want to get the output into a file then set the `AFL_DEBUG` - environment variable. - This is sadly necessary for various build processes which fail otherwise. +Starting with AFL++ 3.0, there is only one compiler: afl-cc. + +To select the different instrumentation modes, use one of the following options: + + - Pass the --afl-MODE command-line option to the compiler. Only this option + accepts further AFL-specific command-line options. + - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, + afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-g++, afl-g++-fast, + afl-gcc, afl-gcc-fast. This option does not accept AFL-specific command-line + options. Instead, use environment variables. + - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select + `MODE`, use one of the following values: + + - `GCC` (afl-gcc/afl-g++) + - `GCC_PLUGIN` (afl-g*-fast) + - `LLVM` (afl-clang-fast*) + - `LTO` (afl-clang-lto*). + +The compile-time tools do not accept AFL-specific command-line options. The +--afl-MODE command line option is the only exception. The other options make +fairly broad use of environment variables instead: + + - Some build/configure scripts break with AFL++ compilers. To be able to pass + them, do: + + ``` + export CC=afl-cc + export CXX=afl-c++ + export AFL_NOOPT=1 + ./configure --disable-shared --disabler-werror + unset AFL_NOOPT + make + ``` + + - Setting `AFL_AS`, `AFL_CC`, and `AFL_CXX` lets you use alternate downstream + compilation tools, rather than the default 'as', 'clang', or 'gcc' binaries + in your `$PATH`. - - Setting `AFL_HARDEN` automatically adds code hardening options when invoking - the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and - `-fstack-protector-all`. The setting is useful for catching non-crashing - memory bugs at the expense of a very slight (sub-5%) performance loss. + - If you are a weird person that wants to compile and instrument asm text + files, then use the `AFL_AS_FORCE_INSTRUMENT` variable: + `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` + + - Most AFL tools do not print any output if stdout/stderr are redirected. If + you want to get the output into a file, then set the `AFL_DEBUG` environment + variable. This is sadly necessary for various build processes which fail + otherwise. - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this will cause problems in programs built with -Werror, simply because `-O3` - enables more thorough code analysis and can spew out additional warnings. - To disable optimizations, set `AFL_DONT_OPTIMIZE`. - However if `-O...` and/or `-fno-unroll-loops` are set, these are not - overridden. - - - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports it. - - (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the - same gotchas; the modes are mutually exclusive. UBSAN can be enabled - similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally - there is the Control Flow Integrity sanitizer that can be activated by - `AFL_USE_CFISAN=1`) - - - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided - that your compiler supports it. To perform a leak check within your - program at a certain point (such as at the end of an __AFL_LOOP), - you can run the macro __AFL_LEAK_CHECK(); which will cause - an abort if any memory is leaked (you can combine this with the - LSAN_OPTIONS=suppressions option to supress some known leaks). - - - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream - compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries - in your `$PATH`. + enables more thorough code analysis and can spew out additional warnings. To + disable optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or + `-fno-unroll-loops` are set, these are not overridden. - - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. - One possible use of this is utils/clang_asm_normalize/, which lets - you instrument hand-written assembly when compiling clang code by plugging - a normalizer into the chain. (There is no equivalent feature for GCC.) + - Setting `AFL_HARDEN` automatically adds code hardening options when invoking + the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and + `-fstack-protector-all`. The setting is useful for catching non-crashing + memory bugs at the expense of a very slight (sub-5%) performance loss. - Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the - probability of instrumenting every branch. This is (very rarely) useful - when dealing with exceptionally complex programs that saturate the output - bitmap. Examples include v8, ffmpeg, and perl. + probability of instrumenting every branch. This is (very rarely) useful when + dealing with exceptionally complex programs that saturate the output bitmap. + Examples include ffmpeg, perl, and v8. (If this ever happens, afl-fuzz will warn you ahead of the time by displaying the "bitmap density" field in fiery red.) @@ -90,491 +80,524 @@ make fairly broad use of environmental variables instead: Setting `AFL_INST_RATIO` to 0 is a valid choice. This will instrument only the transitions between function entry points, but not individual branches. - Note that this is an outdated variable. A few instances (e.g. afl-gcc) - still support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) - do not need this. + Note that this is an outdated variable. A few instances (e.g. afl-gcc) still + support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) do not + need this. - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with libtokencap.so (but perhaps running a bit slower than without the flag). + - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. + One possible use of this is utils/clang_asm_normalize/, which lets you + instrument hand-written assembly when compiling clang code by plugging a + normalizer into the chain. (There is no equivalent feature for GCC.) + + - Setting `AFL_QUIET` will prevent afl-as and afl-cc banners from being + displayed during compilation, in case you find them distracting. + + - Setting `AFL_USE_...` automatically enables supported sanitizers - provided + that your compiler supports it. Available are: + - `AFL_USE_ASAN=1` - activates the address sanitizer (memory corruption + detection) + - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g. + type confusion vulnerabilities) + - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check + within your program at a certain point (such as at the end of an + `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will + cause an abort if any memory is leaked (you can combine this with the + `LSAN_OPTIONS=...` suppression option to suppress some known leaks). + - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory) + - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race + conditions + - `AFL_USE_UBSAN=1` - activates the undefined behaviour sanitizer + - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp. - - If you are a weird person that wants to compile and instrument asm - text files then use the `AFL_AS_FORCE_INSTRUMENT` variable: - `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` +## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++ - - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being - displayed during compilation, in case you find them distracting. +The native instrumentation helpers (instrumentation and gcc_plugin) accept a +subset of the settings discussed in section 1, with the exception of: -## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++ + - `AFL_AS`, since this toolchain does not directly invoke GNU `as`. -The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset -of the settings discussed in section 1, with the exception of: + - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not + all passes support this option though as it is an outdated feature. - LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will - write all constant string comparisons to this file to be used later with + write all constant string comparisons to this file to be used later with afl-fuzz' `-x` option. - - `AFL_AS`, since this toolchain does not directly invoke GNU as. - - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are created. - - `AFL_INST_RATIO`, as we by default use collision free instrumentation. - Not all passes support this option though as it is an outdated feature. - -Then there are a few specific features that are only available in instrumentation mode: +Then there are a few specific features that are only available in +instrumentation mode: ### Select the instrumentation mode - - `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. - Available options: - PCGUARD - our own pcgard based instrumentation (default) - NATIVE - clang's original pcguard based instrumentation - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) - LTO - LTO instrumentation (see below) - CTX - context sensitive instrumentation (see below) - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16) - GCC - outdated gcc instrumentation - CLANG - outdated clang instrumentation - In CLASSIC you can also specify CTX and/or NGRAM, seperate the options - with a comma "," then, e.g.: - `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` - Note that this is actually not a good idea to use both CTX and NGRAM :) +`AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. + +Available options: -### LTO + - CLANG - outdated clang instrumentation + - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) - This is a different kind way of instrumentation: first it compiles all - code in LTO (link time optimization) and then performs an edge inserting - instrumentation which is 100% collision free (collisions are a big issue - in AFL and AFL-like instrumentations). This is performed by using - afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only - built if LLVM 11 or newer is used. + You can also specify CTX and/or NGRAM, seperate the options with a comma "," + then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` - - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. - (not recommended for afl-clang-fast, default for afl-clang-lto as there - it is a different and better kind of instrumentation.) + Note: It is actually not a good idea to use both CTX and NGRAM. :) + - CTX - context sensitive instrumentation + - GCC - outdated gcc instrumentation + - LTO - LTO instrumentation + - NATIVE - clang's original pcguard based instrumentation + - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16) + - PCGUARD - our own pcgard based instrumentation (default) - None of the following options are necessary to be used and are rather for - manual use (which only ever the author of this LTO implementation will use). - These are used if several separated instrumentations are performed which - are then later combined. +#### CMPLOG - - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given - to which function. This helps to identify functions with variable bytes - or which functions were touched by an input. - - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than - the default `0x10000`. A value of 0 or empty sets the map address to be - dynamic (the original AFL way, which is slower) - - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. - This defaults to 1 - - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written - into the instrumentation is set in a global variable +Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to +produce a CmpLog binary. - See [instrumentation/README.lto.md](../instrumentation/README.lto.md) for more information. +For more information, see +[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). -### NGRAM +#### CTX - - Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` - activates ngram prev_loc coverage, good values are 2, 4 or 8 - (any value between 2 and 16 is valid). - It is highly recommended to increase the `MAP_SIZE_POW2` definition in - config.h to at least 18 and maybe up to 20 for this as otherwise too - many map collisions occur. +Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive +branch coverage - meaning that each edge is additionally combined with its +caller. It is highly recommended to increase the `MAP_SIZE_POW2` definition in +config.h to at least 18 and maybe up to 20 for this as otherwise too many map +collisions occur. - See [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) +For more information, see +[instrumentation/README.ctx.md](../instrumentation/README.ctx.md). -### CTX +#### INSTRUMENT LIST (selectively instrument files and functions) - - Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` - activates context sensitive branch coverage - meaning that each edge - is additionally combined with its caller. - It is highly recommended to increase the `MAP_SIZE_POW2` definition in - config.h to at least 18 and maybe up to 20 for this as otherwise too - many map collisions occur. +This feature allows selective instrumentation of the source. - See [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) +Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a file name and/or +function will only instrument (or skip) those files that match the names listed +in the specified file. -### LAF-INTEL +For more information, see +[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). - This great feature will split compares into series of single byte comparisons - to allow afl-fuzz to find otherwise rather impossible paths. It is not - restricted to Intel CPUs ;-) +#### LAF-INTEL - - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions +This great feature will split compares into series of single byte comparisons to +allow afl-fuzz to find otherwise rather impossible paths. It is not restricted +to Intel CPUs. ;-) - - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs + - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare + functions. - - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and - 64, 32 and 16 bit integer CMP instructions + - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64, + 32 and 16 bit integer CMP instructions. - - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs - AFL_LLVM_LAF_SPLIT_COMPARES to be set + - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs + `AFL_LLVM_LAF_SPLIT_COMPARES` to be set. - - Setting `AFL_LLVM_LAF_ALL` sets all of the above + - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs. - See [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) for more information. + - Setting `AFL_LLVM_LAF_ALL` sets all of the above. -### INSTRUMENT LIST (selectively instrument files and functions) +For more information, see +[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). - This feature allows selective instrumentation of the source +#### LTO - - Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or - function will only instrument (or skip) those files that match the names - listed in the specified file. +This is a different way of instrumentation: first it compiles all code in LTO +(link time optimization) and then performs an edge inserting instrumentation +which is 100% collision free (collisions are a big issue in AFL and AFL-like +instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ +instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. +`AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (Not +recommended for afl-clang-fast, default for afl-clang-lto as there it is a +different and better kind of instrumentation.) -### Thread safe instrumentation counters (in all modes) +None of the following options are necessary to be used and are rather for manual +use (which only ever the author of this LTO implementation will use). These are +used if several separated instrumentations are performed which are then later +combined. - - Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread - safe counters. The overhead is a little bit higher compared to the older - non-thread safe case. Note that this disables neverzero (see below). + - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given + to which function. This helps to identify functions with variable bytes or + which functions were touched by an input. + - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written + into the instrumentation is set in a global variable. + - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the + instrumentation. This defaults to 1. + - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than + the default `0x10000`. A value of 0 or empty sets the map address to be + dynamic (the original AFL way, which is slower). + - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic. -### NOT_ZERO + For more information, see + [instrumentation/README.lto.md](../instrumentation/README.lto.md). - - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters - that skip zero on overflow. This is the default for llvm >= 9, - however for llvm versions below that this will increase an unnecessary - slowdown due a performance issue that is only fixed in llvm 9+. - This feature increases path discovery by a little bit. +#### NGRAM - - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero - test. If the target performs only few loops then this will give a - small performance boost. +Setting `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or `AFL_LLVM_NGRAM_SIZE` activates +ngram prev_loc coverage. Good values are 2, 4, or 8 (any value between 2 and 16 +is valid). It is highly recommended to increase the `MAP_SIZE_POW2` definition +in config.h to at least 18 and maybe up to 20 for this as otherwise too many map +collisions occur. - See [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) +For more information, see +[instrumentation/README.ngram.md](../instrumentation/README.ngram.md). -### CMPLOG +#### NOT_ZERO - - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to - produce a CmpLog binary. + - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip + zero on overflow. This is the default for llvm >= 9, however, for llvm + versions below that this will increase an unnecessary slowdown due a + performance issue that is only fixed in llvm 9+. This feature increases path + discovery by a little bit. - See [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md) + - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test. + If the target performs only a few loops, then this will give a small + performance boost. + +For more information, see +[instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). + +#### Thread safe instrumentation counters (in all modes) + +Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe +counters. The overhead is a little bit higher compared to the older non-thread +safe case. Note that this disables neverzero (see NOT_ZERO). ## 3) Settings for GCC / GCC_PLUGIN modes -Then there are a few specific features that are only available in GCC and -GCC_PLUGIN mode. +There are a few specific features that are only available in GCC and GCC_PLUGIN +mode. + + - GCC mode only: Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting + instrumented assembly files. Useful for troubleshooting problems or + understanding how the tool works. - - Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented - assembly files. Useful for troubleshooting problems or understanding how - the tool works. (GCC mode only) To get them in a predictable place, try something like: -``` + + ``` mkdir assembly_here TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all -``` - - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those - files that match the names listed in this file (one filename per line). - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. - (GCC_PLUGIN mode only) + ``` + + - GCC_PLUGIN mode only: Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will + only instrument those files that match the names listed in this file (one + filename per line). See + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + for more information. ## 4) Settings for afl-fuzz The main fuzzer binary accepts several options that disable a couple of sanity checks or alter some of the more exotic semantics of the tool: - - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is - useful if you can't change the defaults (e.g., no root access to the - system) and are OK with some performance loss. + - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`) + for an existing out folder, even if a different `-i` was provided. Without + this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. - - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths - have been fuzzed and there were no new finds for a while. This would be - normally indicated by the cycle counter in the UI turning green. May be - convenient for some types of automated jobs. + - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after + processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to + exit soon after the first crash is found. - - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were - found within a specified period of time (in seconds). May be convenient - for some types of automated jobs. + - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for + newly found testcases and not for testcases that are loaded on startup (`-i + in`). This is an important feature to set when resuming a fuzzing session. - - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour - which does not allow crashes or timeout seeds in the initial -i corpus. + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For + example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1` + return code (i.e. `exit(-1)` got called), will be treated as if a crash had + occurred. This may be beneficial if you look for higher-level faulty + conditions in which your target still exits gracefully. - - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap, - afl-tmin and afl-analyze create to gather instrumentation data from - the target. This must be equal or larger than the size the target was - compiled with. + - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with + afl_custom_fuzz() creates additional mutations through this library. If + afl-fuzz is compiled with Python (which is autodetected during building + afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide + additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all + mutations will solely be performed with the custom mutator. This feature + allows to configure custom mutators which can be very helpful, e.g. fuzzing + XML or other highly flexible structured input. Please see + [custom_mutators.md](custom_mutators.md). - - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for - newly found testcases and not for testcases that are loaded on startup - (`-i in`). This is an important feature to set when resuming a fuzzing - session. + - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time + a cycle is finished. - - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` - in config.h. Recommended values are 50-250MB - or more if your fuzzing - finds a huge amount of paths for large inputs. + - Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you + see all output of the child, making setup issues obvious. For example, in an + unicornafl harness, you might see python stacktraces. You may also see other + logs that way, indicating why the forkserver won't start. Not pretty but + good for debugging purposes. Note that `AFL_DEBUG_CHILD_OUTPUT` is + deprecated. - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! - - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core - on Linux systems. This slows things down, but lets you run more instances - of afl-fuzz than would be prudent (if you really want to). + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which + does not allow crashes or timeout seeds in the initial -i corpus. - - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core - on Linux systems, but will not terminate if that fails. + - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found + within a specified period of time (in seconds). May be convenient for some + types of automated jobs. - - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary - that is compiled into the target. + - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths + have been fuzzed and there were no new finds for a while. This would be + normally indicated by the cycle counter in the UI turning green. May be + convenient for some types of automated jobs. - - Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for - deciding if a particular test case is a "hang". The default is 1 second - or the value of the `-t` parameter, whichever is larger. Dialing the value - down can be useful if you are very concerned about slow inputs, or if you - don't want AFL++ to spend too much time classifying that stuff and just - rapidly put all timeouts in that bin. + - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that + includes costly mutations. afl-fuzz automatically enables this mode when + deemed useful otherwise. + + - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less + precise), which can help when starting a session against a slow target. + `AFL_CAL_FAST` works too. + + - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no + valid terminal was detected (for virtual consoles). - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout to wait for the forkserver to spin up. The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the - default would wait for `1000` milliseconds. Setting a different time here is useful - if the target has a very slow startup time, for example when doing - full-system fuzzing or emulation, but you don't want the actual runs - to wait too long for timeouts. - - - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. - This can be useful to speed up the fuzzing of text-based file formats. + default would wait for `1000` milliseconds. Setting a different time here is + useful if the target has a very slow startup time, for example, when doing + full-system fuzzing or emulation, but you don't want the actual runs to wait + too long for timeouts. - - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature - if the snapshot lkm is loaded - - - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested - by some users for unorthodox parallelized fuzzing setups, but not - advisable otherwise. + - Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for + deciding if a particular test case is a "hang". The default is 1 second or + the value of the `-t` parameter, whichever is larger. Dialing the value down + can be useful if you are very concerned about slow inputs, or if you don't + want AFL++ to spend too much time classifying that stuff and just rapidly + put all timeouts in that bin. - - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in - the normal output directory otherwise. You would use this to point to - a ramdisk/tmpfs. This increases the speed by a small value but also - reduces the stress on SSDs. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. + Others need not apply, unless they also want to disable the + `/proc/sys/kernel/core_pattern` check. - - When developing custom instrumentation on top of afl-fuzz, you can use - `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries - and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` - setting to instruct afl-fuzz to still follow the fork server protocol - without expecting any instrumentation data in return. - Note that this also turns off auto map size detection. + - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session + (not at startup), it will terminate. If you do not want this, then you can + set `AFL_IGNORE_PROBLEMS`. - When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the - fuzzer to import test cases from other instances before doing anything - else. This makes the "own finds" counter in the UI more accurate. - Beyond counter aesthetics, not much else should change. + fuzzer to import test cases from other instances before doing anything else. + This makes the "own finds" counter in the UI more accurate. Beyond counter + aesthetics, not much else should change. + + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on + timeout. Unless you implement your own targets or instrumentation, you + likely don't have to set it. By default, on timeout and on exit, `SIGKILL` + (`AFL_KILL_SIGNAL=9`) will be delivered to the child. + + - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz, + afl-showmap, and afl-tmin create to gather instrumentation data from the + target. This must be equal or larger than the size the target was compiled + with. + + - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of + elements in the `-x` dictionary and LTO autodict (combined) the + probabilistic mode will kick off. In probabilistic mode, not all dictionary + entries will be used all of the time for fuzzing mutations to not slow down + fuzzing. The default count is `200` elements. So for the 200 + 1st element, + there is a 1 in 201 chance, that one of the dictionary entries will not be + used directly. - - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` - instead (see below). + - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core + on Linux systems. This slows things down, but lets you run more instances of + afl-fuzz than would be prudent (if you really want to). - - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. - Unless you implement your own targets or instrumentation, you likely don't have to set it. - By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. + - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. + This can be useful to speed up the fuzzing of text-based file formats. - - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with - afl_custom_fuzz() creates additional mutations through this library. - If afl-fuzz is compiled with Python (which is autodetected during building - afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide - additional mutations. - If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be - performed with the custom mutator. - This feature allows to configure custom mutators which can be very helpful, - e.g. fuzzing XML or other highly flexible structured input. - Please see [custom_mutators.md](custom_mutators.md). + - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary + that is compiled into the target. - - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less - precise), which can help when starting a session against a slow target. - `AFL_CAL_FAST` works too. + - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for + coloring console output when configured with USE_COLOR and not + ALWAYS_COLORED. - The CPU widget shown at the bottom of the screen is fairly simplistic and may complain of high load prematurely, especially on systems with low core - counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`. - - - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will - be searched for afl-qemu-trace and afl-frida-trace.so. - - - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip - prepending `afl-qemu-trace` to your command line. Use this if you wish to use a - custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments. + counts. To avoid the alarming red color for very high CPU usages, you can + set `AFL_NO_CPU_RED`. - - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime - a cycle is finished. - - - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that - includes costly mutations. afl-fuzz automatically enables this mode when - deemed useful otherwise. + - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to + fork + execve() call for every tested input. This is useful mostly when + working with unruly libraries that create threads or do other crazy things + when initializing (before the instrumentation has a chance to run). - - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary - without disrupting the afl-fuzz process itself. This is useful, among other - things, for bootstrapping libdislocator.so. + Note that this setting inhibits some of the user-friendly diagnostics + normally done when starting up the forkserver and causes a pretty + significant performance drop. - - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables - for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... ` - This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically - allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that - would disrupt work of 'fuzzer' AFL++). + - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if + the snapshot lkm is loaded. - - Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints + - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints some basic stats. This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe. - - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for - coloring console output when configured with USE_COLOR and not ALWAYS_COLORED. - - - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if - no valid terminal was detected (for virtual consoles) + - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for + afl-qemu-trace and afl-frida-trace.so. - - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md)) + - If you are using persistent mode (you should, see + [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given. To be able to still - re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable - with a value of how many previous fuzz cases to keep prio a crash. - if set to e.g. 10, then the 9 previous inputs are written to - out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 - and RECORD:000000,cnt:000009 being the crash case. - NOTE: This option needs to be enabled in config.h first! + re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable + with a value of how many previous fuzz cases to keep prio a crash. If set to + e.g. 10, then the 9 previous inputs are written to out/default/crashes as + RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and + RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be + enabled in config.h first! - - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session - (not at startup), it will terminate. If you do not want this then you can - set `AFL_IGNORE_PROBLEMS`. - - - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. - Others need not apply, unless they also want to disable the - `/proc/sys/kernel/core_pattern` check. - - - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after - processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to - exit soon after the first crash is found. - - - Setting `AFL_DEBUG_CHILD` will not suppress the child output. - This lets you see all output of the child, making setup issues obvious. - For example, in an unicornafl harness, you might see python stacktraces. - You may also see other logs that way, indicating why the forkserver won't start. - Not pretty but good for debugging purposes. - Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated. + - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` + instead. - - Setting `AFL_NO_CPU_RED` will not display very high cpu usages in red color. + - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary + without disrupting the afl-fuzz process itself. This is useful, among other + things, for bootstrapping libdislocator.so. - - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`) - for an existing out folder, even if a different `-i` was provided. - Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. + - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip + prepending `afl-qemu-trace` to your command line. Use this if you wish to + use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace + arguments. - - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements - in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will - kick off. In probabilistic mode, not all dictionary entries will be used all - of the time for fuzzing mutations to not slow down fuzzing. - The default count is `200` elements. So for the 200 + 1st element, there is a - 1 in 201 chance, that one of the dictionary entries will not be used directly. + - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested + by some users for unorthodox parallelized fuzzing setups, but not advisable + otherwise. - - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to - fork + execve() call for every tested input. This is useful mostly when - working with unruly libraries that create threads or do other crazy - things when initializing (before the instrumentation has a chance to run). + - When developing custom instrumentation on top of afl-fuzz, you can use + `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries and + shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` setting + to instruct afl-fuzz to still follow the fork server protocol without + expecting any instrumentation data in return. Note that this also turns off + auto map size detection. - Note that this setting inhibits some of the user-friendly diagnostics - normally done when starting up the forkserver and causes a pretty - significant performance drop. + - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is + useful if you can't change the defaults (e.g., no root access to the system) + and are OK with some performance loss. + + - Setting `AFL_STATSD` enables StatsD metrics collection. By default, AFL++ + will send these metrics over UDP to 127.0.0.1:8125. The host and port are + configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. To + enable tags (banner and afl_version), you should provide + `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see + `AFL_STATSD_TAGS_FLAVOR`). + + - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `influxdb`, + `librato`, or `signalfx` allows you to add tags to your fuzzing instances. + This is especially useful when running multiple instances (`-M/-S` for + example). Applied tags are `banner` and `afl_version`. `banner` corresponds + to the name of the fuzzer provided through `-M/-S`. `afl_version` + corresponds to the currently running AFL version (e.g. `++3.0c`). Default + (empty/non present) will add no tags to the metrics. For more information, + see [rpc_statsd.md](rpc_statsd.md). + + - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables for + the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz + ... `. This exists mostly for things like `LD_LIBRARY_PATH` but it would + theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some + AFL_ vars that would disrupt work of 'fuzzer' AFL++). + + - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define + TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if + your fuzzing finds a huge amount of paths for large inputs. + + - `AFL_TMPDIR` is used to write the `.cur_input` file to if it exists, and in + the normal output directory otherwise. You would use this to point to a + ramdisk/tmpfs. This increases the speed by a small value but also reduces + the stress on SSDs. - - Setting `AFL_STATSD` enables StatsD metrics collection. - By default AFL++ will send these metrics over UDP to 127.0.0.1:8125. - The host and port are configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. - To enable tags (banner and afl_version) you should provide `AFL_STATSD_TAGS_FLAVOR` that matches - your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`) - - - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` - allows you to add tags to your fuzzing instances. This is especially useful when running - multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. - `banner` corresponds to the name of the fuzzer provided through `-M/-S`. - `afl_version` corresponds to the currently running AFL version (e.g `++3.0c`). - Default (empty/non present) will add no tags to the metrics. - See [rpc_statsd.md](rpc_statsd.md) for more information. - - - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. - For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting - in an `-1` return code (i.e. `exit(-1)` got called), will be treated - as if a crash had ocurred. - This may be beneficial if you look for higher-level faulty conditions in which your - target still exits gracefully. + - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core + on Linux systems, but will not terminate if that fails. - Outdated environment variables that are not supported anymore: - `AFL_DEFER_FORKSRV` - `AFL_PERSISTENT` + - `AFL_DEFER_FORKSRV` + - `AFL_PERSISTENT` ## 5) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: - - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some - of the basic blocks, which can be useful when dealing with very complex - binaries. - - - Setting `AFL_INST_LIBS` causes the translator to also instrument the code - inside any dynamically linked libraries (notably including glibc). - - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp, - memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. - More info at qemu_mode/libcompcov/README.md. + memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at + [qemu_mode/libcompcov/README.md](../qemu_mode/libcompcov/README.md). + There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate values / read-only memory and `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more accurate but may need a larger shared memory. - - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all - cmp and sub in x86 and x86_64. - This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is - not specified. + - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use + this if you are unsure if the entrypoint might be wrong - but use it + directly, e.g. `afl-qemu-trace ./program`. - - The underlying QEMU binary will recognize any standard "user space - emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no - reason to touch them. + - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary + (this can be very good for the performance!). The entrypoint is specified as + hex address, e.g. `0x4004110`. Note that the address must be the address of + a basic block. + + - Setting `AFL_INST_LIBS` causes the translator to also instrument the code + inside any dynamically linked libraries (notably including glibc). + + - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some + of the basic blocks, which can be useful when dealing with very complex + binaries. - - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. - Use this if you are unsure if the entrypoint might be wrong - but - use it directly, e.g. `afl-qemu-trace ./program` + - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all cmp + and sub in x86 and x86_64. This is an alias of `AFL_COMPCOV_LEVEL=1` when + `AFL_COMPCOV_LEVEL` is not specified. - - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the - binary (this can be very good for the performance!). - The entrypoint is specified as hex address, e.g. `0x4004110` - Note that the address must be the address of a basic block. + - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal + handlers of the target. - - When the target is i386/x86_64 you can specify the address of the function + - When the target is i386/x86_64, you can specify the address of the function that has to be the body of the persistent loop using `AFL_QEMU_PERSISTENT_ADDR=start addr`. - - Another modality to execute the persistent loop is to specify also the - `AFL_QEMU_PERSISTENT_RET=end addr` env variable. - With this variable assigned, instead of patching the return address, the - specified instruction is transformed to a jump towards `start addr`. + - With `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of + general purpose registers and restore them in each persistent cycle. - - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general - purpose registers and restore them in each persistent cycle. + - Another modality to execute the persistent loop is to specify also the + `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable + assigned, instead of patching the return address, the specified instruction + is transformed to a jump towards `start addr`. - - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the - stack pointer in which QEMU can find the return address when `start addr` is - hit. + - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from + the stack pointer in which QEMU can find the return address when `start + addr` is hit. - With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically linked binaries. - - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal - handlers of the target. + - The underlying QEMU binary will recognize any standard "user space + emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no + reason to touch them. ## 6) Settings for afl-cmin The corpus minimization script offers very little customization: - - Setting `AFL_PATH` offers a way to specify the location of afl-showmap - and afl-qemu-trace (the latter only in `-Q` mode). + - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is + a modest security risk on multi-user systems with rogue users, but should be + safe on dedicated fuzzing boxes. - `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for minimization and normally deleted at exit. The files can be found in the `<out_dir>/.traces/` directory. - - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is - a modest security risk on multi-user systems with rogue users, but should - be safe on dedicated fuzzing boxes. + - Setting `AFL_PATH` offers a way to specify the location of afl-showmap and + afl-qemu-trace (the latter only in `-Q` mode). - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. - This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting. + This can help when embedding `afl-cmin` or `afl-showmap` in other scripts. ## 7) Settings for afl-tmin @@ -594,25 +617,25 @@ of decimal. ## 9) Settings for libdislocator -The library honors these environmental variables: +The library honors these environment variables: - - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the - library, in megabytes. The default value is 1 GB. Once this is exceeded, - allocations will return NULL. + - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to + `max_align_t` to be compliant with the C standard. - `AFL_LD_HARD_FAIL` alters the behavior by calling `abort()` on excessive allocations, thus causing what AFL++ would perceive as a crash. Useful for programs that are supposed to maintain a specific memory footprint. - - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages - that may be useful for pinpointing the cause of any observed issues. + - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the + library, in megabytes. The default value is 1 GB. Once this is exceeded, + allocations will return NULL. - - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most - of the common allocators check for that internally and return NULL, so - it's a security risk only in more exotic setups. + - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most of + the common allocators check for that internally and return NULL, so it's a + security risk only in more exotic setups. - - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to - `max_align_t` to be compliant with the C standard. + - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that + may be useful for pinpointing the cause of any observed issues. ## 10) Settings for libtokencap @@ -624,40 +647,44 @@ discovered tokens should be written. Several variables are not directly interpreted by afl-fuzz, but are set to optimal values if not already present in the environment: - - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the - linker to do all the work before the fork server kicks in. You can - override this by setting `LD_BIND_LAZY` beforehand, but it is almost - certainly pointless. - - By default, `ASAN_OPTIONS` are set to (among others): -``` + + ``` abort_on_error=1 detect_leaks=0 malloc_context_size=0 symbolize=0 allocator_may_return_null=1 -``` - If you want to set your own options, be sure to include `abort_on_error=1` - - otherwise, the fuzzer will not be able to detect crashes in the tested - app. Similarly, include `symbolize=0`, since without it, AFL++ may have + ``` + + If you want to set your own options, be sure to include `abort_on_error=1` - + otherwise, the fuzzer will not be able to detect crashes in the tested app. + Similarly, include `symbolize=0`, since without it, AFL++ may have difficulty telling crashes and hangs apart. + - Similarly, the default `LSAN_OPTIONS` are set to: + + ``` + exit_code=23 + fast_unwind_on_malloc=0 + symbolize=0 + print_suppressions=0 + ``` + + Be sure to include the first ones for LSAN and MSAN when customizing + anything, since some MSAN and LSAN versions don't call `abort()` on error, + and we need a way to detect faults. + - In the same vein, by default, `MSAN_OPTIONS` are set to: -``` + + ``` exit_code=86 (required for legacy reasons) abort_on_error=1 symbolize=0 msan_track_origins=0 allocator_may_return_null=1 -``` - - Similarly, the default `LSAN_OPTIONS` are set to: -``` - exit_code=23 - fast_unwind_on_malloc=0 - symbolize=0 - print_suppressions=0 -``` - Be sure to include the first ones for LSAN and MSAN when customizing - anything, since some MSAN and LSAN versions don't call `abort()` on - error, and we need a way to detect faults. + ``` + - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker + to do all the work before the fork server kicks in. You can override this by + setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. \ No newline at end of file diff --git a/docs/features.md b/docs/features.md new file mode 100644 index 00000000..f44e32ff --- /dev/null +++ b/docs/features.md @@ -0,0 +1,49 @@ +# Important features of AFL++ + + AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1 + with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full *BSD, + Mac OS, Solaris and Android support and much, much, much more. + + | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | frida_mode(9) | qemu_mode(10) |unicorn_mode(10) |coresight_mode(11)| + | -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------------:| + | Threadsafe counters | | x(3) | | | | | | + | NeverZero | x86[_64]| x(1) | x | x | x | x | | + | Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | + | LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | | + | CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | + | Selective Instrumentation| | x | x | x | x | | | + | Non-Colliding Coverage | | x(4) | | | (x)(5) | | | + | Ngram prev_loc Coverage | | x(6) | | | | | | + | Context Coverage | | x(6) | | | | | | + | Auto Dictionary | | x(7) | | | | | | + | Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | | + | Shared Memory Testcases | | x | x | x86[_64]/arm64 | x | x | | + + 1. default for LLVM >= 9.0, env var for older version due an efficiency bug in previous llvm versions + 2. GCC creates non-performant code, hence it is disabled in gcc_plugin + 3. with `AFL_LLVM_THREADSAFE_INST`, disables NeverZero + 4. with pcguard mode and LTO mode for LLVM 11 and newer + 5. upcoming, development in the branch + 6. not compatible with LTO instrumentation and needs at least LLVM v4.1 + 7. automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM versions that write to a file to use with afl-fuzz' `-x` + 8. the snapshot LKM is currently unmaintained due to too many kernel changes coming too fast :-( + 9. frida mode is supported on Linux and MacOS for Intel and ARM + 10. QEMU/Unicorn is only supported on Linux + 11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight extension + + Among others, the following features and patches have been integrated: + + * NeverZero patch for afl-gcc, instrumentation, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage + * Persistent mode, deferred forkserver and in-memory fuzzing for qemu_mode + * Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) + * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf) + * Win32 PE binary-only fuzzing with QEMU and Wine + * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast) + * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) + * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass) + * LAF-Intel/CompCov support for instrumentation, qemu_mode and unicorn_mode (with enhanced capabilities) + * Radamsa and honggfuzz mutators (as custom mutators). + * QBDI mode to fuzz android native libraries via Quarkslab's [QBDI](https://github.com/QBDI/QBDI) framework + * Frida and ptrace mode to fuzz binary-only libraries, etc. + + So all in all this is the best-of AFL that is out there :-) \ No newline at end of file diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md new file mode 100644 index 00000000..ea262f6e --- /dev/null +++ b/docs/fuzzing_binary-only_targets.md @@ -0,0 +1,83 @@ +# Fuzzing binary-only targets + +When source code is *NOT* available, AFL++ offers various support for fast, +on-the-fly instrumentation of black-box binaries. + +If you do not have to use Unicorn the following setup is recommended to use +qemu_mode: + * run 1 afl-fuzz -Q instance with CMPLOG (`-c 0` + `AFL_COMPCOV_LEVEL=2`) + * run 1 afl-fuzz -Q instance with QASAN (`AFL_USE_QASAN=1`) + * run 1 afl-fuzz -Q instance with LAF (`AFL_PRELOAD=libcmpcov.so` + `AFL_COMPCOV_LEVEL=2`) +Alternatively you can use frida_mode, just switch `-Q` with `-O` and remove the +LAF instance. + +Then run as many instances as you have cores left with either -Q mode or - better - +use a binary rewriter like afl-dyninst, retrowrite, zafl, etc. + +For Qemu and Frida mode, check out the persistent mode, it gives a huge speed +improvement if it is possible to use. + +### QEMU + +For linux programs and its libraries this is accomplished with a version of +QEMU running in the lesser-known "user space emulation" mode. +QEMU is a project separate from AFL, but you can conveniently build the +feature by doing: + +```shell +cd qemu_mode +./build_qemu_support.sh +``` + +For additional instructions and caveats, see [qemu_mode/README.md](../qemu_mode/README.md). +If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md). +The mode is approximately 2-5x slower than compile-time instrumentation, and is +less conducive to parallelization. + +If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for +your binary, then you can use afl-fuzz normally and it will have twice +the speed compared to qemu_mode (but slower than qemu persistent mode). +Note that several other binary rewriters exist, all with their advantages and +caveats. + +### Frida + +Frida mode is sometimes faster and sometimes slower than Qemu mode. +It is also newer, lacks COMPCOV, but supports MacOS. + +```shell +cd frida_mode +make +``` + +For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md). +If possible you should use the persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md). +The mode is approximately 2-5x slower than compile-time instrumentation, and is +less conducive to parallelization. + +### Unicorn + +For non-Linux binaries you can use AFL++'s unicorn mode which can emulate +anything you want - for the price of speed and user written scripts. +See [unicorn_mode/README.md](../unicorn_mode/README.md). + +It can be easily built by: +```shell +cd unicorn_mode +./build_unicorn_support.sh +``` + +### Shared libraries + +If the goal is to fuzz a dynamic library then there are two options available. +For both you need to write a small harness that loads and calls the library. +Then you fuzz this with either frida_mode or qemu_mode, and either use +`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES`. + +Another, less precise and slower option is using ptrace with debugger interrupt +instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md). + +### More + +A more comprehensive description of these and other options can be found in +[binaryonly_fuzzing.md](binaryonly_fuzzing.md). \ No newline at end of file diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md new file mode 100644 index 00000000..876c5fbb --- /dev/null +++ b/docs/fuzzing_expert.md @@ -0,0 +1,630 @@ +# Fuzzing with AFL++ + +The following describes how to fuzz with a target if source code is available. +If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps) + +Fuzzing source code is a three-step process. + +1. Compile the target with a special compiler that prepares the target to be + fuzzed efficiently. This step is called "instrumenting a target". +2. Prepare the fuzzing by selecting and optimizing the input corpus for the + target. +3. Perform the fuzzing of the target by randomly mutating input and assessing + if a generated input was processed in a new path in the target binary. + +### 1. Instrumenting that target + +#### a) Selecting the best AFL++ compiler for instrumenting the target + +AFL++ comes with a central compiler `afl-cc` that incorporates various different +kinds of compiler targets and and instrumentation options. +The following evaluation flow will help you to select the best possible. + +It is highly recommended to have the newest llvm version possible installed, +anything below 9 is not recommended. + +``` ++--------------------------------+ +| clang/clang++ 11+ is available | --> use LTO mode (afl-clang-lto/afl-clang-lto++) ++--------------------------------+ see [instrumentation/README.lto.md](instrumentation/README.lto.md) + | + | if not, or if the target fails with LTO afl-clang-lto/++ + | + v ++---------------------------------+ +| clang/clang++ 3.8+ is available | --> use LLVM mode (afl-clang-fast/afl-clang-fast++) ++---------------------------------+ see [instrumentation/README.llvm.md](instrumentation/README.llvm.md) + | + | if not, or if the target fails with LLVM afl-clang-fast/++ + | + v + +--------------------------------+ + | gcc 5+ is available | -> use GCC_PLUGIN mode (afl-gcc-fast/afl-g++-fast) + +--------------------------------+ see [instrumentation/README.gcc_plugin.md](instrumentation/README.gcc_plugin.md) and + [instrumentation/README.instrument_list.md](instrumentation/README.instrument_list.md) + | + | if not, or if you do not have a gcc with plugin support + | + v + use GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang) +``` + +Clickable README links for the chosen compiler: + + * [LTO mode - afl-clang-lto](../instrumentation/README.lto.md) + * [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md) + * [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md) + * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features + +You can select the mode for the afl-cc compiler by: + 1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, + afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, + afl-gcc-fast, afl-g++-fast (recommended!) + 2. using the environment variable AFL_CC_COMPILER with MODE + 3. passing --afl-MODE command line options to the compiler via CFLAGS/CXXFLAGS/CPPFLAGS + +MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN +(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). + +Because no AFL specific command-line options are accepted (beside the +--afl-MODE command), the compile-time tools make fairly broad use of environment +variables, which can be listed with `afl-cc -hh` or by reading [env_variables.md](env_variables.md). + +#### b) Selecting instrumentation options + +The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto): + + * Splitting integer, string, float and switch comparisons so AFL++ can easier + solve these. This is an important option if you do not have a very good + and large input corpus. This technique is called laf-intel or COMPCOV. + To use this set the following environment variable before compiling the + target: `export AFL_LLVM_LAF_ALL=1` + You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) + * A different technique (and usually a better one than laf-intel) is to + instrument the target so that any compare values in the target are sent to + AFL++ which then tries to put these values into the fuzzing data at different + locations. This technique is very fast and good - if the target does not + transform input data before comparison. Therefore this technique is called + `input to state` or `redqueen`. + If you want to use this technique, then you have to compile the target + twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`, + and pass this binary to afl-fuzz via the `-c` parameter. + Note that you can compile also just a cmplog binary and use that for both + however there will be a performance penality. + You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md) + +If you use LTO, LLVM or GCC_PLUGIN mode (afl-clang-fast/afl-clang-lto/afl-gcc-fast) +you have the option to selectively only instrument parts of the target that you +are interested in: + + * To instrument only those parts of the target that you are interested in + create a file with all the filenames of the source code that should be + instrumented. + For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than + DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one + filename or function per line (no directory information necessary for + filenames9, and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** + `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per + default to instrument unless noted (DENYLIST) or not perform instrumentation + unless requested (ALLOWLIST). + **NOTE:** During optimization functions might be inlined and then would not match! + See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + +There are many more options and modes available however these are most of the +time less effective. See: + * [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) + * [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) + +AFL++ performs "never zero" counting in its bitmap. You can read more about this +here: + * [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) + +#### c) Sanitizers + +It is possible to use sanitizers when instrumenting targets for fuzzing, +which allows you to find bugs that would not necessarily result in a crash. + +Note that sanitizers have a huge impact on CPU (= less executions per second) +and RAM usage. Also you should only run one afl-fuzz instance per sanitizer type. +This is enough because a use-after-free bug will be picked up, e.g. by +ASAN (address sanitizer) anyway when syncing to other fuzzing instances, +so not all fuzzing instances need to be instrumented with ASAN. + +The following sanitizers have built-in support in AFL++: + * ASAN = Address SANitizer, finds memory corruption vulnerabilities like + use-after-free, NULL pointer dereference, buffer overruns, etc. + Enabled with `export AFL_USE_ASAN=1` before compiling. + * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg. + a local variable that is defined and read before it is even set. + Enabled with `export AFL_USE_MSAN=1` before compiling. + * UBSAN = Undefined Behaviour SANitizer, finds instances where - by the + C and C++ standards - undefined behaviour happens, e.g. adding two + signed integers together where the result is larger than a signed integer + can hold. + Enabled with `export AFL_USE_UBSAN=1` before compiling. + * CFISAN = Control Flow Integrity SANitizer, finds instances where the + control flow is found to be illegal. Originally this was rather to + prevent return oriented programming exploit chains from functioning, + in fuzzing this is mostly reduced to detecting type confusion + vulnerabilities - which is however one of the most important and dangerous + C++ memory corruption classes! + Enabled with `export AFL_USE_CFISAN=1` before compiling. + * TSAN = Thread SANitizer, finds thread race conditions. + Enabled with `export AFL_USE_TSAN=1` before compiling. + * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really + a security issue, but for developers this can be very valuable. + Note that unlike the other sanitizers above this needs + `__AFL_LEAK_CHECK();` added to all areas of the target source code where you + find a leak check necessary! + Enabled with `export AFL_USE_LSAN=1` before compiling. + +It is possible to further modify the behaviour of the sanitizers at run-time +by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters +can be looked up in the sanitizer documentation of llvm/clang. +afl-fuzz however requires some specific parameters important for fuzzing to be +set. If you want to set your own, it might bail and report what it is missing. + +Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and +others often cannot work together because of target weirdness, e.g. ASAN and +CFISAN. You might need to experiment which sanitizers you can combine in a +target (which means more instances can be run without a sanitized target, +which is more effective). + +#### d) Modify the target + +If the target has features that make fuzzing more difficult, e.g. +checksums, HMAC, etc. then modify the source code so that checks for these +values are removed. +This can even be done safely for source code used in operational products +by eliminating these checks within these AFL specific blocks: + +``` +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + // say that the checksum or HMAC was fine - or whatever is required + // to eliminate the need for the fuzzer to guess the right checksum + return 0; +#endif +``` + +All AFL++ compilers will set this preprocessor definition automatically. + +#### e) Instrument the target + +In this step the target source code is compiled so that it can be fuzzed. + +Basically you have to tell the target build system that the selected AFL++ +compiler is used. Also - if possible - you should always configure the +build system such that the target is compiled statically and not dynamically. +How to do this is described below. + +The #1 rule when instrumenting a target is: avoid instrumenting shared +libraries at all cost. You would need to set LD_LIBRARY_PATH to point to +these, you could accidently type "make install" and install them system wide - +so don't. Really don't. +**Always compile libraries you want to have instrumented as static and link +these to the target program!** + +Then build the target. (Usually with `make`) + +**NOTES** + +1. sometimes configure and build systems are fickle and do not like + stderr output (and think this means a test failure) - which is something + AFL++ likes to do to show statistics. It is recommended to disable AFL++ + instrumentation reporting via `export AFL_QUIET=1`. + +2. sometimes configure and build systems error on warnings - these should be + disabled (e.g. `--disable-werror` for some configure scripts). + +3. in case the configure/build system complains about AFL++'s compiler and + aborts then set `export AFL_NOOPT=1` which will then just behave like the + real compiler. This option has to be unset again before building the target! + +##### configure + +For `configure` build systems this is usually done by: +`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` + +Note that if you are using the (better) afl-clang-lto compiler you also have to +set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is +described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). + +##### cmake + +For `cmake` build systems this is usually done by: +`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..` + +Note that if you are using the (better) afl-clang-lto compiler you also have to +set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is +described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). + +##### meson + +For meson you have to set the AFL++ compiler with the very first command! +`CC=afl-cc CXX=afl-c++ meson` + +##### other build systems or if configure/cmake didn't work + +Sometimes cmake and configure do not pick up the AFL++ compiler, or the +ranlib/ar that is needed - because this was just not foreseen by the developer +of the target. Or they have non-standard options. Figure out if there is a +non-standard way to set this, otherwise set up the build normally and edit the +generated build environment afterwards manually to point it to the right compiler +(and/or ranlib and ar). + +#### f) Better instrumentation + +If you just fuzz a target program as-is you are wasting a great opportunity for +much more fuzzing speed. + +This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast. + +It is the so-called `persistent mode`, which is much, much faster but +requires that you code a source file that is specifically calling the target +functions that you want to fuzz, plus a few specific AFL++ functions around +it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details. + +Basically if you do not fuzz a target in persistent mode then you are just +doing it for a hobby and not professionally :-). + +#### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() + +libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard +for fuzzing, and they can be used with AFL++ (and honggfuzz) as well! +Compiling them is as simple as: +``` +afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a +``` +You can even use advanced libfuzzer features like `FuzzedDataProvider`, +`LLVMFuzzerMutate()` etc. and they will work! + +The generated binary is fuzzed with afl-fuzz like any other fuzz target. + +Bonus: the target is already optimized for fuzzing due to persistent mode and +shared-memory testcases and hence gives you the fastest speed possible. + +For more information see [utils/aflpp_driver/README.md](../utils/aflpp_driver/README.md) + +### 2. Preparing the fuzzing campaign + +As you fuzz the target with mutated input, having as diverse inputs for the +target as possible improves the efficiency a lot. + +#### a) Collect inputs + +Try to gather valid inputs for the target from wherever you can. E.g. if it is +the PNG picture format try to find as many png files as possible, e.g. from +reported bugs, test suites, random downloads from the internet, unit test +case data - from all kind of PNG software. + +If the input format is not known, you can also modify a target program to write +normal data it receives and processes to a file and use these. + +#### b) Making the input corpus unique + +Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not +produce a new path in the target. + +Put all files from step a) into one directory, e.g. INPUTS. + +If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` +the run afl-cmin like this: +`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` +Note that the INPUTFILE argument that the target program would read from has to be set as `@@`. + +If the target reads from stdin instead, just omit the `@@` as this is the +default. + +This step is highly recommended! + +#### c) Minimizing all corpus files + +The shorter the input files that still traverse the same path +within the target, the better the fuzzing will be. This minimization +is done with `afl-tmin` however it is a long process as this has to +be done for every file: + +``` +mkdir input +cd INPUTS_UNIQUE +for i in *; do + afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@ +done +``` + +This step can also be parallelized, e.g. with `parallel`. +Note that this step is rather optional though. + +#### Done! + +The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/ +if you minimized the corpus in step c) - is the resulting input corpus directory +to be used in fuzzing! :-) + +### 3. Fuzzing the target + +In this final step we fuzz the target. +There are not that many important options to run the target - unless you want +to use many CPU cores/threads for the fuzzing, which will make the fuzzing much +more useful. + +If you just use one CPU for fuzzing, then you are fuzzing just for fun and not +seriously :-) + +#### a) Running afl-fuzz + +Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on +the host if you execute afl-fuzz in a docker container). This reconfigures the +system for optimal speed - which afl-fuzz checks and bails otherwise. +Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot +run afl-system-config with root privileges on the host for whatever reason. + +Note there is also `sudo afl-persistent-config` which sets additional permanent +boot options for a much better fuzzing performance. + +Note that both scripts improve your fuzzing performance but also decrease your +system protection against attacks! So set strong firewall rules and only +expose SSH as a network service if you use these (which is highly recommended). + +If you have an input corpus from step 2 then specify this directory with the `-i` +option. Otherwise create a new directory and create a file with any content +as test data in there. + +If you do not want anything special, the defaults are already usually best, +hence all you need is to specify the seed input directory with the result of +step [2a. Collect inputs](#a-collect-inputs): +`afl-fuzz -i input -o output -- bin/target -d @@` +Note that the directory specified with -o will be created if it does not exist. + +It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off, +or afl-fuzz is not aborted if you are running it in a remote ssh session where +the connection fails in between. +Only do that though once you have verified that your fuzzing setup works! +Simply run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...` +and it will start away in a screen session. To enter this session simply type +`screen -r afl-main`. You see - it makes sense to name the screen session +same as the afl-fuzz -M/-S naming :-) +For more information on screen or tmux please check their documentation. + +If you need to stop and re-start the fuzzing, use the same command line options +(or even change them by selecting a different power schedule or another +mutation mode!) and switch the input directory with a dash (`-`): +`afl-fuzz -i - -o output -- bin/target -d @@` + +Memory limits are not enforced by afl-fuzz by default and the system may run +out of memory. You can decrease the memory with the `-m` option, the value is +in MB. If this is too small for the target, you can usually see this by +afl-fuzz bailing with the message that it could not connect to the forkserver. + +Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if +something is already included for your data format, and tell afl-fuzz to load +that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto +you have an autodictionary generation for which you need to do nothing except +to use afl-clang-lto as the compiler. You also have the option to generate +a dictionary yourself, see [utils/libtokencap/README.md](../utils/libtokencap/README.md). + +afl-fuzz has a variety of options that help to workaround target quirks like +specific locations for the input file (`-f`), performing deterministic +fuzzing (`-D`) and many more. Check out `afl-fuzz -h`. + +We highly recommend that you set a memory limit for running the target with `-m` +which defines the maximum memory in MB. This prevents a potential +out-of-memory problem for your system plus helps you detect missing `malloc()` +failure handling in the target. +Play around with various -m values until you find one that safely works for all +your input seeds (if you have good ones and then double or quadrouple that. + +By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press Control-C +or send a signal SIGINT. You can limit the number of executions or approximate runtime +in seconds with options also. + +When you start afl-fuzz you will see a user interface that shows what the status +is: + + +All labels are explained in [status_screen.md](status_screen.md). + +#### b) Using multiple cores + +If you want to seriously fuzz then use as many cores/threads as possible to +fuzz your target. + +On the same machine - due to the design of how AFL++ works - there is a maximum +number of CPU cores/threads that are useful, use more and the overall performance +degrades instead. This value depends on the target, and the limit is between 32 +and 64 cores per machine. + +If you have the RAM, it is highly recommended run the instances with a caching +of the testcases. Depending on the average testcase size (and those found +during fuzzing) and their number, a value between 50-500MB is recommended. +You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`. + +There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many secondary +fuzzers (eg `-S variant1`) as you have cores that you use. +Every -M/-S entry needs a unique name (that can be whatever), however the same +-o output directory location has to be used for all instances. + +For every secondary fuzzer there should be a variation, e.g.: + * one should fuzz the target that was compiled differently: with sanitizers + activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; + export AFL_USE_CFISAN=1`) + * one or two should fuzz the target with CMPLOG/redqueen (see above), at + least one cmplog instance should follow transformations (`-l AT`) + * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV + (see above). Important note: If you run more than one laf-intel/COMPCOV + fuzzer and you want them to share their intermediate results, the main + fuzzer (`-M`) must be one of the them! (Although this is not really + recommended.) + +All other secondaries should be used like this: + * A quarter to a third with the MOpt mutator enabled: `-L 0` + * run with a different power schedule, recommended are: + `fast (default), explore, coe, lin, quad, exploit and rare` + which you can set with e.g. `-p explore` + * a few instances should use the old queue cycling with `-Z` + +Also it is recommended to set `export AFL_IMPORT_FIRST=1` to load testcases +from other fuzzers in the campaign first. + +If you have a large corpus, a corpus from a previous run or are fuzzing in +a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. + +You can also use different fuzzers. +If you are using AFL spinoffs or AFL conforming fuzzers, then just use the +same -o directory and give it a unique `-S` name. +Examples are: + * [Fuzzolic](https://github.com/season-lab/fuzzolic) + * [symcc](https://github.com/eurecom-s3/symcc/) + * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/) + * [AFLsmart](https://github.com/aflsmart/aflsmart) + * [FairFuzz](https://github.com/carolemieux/afl-rb) + * [Neuzz](https://github.com/Dongdongshe/neuzz) + * [Angora](https://github.com/AngoraFuzzer/Angora) + +A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL) + +However you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc. +Just show the main fuzzer (-M) with the `-F` option where the queue/work +directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`. +Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly +recommended! + +#### c) Using multiple machines for fuzzing + +Maybe you have more than one machine you want to fuzz the same target on. +Simply start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...) +orchestra as you like, just ensure that your have one and only one `-M` +instance per server, and that its name is unique, hence the recommendation +for `-M main-$HOSTNAME`. + +Now there are three strategies on how you can sync between the servers: + * never: sounds weird, but this makes every server an island and has the + chance the each follow different paths into the target. You can make + this even more interesting by even giving different seeds to each server. + * regularly (~4h): this ensures that all fuzzing campaigns on the servers + "see" the same thing. It is like fuzzing on a huge server. + * in intervals of 1/10th of the overall expected runtime of the fuzzing you + sync. This tries a bit to combine both. have some individuality of the + paths each campaign on a server explores, on the other hand if one + gets stuck where another found progress this is handed over making it + unstuck. + +The syncing process itself is very simple. +As the `-M main-$HOSTNAME` instance syncs to all `-S` secondaries as well +as to other fuzzers, you have to copy only this directory to the other +machines. + +Lets say all servers have the `-o out` directory in /target/foo/out, and +you created a file `servers.txt` which contains the hostnames of all +participating servers, plus you have an ssh key deployed to all of them, +then run: +```bash +for FROM in `cat servers.txt`; do + for TO in `cat servers.txt`; do + rsync -rlpogtz --rsh=ssh $FROM:/target/foo/out/main-$FROM $TO:target/foo/out/ + done +done +``` +You can run this manually, per cron job - as you need it. +There is a more complex and configurable script in `utils/distributed_fuzzing`. + +#### d) The status of the fuzz campaign + +AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing +campaign. + +Just supply the directory that afl-fuzz is given with the -o option and +you will see a detailed status of every fuzzer in that campaign plus +a summary. + +To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/` + +If you have multiple servers then use the command after a sync, or you have +to execute this script per server. + +Another tool to inspect the current state and history of a specific instance +is afl-plot, which generates an index.html file and a graphs that show how +the fuzzing instance is performing. +The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot` + +#### e) Stopping fuzzing, restarting fuzzing, adding new seeds + +To stop an afl-fuzz run, simply press Control-C. + +To restart an afl-fuzz run, just reuse the same command line but replace the +`-i directory` with `-i -` or set `AFL_AUTORESUME=1`. + +If you want to add new seeds to a fuzzing campaign you can run a temporary +fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new +seeds are in `newseeds/` directory: +``` +AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- ./target +``` + +#### f) Checking the coverage of the fuzzing + +The `paths found` value is a bad indicator for checking how good the coverage is. + +A better indicator - if you use default llvm instrumentation with at least +version 9 - is to use `afl-showmap` with the collect coverage option `-C` on +the output directory: +``` +$ afl-showmap -C -i out -o /dev/null -- ./target -params @@ +... +[*] Using SHARED MEMORY FUZZING feature. +[*] Target map size: 9960 +[+] Processed 7849 input files. +[+] Captured 4331 tuples (highest value 255, total values 67130596) in '/dev/nul +l'. +[+] A coverage of 4331 edges were achieved out of 9960 existing (43.48%) with 7849 input files. +``` +It is even better to check out the exact lines of code that have been reached - +and which have not been found so far. + +An "easy" helper script for this is [https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov), +just follow the README of that separate project. + +If you see that an important area or a feature has not been covered so far then +try to find an input that is able to reach that and start a new secondary in +that fuzzing campaign with that seed as input, let it run for a few minutes, +then terminate it. The main node will pick it up and make it available to the +other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or +`export AFL_TRY_AFFINITY=1` if you have no free core. + +Note that in nearly all cases you can never reach full coverage. A lot of +functionality is usually dependent on exclusive options that would need individual +fuzzing campaigns each with one of these options set. E.g. if you fuzz a library to +convert image formats and your target is the png to tiff API then you will not +touch any of the other library APIs and features. + +#### g) How long to fuzz a target? + +This is a difficult question. +Basically if no new path is found for a long time (e.g. for a day or a week) +then you can expect that your fuzzing won't be fruitful anymore. +However often this just means that you should switch out secondaries for +others, e.g. custom mutator modules, sync to very different fuzzers, etc. + +Keep the queue/ directory (for future fuzzings of the same or similar targets) +and use them to seed other good fuzzers like libfuzzer with the -entropic +switch or honggfuzz. + +#### h) Improve the speed! + + * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase) + * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md) + * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config` + * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem + * Use your cores! [b) Using multiple cores](#b-using-multiple-cores) + * Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot + +### The End + +Check out the [FAQ](FAQ.md) if it maybe answers your question (that +you might not even have known you had ;-) ). + +This is basically all you need to know to professionally run fuzzing campaigns. +If you want to know more, the tons of texts in [docs/](./) will have you covered. + +Note that there are also a lot of tools out there that help fuzzing with AFL++ +(some might be deprecated or unsupported), see [tools.md](tools.md). \ No newline at end of file diff --git a/docs/important_changes.md b/docs/important_changes.md new file mode 100644 index 00000000..0c5c2243 --- /dev/null +++ b/docs/important_changes.md @@ -0,0 +1,56 @@ +# Important changes in AFL++ + +This document lists important changes in AFL++, for example, major behaviour changes. + +## From version 3.00 onwards + +With AFL++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for +binary-only fuzzing. It is slower than Qemu mode but works on MacOS, Android, +iOS etc. + +With AFL++ 3.15 we introduced the following changes from previous behaviours: + * Also -M main mode does not do deterministic fuzzing by default anymore + * afl-cmin and afl-showmap -Ci now descent into subdirectories like + afl-fuzz -i does (but note that afl-cmin.bash does not) + +With AFL++ 3.14 we introduced the following changes from previous behaviours: + * afl-fuzz: deterministic fuzzing it not a default for -M main anymore + * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash + however does not) + +With AFL++ 3.10 we introduced the following changes from previous behaviours: + * The '+' feature of the '-t' option now means to auto-calculate the timeout + with the value given being the maximum timeout. The original meaning of + "skipping timeouts instead of abort" is now inherent to the -t option. + +With AFL++ 3.00 we introduced changes that break some previous AFL and AFL++ +behaviours and defaults: + * There are no llvm_mode and gcc_plugin subdirectories anymore and there is + only one compiler: afl-cc. All previous compilers now symlink to this one. + All instrumentation source code is now in the `instrumentation/` folder. + * The gcc_plugin was replaced with a new version submitted by AdaCore that + supports more features. Thank you! + * qemu_mode got upgraded to QEMU 5.1, but to be able to build this a current + ninja build tool version and python3 setuptools are required. + qemu_mode also got new options like snapshotting, instrumenting specific + shared libraries, etc. Additionally QEMU 5.1 supports more CPU targets so + this is really worth it. + * When instrumenting targets, afl-cc will not supersede optimizations anymore + if any were given. This allows to fuzz targets build regularly like those + for debug or release versions. + * afl-fuzz: + * if neither -M or -S is specified, `-S default` is assumed, so more + fuzzers can easily be added later + * `-i` input directory option now descends into subdirectories. It also + does not fatal on crashes and too large files, instead it skips them + and uses them for splicing mutations + * -m none is now default, set memory limits (in MB) with e.g. -m 250 + * deterministic fuzzing is now disabled by default (unless using -M) and + can be enabled with -D + * a caching of testcases can now be performed and can be modified by + editing config.h for TESTCASE_CACHE or by specifying the env variable + `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50). + * -M mains do not perform trimming + * examples/ got renamed to utils/ + * libtokencap/ libdislocator/ and qdbi_mode/ were moved to utils/ + * afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH \ No newline at end of file diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md new file mode 100644 index 00000000..4bd705f2 --- /dev/null +++ b/docs/interpreting_output.md @@ -0,0 +1,71 @@ +# Interpreting output + +See the [status_screen.md](status_screen.md) file for information on +how to interpret the displayed stats and monitor the health of the process. Be +sure to consult this file especially if any UI elements are highlighted in red. + +The fuzzing process will continue until you press Ctrl-C. At a minimum, you want +to allow the fuzzer to complete one queue cycle, which may take anywhere from a +couple of hours to a week or so. + +There are three subdirectories created within the output directory and updated +in real-time: + + - queue/ - test cases for every distinctive execution path, plus all the + starting files given by the user. This is the synthesized corpus + mentioned in section 2. + + Before using this corpus for any other purposes, you can shrink + it to a smaller size using the afl-cmin tool. The tool will find + a smaller subset of files offering equivalent edge coverage. + + - crashes/ - unique test cases that cause the tested program to receive a + fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are + grouped by the received signal. + + - hangs/ - unique test cases that cause the tested program to time out. The + default time limit before something is classified as a hang is + the larger of 1 second and the value of the -t parameter. + The value can be fine-tuned by setting AFL_HANG_TMOUT, but this + is rarely necessary. + +Crashes and hangs are considered "unique" if the associated execution paths +involve any state transitions not seen in previously-recorded faults. If a +single bug can be reached in multiple ways, there will be some count inflation +early in the process, but this should quickly taper off. + +The file names for crashes and hangs are correlated with the parent, non-faulting +queue entries. This should help with debugging. + +When you can't reproduce a crash found by afl-fuzz, the most likely cause is +that you are not setting the same memory limit as used by the tool. Try: + +```shell +LIMIT_MB=50 +( ulimit -Sv $[LIMIT_MB << 10]; /path/to/tested_binary ... ) +``` + +Change LIMIT_MB to match the -m parameter passed to afl-fuzz. On OpenBSD, +also change -Sv to -Sd. + +Any existing output directory can be also used to resume aborted jobs; try: + +```shell +./afl-fuzz -i- -o existing_output_dir [...etc...] +``` + +If you have gnuplot installed, you can also generate some pretty graphs for any +active fuzzing task using afl-plot. For an example of how this looks like, +see [https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/). + +You can also manually build and install afl-plot-ui, which is a helper utility +for showing the graphs generated by afl-plot in a graphical window using GTK. +You can build and install it as follows + +```shell +sudo apt install libgtk-3-0 libgtk-3-dev pkg-config +cd utils/plot_ui +make +cd ../../ +sudo make install +``` diff --git a/docs/known_limitations.md b/docs/known_limitations.md new file mode 100644 index 00000000..a68c0a85 --- /dev/null +++ b/docs/known_limitations.md @@ -0,0 +1,36 @@ +# Known limitations & areas for improvement + +Here are some of the most important caveats for AFL: + + - AFL++ detects faults by checking for the first spawned process dying due to + a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for + these signals may need to have the relevant code commented out. In the same + vein, faults in child processes spawned by the fuzzed target may evade + detection unless you manually add some code to catch that. + + - As with any other brute-force tool, the fuzzer offers limited coverage if + encryption, checksums, cryptographic signatures, or compression are used to + wholly wrap the actual data format to be tested. + + To work around this, you can comment out the relevant checks (see + utils/libpng_no_checksum/ for inspiration); if this is not possible, + you can also write a postprocessor, one of the hooks of custom mutators. + See [custom_mutators.md](custom_mutators.md) on how to use + `AFL_CUSTOM_MUTATOR_LIBRARY` + + - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This + isn't due to any specific fault of afl-fuzz. + + - There is no direct support for fuzzing network services, background + daemons, or interactive apps that require UI interaction to work. You may + need to make simple code changes to make them behave in a more traditional + way. Preeny may offer a relatively simple option, too - see: + [https://github.com/zardus/preeny](https://github.com/zardus/preeny) + + Some useful tips for modifying network-based services can be also found at: + [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop) + + - Occasionally, sentient machines rise against their creators. If this + happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/). + +Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips. diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md deleted file mode 100644 index 13ffcea0..00000000 --- a/docs/life_pro_tips.md +++ /dev/null @@ -1,87 +0,0 @@ -# AFL "Life Pro Tips" - -Bite-sized advice for those who understand the basics, but can't be bothered -to read or memorize every other piece of documentation for AFL. - -## Get more bang for your buck by using fuzzing dictionaries. - -See [dictionaries/README.md](../dictionaries/README.md) to learn how. - -## You can get the most out of your hardware by parallelizing AFL jobs. - -See [parallel_fuzzing.md](parallel_fuzzing.md) for step-by-step tips. - -## Improve the odds of spotting memory corruption bugs with libdislocator.so! - -It's easy. Consult [utils/libdislocator/README.md](../utils/libdislocator/README.md) for usage tips. - -## Want to understand how your target parses a particular input file? - -Try the bundled `afl-analyze` tool; it's got colors and all! - -## You can visually monitor the progress of your fuzzing jobs. - -Run the bundled `afl-plot` utility to generate browser-friendly graphs. - -## Need to monitor AFL jobs programmatically? -Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`. - -## Puzzled by something showing up in red or purple in the AFL UI? -It could be important - consult docs/status_screen.md right away! - -## Know your target? Convert it to persistent mode for a huge performance gain! -Consult section #5 in README.llvm.md for tips. - -## Using clang? -Check out instrumentation/ for a faster alternative to afl-gcc! - -## Did you know that AFL can fuzz closed-source or cross-platform binaries? -Check out qemu_mode/README.md and unicorn_mode/README.md for more. - -## Did you know that afl-fuzz can minimize any test case for you? -Try the bundled `afl-tmin` tool - and get small repro files fast! - -## Not sure if a crash is exploitable? AFL can help you figure it out. Specify -`-C` to enable the peruvian were-rabbit mode. - -## Trouble dealing with a machine uprising? Relax, we've all been there. - -Find essential survival tips at http://lcamtuf.coredump.cx/prep/. - -## Want to automatically spot non-crashing memory handling bugs? - -Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind. - -## Good selection of input files is critical to a successful fuzzing job. - -See docs/perf_tips.md for pro tips. - -## You can improve the odds of automatically spotting stack corruption issues. - -Specify `AFL_HARDEN=1` in the environment to enable hardening flags. - -## Bumping into problems with non-reproducible crashes? -It happens, but usually -isn't hard to diagnose. See section #7 in README.md for tips. - -## Fuzzing is not just about memory corruption issues in the codebase. -Add some -sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bugs. - -## Hey kid... pssst... want to figure out how AFL really works? - -Check out docs/technical_details.md for all the gory details in one place! - -## There's a ton of third-party helper tools designed to work with AFL! - -Be sure to check out docs/sister_projects.md before writing your own. - -## Need to fuzz the command-line arguments of a particular program? - -You can find a simple solution in utils/argv_fuzzing. - -## Attacking a format that uses checksums? - -Remove the checksum-checking code or use a postprocessor! -See `afl_custom_post_process` in custom_mutators/examples/example.c for more. - diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 90e12e89..d24f2837 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -4,7 +4,7 @@ This document talks about synchronizing afl-fuzz jobs on a single machine or across a fleet of systems. See README.md for the general instruction manual. Note that this document is rather outdated. please refer to the main document -section on multiple core usage [../README.md#Using multiple cores](../README.md#b-using-multiple-coresthreads) +section on multiple core usage [fuzzing_expert.md#Using multiple cores](fuzzing_expert.md#b-using-multiple-cores) for up to date strategies! ## 1) Introduction @@ -27,9 +27,8 @@ will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. -Note that AFL++ has AFLfast's power schedules implemented. -It is therefore a good idea to use different power schedules if you run -several instances in parallel. See [power_schedules.md](power_schedules.md) +It is a good idea to use different power schedules if you run several instances +in parallel (`-p` option). Alternatively running other AFL spinoffs in parallel can be of value, e.g. Angora (https://github.com/AngoraFuzzer/Angora/) @@ -39,7 +38,7 @@ e.g. Angora (https://github.com/AngoraFuzzer/Angora/) If you wish to parallelize a single job across multiple cores on a local system, simply create a new, empty output directory ("sync dir") that will be shared by all the instances of afl-fuzz; and then come up with a naming scheme -for every instance - say, "fuzzer01", "fuzzer02", etc. +for every instance - say, "fuzzer01", "fuzzer02", etc. Run the first one ("main node", -M) like this: @@ -93,7 +92,7 @@ file name. There is support for parallelizing the deterministic checks. This is only needed where - + 1. many new paths are found fast over a long time and it looks unlikely that main node will ever catch up, and 2. deterministic fuzzing is actively helping path discovery (you can see this @@ -195,7 +194,7 @@ to keep in mind: - You do not want a "main" instance of afl-fuzz on every system; you should run them all with -S, and just designate a single process somewhere within the fleet to run with -M. - + - Syncing is only necessary for the main nodes on a system. It is possible to run main-less with only secondaries. However then you need to find out which secondary took over the temporary role to be the main node. Look for diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index 898ad099..9b3d8d40 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -1,143 +1,155 @@ -# Remote monitoring with StatsD +# Remote monitoring and metrics visualization -StatsD allows you to receive and aggregate metrics from a wide range of applications and retransmit them to the backend of your choice. -This enables you to create nice and readable dashboards containing all the information you need on your fuzzer instances. -No need to write your own statistics parsing system, deploy and maintain it to all your instances, sync with your graph rendering system... +AFL++ can send out metrics as StatsD messages. For remote monitoring and visualization of the metrics, you can set up a tool chain. For example, with Prometheus and Grafana. All tools are free and open source. -The available metrics are : +This enables you to create nice and readable dashboards containing all the information you need on your fuzzer instances. There is no need to write your own statistics parsing system, deploy and maintain it to all your instances, and sync with your graph rendering system. + +Compared to the default integrated UI of AFL++, this can help you to visualize trends and the fuzzing state over time. You might be able to see when the fuzzing process has reached a state of no progress and visualize what are the "best strategies" for your targets (according to your own criteria). You can do so without logging into each instance individually. + + + +This is an example visualization with Grafana. The dashboard can be imported with [this JSON template](resources/grafana-afl++.json). + +## AFL++ metrics and StatsD + +StatsD allows you to receive and aggregate metrics from a wide range of applications and retransmit them to a backend of your choice. + +From AFL++, StatsD can receive the following metrics: +- cur_path - cycle_done - cycles_wo_finds +- edges_found - execs_done - execs_per_sec -- paths_total +- havoc_expansion +- max_depth - paths_favored - paths_found - paths_imported -- max_depth -- cur_path +- paths_total - pending_favs - pending_total -- variable_paths +- slowest_exec_ms +- total_crashes - unique_crashes - unique_hangs -- total_crashes -- slowest_exec_ms -- edges_found - var_byte_count -- havoc_expansion +- variable_paths -Compared to the default integrated UI, these metrics give you the opportunity to visualize trends and fuzzing state over time. -By doing so, you might be able to see when the fuzzing process has reached a state of no progress, visualize what are the "best strategies" -(according to your own criteria) for your targets, etc. And doing so without requiring to log into each instance manually. +Depending on your StatsD server, you will be able to monitor, trigger alerts, or perform actions based on these metrics (for example: alert on slow exec/s for a new build, threshold of crashes, time since last crash > X, and so on). -An example visualisation may look like the following: - +## Setting environment variables in AFL++ -*Notes: The exact same dashboard can be imported with [this JSON template](resources/grafana-afl++.json).* +1. To enable the StatsD metrics collection on your fuzzer instances, set the environment variable `AFL_STATSD=1`. By default, AFL++ will send the metrics over UDP to 127.0.0.1:8125. -## How to use +2. To enable tags for each metric based on their format (banner and afl_version), set the environment variable `AFL_STATSD_TAGS_FLAVOR`. By default, no tags will be added to the metrics. -To enable the StatsD reporting on your fuzzer instances, you need to set the environment variable `AFL_STATSD=1`. + The available values are the following: + - `dogstatsd` + - `influxdb` + - `librato` + - `signalfx` + + For more information on environment variables, see [env_variables.md](env_variables.md). -Setting `AFL_STATSD_TAGS_FLAVOR` to the provider of your choice will assign tags / labels to each metric based on their format. -The possible values are `dogstatsd`, `librato`, `signalfx` or `influxdb`. -For more information on these env vars, check out `docs/env_variables.md`. + Note: When using multiple fuzzer instances with StatsD it is *strongly* recommended to set up `AFL_STATSD_TAGS_FLAVOR` to match your StatsD server. This will allow you to see individual fuzzer performance, detect bad ones, and see the progress of each strategy. -The simplest way of using this feature is to use any metric provider and change the host/port of your StatsD daemon, -with `AFL_STATSD_HOST` and `AFL_STATSD_PORT`, if required (defaults are `localhost` and port `8125`). -To get started, here are some instructions with free and open source tools. -The following setup is based on Prometheus, statsd_exporter and Grafana. -Grafana here is not mandatory, but gives you some nice graphs and features. +3. Optional: To set the host and port of your StatsD daemon, set `AFL_STATSD_HOST` and `AFL_STATSD_PORT`. The default values are `localhost` and `8125`. -Depending on your setup and infrastructure, you may want to run these applications not on your fuzzer instances. -Only one instance of these 3 application is required for all your fuzzers. +## Installing and setting up StatsD, Prometheus, and Grafana -To simplify everything, we will use Docker and docker-compose. -Make sure you have them both installed. On most common Linux distributions, it's as simple as: +The easiest way to install and set up the infrastructure is with Docker and Docker Compose. -```sh -curl -fsSL https://get.docker.com -o get-docker.sh -sh get-docker.sh -``` +Depending on your fuzzing setup and infrastructure, you may not want to run these applications on your fuzzer instances. This setup may be modified before use in a production environment; for example, adding passwords, creating volumes for storage, tweaking the metrics gathering to get host metrics (CPU, RAM, and so on). -Once that's done, we can create the infrastructure. -Create and move into the directory of your choice. This will store all the configurations files required. - -First, create a `docker-compose.yml` containing the following: -```yml -version: '3' - -networks: - statsd-net: - driver: bridge - -services: - prometheus: - image: prom/prometheus - container_name: prometheus - volumes: - - ./prometheus.yml:/prometheus.yml - command: - - '--config.file=/prometheus.yml' - restart: unless-stopped - ports: - - "9090:9090" - networks: - - statsd-net - - statsd_exporter: - image: prom/statsd-exporter - container_name: statsd_exporter - volumes: - - ./statsd_mapping.yml:/statsd_mapping.yml - command: - - "--statsd.mapping-config=/statsd_mapping.yml" - ports: - - "9102:9102/tcp" - - "8125:9125/udp" - networks: - - statsd-net - - grafana: - image: grafana/grafana - container_name: grafana - restart: unless-stopped - ports: - - "3000:3000" - networks: - - statsd-net -``` +For all your fuzzing instances, only one instance of Prometheus and Grafana is required. The [statsd exporter](https://registry.hub.docker.com/r/prom/statsd-exporter) converts the StatsD metrics to Prometheus. If you are using a provider that supports StatsD directly, you can skip this part of the setup." -Then `prometheus.yml` -```yml -global: - scrape_interval: 15s - evaluation_interval: 15s +You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files. -scrape_configs: - - job_name: 'fuzzing_metrics' - static_configs: - - targets: ['statsd_exporter:9102'] -``` +To install and set up Prometheus and Grafana: -And finally `statsd_mapping.yml` -```yml -mappings: -- match: "fuzzing.*" - name: "fuzzing" - labels: - type: "$1" -``` +1. Install Docker and Docker Compose: + + ```sh + curl -fsSL https://get.docker.com -o get-docker.sh + sh get-docker.sh + ``` -Run `docker-compose up -d`. +2. Create a `docker-compose.yml` containing the following: + ```yml + version: '3' -Everything should now be setup, you are now able to run your fuzzers with + networks: + statsd-net: + driver: bridge + + services: + prometheus: + image: prom/prometheus + container_name: prometheus + volumes: + - ./prometheus.yml:/prometheus.yml + command: + - '--config.file=/prometheus.yml' + restart: unless-stopped + ports: + - "9090:9090" + networks: + - statsd-net + + statsd_exporter: + image: prom/statsd-exporter + container_name: statsd_exporter + volumes: + - ./statsd_mapping.yml:/statsd_mapping.yml + command: + - "--statsd.mapping-config=/statsd_mapping.yml" + ports: + - "9102:9102/tcp" + - "8125:9125/udp" + networks: + - statsd-net + + grafana: + image: grafana/grafana + container_name: grafana + restart: unless-stopped + ports: + - "3000:3000" + networks: + - statsd-net + ``` + +3. Create a `prometheus.yml` containing the following: + + ```yml + global: + scrape_interval: 15s + evaluation_interval: 15s + + scrape_configs: + - job_name: 'fuzzing_metrics' + static_configs: + - targets: ['statsd_exporter:9102'] + ``` + +4. Create a `statsd_mapping.yml` containing the following: + ```yml + mappings: + - match: "fuzzing.*" + name: "fuzzing" + labels: + type: "$1" + ``` + +5. Run `docker-compose up -d`. + +## Running AFL++ with StatsD + +To run your fuzzing instances: ``` -AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -M test-fuzzer-1 -i i -o o ./bin/my-application @@ -AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -S test-fuzzer-2 -i i -o o ./bin/my-application @@ +AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -M test-fuzzer-1 -i i -o o [./bin/my-application] @@ +AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -S test-fuzzer-2 -i i -o o [./bin/my-application] @@ ... ``` - -This setup may be modified before use in a production environment. Depending on your needs: adding passwords, creating volumes for storage, -tweaking the metrics gathering to get host metrics (CPU, RAM ...). diff --git a/docs/sister_projects.md b/docs/sister_projects.md index 5cb3a102..613bc778 100644 --- a/docs/sister_projects.md +++ b/docs/sister_projects.md @@ -15,7 +15,7 @@ instruction manual. Allows fuzz-testing of Python programs. Uses custom instrumentation and its own forkserver. -http://jwilk.net/software/python-afl +https://jwilk.net/software/python-afl ### Go-fuzz (Dmitry Vyukov) @@ -34,7 +34,7 @@ https://github.com/kmcallister/afl.rs Adds AFL-compatible instrumentation to OCaml programs. https://github.com/ocamllabs/opam-repo-dev/pull/23 -http://canopy.mirage.io/Posts/Fuzzing +https://canopy.mirage.io/Posts/Fuzzing ### AFL for GCJ Java and other GCC frontends (-) @@ -54,7 +54,7 @@ some programs to be fuzzed without the fork / execve overhead. (Similar functionality is now available as the "persistent" feature described in [the llvm_mode readme](../instrumentation/README.llvm.md)) -http://llvm.org/docs/LibFuzzer.html +https://llvm.org/docs/LibFuzzer.html ## TriforceAFL (Tim Newsham and Jesse Hertz) @@ -189,7 +189,7 @@ https://github.com/bshastry/afl-sancov Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN. -http://jwilk.net/software/recidivm +https://jwilk.net/software/recidivm ### aflize (Jacek Wielemborek) @@ -274,7 +274,7 @@ https://goo.gl/j9EgFf A simple SQL shell designed specifically for fuzzing the underlying library. -http://www.sqlite.org/src/artifact/9e7e273da2030371 +https://www.sqlite.org/src/artifact/9e7e273da2030371 ### Support for Python mutation modules (Christian Holler) @@ -292,7 +292,7 @@ A similar guided approach as applied to fuzzing syscalls: https://github.com/google/syzkaller/wiki/Found-Bugs https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931 -http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf +https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf ### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications) diff --git a/docs/technical_details.md b/docs/technical_details.md index b0ca493e..994ffe9f 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -1,7 +1,7 @@ # Technical "whitepaper" for afl-fuzz -NOTE: this document is rather outdated! +NOTE: this document is mostly outdated! This document provides a quick overview of the guts of American Fuzzy Lop. @@ -161,8 +161,8 @@ features of the underlying data format, as shown in this image: Several practical examples of the results of this algorithm are discussed here: - http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html - http://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html + https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html + https://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html The synthetic corpus produced by this process is essentially a compact collection of "hmm, this does something new!" input files, and can be used to @@ -323,7 +323,7 @@ value of various fuzzing strategies and optimize their parameters so that they work equally well across a wide range of file types. The strategies used by afl-fuzz are generally format-agnostic and are discussed in more detail here: - http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html + https://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html It is somewhat notable that especially early on, most of the work done by `afl-fuzz` is actually highly deterministic, and progresses to random stacked @@ -376,7 +376,7 @@ valid grammar for the tested parser. A discussion of how these features are implemented within afl-fuzz can be found here: - http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html + https://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html In essence, when basic, typically easily-obtained syntax tokens are combined together in a purely random manner, the instrumentation and the evolutionary @@ -429,7 +429,7 @@ thrown away. A detailed discussion of the value of this approach can be found here: - http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html + https://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html The method uses instrumentation feedback to explore the state of the crashing program to get past the ambiguous faulting condition and then isolate the @@ -447,7 +447,7 @@ goes through `execve()`, linking, and libc initialization only once, and is then cloned from a stopped process image by leveraging copy-on-write. The implementation is described in more detail here: - http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html + https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html The fork server is an integral aspect of the injected instrumentation and simply stops at the first instrumented function to await commands from diff --git a/docs/tools.md b/docs/tools.md new file mode 100644 index 00000000..ba96d0ce --- /dev/null +++ b/docs/tools.md @@ -0,0 +1,33 @@ +# Tools that help fuzzing with AFL++ + +Speeding up fuzzing: + * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory testcase feature :-) - recommended. + +Minimization of test cases: + * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores. + * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm. + * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization. + +Distributed execution: + * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL. + * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing framework. + * [afl-launch](https://github.com/bnagy/afl-launch) - a tool for the execution of many AFL instances. + * [afl-mothership](https://github.com/afl-mothership/afl-mothership) - management and execution of many synchronized AFL fuzzers on AWS cloud. + * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS. + +Deployment, management, monitoring, reporting + * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases. + * [afl-other-arch](https://github.com/shellphish/afl-other-arch) - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL. + * [afl-trivia](https://github.com/bnagy/afl-trivia) - a few small scripts to simplify the management of AFL. + * [afl-monitor](https://github.com/reflare/afl-monitor) - a script for monitoring AFL. + * [afl-manager](https://github.com/zx1340/afl-manager) - a web server on Python for managing multi-afl. + * [afl-remote](https://github.com/block8437/afl-remote) - a web server for the remote management of AFL instances. + * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to parallelize afl-tmin, startup, and data collection. + +Crash processing + * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL. + * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of scripts for the analysis of results. + * [atriage](https://github.com/Ayrx/atriage) - a simple triage tool. + * [afl-kit](https://github.com/kcwu/afl-kit) - afl-cmin on Python. + * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL. + * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data. \ No newline at end of file diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md new file mode 100644 index 00000000..21ccecaa --- /dev/null +++ b/docs/triaging_crashes.md @@ -0,0 +1,46 @@ +# Triaging crashes + +The coverage-based grouping of crashes usually produces a small data set that +can be quickly triaged manually or with a very simple GDB or Valgrind script. +Every crash is also traceable to its parent non-crashing test case in the +queue, making it easier to diagnose faults. + +Having said that, it's important to acknowledge that some fuzzing crashes can be +difficult to quickly evaluate for exploitability without a lot of debugging and +code analysis work. To assist with this task, afl-fuzz supports a very unique +"crash exploration" mode enabled with the -C flag. + +In this mode, the fuzzer takes one or more crashing test cases as the input +and uses its feedback-driven fuzzing strategies to very quickly enumerate all +code paths that can be reached in the program while keeping it in the +crashing state. + +Mutations that do not result in a crash are rejected; so are any changes that +do not affect the execution path. + +The output is a small corpus of files that can be very rapidly examined to see +what degree of control the attacker has over the faulting address, or whether +it is possible to get past an initial out-of-bounds read - and see what lies +beneath. + +Oh, one more thing: for test case minimization, give afl-tmin a try. The tool +can be operated in a very simple way: + +```shell +./afl-tmin -i test_case -o minimized_result -- /path/to/program [...] +``` + +The tool works with crashing and non-crashing test cases alike. In the crash +mode, it will happily accept instrumented and non-instrumented binaries. In the +non-crashing mode, the minimizer relies on standard AFL++ instrumentation to make +the file simpler without altering the execution path. + +The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with +afl-fuzz. + +Another tool in AFL++ is the afl-analyze tool. It takes an input +file, attempts to sequentially flip bytes, and observes the behavior of the +tested program. It then color-codes the input based on which sections appear to +be critical, and which are not; while not bulletproof, it can often offer quick +insights into complex file formats. More info about its operation can be found +near the end of [technical_details.md](technical_details.md). \ No newline at end of file diff --git a/docs/tutorials.md b/docs/tutorials.md new file mode 100644 index 00000000..cc7ed130 --- /dev/null +++ b/docs/tutorials.md @@ -0,0 +1,26 @@ +# Tutorials + +Here are some good writeups to show how to effectively use AFL++: + +* [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) +* [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/) +* [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1) +* [https://securitylab.github.com/research/fuzzing-software-2](https://securitylab.github.com/research/fuzzing-software-2) +* [https://securitylab.github.com/research/fuzzing-sockets-FTP](https://securitylab.github.com/research/fuzzing-sockets-FTP) +* [https://securitylab.github.com/research/fuzzing-sockets-FreeRDP](https://securitylab.github.com/research/fuzzing-sockets-FreeRDP) +* [https://securitylab.github.com/research/fuzzing-apache-1](https://securitylab.github.com/research/fuzzing-apache-1) + +If you do not want to follow a tutorial but rather try an exercise type of +training, then we can highly recommend the following: + +* [https://github.com/antonio-morales/Fuzzing101](https://github.com/antonio-morales/Fuzzing101) + +If you are interested in fuzzing structured data (where you define what the +structure is), these links have you covered: + +* Superion for AFL++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) +* libprotobuf for AFL++: [https://github.com/P1umer/AFLplusplus-protobuf-mutator](https://github.com/P1umer/AFLplusplus-protobuf-mutator) +* libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator) +* libprotobuf for old AFL++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) + +If you find other good ones, please send them to us :-) \ No newline at end of file |