about summary refs log tree commit diff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/Changelog.md8
-rw-r--r--docs/FAQ.md45
2 files changed, 48 insertions, 5 deletions
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 25c7a761..3c28ff98 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -19,18 +19,22 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
      - eliminated CPU affinity race condition for -S/-M runs
      - expanded havoc mode added, on no cycle finds add extra splicing and
        MOpt into the mix
-     - fixed a bug in redqueen for strings
+     - fixed a bug in redqueen for strings and made deterministic with -s
   - llvm_mode:
      - now supports llvm 12!
      - support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
        AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and
        are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm
        sancov, and also supports function matching!
+     - added neverzero counting to trace-pc/pcgard
      - fixes for laf-intel float splitting (thanks to mark-griffin for
        reporting)
+     - fixes for llvm 4.0
+     - skipping ctors and ifuncs for instrumentation
      - LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
             for a fixed map address (eg. 0x10000)
-     - LTO: skipping ctors and ifuncs in fix map address instrumentation
+     - LTO: laf-intel and redqueen/cmplog are now applied at link time
+            to prevent llvm optimizing away the splits
      - LTO: autodictionary mode is a default
      - LTO: instrim instrumentation disabled, only classic support used
             as it is always better
diff --git a/docs/FAQ.md b/docs/FAQ.md
index e690635a..997f4c40 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -3,9 +3,11 @@
 ## Contents
 
   1. [How to improve the fuzzing speed?](#how-to-improve-the-fuzzing-speed)
-  2. [What is an edge?](#what-is-an-edge)
-  3. [Why is my stability below 100%?](#why-is-my-stability-below-100)
-  4. [How can I improve the stability value](#how-can-i-improve-the-stability-value)
+  2. [How do I fuzz a network service?](#how-to-fuzz-a-network-service)
+  3. [How do I fuzz a GUI program?](#how-to-fuzz-a-gui-program)
+  4. [What is an edge?](#what-is-an-edge)
+  5. [Why is my stability below 100%?](#why-is-my-stability-below-100)
+  6. [How can I improve the stability value](#how-can-i-improve-the-stability-value)
 
 If you find an interesting or important question missing, submit it via
 [https://github.com/AFLplusplus/AFLplusplus/issues](https://github.com/AFLplusplus/AFLplusplus/issues)
@@ -20,6 +22,43 @@ If you find an interesting or important question missing, submit it via
   6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
   7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads)
 
+## How do I fuzz a network service?
+
+The short answer is - you cannot, at least "out of the box".
+
+Using network has a slow-down of x10-20 on the fuzzing speed, does not scale,
+and finally usually it is more than one initial data packet but a back-and-forth
+which is totally unsupported by most coverage aware fuzzers.
+
+The established method to fuzz network services is to modify the source code
+to read from a file or stdin (fd 0) (or even faster via shared memory, combine
+this with persistent mode [llvm_mode/README.persistent_mode.md](llvm_mode/README.persistent_mode.md)
+and you have a performance gain of x10 instead of a performance loss of over
+x10 - that is a x100 difference!
+
+If modifying the source is not an option (e.g. because you only have a binary
+and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD
+to emulate the network. This is also much faster than network would be.
+See [examples/socket_fuzzing/](../examples/socket_fuzzing/)
+
+There is an outdated afl++ branch that implements networking if you are
+desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - 
+however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet))
+which allows you to define network state with different type of data packets.
+
+## How do I fuzz a GUI program?
+
+If the GUI program can read the fuzz data from a file (via the command line,
+a fixed location or via an environment variable) without needing any user
+interaction then then yes.
+
+Otherwise it is not possible without modifying the source code - which is a
+very good idea anyway as the GUI functionality is a huge CPU/time overhead
+for the fuzzing.
+
+So create a new `main()` that just reads the test case and calls the
+functionality for processing the input that the GUI program is using.
+
 ## What is an "edge"
 
 A program contains `functions`, `functions` contain the compiled machine code.
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-29 06:14:22 +0000