path: root/qemu_mode/README.md
Diffstat (limited to 'qemu_mode/README.md')
-rw-r--r--  qemu_mode/README.md  27
1 files changed, 14 insertions, 13 deletions
diff --git a/qemu_mode/README.md b/qemu_mode/README.md
index a14cbe64..d28479d9 100644
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@@ -110,22 +110,23 @@ takes priority over any included ranges or AFL_INST_LIBS.
 
 CompareCoverage is a sub-instrumentation with effects similar to laf-intel.
 
-The environment variable that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL.
-There is also ./libcompcov/ which implements CompareCoverage for *cmp functions
-(splitting memcmp, strncmp, etc. to make these conditions easier solvable by
-afl-fuzz).
+You have to set `AFL_PRELOAD=/path/to/libcompcov.so` together with
+setting the AFL_COMPCOV_LEVEL you want to enable it.
 
 AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
-values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all
-comparison instructions and memory comparison functions when libcompcov
-is preloaded.
-AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables also
-the instrumentation of the floating-point comparisons on x86 and x86_64 (experimental).
+values / read-only memory.
+
+AFL_COMPCOV_LEVEL=2 instruments all comparison instructions and memory
+comparison functions when libcompcov is preloaded.
+
+AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables
+also the instrumentation of the floating-point comparisons on x86 and x86_64
+(experimental).
 
 Integer comparison instructions are currently instrumented only
 on the x86, x86_64, arm and aarch64 targets.
 
-Highly recommended.
+Recommended, but not as good as CMPLOG mode (see below).
 
 ## 8) CMPLOG mode
 
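Review bot: The new paragraph at the top of this hunk makes `AFL_PRELOAD=/path/to/libcompcov.so` a requirement for every CompareCoverage level, but the level descriptions that follow say only AFL_COMPCOV_LEVEL=2 (and 3) instrument "memory comparison functions when libcompcov is preloaded", while level 1 covers comparison instructions with immediate values / read-only memory and needs no preload. The removed lines were also the only place that said what libcompcov is (a library in ./libcompcov/ that splits memcmp, strncmp, etc. into conditions afl-fuzz can solve more easily), so the later "when libcompcov is preloaded" now refers to something the README never introduces. Suggest keeping that sentence and rewording the requirement, for example: "Set AFL_COMPCOV_LEVEL to enable it. For level 2 and above, also set `AFL_PRELOAD=/path/to/libcompcov.so` so the *cmp functions in ./libcompcov/ are covered." The phrase "together with setting the AFL_COMPCOV_LEVEL you want to enable it" reads awkwardly as written.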
@@ -141,7 +142,7 @@ To enable it you must pass on the command line of afl-fuzz:
 
 ## 9) Wine mode
 
-AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz.
+AFL++ QEMU can use Wine to fuzz Win32 PE binaries. Use the -W flag of afl-fuzz.
 
 Note that some binaries require user interaction with the GUI and must be patched.
 
@@ -190,8 +191,8 @@ handlers of the target.
 
 ## 13) Gotchas, feedback, bugs
 
-If you need to fix up checksums or do other cleanup on mutated test cases, see
-utils/custom_mutators/ for a viable solution.
+If you need to fix up checksums or do other cleanups on mutated test cases, see
+`afl_custom_post_process` in custom_mutators/examples/example.c for a viable solution.
 
 Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
 the "shadow VM" trick employed by the sanitizers and will probably just
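Review bot: The replacement path `custom_mutators/examples/example.c` drops the `utils/` prefix that the removed line used (`utils/custom_mutators/`); please confirm the file lives under a top-level `custom_mutators/` directory in this tree and that it contains `afl_custom_post_process`, otherwise readers following the pointer land on a nonexistent path. Naming the concrete hook instead of a bare directory is an improvement, so keep that once the path is verified.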