about summary refs log tree commit diff
path: root/utils
diff options
context:
space:
mode:
Diffstat (limited to 'utils')
-rw-r--r--utils/autodict_ql/readme.md180
-rw-r--r--utils/libdislocator/README.md29
2 files changed, 126 insertions, 83 deletions
diff --git a/utils/autodict_ql/readme.md b/utils/autodict_ql/readme.md
index 789cd152..f61026b7 100644
--- a/utils/autodict_ql/readme.md
+++ b/utils/autodict_ql/readme.md
@@ -2,21 +2,35 @@
 
 ## What is this?
 
-`Autodict-QL` is a plugin system that enables fast generation of Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike The LLVM Passes that are hard to modify). This means that autodict-ql is a scriptable feature which basically uses CodeQL (a powerful semantic code analysis engine) to fetch information from a code base.
+`Autodict-QL` is a plugin system that enables fast generation of
+Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike
+The LLVM Passes that are hard to modify). This means that autodict-ql is a
+scriptable feature which basically uses CodeQL (a powerful semantic code
+analysis engine) to fetch information from a code base.
 
-Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x` switch enables the usage of dictionaries through your fuzzing campaign. If you are not familiar with Dictionaries in fuzzing, take a look [here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries) .
+Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x`
+switch enables the usage of dictionaries through your fuzzing campaign. If you
+are not familiar with Dictionaries in fuzzing, take a look
+[here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries).
 
-## Why CodeQL ?
+## Why CodeQL?
 
-We basically developed this plugin on top of the CodeQL engine because it gives the user scripting features, it's easier and it's independent of the LLVM system. This means that a user can write his CodeQL scripts or modify the current scripts to improve or change the token generation algorithms based on different program analysis concepts.
+We basically developed this plugin on top of the CodeQL engine because it gives
+the user scripting features, it's easier and it's independent of the LLVM
+system. This means that a user can write his CodeQL scripts or modify the
+current scripts to improve or change the token generation algorithms based on
+different program analysis concepts.
 
 ## CodeQL scripts
 
-Currently, we pushed some scripts as defaults for Token generation. In addition, we provide every CodeQL script as an standalone script because it's easier to modify or test.
+Currently, we pushed some scripts as defaults for Token generation. In addition,
+we provide every CodeQL script as an standalone script because it's easier to
+modify or test.
 
-Currently we provided the following CodeQL scripts :
+Currently we provided the following CodeQL scripts:
 
-`strcmp-str.ql` is used to extract strings that are related to the `strcmp` function.
+`strcmp-str.ql` is used to extract strings that are related to the `strcmp`
+function.
 
 `strncmp-str.ql` is used to extract the strings from the `strncmp` function.
 
@@ -24,13 +38,18 @@ Currently we provided the following CodeQL scripts :
 
 `litool.ql` extracts Magic numbers as Hexadecimal format.
 
-`strtool.ql` extracts strings with uses of a regex and dataflow concept to capture the string comparison functions. If `strcmp` is rewritten in a project as Mystrcmp or something like strmycmp, then this script can catch the arguments and these are valuable tokens.
+`strtool.ql` extracts strings with uses of a regex and dataflow concept to
+capture the string comparison functions. If `strcmp` is rewritten in a project
+as Mystrcmp or something like strmycmp, then this script can catch the arguments
+and these are valuable tokens.
 
-You can write other CodeQL scripts to extract possible effective tokens if you think they can be useful.
+You can write other CodeQL scripts to extract possible effective tokens if you
+think they can be useful.
 
 ## Usage
 
-Before you proceed to installation make sure that you have the following packages by installing them:
+Before you proceed to installation make sure that you have the following
+packages by installing them:
 
 ```shell
 sudo apt install build-essential libtool-bin python3-dev python3 automake git vim wget -y
@@ -38,66 +57,91 @@ sudo apt install build-essential libtool-bin python3-dev python3 automake git vi
 
 The usage of Autodict-QL is pretty easy. But let's describe it as:
 
-1. First of all, you need to have CodeQL installed on the system. We make this possible with `build-codeql.sh` bash script. This script will install CodeQL completety and will set the required environment variables for your system.
-Do the following:
-
-```shell
-# chmod +x codeql-build.sh
-# ./codeql-build.sh
-# source ~/.bashrc
-# codeql
-```
-
-Then you should get:
-
-```shell
-Usage: codeql <command> <argument>...
-Create and query CodeQL databases, or work with the QL language.
-
-GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is
-not itself free software. Type codeql --license to see the license terms.
-
-      --license              Show the license terms for the CodeQL toolchain.
-Common options:
-  -h, --help                 Show this help text.
-  -v, --verbose              Incrementally increase the number of progress messages printed.
-  -q, --quiet                Incrementally decrease the number of progress messages printed.
-Some advanced options have been hidden; try --help -v for a fuller view.
-Commands:
-  query     Compile and execute QL code.
-  bqrs      Get information from .bqrs files.
-  database  Create, analyze and process CodeQL databases.
-  dataset   [Plumbing] Work with raw QL datasets.
-  test      Execute QL unit tests.
-  resolve   [Deep plumbing] Helper commands to resolve disk locations etc.
-  execute   [Deep plumbing] Low-level commands that need special JVM options.
-  version   Show the version of the CodeQL toolchain.
-  generate  Generate formatted QL documentation.
-  github    Commands useful for interacting with the GitHub API through CodeQL.
-```
-
-2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need to compile the source of the target you want to fuzz with CodeQL. This is not something hard.
-	- First you need to create a CodeQL database of the project codebase, suppose we want to compile `libxml` with codeql. Go to libxml and issue the following commands:
-		- `./configure --disable-shared`
-		- `codeql create database libxml-db --language=cpp --command=make`
-			- Now you have the CodeQL database of the project :-)
-3. The final step is to update the CodeQL database you created in step 2 (Suppose we are in `aflplusplus/utils/autodict_ql/` directory):
-	- `codeql database upgrade /home/user/libxml/libxml-db`
+1. First of all, you need to have CodeQL installed on the system. We make this
+   possible with `build-codeql.sh` bash script. This script will install CodeQL
+   completety and will set the required environment variables for your system.
+   Do the following:
+
+    ```shell
+    # chmod +x codeql-build.sh
+    # ./codeql-build.sh
+    # source ~/.bashrc
+    # codeql
+    ```
+
+    Then you should get:
+
+    ```shell
+    Usage: codeql <command> <argument>...
+    Create and query CodeQL databases, or work with the QL language.
+
+    GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is
+    not itself free software. Type codeql --license to see the license terms.
+
+          --license              Show the license terms for the CodeQL toolchain.
+    Common options:
+      -h, --help                 Show this help text.
+      -v, --verbose              Incrementally increase the number of progress messages printed.
+      -q, --quiet                Incrementally decrease the number of progress messages printed.
+    Some advanced options have been hidden; try --help -v for a fuller view.
+    Commands:
+      query     Compile and execute QL code.
+      bqrs      Get information from .bqrs files.
+      database  Create, analyze and process CodeQL databases.
+      dataset   [Plumbing] Work with raw QL datasets.
+      test      Execute QL unit tests.
+      resolve   [Deep plumbing] Helper commands to resolve disk locations etc.
+      execute   [Deep plumbing] Low-level commands that need special JVM options.
+      version   Show the version of the CodeQL toolchain.
+      generate  Generate formatted QL documentation.
+      github    Commands useful for interacting with the GitHub API through CodeQL.
+    ```
+
+2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need
+   to compile the source of the target you want to fuzz with CodeQL. This is not
+   something hard.
+   - First you need to create a CodeQL database of the project codebase, suppose
+     we want to compile `libxml` with codeql. Go to libxml and issue the
+     following commands:
+     - `./configure --disable-shared`
+     - `codeql create database libxml-db --language=cpp --command=make`
+       - Now you have the CodeQL database of the project :-)
+3. The final step is to update the CodeQL database you created in step 2
+   (Suppose we are in `aflplusplus/utils/autodict_ql/` directory):
+   - `codeql database upgrade /home/user/libxml/libxml-db`
 4. Everything is set! Now you should issue the following to get the tokens:
-	- `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]`
-		- example : `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py $PWD /home/user/libxml/libxml-db tokens`
-			- This will create the final `tokens` dir for you and you are done, then pass the tokens path to AFL++'s `-x` flag.
+   - `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]`
+     - example: `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py
+       $PWD /home/user/libxml/libxml-db tokens`
+       - This will create the final `tokens` dir for you and you are done, then
+         pass the tokens path to AFL++'s `-x` flag.
 5. Done!
 
 ## More on dictionaries and tokens
 
-Core developer of the AFL++ project Marc Heuse also developed a similar tool named `dict2file` which is a LLVM pass which can automatically extract useful tokens, in addition with LTO instrumentation mode, this dict2file is automatically generates token extraction. `Autodict-QL` plugin gives you scripting capability and you can do whatever you want to extract from the Codebase and it's up to you. In addition it's independent from LLVM system.
-On the other hand, you can also use Google dictionaries which have been made public in May 2020, but the problem of using Google dictionaries is that they are limited to specific file formats and specifications. For example, for testing binutils and ELF file format or AVI in FFMPEG, there are no pre-built dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File` features to automatically generate dictionaries based on the target.
-
-I've personally prefered to use `Autodict-QL` or `dict2file` rather than Google dictionaries or any other manually generated dictionaries as `Autodict-QL` and `dict2file` are working based on the target.
-In overall, fuzzing with dictionaries and well-generated tokens will give better results.
-
-There are 2 important points to remember :
-
-- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code coverage and hence better chances to discover new bugs.
-- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated dictionaries. If you forget to set this environment variable, then AFL++ uses just 200 tokens and use the rest of them only probabilistically. So this will guarantee that your tokens will be used by AFL++.
\ No newline at end of file
+Core developer of the AFL++ project Marc Heuse also developed a similar tool
+named `dict2file` which is a LLVM pass which can automatically extract useful
+tokens, in addition with LTO instrumentation mode, this dict2file is
+automatically generates token extraction. `Autodict-QL` plugin gives you
+scripting capability and you can do whatever you want to extract from the
+Codebase and it's up to you. In addition it's independent from LLVM system. On
+the other hand, you can also use Google dictionaries which have been made public
+in May 2020, but the problem of using Google dictionaries is that they are
+limited to specific file formats and specifications. For example, for testing
+binutils and ELF file format or AVI in FFMPEG, there are no pre-built
+dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File`
+features to automatically generate dictionaries based on the target.
+
+I've personally preferred to use `Autodict-QL` or `dict2file` rather than Google
+dictionaries or any other manually generated dictionaries as `Autodict-QL` and
+`dict2file` are working based on the target. In overall, fuzzing with
+dictionaries and well-generated tokens will give better results.
+
+There are 2 important points to remember:
+
+- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code
+  coverage and hence better chances to discover new bugs.
+- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated
+  dictionaries. If you forget to set this environment variable, then AFL++ uses
+  just 200 tokens and use the rest of them only probabilistically. So this will
+  guarantee that your tokens will be used by AFL++.
\ No newline at end of file
diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md
index 64a5f14c..7150c205 100644
--- a/utils/libdislocator/README.md
+++ b/utils/libdislocator/README.md
@@ -10,8 +10,8 @@ heap-related security bugs in several ways:
     subsequent PROT_NONE page, causing most off-by-one reads and writes to
     immediately segfault,
 
-  - It adds a canary immediately below the allocated buffer, to catch writes
-    to negative offsets (won't catch reads, though),
+  - It adds a canary immediately below the allocated buffer, to catch writes to
+    negative offsets (won't catch reads, though),
 
   - It sets the memory returned by malloc() to garbage values, improving the
     odds of crashing when the target accesses uninitialized data,
@@ -19,35 +19,34 @@ heap-related security bugs in several ways:
   - It sets freed memory to PROT_NONE and does not actually reuse it, causing
     most use-after-free bugs to segfault right away,
 
-  - It forces all realloc() calls to return a new address - and sets
-    PROT_NONE on the original block. This catches use-after-realloc bugs,
+  - It forces all realloc() calls to return a new address - and sets PROT_NONE
+    on the original block. This catches use-after-realloc bugs,
 
-  - It checks for calloc() overflows and can cause soft or hard failures
-    of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
+  - It checks for calloc() overflows and can cause soft or hard failures of
+    alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
     AFL_LD_HARD_FAIL).
 
   - Optionally, in platforms supporting it, huge pages can be used by passing
     USEHUGEPAGE=1 to make.
 
-  - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1.
-    In this case, a tail canary is inserted in the padding bytes at the end
-    of the allocated zone. This reduce the ability of libdislocator to detect
+  - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1. In
+    this case, a tail canary is inserted in the padding bytes at the end of the
+    allocated zone. This reduce the ability of libdislocator to detect
     off-by-one bugs but also it make slibdislocator compliant to the C standard.
 
 Basically, it is inspired by some of the non-default options available for the
 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
-also somewhat similar to several other debugging libraries, such as gmalloc
-and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
-jobs.
+also somewhat similar to several other debugging libraries, such as gmalloc and
+DUMA - but is simple, plug-and-play, and designed specifically for fuzzing jobs.
 
 Note that it does nothing for stack-based memory handling errors. The
 -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
 can catch some subset of that.
 
 The allocator is slow and memory-intensive (even the tiniest allocation uses up
-4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
-for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
-when fuzzing small, self-contained binaries.
+4 kB of physical memory and 8 kB of virtual mem), making it completely
+unsuitable for "production" uses; but it can be faster and more hassle-free than
+ASAN / MSAN when fuzzing small, self-contained binaries.
 
 To use this library, run AFL++ like so:
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-17 04:52:25 +0000