From e1183be22ec38e180ec86737e204c5effbc1648b Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 8 Aug 2019 10:43:27 +0200 Subject: documentation update --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 2124b862..dff6463b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # american fuzzy lop plus plus (afl++) Release Version: 2.53c + Github Version: 2.53d @@ -17,7 +18,7 @@ get any improvements since November 2017. Among others afl++ has, e.g. more performant llvm_mode, supporting - llvm up to version 8, Qemu 3.1, more speed and crashfixes for Qemu, + llvm up to version 9, Qemu 3.1, more speed and crashfixes for Qemu, laf-intel feature for Qemu (with libcompcov) and more. Additionally the following patches have been integrated: @@ -120,7 +121,7 @@ superior to blind fuzzing or coverage-only tools. PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++ instead of afl-gcc/afl-g++ is much faster and has a few cool features. See llvm_mode/ - however few code does not compile with llvm. -We support llvm versions 4.0 to 8. +We support llvm versions 3.8.0 to 9. When source code is available, instrumentation can be injected by a companion tool that works as a drop-in replacement for gcc or clang in any standard build @@ -143,7 +144,7 @@ For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`. The clang wrappers (afl-clang and afl-clang++) can be used in the same way; clang users may also opt to leverage a higher-performance instrumentation mode, as described in [llvm_mode/README.llvm](llvm_mode/README.llvm). -Clang/LLVM has a much better performance and works with LLVM version 4.0 to 8. +Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 9. Using the LAF Intel performance enhancements are also recommended, see [llvm_mode/README.laf-intel](llvm_mode/README.laf-intel) -- cgit 1.4.1 
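Review bot: the supported LLVM range is now stated in three places in README.md (the "llvm up to version 9" summary near line 19, "We support llvm versions 3.8.0 to 9." near line 124, and "works with LLVM version 3.8.0 to 9." near line 147), and this commit had to touch all of them to bump 8 to 9; consider stating the range once (for example in the llvm_mode section) and having the other two sentences point there, so the next bump cannot leave them inconsistent. The added "Github Version: 2.53d" line is fine but should carry the same indentation as "Release Version: 2.53c" so both render as one preformatted block.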
From 2053731ebc9a4c881f52c1de51fab51f79bcf980 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 17 Aug 2019 12:07:22 +0200 Subject: update readme and todo --- README.md | 4 ++++ TODO | 10 +++++----- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index dff6463b..9ff7c24b 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,10 @@ afl++ is maintained by Marc Heuse , Heiko Eißfeldt and Andrea Fioraldi . + Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl), + it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288) + + ## The enhancements compared to the original stock afl Many improvements were made over the official afl release - which did not diff --git a/TODO b/TODO index 42987cb9..692f6609 100644 --- a/TODO +++ b/TODO @@ -10,7 +10,6 @@ afl-fuzz: gcc_plugin: - needs to be rewritten - - fix crashes when compiling :( - whitelist support - skip over uninteresting blocks - laf-intel @@ -29,7 +28,8 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. At afl's default map that means ~16 collisions and ~3 wrappings. Solution #1: increase map size. every +1 decreases fuzzing speed by ~10% and halfs the collisions - birthday paradox predicts at collisions at this # of edges: + birthday paradox predicts collisions at this # of edges: + mapsize => collisions 2^16 = 302 2^17 = 427 2^18 = 603 
@@ -39,10 +39,10 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. 2^22 = 2412 2^23 = 3411 2^24 = 4823 - Its an easy solution but also not a good one. + Increasing the map is an easy solution but also not a good one. Solution #2: use dynamic map size and collision free basic block IDs This only works in llvm_mode and llvm >= 9 though - A potential good future solution + A potential good future solution. Heiko/hexcoder follows this up Solution #3: write instruction pointers to a big shared map 512kb/1MB shared map and the instrumented code writes the instruction pointer into the map. Map must be big enough but could be command line @@ -51,7 +51,7 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. impacts speed, but this can be decided by user options Neutral: a little bit slower but no loss of coverage Bad: completely changes how afl uses the map and the scheduling. - Overall another very good solution + Overall another very good solution, Marc Heuse/vanHauser follows this up qemu_mode: - persistent mode patching the return address (WinAFL style) -- cgit 1.4.1 From b6f5e1635cbdcc3031c4af18ef3a877d2d7db77f Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 27 Aug 2019 14:02:48 +0200 Subject: added afl++ patches authors to special thanks --- README.md | 8 +++++--- qemu_mode/patches/afl-qemu-cpu-inl.h | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 9ff7c24b..76bd98c8 100644 --- a/README.md +++ b/README.md @@ -559,8 +559,8 @@ Beyond this, see INSTALL for platform-specific tips. ## 15) Special thanks ------------------ -Many of the improvements to the original afl wouldn't be possible without -feedback, bug reports, or patches from: +Many of the improvements to the original afl and afl++ wouldn't be possible +without feedback, bug reports, or patches from: ``` Jann Horn Hanno Boeck 
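Review bot: in the README.md hunk of 2053731 the added sentence has a spelling error, "noteable enhancements" should read "notable enhancements"; the rest of the added note reads fine, though a bare tweet link as the only evidence for the claim may not age well, so a short paraphrase of what it says next to the link would help.

Review bot: in the TODO hunk of 2053731 the wording fix ("predicts collisions at this # of edges") and the new "mapsize => collisions" header are good; while touching this paragraph, the unchanged line just above it, "every +1 decreases fuzzing speed by ~10% and halfs the collisions", should read "halves the collisions". The renamed follow-up owners for Solution #2 and #3 are useful, but the sentence "A potential good future solution. Heiko/hexcoder follows this up" would read better as two lines or with a comma, matching the "Overall another very good solution, Marc Heuse/vanHauser follows this up" form used for Solution #3.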
@@ -602,7 +602,9 @@ feedback, bug reports, or patches from: Rene Freingruber Sergey Davidoff Sami Liedes Craig Young Andrzej Jackowski Daniel Hodson - Nathan Voss Dominik Maier + Nathan Voss Dominik Maier + Andrea Biondo Vincent Le Garrec + Khaled Yakdan Kuang-che Wu ``` Thank you! diff --git a/qemu_mode/patches/afl-qemu-cpu-inl.h b/qemu_mode/patches/afl-qemu-cpu-inl.h index d7bb4d25..04d9007d 100644 --- a/qemu_mode/patches/afl-qemu-cpu-inl.h +++ b/qemu_mode/patches/afl-qemu-cpu-inl.h @@ -332,7 +332,7 @@ static void afl_wait_tsl(CPUState *cpu, int fd) { if (is_valid_addr(t.tb.pc)) { mmap_lock(); - tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, 0); + tb = tb_gen_code(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask); mmap_unlock(); } else { -- cgit 1.4.1 From 7338568125f4a3831079550294275ef18b603ab2 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Tue, 27 Aug 2019 15:17:43 +0200 Subject: removed sepration lines from README --- README.md | 14 -------------- 1 file changed, 14 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 76bd98c8..2bd31a54 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,6 @@ ## 1) Challenges of guided fuzzing -------------------------------- Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software; it is responsible for the vast @@ -177,7 +176,6 @@ file for important caveats. ## 4) Instrumenting binary-only apps ---------------------------------- When source code is *NOT* available, the fuzzer offers experimental support for fast, on-the-fly instrumentation of black-box binaries. This is accomplished @@ -205,7 +203,6 @@ A more comprehensive description of these and other options can be found in ## 5) Power schedules ------------------- The power schedules were copied from Marcel Böhme's excellent AFLfast implementation and expands on the ability to discover new paths and 
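Review bot: the qemu_mode/patches/afl-qemu-cpu-inl.h hunk changes the last argument of tb_gen_code from the constant 0 to t.tb.cf_mask, which is a behavioural change to translation-block caching that has nothing to do with the commit subject "added afl++ patches authors to special thanks"; split it into its own commit with a message explaining why the cached cf_mask must be forwarded, and confirm that the writer side of the TSL structure (not visible in this hunk) actually fills in cf_mask, since an uninitialised field here would silently produce blocks compiled with the wrong flags. The README.md wording change ("the original afl and afl++") and the three added names are fine as they are.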
@@ -237,7 +234,6 @@ Computer and Communications Security (CCS'16): ## 6) Choosing initial test cases ------------------------------- To operate correctly, the fuzzer requires one or more starting file that contains a good example of the input data normally expected by the targeted @@ -259,7 +255,6 @@ exercise different code paths in the target binary. ## 7) Fuzzing binaries -------------------- The fuzzing process itself is carried out by the afl-fuzz utility. This program requires a read-only directory with initial test cases, a separate place to @@ -298,7 +293,6 @@ fuzzers - add the -d option to the command line. ## 8) Interpreting output ----------------------- See the [docs/status_screen.txt](docs/status_screen.txt) file for information on how to interpret the displayed stats and monitor the health of the process. Be @@ -360,7 +354,6 @@ see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/) ## 9) Parallelized fuzzing ------------------------ Every instance of afl-fuzz takes up roughly one core. This means that on multi-core systems, parallelization is necessary to fully utilize the hardware. @@ -373,7 +366,6 @@ last section of [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt) for tips. ## 10) Fuzzer dictionaries ----------------------- By default, afl-fuzz mutation engine is optimized for compact data formats - say, images, multimedia, compressed data, regular expression syntax, or shell @@ -410,7 +402,6 @@ utility with AFL. For that, see [libtokencap/README.tokencap](libtokencap/README ## 11) Crash triage ----------------- The coverage-based grouping of crashes usually produces a small data set that can be quickly triaged manually or with a very simple GDB or Valgrind script. 
@@ -459,7 +450,6 @@ near the end of [docs/technical_details.txt](docs/technical_details.txt). ## 12) Going beyond crashes ------------------------- Fuzzing is a wonderful and underutilized technique for discovering non-crashing design and implementation errors, too. Quite a few interesting bugs have been @@ -484,7 +474,6 @@ shared with libfuzzer) or `#ifdef __AFL_COMPILER` (this one is just for AFL). ## 13) Common-sense risks ----------------------- Please keep in mind that, similarly to many other computationally-intensive tasks, fuzzing may put strain on your hardware and on the OS. In particular: @@ -515,7 +504,6 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular: ## 14) Known limitations & areas for improvement ---------------------------------------------- Here are some of the most important caveats for AFL: @@ -557,7 +545,6 @@ Beyond this, see INSTALL for platform-specific tips. ## 15) Special thanks ------------------- Many of the improvements to the original afl and afl++ wouldn't be possible without feedback, bug reports, or patches from: @@ -611,7 +598,6 @@ Thank you! ## 16) Contact ------------ Questions? Concerns? Bug reports? The contributors can be reached via [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) -- cgit 1.4.1 From 10df5ad0ac3dcff705f6932487fecbdaf690e1f0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 27 Aug 2019 16:22:25 +0200 Subject: docu update --- README.md | 3 ++- TODO | 2 ++ docs/ChangeLog | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index 2bd31a54..14e1ae59 100644 --- a/README.md +++ b/README.md 
@@ -23,7 +23,8 @@ Among others afl++ has, e.g. more performant llvm_mode, supporting llvm up to version 9, Qemu 3.1, more speed and crashfixes for Qemu, - laf-intel feature for Qemu (with libcompcov) and more. + laf-intel feature for Qemu (with libcompcov), better *BSD and Android + support and more. Additionally the following patches have been integrated: diff --git a/TODO b/TODO index 89e307cf..cb95f899 100644 --- a/TODO +++ b/TODO @@ -7,6 +7,8 @@ Roadmap 2.53d: afl-fuzz: - put mutator, scheduler, forkserver and input channels in individual files - reuse forkserver for showmap, afl-cmin, etc. + - custom mutator lib: example and readme + - env var to exclusively run the custom lib/py mutator gcc_plugin: - needs to be rewritten diff --git a/docs/ChangeLog b/docs/ChangeLog index dfebb68a..6d56d314 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -18,6 +18,7 @@ Version ++2.53d (dev): ---------------------- - llvm 9 is now supported (still needs testing) + - Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though - fix building qemu on some Ubuntus (thanks to floyd!) - custom mutator by a loaded library is now supported (thanks to kyakdan!) - fix for a few features to support different map sized than 2^16 -- cgit 1.4.1 From 71bf2d88268240cd93b211ad8ae9324356fcd46c Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 4 Sep 2019 13:15:44 +0200 Subject: README update --- README.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 14e1ae59..4b3909e2 100644 --- a/README.md +++ b/README.md 
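Review bot: in the docs/ChangeLog hunk of 10df5ad the added line "Android is now supported (thank to JoeyJiao!)" should read "thanks to JoeyJiao!" to match the "thanks to floyd!" and "thanks to kyakdan!" entries around it; the trailing caveat "still need to modify the Makefile though" is worth keeping, but it would be clearer to say which Makefile so readers of the changelog know what is still missing. The README.md and TODO hunks of this commit need no change.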
@@ -9,8 +9,9 @@ Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus) - afl++ is maintained by Marc Heuse , Heiko Eißfeldt - and Andrea Fioraldi . + afl++ is maintained by Marc "van Hauser" Heuse , + Heiko "hexc0der" Eißfeldt and + Andrea Fioraldi . Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl), it is unlikely to receive any noteable enhancements: [https://twitter.com/Dor3s/status/1154737061787660288](https://twitter.com/Dor3s/status/1154737061787660288) 
@@ -21,25 +22,28 @@ Many improvements were made over the official afl release - which did not get any improvements since November 2017. - Among others afl++ has, e.g. more performant llvm_mode, supporting + Among others afl++ has a more performant llvm_mode, supporting llvm up to version 9, Qemu 3.1, more speed and crashfixes for Qemu, - laf-intel feature for Qemu (with libcompcov), better *BSD and Android - support and more. + better *BSD and Android support and much, much more. Additionally the following patches have been integrated: * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast) - * C. Hollers afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl) - * the new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL) * instrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim) - * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) + * C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl) * Custom mutator by a library (instead of Python) by kyakdan + * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk) + + * laf-intel (compcov) support for llvm_mode, qemu_mode and unicorn_mode + + * neverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage (by Andrea Fioraldi) + A more thorough list is available in the PATCHES file. So all in all this is the best-of AFL that is currently out there :-) -- cgit 1.4.1
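Review bot: the two blank "+" lines inserted between the unicorn_mode, laf-intel and neverZero bullets turn the tail of this list into a loose list (or, depending on the renderer, separate lists) while the earlier bullets stay tight, so the rendered README will show uneven spacing; drop the blank lines so all bullets are one list. Two smaller points in the same hunk: "Among others afl++ has a more performant llvm_mode" still reads awkwardly and "Among other things, afl++ has a more performant llvm_mode" would be clearer, and the "noteable" spelling error in the unchanged context line of the maintainers paragraph is still present and could be fixed while this section is being rewritten. Moving laf-intel out of the summary sentence into its own bullet is a good change.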