From 9f079658769a0edb775006ba5088cb7fcc3f89e6 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Tue, 16 Jul 2019 08:42:15 +0200
Subject: added TODO file
---
 TODO | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 TODO
(limited to 'TODO')
diff --git a/TODO b/TODO
new file mode 100644
index 00000000..156b1e99
--- /dev/null
+++ b/TODO
@@ -0,0 +1,23 @@
+Roadmap 2.53d:
+==============
+ - better defaults:
+ * laf-intel activated, needs deactiatation
+ * fast mode schedule
+ * MOpt with -L 30
+ * ... ?
+
+afl-fuzz:
+ - put mutator, scheduler and forkserver in individual files
+ - reuse forkserver for showmap, afl-cmin, etc.
+
+gcc_plugin:
+ (see TODOs)
+ - whitelist support
+ - skip over uninteresting blocks
+ - laf-intel
+
+Roadmap 2.54d:
+==============
+ - expand MAP size to 256k (current L2 cache size on processors)
+ -> 18 bit size map
+ - llvm_mode: dynamic map size and collission free basic block IDs
-- cgit 1.4.1
From 4f5acb8f52f88f39b19874c529009be512e1de22 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Wed, 17 Jul 2019 16:39:35 +0200
Subject: test case files with time information
---
 TODO | 8 +++++++-
 afl-fuzz.c | 2 ++
 docs/ChangeLog | 1 +
 docs/README.MOpt | 2 +-
 4 files changed, 11 insertions(+), 2 deletions(-)
(limited to 'TODO')
diff --git a/TODO b/TODO
index 156b1e99..87c7c379 100644
--- a/TODO
+++ b/TODO
@@ -1,5 +1,7 @@
 Roadmap 2.53d:
 ==============
+ - indent all the code
+
 - better defaults:
 * laf-intel activated, needs deactiatation
 * fast mode schedule
@@ -7,7 +9,7 @@ Roadmap 2.53d:
 * ... ?
 afl-fuzz:
- - put mutator, scheduler and forkserver in individual files
+ - put mutator, scheduler, forkserver and input channels in individual files
 - reuse forkserver for showmap, afl-cmin, etc.
 gcc_plugin:
@@ -15,6 +17,10 @@ gcc_plugin:
 - whitelist support
 - skip over uninteresting blocks
 - laf-intel
+ - neverZero
+
+unit testing / large testcase campaign
+
 Roadmap 2.54d:
 ==============
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 81dff98c..e8c2f263 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -3350,6 +3350,8 @@ static u8* describe_op(u8 hnb) {
 sprintf(ret, "src:%06u", current_entry);
+ sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - start_time);
+
 if (splicing_with >= 0)
 sprintf(ret + strlen(ret), "+%06u", splicing_with);
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 735653c0..adf5ef75 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -18,6 +18,7 @@ Version ++2.52d (tbd):
 -----------------------------
 - Using the old ineffective afl-gcc will now show a deprecation warning
+ - all queue, hang and crash files now have their discovery time in their name
 - if llvm_mode was compiled, afl-clang/afl-clang++ will point to these
 instead of afl-gcc
 - added gcc_plugin which is like llvm_mode but for gcc. This version
diff --git a/docs/README.MOpt b/docs/README.MOpt
index 836f5200..5575189c 100644
--- a/docs/README.MOpt
+++ b/docs/README.MOpt
@@ -7,7 +7,7 @@ distribution of operators with respect to fuzzing effectiveness.
 More details can be found in the technical report.
 ### 2. Cite Information
-Chenyang Lv, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song and
+Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song and
 Raheem Beyah, MOPT: Optimized Mutation Scheduling for Fuzzers, USENIX Security 2019.
-- cgit 1.4.1
From 5b2cb426beb7af233b54d46c23750b96e69590a5 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 18 Jul 2019 12:54:19 +0200
Subject: code cleanup and documented secret cmdline option
---
 TODO | 6 ++++--
 afl-fuzz.c | 4 +---
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'TODO')
diff --git a/TODO b/TODO
index 87c7c379..d89524c2 100644
--- a/TODO
+++ b/TODO
@@ -1,6 +1,8 @@
 Roadmap 2.53d:
 ==============
- - indent all the code
+ - indent all the code: clang-format -style=Google
+
+ - README.md
 - better defaults:
 * laf-intel activated, needs deactiatation
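Review bot: The added `sprintf(ret + strlen(ret), ",time:%llu", get_cur_time() - start_time);` appends up to 26 bytes to `ret` with no bound, and the hunk does not show how large `ret` is, so the worst case (the `src:` prefix, the time, the optional `+%06u` splice suffix and whatever is appended after this hunk) cannot be checked here; verify the capacity once, or make the appends `snprintf` with the remaining space so a later field cannot overrun it. `%llu` is only correct if `get_cur_time()` and `start_time` are `unsigned long long`; if they are a typedef of another width, the matching `PRIu64` specifier is needed. describe_op begins and ends outside the hunk.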
@@ -19,7 +21,7 @@ gcc_plugin:
 - laf-intel
 - neverZero
-unit testing / large testcase campaign
+unit testing / or large testcase campaign
 Roadmap 2.54d:
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 1bf3d11f..87ad814a 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -640,7 +640,6 @@ int select_algorithm(void) {
 }
 double sele = ((double)(random()%10000)*0.0001);
- //SAYF("select : %f\n",sele);
 j_puppet = 0;
 for (i_puppet = 0; i_puppet < operator_num; i_puppet++) {
 if (unlikely(i_puppet == 0)) {
@@ -4146,7 +4145,6 @@ static void maybe_delete_out_dir(void) {
 /* And now, for some finishing touches. */
- //fn = alloc_printf("%s/.cur_input", tmp_dir);
 if (file_extension) {
 fn = alloc_printf("%s/.cur_input.%s", out_dir, file_extension);
 } else {
@@ -11270,6 +11268,7 @@ static void usage(u8* argv0) {
 "Other stuff:\n"
 " -T text - text banner to show on the screen\n"
 " -M / -S id - distributed mode (see parallel_fuzzing.txt)\n"
+ " -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap file\n"
 " -C - crash exploration mode (the peruvian rabbit thing)\n"
 " -e ext - File extension for the temporarily generated test case\n\n"
@@ -11436,7 +11435,6 @@ static void setup_cmdline_file(char** argv) {
 EXP_ST void setup_stdio_file(void) {
- //u8* fn = alloc_printf("%s/.cur_input", tmp_dir);
 u8* fn;
 if (file_extension) {
 fn = alloc_printf("%s/.cur_input.%s", out_dir, file_extension);
-- cgit 1.4.1
From 322b5a736b2c84957c985cfffcb6bfc9470c0045 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sat, 20 Jul 2019 09:06:47 +0200
Subject: updated docs and crash issues with gcc_plugin
---
 TODO | 4 +++-
 afl-fuzz.c | 2 +-
 docs/sister_projects.txt | 6 +++++-
 gcc_plugin/CRASH | 23 +++++++++++++++++++++++
 gcc_plugin/README.gcc | 6 ++++++
 gcc_plugin/afl-gcc-pass.so.cc | 9 +++++++--
 qemu_mode/README.qemu | 2 +-
 7 files changed, 46 insertions(+), 6 deletions(-)
 create mode 100644 gcc_plugin/CRASH
(limited to 'TODO')
diff --git a/TODO b/TODO
index d89524c2..2c5d05a5 100644
--- a/TODO
+++ b/TODO
@@ -4,6 +4,8 @@ Roadmap 2.53d:
 - README.md
+ - update docs/sister_projects.txt
+
 - better defaults:
 * laf-intel activated, needs deactiatation
 * fast mode schedule
@@ -15,7 +17,7 @@ afl-fuzz:
 - reuse forkserver for showmap, afl-cmin, etc.
 gcc_plugin:
- (see TODOs)
+ - fix crashes when compiling :(
 - whitelist support
 - skip over uninteresting blocks
 - laf-intel
diff --git a/afl-fuzz.c b/afl-fuzz.c
index 422260ef..e917ed9c 100644
--- a/afl-fuzz.c
+++ b/afl-fuzz.c
@@ -11247,7 +11247,7 @@ static void usage(u8* argv0) {
 " -Q - use binary-only instrumentation (QEMU mode)\n"
 " -L minutes - use MOpt(imize) mode and set the limit time for entering the\n"
 " pacemaker mode (minutes of no new paths, 0 = immediately).\n"
- " see docs/README.MOpt\n\n"
+ " a recommended value is 10-60. see docs/README.MOpt\n\n"
 "Fuzzing behavior settings:\n"
 " -d - quick & dirty mode (skips deterministic steps)\n"
diff --git a/docs/sister_projects.txt b/docs/sister_projects.txt
index 41701e2f..a2eb2a22 100644
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@@ -6,6 +6,10 @@ Sister projects designed for, or meant to integrate with AFL.
 See README for the general instruction manual.
+!!!
+!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
+!!!
+
 -------------------------------------------
 Support for other languages / environments:
 -------------------------------------------
@@ -263,7 +267,7 @@ Static binary-only instrumentation (Aleksandar Nikolich)
 reports better performance compared to QEMU, but occasional translation errors with stripped binaries.
- https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+ https://github.com/vanhauser-thc/afl-dyninst
 AFL PIN (Parker Thompson)
 -------------------------
diff --git a/gcc_plugin/CRASH b/gcc_plugin/CRASH
new file mode 100644
index 00000000..51930bb3
--- /dev/null
+++ b/gcc_plugin/CRASH
@@ -0,0 +1,23 @@
+to reproduce:
+=============
+tiff-4.0.4.tar.gz
+CC=afl-gcc-fast CXX=afl-g++-fast ./configure --disable-shared
+make
+
+result
+======
+[+] Instrumented 11 locations in TIFFInitJPEG
+during GIMPLE pass: evrp
+tif_jpeg.c: In function ‘JPEGFixupTagsSubsamplingSec’:
+tif_jpeg.c:2388:1: internal compiler error: Segmentation fault
+ }
+ ^
+0x7ffff758e83f ???
+ /build/glibc-vjB4T1/glibc-2.28/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
+0x7ffff757b09a __libc_start_main
+ ../csu/libc-start.c:308
+Please submit a full bug report,
+with preprocessed source if appropriate.
+Please include the complete backtrace with any bug report.
+See for instructions.
+make[2]: *** [Makefile:696: tif_jpeg.lo] Error 1
diff --git a/gcc_plugin/README.gcc b/gcc_plugin/README.gcc
index fe62020b..a002c741 100644
--- a/gcc_plugin/README.gcc
+++ b/gcc_plugin/README.gcc
@@ -5,6 +5,12 @@ Fast GCC-based instrumentation for afl-fuzz
 (See ../docs/README for the general instruction manual.)
 (See ../llvm_mode/README.llvm for the LLVM-based instrumentation.)
+
+!!!
+!!! gcc_plugin is not stable yet and can crash when compiling
+!!!
+
+
 1) Introduction
 ---------------
diff --git a/gcc_plugin/afl-gcc-pass.so.cc b/gcc_plugin/afl-gcc-pass.so.cc
index 8d1888ef..b1ca8325 100644
--- a/gcc_plugin/afl-gcc-pass.so.cc
+++ b/gcc_plugin/afl-gcc-pass.so.cc
@@ -1,7 +1,9 @@
 //
-// There are two TODOs in this file:
+// There are some TODOs in this file:
 // - dont instrument blocks that are uninterested
 // - implement whitelist feature
+// - implement notZero
+// - fix crash
 //
 /*
@@ -102,7 +104,7 @@ static unsigned int ext_call_instrument(function *fun) {
 if (!fcnt_blocks++) continue; /* skip block 0 */
- // TODO: if the predecessor does not have to destinations
+ // TODO: if the predecessor does not have ast least two destinations
 // then skip this block :TODO
 /* Bail on this block if we trip the specified ratio */
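Review bot: The rewritten comment in ext_call_instrument has a typo, `ast least`; it should read `// TODO: if the predecessor does not have at least two destinations`. The file-header hunk in the same file lists this work item as `implement notZero`, while the TODO file and the inline_instrument comment call the feature neverZero; one spelling keeps the items greppable across the tree. ext_call_instrument's body continues on both sides of the hunk.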
@@ -223,6 +225,9 @@ static unsigned int inline_instrument(function *fun) {
 g = gimple_build_assign(tmp3, PLUS_EXPR, tmp2, one);
 gimple_seq_add_stmt(&seq, g); // tmp3 = tmp2 + 1
+ // TODO: neverZero: here we have to check if tmp3 == 0
+ // and add 1 if so
+
 // tree tmp4 = create_tmp_var(map_type, "tmp4");
 // g = gimple_build_assign(tmp4, PLUS_EXPR, map_ptr_g, area_off);
 // gimple_seq_add_stmt(&seq, g); // tmp4 = __afl_area_ptr + area_off
diff --git a/qemu_mode/README.qemu b/qemu_mode/README.qemu
index cf29088b..124fce12 100644
--- a/qemu_mode/README.qemu
+++ b/qemu_mode/README.qemu
@@ -117,7 +117,7 @@ program control flow without actually executing each and every code path.
 If you want to experiment with this mode of operation, there is a module contributed by Aleksandar Nikolich:
- https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
+ https://github.com/vanhauser-thc/afl-dyninst
 https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
 At this point, the author reports the possibility of hiccups with stripped
-- cgit 1.4.1
From 5ac5d91c6bc7e40ca63079d3178c8a975b1050fa Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Sat, 20 Jul 2019 12:00:31 +0200
Subject: CompCov TODO
---
 TODO | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'TODO')
diff --git a/TODO b/TODO
index d89524c2..7a75afe3 100644
--- a/TODO
+++ b/TODO
@@ -21,6 +21,9 @@ gcc_plugin:
 - laf-intel
 - neverZero
+qemu_mode:
+ - Instrument only cmparison with immediate values by default when using compcov
+
 unit testing / or large testcase campaign
-- cgit 1.4.1
From 2237319ebbc8eb90c9a71d51df89537e7aed8e93 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Wed, 24 Jul 2019 15:35:52 +0200
Subject: qemu mode TODO update
---
 TODO | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'TODO')
diff --git a/TODO b/TODO
index 6631350c..a56bb506 100644
--- a/TODO
+++ b/TODO
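Review bot: The new TODO in inline_instrument says what to check (`tmp3 == 0`, then add 1) but not why, and the reason is what the implementer needs: `tmp3` is `tmp2 + 1` on the line above, so the zero case is the counter wrapping, and a wrapped entry presumably reads back as an edge that was never hit (confirm against the map's readers). Suggested wording: `// TODO: neverZero: tmp3 = tmp2 + 1 can wrap to 0, which would look like the edge was never hit; add 1 again in that case`. inline_instrument's body continues outside the hunk.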
@@ -24,7 +24,7 @@ gcc_plugin:
 - neverZero
 qemu_mode:
- - Instrument only cmparison with immediate values by default when using compcov
+ - deferred mode with AFL_DEFERRED_QEMU=0xaddress
 unit testing / or large testcase campaign
@@ -34,3 +34,8 @@ Roadmap 2.54d:
 - expand MAP size to 256k (current L2 cache size on processors)
 -> 18 bit size map
 - llvm_mode: dynamic map size and collission free basic block IDs
+
+qemu_mode:
+ - persistent mode patching the return address (WinAFL style)
+ - instrument only comparison with immediate values by default when using compcov
+
-- cgit 1.4.1
From f97409dd2dac4836245dfddf2e9890fa6c4b8498 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Fri, 26 Jul 2019 14:19:04 +0200
Subject: v2.53c
---
 README.md | 5 +++--
 TODO | 11 ++---------
 config.h | 2 +-
 docs/ChangeLog | 8 +++++---
 4 files changed, 11 insertions(+), 15 deletions(-)
(limited to 'TODO')
diff --git a/README.md b/README.md
index e1371175..953c1afb 100644
--- a/README.md
+++ b/README.md
@@ -354,11 +354,11 @@ see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/)
 Every instance of afl-fuzz takes up roughly one core. This means that on multi-core systems, parallelization is necessary to fully utilize the hardware. For tips on how to fuzz a common target on multiple cores or multiple networked
-machines, please refer to [parallel_fuzzing.txt](docs/parallel_fuzzing.txt).
+machines, please refer to [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt).
 The parallel fuzzing mode also offers a simple way for interfacing AFL to other fuzzers, to symbolic or concolic execution engines, and so forth; again, see the
-last section of [parallel_fuzzing.txt](docs/parallel_fuzzing.txt) for tips.
+last section of [docs/parallel_fuzzing.txt](docs/parallel_fuzzing.txt) for tips.
 ## 10) Fuzzer dictionaries
@@ -591,6 +591,7 @@ feedback, bug reports, or patches from:
 Rene Freingruber Sergey Davidoff Sami Liedes Craig Young Andrzej Jackowski Daniel Hodson
+ Nathan Voss Dominik Maier
 ```
 Thank you!
diff --git a/TODO b/TODO
index a56bb506..3d1e444d 100644
--- a/TODO
+++ b/TODO
@@ -2,21 +2,14 @@ Roadmap 2.53d:
 ==============
 - indent all the code: clang-format -style=Google
- - README.md
- - update docs/sister_projects.txt
- - better defaults:
- * laf-intel activated, needs deactiatation
- * fast mode schedule
- * MOpt with -L 30
- * ... ?
-
 afl-fuzz:
 - put mutator, scheduler, forkserver and input channels in individual files
 - reuse forkserver for showmap, afl-cmin, etc.
 gcc_plugin:
+ - needs to be rewritten
 - fix crashes when compiling :(
 - whitelist support
 - skip over uninteresting blocks
@@ -32,7 +25,7 @@ unit testing / or large testcase campaign
 Roadmap 2.54d:
 ==============
 - expand MAP size to 256k (current L2 cache size on processors)
- -> 18 bit size map
+ -> 18 bit map
 - llvm_mode: dynamic map size and collission free basic block IDs
 qemu_mode:
diff --git a/config.h b/config.h
index e7ffa220..dee0bb81 100644
--- a/config.h
+++ b/config.h
@@ -21,7 +21,7 @@
 /* Version string: */
-#define VERSION "++2.52d"
+#define VERSION "++2.53c"
 /******************************************************
 * *
diff --git a/docs/ChangeLog b/docs/ChangeLog
index 09ad77ec..5f1141a6 100644
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@@ -13,10 +13,12 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to .
------------------------------
-Version ++2.52d (dev):
------------------------------
+--------------------------
+Version ++2.53c (release):
+--------------------------
+ - README is now README.md
+ - imported the few minor changes from the 2.53b release
 - unicorn_mode got added - thanks to domenukk for the patch!
 - fix llvm_mode AFL_TRACE_PC with modern llvm
 - fix a crash in qemu_mode which also exists in stock afl