From f6fbbf8150c8a41b7cd40a2413b1c6f66b24c6c8 Mon Sep 17 00:00:00 2001 From: Kuang-che Wu Date: Sun, 10 Oct 2021 21:03:43 +0800 Subject: Fix document paths. --- docs/env_variables.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 0686f1a8..5f5c2510 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -2,7 +2,7 @@ This document discusses the environment variables used by American Fuzzy Lop++ to expose various exotic functions that may be (rarely) useful for power - users or for some types of custom fuzzing setups. See [README.md](README.md) for the general + users or for some types of custom fuzzing setups. See [../README.md](../README.md) for the general instruction manual. Note that most tools will warn on any unknown AFL environment variables. @@ -422,7 +422,7 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no valid terminal was detected (for virtual consoles) - - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md)) + - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)) some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given. To be able to still re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable -- cgit 1.4.1 From b1aecf4ff0d2f82168619d40d59fcf959e7eb0f6 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 30 Oct 2021 21:38:13 +0200 Subject: Edit list of environment variables --- docs/env_variables.md | 771 ++++++++++++++++++++++++-------------------------- 1 file changed, 369 insertions(+), 402 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 5f5c2510..bd66ce38 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -1,83 +1,63 @@ -# Environmental variables +# Environment variables - This document discusses the environment variables used by American Fuzzy Lop++ - to expose various exotic functions that may be (rarely) useful for power - users or for some types of custom fuzzing setups. See [../README.md](../README.md) for the general - instruction manual. + This document discusses the environment variables used by AFL++ to expose various exotic functions that may be (rarely) useful for power users or for some types of custom fuzzing setups. + For general information about AFL++, see [README.md](../README.md). - Note that most tools will warn on any unknown AFL environment variables. - This is for warning on typos that can happen. If you want to disable this - check then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable. + Note: Most tools will warn on any unknown AFL++ environment variables; for example, because of typos. If you want to disable this check, then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable. ## 1) Settings for all compilers -Starting with AFL++ 3.0 there is only one compiler: afl-cc -To select the different instrumentation modes this can be done by - 1. passing the --afl-MODE command line option to the compiler - 2. or using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, - afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, - afl-gcc-fast, afl-g++-fast - 3. or using the environment variable `AFL_CC_COMPILER` with `MODE` - -`MODE` can be one of `LTO` (afl-clang-lto*), `LLVM` (afl-clang-fast*), `GCC_PLUGIN` -(afl-g*-fast) or `GCC` (afl-gcc/afl-g++). - -Because (with the exception of the --afl-MODE command line option) the -compile-time tools do not accept AFL specific command-line options, they -make fairly broad use of environmental variables instead: - - - Some build/configure scripts break with AFL++ compilers. To be able to - pass them, do: -``` - export CC=afl-cc - export CXX=afl-c++ - export AFL_NOOPT=1 - ./configure --disable-shared --disabler-werror - unset AFL_NOOPT - make -``` +Starting with AFL++ 3.0, there is only one compiler: afl-cc. - - Most AFL tools do not print any output if stdout/stderr are redirected. - If you want to get the output into a file then set the `AFL_DEBUG` - environment variable. - This is sadly necessary for various build processes which fail otherwise. +To select the different instrumentation modes, use one of the following options: - - Setting `AFL_HARDEN` automatically adds code hardening options when invoking - the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and - `-fstack-protector-all`. The setting is useful for catching non-crashing - memory bugs at the expense of a very slight (sub-5%) performance loss. + - Pass the --afl-MODE command-line option to the compiler. Only this option accepts further AFL-specific command-line options. + - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific command-line options. Instead, use environment variables. + - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select `MODE`, use one of the following values: - - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this - will cause problems in programs built with -Werror, simply because `-O3` - enables more thorough code analysis and can spew out additional warnings. - To disable optimizations, set `AFL_DONT_OPTIMIZE`. - However if `-O...` and/or `-fno-unroll-loops` are set, these are not - overridden. + - `GCC` (afl-gcc/afl-g++) + - `GCC_PLUGIN` (afl-g*-fast) + - `LLVM` (afl-clang-fast*) + - `LTO` (afl-clang-lto*). - - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports it. +The compile-time tools do not accept AFL-specific command-line options. The --afl-MODE command line option is the only exception. The other options make fairly broad use of environment variables instead: - (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the - same gotchas; the modes are mutually exclusive. UBSAN can be enabled - similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally - there is the Control Flow Integrity sanitizer that can be activated by - `AFL_USE_CFISAN=1`) + - Some build/configure scripts break with AFL++ compilers. + To be able to pass them, do: - - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided - that your compiler supports it. To perform a leak check within your - program at a certain point (such as at the end of an __AFL_LOOP), - you can run the macro __AFL_LEAK_CHECK(); which will cause - an abort if any memory is leaked (you can combine this with the - LSAN_OPTIONS=suppressions option to supress some known leaks). + ``` + export CC=afl-cc + export CXX=afl-c++ + export AFL_NOOPT=1 + ./configure --disable-shared --disabler-werror + unset AFL_NOOPT + make + ``` + + - If you are a weird person that wants to compile and instrument asm + text files, then use the `AFL_AS_FORCE_INSTRUMENT` variable: + `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries in your `$PATH`. - - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. - One possible use of this is utils/clang_asm_normalize/, which lets - you instrument hand-written assembly when compiling clang code by plugging - a normalizer into the chain. (There is no equivalent feature for GCC.) + - Most AFL tools do not print any output if stdout/stderr are redirected. + If you want to get the output into a file, then set the `AFL_DEBUG` + environment variable. + This is sadly necessary for various build processes which fail otherwise. + + - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this + will cause problems in programs built with -Werror, simply because `-O3` + enables more thorough code analysis and can spew out additional warnings. + To disable optimizations, set `AFL_DONT_OPTIMIZE`. + However, if `-O...` and/or `-fno-unroll-loops` are set, these are not + overridden. + + - Setting `AFL_HARDEN` automatically adds code hardening options when invoking + the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and + `-fstack-protector-all`. The setting is useful for catching non-crashing + memory bugs at the expense of a very slight (sub-5%) performance loss. - Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the probability of instrumenting every branch. This is (very rarely) useful @@ -97,20 +77,37 @@ make fairly broad use of environmental variables instead: - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with libtokencap.so (but perhaps running a bit slower than without the flag). - - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, - the tool defaults to /tmp. - - - If you are a weird person that wants to compile and instrument asm - text files then use the `AFL_AS_FORCE_INSTRUMENT` variable: - `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` + - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. + One possible use of this is utils/clang_asm_normalize/, which lets + you instrument hand-written assembly when compiling clang code by plugging + a normalizer into the chain. + (There is no equivalent feature for GCC.) - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being displayed during compilation, in case you find them distracting. + - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your + compiler supports it. + + (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the + same gotchas; the modes are mutually exclusive. UBSAN can be enabled + similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally, + there is the Control Flow Integrity sanitizer that can be activated by + `AFL_USE_CFISAN=1`.) + + - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided + that your compiler supports it. To perform a leak check within your + program at a certain point (such as at the end of an __AFL_LOOP), + you can run the macro __AFL_LEAK_CHECK(); which will cause + an abort if any memory is leaked (you can combine this with the + LSAN_OPTIONS=suppressions option to supress some known leaks). + + - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, + the tool defaults to /tmp. + ## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++ -The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset -of the settings discussed in section 1, with the exception of: +The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset of the settings discussed in section 1, with the exception of: - LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will write all constant string comparisons to this file to be used later with @@ -121,204 +118,219 @@ of the settings discussed in section 1, with the exception of: - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are created. - - `AFL_INST_RATIO`, as we by default use collision free instrumentation. + - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not all passes support this option though as it is an outdated feature. Then there are a few specific features that are only available in instrumentation mode: ### Select the instrumentation mode - - `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. - Available options: - PCGUARD - our own pcgard based instrumentation (default) - NATIVE - clang's original pcguard based instrumentation - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) - LTO - LTO instrumentation (see below) - CTX - context sensitive instrumentation (see below) - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16) - GCC - outdated gcc instrumentation - CLANG - outdated clang instrumentation - In CLASSIC you can also specify CTX and/or NGRAM, seperate the options - with a comma "," then, e.g.: - `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` - Note that this is actually not a good idea to use both CTX and NGRAM :) - -### LTO - - This is a different kind way of instrumentation: first it compiles all - code in LTO (link time optimization) and then performs an edge inserting - instrumentation which is 100% collision free (collisions are a big issue - in AFL and AFL-like instrumentations). This is performed by using - afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only - built if LLVM 11 or newer is used. - - - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. - (not recommended for afl-clang-fast, default for afl-clang-lto as there - it is a different and better kind of instrumentation.) - - None of the following options are necessary to be used and are rather for - manual use (which only ever the author of this LTO implementation will use). - These are used if several separated instrumentations are performed which - are then later combined. - - - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given - to which function. This helps to identify functions with variable bytes - or which functions were touched by an input. - - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than - the default `0x10000`. A value of 0 or empty sets the map address to be - dynamic (the original AFL way, which is slower) - - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. - This defaults to 1 - - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written - into the instrumentation is set in a global variable - - See [instrumentation/README.lto.md](../instrumentation/README.lto.md) for more information. - -### NGRAM - - - Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` - activates ngram prev_loc coverage, good values are 2, 4 or 8 - (any value between 2 and 16 is valid). - It is highly recommended to increase the `MAP_SIZE_POW2` definition in - config.h to at least 18 and maybe up to 20 for this as otherwise too - many map collisions occur. - - See [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) - -### CTX - - - Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` - activates context sensitive branch coverage - meaning that each edge - is additionally combined with its caller. - It is highly recommended to increase the `MAP_SIZE_POW2` definition in - config.h to at least 18 and maybe up to 20 for this as otherwise too - many map collisions occur. - - See [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) +`AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode. + +Available options: + + - CLANG - outdated clang instrumentation + - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) + + You can also specify CTX and/or NGRAM, seperate the options with a comma "," then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` + + Note: It is actually not a good idea to use both CTX and NGRAM. :) + - CTX - context sensitive instrumentation (see below) + - GCC - outdated gcc instrumentation + - LTO - LTO instrumentation (see below) + - NATIVE - clang's original pcguard based instrumentation + - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16) + - PCGUARD - our own pcgard based instrumentation (default) + +#### CTX + +Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive branch coverage - meaning that each edge is additionally combined with its caller. +It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. + +For more information, see [instrumentation/README.ctx.md](../instrumentation/README.ctx.md). + +#### LTO + +This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue in AFL and AFL-like instrumentations). +This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. + + - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. + (not recommended for afl-clang-fast, default for afl-clang-lto as there + it is a different and better kind of instrumentation.) + +None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use). +These are used if several separated instrumentations are performed which are then later combined. + + - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given + to which function. This helps to identify functions with variable bytes + or which functions were touched by an input. + - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than + the default `0x10000`. A value of 0 or empty sets the map address to be + dynamic (the original AFL way, which is slower) + - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic + - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. + This defaults to 1 + - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written + into the instrumentation is set in a global variable + + For more information, see [instrumentation/README.lto.md](../instrumentation/README.lto.md). + +#### NGRAM + +Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 is valid). +It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. + +For more information, see [instrumentation/README.ngram.md](../instrumentation/README.ngram.md). ### LAF-INTEL - This great feature will split compares into series of single byte comparisons - to allow afl-fuzz to find otherwise rather impossible paths. It is not - restricted to Intel CPUs ;-) +This great feature will split compares into series of single byte comparisons to allow afl-fuzz to find otherwise rather impossible paths. +It is not restricted to Intel CPUs. ;-) - - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions + - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions - - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs + - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs - - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and - 64, 32 and 16 bit integer CMP instructions + - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and + 64, 32 and 16 bit integer CMP instructions - - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs - AFL_LLVM_LAF_SPLIT_COMPARES to be set + - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs + AFL_LLVM_LAF_SPLIT_COMPARES to be set - - Setting `AFL_LLVM_LAF_ALL` sets all of the above + - Setting `AFL_LLVM_LAF_ALL` sets all of the above - See [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) for more information. +For more information, see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). ### INSTRUMENT LIST (selectively instrument files and functions) - This feature allows selective instrumentation of the source +This feature allows selective instrumentation of the source. - - Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or - function will only instrument (or skip) those files that match the names - listed in the specified file. +Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or function will only instrument (or skip) those files that match the names listed in the specified file. - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. +For more information, see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). ### Thread safe instrumentation counters (in all modes) - - Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread - safe counters. The overhead is a little bit higher compared to the older - non-thread safe case. Note that this disables neverzero (see below). +Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread +safe counters. The overhead is a little bit higher compared to the older +non-thread safe case. Note that this disables neverzero (see below). ### NOT_ZERO - - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters - that skip zero on overflow. This is the default for llvm >= 9, - however for llvm versions below that this will increase an unnecessary - slowdown due a performance issue that is only fixed in llvm 9+. - This feature increases path discovery by a little bit. + - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters + that skip zero on overflow. This is the default for llvm >= 9, + however, for llvm versions below that this will increase an unnecessary + slowdown due a performance issue that is only fixed in llvm 9+. + This feature increases path discovery by a little bit. - - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero - test. If the target performs only few loops then this will give a - small performance boost. + - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero + test. If the target performs only few loops, then this will give a + small performance boost. - See [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) +For more information, see [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). ### CMPLOG - - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to - produce a CmpLog binary. + - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to + produce a CmpLog binary. - See [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md) +For more information, see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). ## 3) Settings for GCC / GCC_PLUGIN modes Then there are a few specific features that are only available in GCC and GCC_PLUGIN mode. + - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those + files that match the names listed in this file (one filename per line). + See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. + (GCC_PLUGIN mode only) + - Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented assembly files. Useful for troubleshooting problems or understanding how the tool works. (GCC mode only) To get them in a predictable place, try something like: -``` + + ``` mkdir assembly_here TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all -``` - - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those - files that match the names listed in this file (one filename per line). - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. - (GCC_PLUGIN mode only) + ``` ## 4) Settings for afl-fuzz The main fuzzer binary accepts several options that disable a couple of sanity checks or alter some of the more exotic semantics of the tool: - - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is - useful if you can't change the defaults (e.g., no root access to the - system) and are OK with some performance loss. + - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`) + for an existing out folder, even if a different `-i` was provided. + Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. - - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths - have been fuzzed and there were no new finds for a while. This would be - normally indicated by the cycle counter in the UI turning green. May be - convenient for some types of automated jobs. + - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after + processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to + exit soon after the first crash is found. - - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were - found within a specified period of time (in seconds). May be convenient - for some types of automated jobs. + - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for + newly found testcases and not for testcases that are loaded on startup + (`-i in`). + This is an important feature to set when resuming a fuzzing session. - - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour - which does not allow crashes or timeout seeds in the initial -i corpus. + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. + For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting + in an `-1` return code (i.e. `exit(-1)` got called), will be treated + as if a crash had ocurred. + This may be beneficial if you look for higher-level faulty conditions in which your target still exits gracefully. - - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap, - afl-tmin and afl-analyze create to gather instrumentation data from - the target. This must be equal or larger than the size the target was - compiled with. + - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with + afl_custom_fuzz() creates additional mutations through this library. + If afl-fuzz is compiled with Python (which is autodetected during building + afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide + additional mutations. + If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be + performed with the custom mutator. + This feature allows to configure custom mutators which can be very helpful, + e.g. fuzzing XML or other highly flexible structured input. + Please see [custom_mutators.md](custom_mutators.md). - - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for - newly found testcases and not for testcases that are loaded on startup - (`-i in`). This is an important feature to set when resuming a fuzzing - session. + - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime + a cycle is finished. - - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` - in config.h. Recommended values are 50-250MB - or more if your fuzzing - finds a huge amount of paths for large inputs. + - Setting `AFL_DEBUG_CHILD` will not suppress the child output. + This lets you see all output of the child, making setup issues obvious. + For example, in an unicornafl harness, you might see python stacktraces. + You may also see other logs that way, indicating why the forkserver won't start. + Not pretty but good for debugging purposes. + Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated. - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! - - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core - on Linux systems. This slows things down, but lets you run more instances - of afl-fuzz than would be prudent (if you really want to). + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour + which does not allow crashes or timeout seeds in the initial -i corpus. - - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core - on Linux systems, but will not terminate if that fails. + - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were + found within a specified period of time (in seconds). May be convenient + for some types of automated jobs. - - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary - that is compiled into the target. + - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths + have been fuzzed and there were no new finds for a while. This would be + normally indicated by the cycle counter in the UI turning green. May be + convenient for some types of automated jobs. + + - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that + includes costly mutations. afl-fuzz automatically enables this mode when + deemed useful otherwise. + + - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less + precise), which can help when starting a session against a slow target. + `AFL_CAL_FAST` works too. + + - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if + no valid terminal was detected (for virtual consoles). + + - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout + to wait for the forkserver to spin up. + The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds. + Setting a different time here is useful if the target has a very slow startup time, for example when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. - Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for deciding if a particular test case is a "hang". The default is 1 second @@ -327,188 +339,137 @@ checks or alter some of the more exotic semantics of the tool: don't want AFL++ to spend too much time classifying that stuff and just rapidly put all timeouts in that bin. - - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout - to wait for the forkserver to spin up. The default is the `-t` value times - `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the - default would wait for `1000` milliseconds. Setting a different time here is useful - if the target has a very slow startup time, for example when doing - full-system fuzzing or emulation, but you don't want the actual runs - to wait too long for timeouts. - - - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. - This can be useful to speed up the fuzzing of text-based file formats. - - - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature - if the snapshot lkm is loaded - - - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested - by some users for unorthodox parallelized fuzzing setups, but not - advisable otherwise. - - - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in - the normal output directory otherwise. You would use this to point to - a ramdisk/tmpfs. This increases the speed by a small value but also - reduces the stress on SSDs. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. + Others need not apply, unless they also want to disable the + `/proc/sys/kernel/core_pattern` check. - - When developing custom instrumentation on top of afl-fuzz, you can use - `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries - and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` - setting to instruct afl-fuzz to still follow the fork server protocol - without expecting any instrumentation data in return. - Note that this also turns off auto map size detection. + - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session + (not at startup), it will terminate. If you do not want this, then you can + set `AFL_IGNORE_PROBLEMS`. - When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the fuzzer to import test cases from other instances before doing anything - else. This makes the "own finds" counter in the UI more accurate. + else. + This makes the "own finds" counter in the UI more accurate. Beyond counter aesthetics, not much else should change. - - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` - instead (see below). - - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. Unless you implement your own targets or instrumentation, you likely don't have to set it. By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. - - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with - afl_custom_fuzz() creates additional mutations through this library. - If afl-fuzz is compiled with Python (which is autodetected during building - afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide - additional mutations. - If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be - performed with the custom mutator. - This feature allows to configure custom mutators which can be very helpful, - e.g. fuzzing XML or other highly flexible structured input. - Please see [custom_mutators.md](custom_mutators.md). + - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap, + afl-tmin and afl-analyze create to gather instrumentation data from + the target. This must be equal or larger than the size the target was + compiled with. - - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less - precise), which can help when starting a session against a slow target. - `AFL_CAL_FAST` works too. + - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off. + In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down fuzzing. + The default count is `200` elements. + So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly. - - The CPU widget shown at the bottom of the screen is fairly simplistic and - may complain of high load prematurely, especially on systems with low core - counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`. + - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core + on Linux systems. This slows things down, but lets you run more instances + of afl-fuzz than would be prudent (if you really want to). - - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will - be searched for afl-qemu-trace and afl-frida-trace.so. + - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. + This can be useful to speed up the fuzzing of text-based file formats. - - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip - prepending `afl-qemu-trace` to your command line. Use this if you wish to use a - custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments. + - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary + that is compiled into the target. - - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime - a cycle is finished. + - The CPU widget shown at the bottom of the screen is fairly simplistic and + may complain of high load prematurely, especially on systems with low core + counts. + To avoid the alarming red color for very high cpu usages, you can set `AFL_NO_CPU_RED`. - - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that - includes costly mutations. afl-fuzz automatically enables this mode when - deemed useful otherwise. + - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for + coloring console output when configured with USE_COLOR and not ALWAYS_COLORED. - - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary - without disrupting the afl-fuzz process itself. This is useful, among other - things, for bootstrapping libdislocator.so. + - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to + fork + execve() call for every tested input. + This is useful mostly when working with unruly libraries that create threads or do other crazy things when initializing (before the instrumentation has a chance to run). - - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables - for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... ` - This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically - allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that - would disrupt work of 'fuzzer' AFL++). + Note that this setting inhibits some of the user-friendly diagnostics + normally done when starting up the forkserver and causes a pretty + significant performance drop. + + - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature + if the snapshot lkm is loaded. - Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints - some basic stats. This behavior is also automatically triggered when the - output from afl-fuzz is redirected to a file or to a pipe. + some basic stats. + This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe. - - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for - coloring console output when configured with USE_COLOR and not ALWAYS_COLORED. + - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for afl-qemu-trace and afl-frida-trace.so. - - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if - no valid terminal was detected (for virtual consoles) - - - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)) - some targets keep inherent state due which a detected crash testcase does - not crash the target again when the testcase is given. To be able to still - re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable - with a value of how many previous fuzz cases to keep prio a crash. - if set to e.g. 10, then the 9 previous inputs are written to - out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 - and RECORD:000000,cnt:000009 being the crash case. + - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given. + To be able to still re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash. + If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first! - - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session - (not at startup), it will terminate. If you do not want this then you can - set `AFL_IGNORE_PROBLEMS`. - - - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. - Others need not apply, unless they also want to disable the - `/proc/sys/kernel/core_pattern` check. - - - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after - processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to - exit soon after the first crash is found. - - - Setting `AFL_DEBUG_CHILD` will not suppress the child output. - This lets you see all output of the child, making setup issues obvious. - For example, in an unicornafl harness, you might see python stacktraces. - You may also see other logs that way, indicating why the forkserver won't start. - Not pretty but good for debugging purposes. - Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated. + - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` + instead (see below). - - Setting `AFL_NO_CPU_RED` will not display very high cpu usages in red color. + - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary + without disrupting the afl-fuzz process itself. + This is useful, among other things, for bootstrapping libdislocator.so. - - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`) - for an existing out folder, even if a different `-i` was provided. - Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. + - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip + prepending `afl-qemu-trace` to your command line. + Use this if you wish to use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments. - - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements - in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will - kick off. In probabilistic mode, not all dictionary entries will be used all - of the time for fuzzing mutations to not slow down fuzzing. - The default count is `200` elements. So for the 200 + 1st element, there is a - 1 in 201 chance, that one of the dictionary entries will not be used directly. + - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. + Requested by some users for unorthodox parallelized fuzzing setups, but not + advisable otherwise. - - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to - fork + execve() call for every tested input. This is useful mostly when - working with unruly libraries that create threads or do other crazy - things when initializing (before the instrumentation has a chance to run). + - When developing custom instrumentation on top of afl-fuzz, you can use + `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries + and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` + setting to instruct afl-fuzz to still follow the fork server protocol + without expecting any instrumentation data in return. + Note that this also turns off auto map size detection. - Note that this setting inhibits some of the user-friendly diagnostics - normally done when starting up the forkserver and causes a pretty - significant performance drop. + - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is + useful if you can't change the defaults (e.g., no root access to the + system) and are OK with some performance loss. - Setting `AFL_STATSD` enables StatsD metrics collection. - By default AFL++ will send these metrics over UDP to 127.0.0.1:8125. + By default, AFL++ will send these metrics over UDP to 127.0.0.1:8125. The host and port are configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. - To enable tags (banner and afl_version) you should provide `AFL_STATSD_TAGS_FLAVOR` that matches - your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`) + To enable tags (banner and afl_version), you should provide `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`). - - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` - allows you to add tags to your fuzzing instances. This is especially useful when running - multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. + - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` allows you to add tags to your fuzzing instances. + This is especially useful when running multiple instances (`-M/-S` for example). + Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. - `afl_version` corresponds to the currently running AFL version (e.g `++3.0c`). + `afl_version` corresponds to the currently running AFL version (e.g. `++3.0c`). Default (empty/non present) will add no tags to the metrics. - See [rpc_statsd.md](rpc_statsd.md) for more information. + For more information, see [rpc_statsd.md](rpc_statsd.md). - - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. - For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting - in an `-1` return code (i.e. `exit(-1)` got called), will be treated - as if a crash had ocurred. - This may be beneficial if you look for higher-level faulty conditions in which your - target still exits gracefully. + - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables + for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `. + This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that would disrupt work of 'fuzzer' AFL++). + + - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` + in config.h. Recommended values are 50-250MB - or more if your fuzzing + finds a huge amount of paths for large inputs. + + - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in + the normal output directory otherwise. + You would use this to point to a ramdisk/tmpfs. + This increases the speed by a small value but also reduces the stress on SSDs. + + - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core + on Linux systems, but will not terminate if that fails. - Outdated environment variables that are not supported anymore: - `AFL_DEFER_FORKSRV` - `AFL_PERSISTENT` + - `AFL_DEFER_FORKSRV` + - `AFL_PERSISTENT` ## 5) Settings for afl-qemu-trace The QEMU wrapper used to instrument binary-only code supports several settings: - - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some - of the basic blocks, which can be useful when dealing with very complex - binaries. - - - Setting `AFL_INST_LIBS` causes the translator to also instrument the code - inside any dynamically linked libraries (notably including glibc). - - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp, memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. @@ -518,74 +479,77 @@ The QEMU wrapper used to instrument binary-only code supports several settings: `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more accurate but may need a larger shared memory. - - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all - cmp and sub in x86 and x86_64. - This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is - not specified. - - - The underlying QEMU binary will recognize any standard "user space - emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no - reason to touch them. - - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use this if you are unsure if the entrypoint might be wrong - but - use it directly, e.g. `afl-qemu-trace ./program` + use it directly, e.g. `afl-qemu-trace ./program`. - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary (this can be very good for the performance!). The entrypoint is specified as hex address, e.g. `0x4004110` Note that the address must be the address of a basic block. + - Setting `AFL_INST_LIBS` causes the translator to also instrument the code + inside any dynamically linked libraries (notably including glibc). + + - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some + of the basic blocks, which can be useful when dealing with very complex + binaries. + + - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all + cmp and sub in x86 and x86_64. + This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is + not specified. + + - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal + handlers of the target. + - When the target is i386/x86_64 you can specify the address of the function that has to be the body of the persistent loop using `AFL_QEMU_PERSISTENT_ADDR=start addr`. + - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general + purpose registers and restore them in each persistent cycle. + - Another modality to execute the persistent loop is to specify also the `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable assigned, instead of patching the return address, the specified instruction is transformed to a jump towards `start addr`. - - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general - purpose registers and restore them in each persistent cycle. - - - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the - stack pointer in which QEMU can find the return address when `start addr` is - hit. + - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the stack pointer in which QEMU can find the return address when `start addr` is hit. - With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically linked binaries. - - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal - handlers of the target. + - The underlying QEMU binary will recognize any standard "user space + emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no + reason to touch them. ## 6) Settings for afl-cmin The corpus minimization script offers very little customization: - - Setting `AFL_PATH` offers a way to specify the location of afl-showmap - and afl-qemu-trace (the latter only in `-Q` mode). + - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. + This is a modest security risk on multi-user systems with rogue users, but should be safe on dedicated fuzzing boxes. - `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for - minimization and normally deleted at exit. The files can be found in the - `/.traces/` directory. + minimization and normally deleted at exit. + The files can be found in the `/.traces/` directory. - - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is - a modest security risk on multi-user systems with rogue users, but should - be safe on dedicated fuzzing boxes. + - Setting `AFL_PATH` offers a way to specify the location of afl-showmap + and afl-qemu-trace (the latter only in `-Q` mode). - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting. ## 7) Settings for afl-tmin -Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be -searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a -temporary file can't be created in the current working directory. +Virtually nothing to play with. +Well, in QEMU mode (`-Q`), `AFL_PATH` will be searched for afl-qemu-trace. +In addition to this, `TMPDIR` may be used if a temporary file can't be created in the current working directory. -You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths -to match when minimizing crashes. This will make minimization less useful, but -may prevent the tool from "jumping" from one crashing condition to another in -very buggy software. You probably want to combine it with the `-e` flag. +You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths to match when minimizing crashes. +This will make minimization less useful, but may prevent the tool from "jumping" from one crashing condition to another in very buggy software. +You probably want to combine it with the `-e` flag. ## 8) Settings for afl-analyze @@ -596,23 +560,23 @@ of decimal. The library honors these environmental variables: - - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the - library, in megabytes. The default value is 1 GB. Once this is exceeded, - allocations will return NULL. + - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to + `max_align_t` to be compliant with the C standard. - `AFL_LD_HARD_FAIL` alters the behavior by calling `abort()` on excessive allocations, thus causing what AFL++ would perceive as a crash. Useful for programs that are supposed to maintain a specific memory footprint. - - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages - that may be useful for pinpointing the cause of any observed issues. + - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the + library, in megabytes. The default value is 1 GB. Once this is exceeded, + allocations will return NULL. - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most of the common allocators check for that internally and return NULL, so it's a security risk only in more exotic setups. - - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to - `max_align_t` to be compliant with the C standard. + - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages + that may be useful for pinpointing the cause of any observed issues. ## 10) Settings for libtokencap @@ -630,34 +594,37 @@ optimal values if not already present in the environment: certainly pointless. - By default, `ASAN_OPTIONS` are set to (among others): -``` + + ``` abort_on_error=1 detect_leaks=0 malloc_context_size=0 symbolize=0 allocator_may_return_null=1 -``` - If you want to set your own options, be sure to include `abort_on_error=1` - + ``` + + If you want to set your own options, be sure to include `abort_on_error=1` - otherwise, the fuzzer will not be able to detect crashes in the tested app. Similarly, include `symbolize=0`, since without it, AFL++ may have difficulty telling crashes and hangs apart. - - In the same vein, by default, `MSAN_OPTIONS` are set to: -``` - exit_code=86 (required for legacy reasons) - abort_on_error=1 - symbolize=0 - msan_track_origins=0 - allocator_may_return_null=1 -``` - Similarly, the default `LSAN_OPTIONS` are set to: -``` + + ``` exit_code=23 fast_unwind_on_malloc=0 symbolize=0 print_suppressions=0 -``` - Be sure to include the first ones for LSAN and MSAN when customizing - anything, since some MSAN and LSAN versions don't call `abort()` on - error, and we need a way to detect faults. + ``` + + Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on error, and we need a way to detect faults. + + - In the same vein, by default, `MSAN_OPTIONS` are set to: + ``` + exit_code=86 (required for legacy reasons) + abort_on_error=1 + symbolize=0 + msan_track_origins=0 + allocator_may_return_null=1 + ``` \ No newline at end of file -- cgit 1.4.1 From bb255fdd790dfa4027f511ae3a8eebbbfd6b42e8 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 30 Oct 2021 21:42:21 +0200 Subject: Fix line breaks --- docs/env_variables.md | 547 ++++++++++++++++++++++++++++---------------------- 1 file changed, 302 insertions(+), 245 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index bd66ce38..6fb687e2 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -1,9 +1,13 @@ # Environment variables - This document discusses the environment variables used by AFL++ to expose various exotic functions that may be (rarely) useful for power users or for some types of custom fuzzing setups. - For general information about AFL++, see [README.md](../README.md). + This document discusses the environment variables used by AFL++ to expose + various exotic functions that may be (rarely) useful for power users or for + some types of custom fuzzing setups. For general information about AFL++, see + [README.md](../README.md). - Note: Most tools will warn on any unknown AFL++ environment variables; for example, because of typos. If you want to disable this check, then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable. + Note: Most tools will warn on any unknown AFL++ environment variables; for + example, because of typos. If you want to disable this check, then set the + `AFL_IGNORE_UNKNOWN_ENVS` environment variable. ## 1) Settings for all compilers @@ -11,19 +15,26 @@ Starting with AFL++ 3.0, there is only one compiler: afl-cc. To select the different instrumentation modes, use one of the following options: - - Pass the --afl-MODE command-line option to the compiler. Only this option accepts further AFL-specific command-line options. - - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific command-line options. Instead, use environment variables. - - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select `MODE`, use one of the following values: + - Pass the --afl-MODE command-line option to the compiler. Only this option + accepts further AFL-specific command-line options. + - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, + afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, + afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific + command-line options. Instead, use environment variables. + - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select + `MODE`, use one of the following values: - `GCC` (afl-gcc/afl-g++) - `GCC_PLUGIN` (afl-g*-fast) - `LLVM` (afl-clang-fast*) - `LTO` (afl-clang-lto*). -The compile-time tools do not accept AFL-specific command-line options. The --afl-MODE command line option is the only exception. The other options make fairly broad use of environment variables instead: +The compile-time tools do not accept AFL-specific command-line options. The +--afl-MODE command line option is the only exception. The other options make +fairly broad use of environment variables instead: - - Some build/configure scripts break with AFL++ compilers. - To be able to pass them, do: + - Some build/configure scripts break with AFL++ compilers. To be able to pass + them, do: ``` export CC=afl-cc @@ -34,25 +45,24 @@ The compile-time tools do not accept AFL-specific command-line options. The --af make ``` - - If you are a weird person that wants to compile and instrument asm - text files, then use the `AFL_AS_FORCE_INSTRUMENT` variable: + - If you are a weird person that wants to compile and instrument asm text + files, then use the `AFL_AS_FORCE_INSTRUMENT` variable: `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries in your `$PATH`. - - Most AFL tools do not print any output if stdout/stderr are redirected. - If you want to get the output into a file, then set the `AFL_DEBUG` - environment variable. - This is sadly necessary for various build processes which fail otherwise. + - Most AFL tools do not print any output if stdout/stderr are redirected. If + you want to get the output into a file, then set the `AFL_DEBUG` environment + variable. This is sadly necessary for various build processes which fail + otherwise. - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this will cause problems in programs built with -Werror, simply because `-O3` - enables more thorough code analysis and can spew out additional warnings. - To disable optimizations, set `AFL_DONT_OPTIMIZE`. - However, if `-O...` and/or `-fno-unroll-loops` are set, these are not - overridden. + enables more thorough code analysis and can spew out additional warnings. To + disable optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or + `-fno-unroll-loops` are set, these are not overridden. - Setting `AFL_HARDEN` automatically adds code hardening options when invoking the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and @@ -60,9 +70,9 @@ The compile-time tools do not accept AFL-specific command-line options. The --af memory bugs at the expense of a very slight (sub-5%) performance loss. - Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the - probability of instrumenting every branch. This is (very rarely) useful - when dealing with exceptionally complex programs that saturate the output - bitmap. Examples include v8, ffmpeg, and perl. + probability of instrumenting every branch. This is (very rarely) useful when + dealing with exceptionally complex programs that saturate the output bitmap. + Examples include v8, ffmpeg, and perl. (If this ever happens, afl-fuzz will warn you ahead of the time by displaying the "bitmap density" field in fiery red.) @@ -70,18 +80,17 @@ The compile-time tools do not accept AFL-specific command-line options. The --af Setting `AFL_INST_RATIO` to 0 is a valid choice. This will instrument only the transitions between function entry points, but not individual branches. - Note that this is an outdated variable. A few instances (e.g. afl-gcc) - still support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) - do not need this. + Note that this is an outdated variable. A few instances (e.g. afl-gcc) still + support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) do not + need this. - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with libtokencap.so (but perhaps running a bit slower than without the flag). - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as. - One possible use of this is utils/clang_asm_normalize/, which lets - you instrument hand-written assembly when compiling clang code by plugging - a normalizer into the chain. - (There is no equivalent feature for GCC.) + One possible use of this is utils/clang_asm_normalize/, which lets you + instrument hand-written assembly when compiling clang code by plugging a + normalizer into the chain. (There is no equivalent feature for GCC.) - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being displayed during compilation, in case you find them distracting. @@ -95,19 +104,20 @@ The compile-time tools do not accept AFL-specific command-line options. The --af there is the Control Flow Integrity sanitizer that can be activated by `AFL_USE_CFISAN=1`.) - - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided - that your compiler supports it. To perform a leak check within your - program at a certain point (such as at the end of an __AFL_LOOP), - you can run the macro __AFL_LEAK_CHECK(); which will cause - an abort if any memory is leaked (you can combine this with the - LSAN_OPTIONS=suppressions option to supress some known leaks). + - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided that + your compiler supports it. To perform a leak check within your program at a + certain point (such as at the end of an __AFL_LOOP), you can run the macro + __AFL_LEAK_CHECK(); which will cause an abort if any memory is leaked (you + can combine this with the LSAN_OPTIONS=suppressions option to supress some + known leaks). - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp. ## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++ -The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset of the settings discussed in section 1, with the exception of: +The native instrumentation helpers (instrumentation and gcc_plugin) accept a +subset of the settings discussed in section 1, with the exception of: - LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will write all constant string comparisons to this file to be used later with @@ -118,10 +128,11 @@ The native instrumentation helpers (instrumentation and gcc_plugin) accept a sub - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are created. - - `AFL_INST_RATIO`, as we use collision free instrumentation by default. - Not all passes support this option though as it is an outdated feature. + - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not + all passes support this option though as it is an outdated feature. -Then there are a few specific features that are only available in instrumentation mode: +Then there are a few specific features that are only available in +instrumentation mode: ### Select the instrumentation mode @@ -132,7 +143,8 @@ Available options: - CLANG - outdated clang instrumentation - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) - You can also specify CTX and/or NGRAM, seperate the options with a comma "," then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` + You can also specify CTX and/or NGRAM, seperate the options with a comma "," + then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` Note: It is actually not a good idea to use both CTX and NGRAM. :) - CTX - context sensitive instrumentation (see below) @@ -144,97 +156,119 @@ Available options: #### CTX -Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive branch coverage - meaning that each edge is additionally combined with its caller. -It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. +Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive +branch coverage - meaning that each edge is additionally combined with its +caller. It is highly recommended to increase the `MAP_SIZE_POW2` definition in +config.h to at least 18 and maybe up to 20 for this as otherwise too many map +collisions occur. -For more information, see [instrumentation/README.ctx.md](../instrumentation/README.ctx.md). +For more information, see +[instrumentation/README.ctx.md](../instrumentation/README.ctx.md). #### LTO -This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue in AFL and AFL-like instrumentations). -This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. +This is a different kind way of instrumentation: first it compiles all code in +LTO (link time optimization) and then performs an edge inserting instrumentation +which is 100% collision free (collisions are a big issue in AFL and AFL-like +instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ +instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. - - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. - (not recommended for afl-clang-fast, default for afl-clang-lto as there - it is a different and better kind of instrumentation.) + - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (not + recommended for afl-clang-fast, default for afl-clang-lto as there it is a + different and better kind of instrumentation.) -None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use). -These are used if several separated instrumentations are performed which are then later combined. +None of the following options are necessary to be used and are rather for manual +use (which only ever the author of this LTO implementation will use). These are +used if several separated instrumentations are performed which are then later +combined. - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given - to which function. This helps to identify functions with variable bytes - or which functions were touched by an input. + to which function. This helps to identify functions with variable bytes or + which functions were touched by an input. - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than the default `0x10000`. A value of 0 or empty sets the map address to be dynamic (the original AFL way, which is slower) - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. - This defaults to 1 + - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the + instrumentation. This defaults to 1 - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written into the instrumentation is set in a global variable - For more information, see [instrumentation/README.lto.md](../instrumentation/README.lto.md). + For more information, see + [instrumentation/README.lto.md](../instrumentation/README.lto.md). #### NGRAM -Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 is valid). -It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. +Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates +ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 +is valid). It is highly recommended to increase the `MAP_SIZE_POW2` definition +in config.h to at least 18 and maybe up to 20 for this as otherwise too many map +collisions occur. -For more information, see [instrumentation/README.ngram.md](../instrumentation/README.ngram.md). +For more information, see +[instrumentation/README.ngram.md](../instrumentation/README.ngram.md). ### LAF-INTEL -This great feature will split compares into series of single byte comparisons to allow afl-fuzz to find otherwise rather impossible paths. -It is not restricted to Intel CPUs. ;-) +This great feature will split compares into series of single byte comparisons to +allow afl-fuzz to find otherwise rather impossible paths. It is not restricted +to Intel CPUs. ;-) - - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions + - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare + functions - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs - - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and - 64, 32 and 16 bit integer CMP instructions + - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64, + 32 and 16 bit integer CMP instructions - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs AFL_LLVM_LAF_SPLIT_COMPARES to be set - Setting `AFL_LLVM_LAF_ALL` sets all of the above -For more information, see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). +For more information, see +[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). ### INSTRUMENT LIST (selectively instrument files and functions) This feature allows selective instrumentation of the source. -Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or function will only instrument (or skip) those files that match the names listed in the specified file. +Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or +function will only instrument (or skip) those files that match the names listed +in the specified file. -For more information, see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). +For more information, see +[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). ### Thread safe instrumentation counters (in all modes) -Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread -safe counters. The overhead is a little bit higher compared to the older -non-thread safe case. Note that this disables neverzero (see below). +Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe +counters. The overhead is a little bit higher compared to the older non-thread +safe case. Note that this disables neverzero (see below). ### NOT_ZERO - - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters - that skip zero on overflow. This is the default for llvm >= 9, - however, for llvm versions below that this will increase an unnecessary - slowdown due a performance issue that is only fixed in llvm 9+. - This feature increases path discovery by a little bit. + - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip + zero on overflow. This is the default for llvm >= 9, however, for llvm + versions below that this will increase an unnecessary slowdown due a + performance issue that is only fixed in llvm 9+. This feature increases path + discovery by a little bit. - - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero - test. If the target performs only few loops, then this will give a - small performance boost. + - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test. + If the target performs only few loops, then this will give a small + performance boost. -For more information, see [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). +For more information, see +[instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). ### CMPLOG - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to produce a CmpLog binary. -For more information, see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). +For more information, see +[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). ## 3) Settings for GCC / GCC_PLUGIN modes @@ -242,14 +276,14 @@ Then there are a few specific features that are only available in GCC and GCC_PLUGIN mode. - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those - files that match the names listed in this file (one filename per line). - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information. - (GCC_PLUGIN mode only) + files that match the names listed in this file (one filename per line). See + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + for more information. (GCC_PLUGIN mode only) - Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented - assembly files. Useful for troubleshooting problems or understanding how - the tool works. (GCC mode only) - To get them in a predictable place, try something like: + assembly files. Useful for troubleshooting problems or understanding how the + tool works. (GCC mode only) To get them in a predictable place, try + something like: ``` mkdir assembly_here @@ -262,54 +296,52 @@ The main fuzzer binary accepts several options that disable a couple of sanity checks or alter some of the more exotic semantics of the tool: - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`) - for an existing out folder, even if a different `-i` was provided. - Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. + for an existing out folder, even if a different `-i` was provided. Without + this setting, afl-fuzz will refuse execution for a long-fuzzed out dir. - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to exit soon after the first crash is found. - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for - newly found testcases and not for testcases that are loaded on startup - (`-i in`). - This is an important feature to set when resuming a fuzzing session. + newly found testcases and not for testcases that are loaded on startup (`-i + in`). This is an important feature to set when resuming a fuzzing session. - - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. - For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting - in an `-1` return code (i.e. `exit(-1)` got called), will be treated - as if a crash had ocurred. - This may be beneficial if you look for higher-level faulty conditions in which your target still exits gracefully. + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For + example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an + `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash + had ocurred. This may be beneficial if you look for higher-level faulty + conditions in which your target still exits gracefully. - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with - afl_custom_fuzz() creates additional mutations through this library. - If afl-fuzz is compiled with Python (which is autodetected during building + afl_custom_fuzz() creates additional mutations through this library. If + afl-fuzz is compiled with Python (which is autodetected during building afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide - additional mutations. - If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be - performed with the custom mutator. - This feature allows to configure custom mutators which can be very helpful, - e.g. fuzzing XML or other highly flexible structured input. - Please see [custom_mutators.md](custom_mutators.md). + additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all + mutations will solely be performed with the custom mutator. This feature + allows to configure custom mutators which can be very helpful, e.g. fuzzing + XML or other highly flexible structured input. Please see + [custom_mutators.md](custom_mutators.md). - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime a cycle is finished. - - Setting `AFL_DEBUG_CHILD` will not suppress the child output. - This lets you see all output of the child, making setup issues obvious. - For example, in an unicornafl harness, you might see python stacktraces. - You may also see other logs that way, indicating why the forkserver won't start. - Not pretty but good for debugging purposes. - Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated. + - Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you + see all output of the child, making setup issues obvious. For example, in an + unicornafl harness, you might see python stacktraces. You may also see other + logs that way, indicating why the forkserver won't start. Not pretty but + good for debugging purposes. Note that `AFL_DEBUG_CHILD_OUTPUT` is + deprecated. - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! - - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour - which does not allow crashes or timeout seeds in the initial -i corpus. + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which + does not allow crashes or timeout seeds in the initial -i corpus. - - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were - found within a specified period of time (in seconds). May be convenient - for some types of automated jobs. + - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were found + within a specified period of time (in seconds). May be convenient for some + types of automated jobs. - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths have been fuzzed and there were no new finds for a while. This would be @@ -324,20 +356,23 @@ checks or alter some of the more exotic semantics of the tool: precise), which can help when starting a session against a slow target. `AFL_CAL_FAST` works too. - - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if - no valid terminal was detected (for virtual consoles). + - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no + valid terminal was detected (for virtual consoles). - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout - to wait for the forkserver to spin up. - The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds. - Setting a different time here is useful if the target has a very slow startup time, for example when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. + to wait for the forkserver to spin up. The default is the `-t` value times + `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the + default would wait for `1000` milliseconds. Setting a different time here is + useful if the target has a very slow startup time, for example when doing + full-system fuzzing or emulation, but you don't want the actual runs to wait + too long for timeouts. - Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for - deciding if a particular test case is a "hang". The default is 1 second - or the value of the `-t` parameter, whichever is larger. Dialing the value - down can be useful if you are very concerned about slow inputs, or if you - don't want AFL++ to spend too much time classifying that stuff and just - rapidly put all timeouts in that bin. + deciding if a particular test case is a "hang". The default is 1 second or + the value of the `-t` parameter, whichever is larger. Dialing the value down + can be useful if you are very concerned about slow inputs, or if you don't + want AFL++ to spend too much time classifying that stuff and just rapidly + put all timeouts in that bin. - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply, unless they also want to disable the @@ -348,28 +383,31 @@ checks or alter some of the more exotic semantics of the tool: set `AFL_IGNORE_PROBLEMS`. - When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the - fuzzer to import test cases from other instances before doing anything - else. - This makes the "own finds" counter in the UI more accurate. - Beyond counter aesthetics, not much else should change. + fuzzer to import test cases from other instances before doing anything else. + This makes the "own finds" counter in the UI more accurate. Beyond counter + aesthetics, not much else should change. - - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout. - Unless you implement your own targets or instrumentation, you likely don't have to set it. - By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. + - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on + timeout. Unless you implement your own targets or instrumentation, you + likely don't have to set it. By default, on timeout and on exit, `SIGKILL` + (`AFL_KILL_SIGNAL=9`) will be delivered to the child. - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap, - afl-tmin and afl-analyze create to gather instrumentation data from - the target. This must be equal or larger than the size the target was - compiled with. - - - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off. - In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down fuzzing. - The default count is `200` elements. - So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly. + afl-tmin and afl-analyze create to gather instrumentation data from the + target. This must be equal or larger than the size the target was compiled + with. + + - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of + elements in the `-x` dictionary and LTO autodict (combined) the + probabilistic mode will kick off. In probabilistic mode, not all dictionary + entries will be used all of the time for fuzzing mutations to not slow down + fuzzing. The default count is `200` elements. So for the 200 + 1st element, + there is a 1 in 201 chance, that one of the dictionary entries will not be + used directly. - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core - on Linux systems. This slows things down, but lets you run more instances - of afl-fuzz than would be prudent (if you really want to). + on Linux systems. This slows things down, but lets you run more instances of + afl-fuzz than would be prudent (if you really want to). - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics. This can be useful to speed up the fuzzing of text-based file formats. @@ -379,85 +417,100 @@ checks or alter some of the more exotic semantics of the tool: - The CPU widget shown at the bottom of the screen is fairly simplistic and may complain of high load prematurely, especially on systems with low core - counts. - To avoid the alarming red color for very high cpu usages, you can set `AFL_NO_CPU_RED`. + counts. To avoid the alarming red color for very high cpu usages, you can + set `AFL_NO_CPU_RED`. - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for - coloring console output when configured with USE_COLOR and not ALWAYS_COLORED. + coloring console output when configured with USE_COLOR and not + ALWAYS_COLORED. - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to - fork + execve() call for every tested input. - This is useful mostly when working with unruly libraries that create threads or do other crazy things when initializing (before the instrumentation has a chance to run). + fork + execve() call for every tested input. This is useful mostly when + working with unruly libraries that create threads or do other crazy things + when initializing (before the instrumentation has a chance to run). Note that this setting inhibits some of the user-friendly diagnostics normally done when starting up the forkserver and causes a pretty significant performance drop. - - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature - if the snapshot lkm is loaded. + - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if + the snapshot lkm is loaded. - Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints - some basic stats. - This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe. - - - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for afl-qemu-trace and afl-frida-trace.so. - - - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given. - To be able to still re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash. - If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and RECORD:000000,cnt:000009 being the crash case. - NOTE: This option needs to be enabled in config.h first! + some basic stats. This behavior is also automatically triggered when the + output from afl-fuzz is redirected to a file or to a pipe. + + - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for + afl-qemu-trace and afl-frida-trace.so. + + - If you are using persistent mode (you should, see + [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), + some targets keep inherent state due which a detected crash testcase does + not crash the target again when the testcase is given. To be able to still + re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable + with a value of how many previous fuzz cases to keep prio a crash. If set to + e.g. 10, then the 9 previous inputs are written to out/default/crashes as + RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and + RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be + enabled in config.h first! - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` instead (see below). - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary - without disrupting the afl-fuzz process itself. - This is useful, among other things, for bootstrapping libdislocator.so. + without disrupting the afl-fuzz process itself. This is useful, among other + things, for bootstrapping libdislocator.so. - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip - prepending `afl-qemu-trace` to your command line. - Use this if you wish to use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments. + prepending `afl-qemu-trace` to your command line. Use this if you wish to + use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace + arguments. - - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. - Requested by some users for unorthodox parallelized fuzzing setups, but not - advisable otherwise. + - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested + by some users for unorthodox parallelized fuzzing setups, but not advisable + otherwise. - When developing custom instrumentation on top of afl-fuzz, you can use - `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries - and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` - setting to instruct afl-fuzz to still follow the fork server protocol - without expecting any instrumentation data in return. - Note that this also turns off auto map size detection. + `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries and + shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` setting + to instruct afl-fuzz to still follow the fork server protocol without + expecting any instrumentation data in return. Note that this also turns off + auto map size detection. - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is - useful if you can't change the defaults (e.g., no root access to the - system) and are OK with some performance loss. - - - Setting `AFL_STATSD` enables StatsD metrics collection. - By default, AFL++ will send these metrics over UDP to 127.0.0.1:8125. - The host and port are configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. - To enable tags (banner and afl_version), you should provide `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`). - - - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` allows you to add tags to your fuzzing instances. - This is especially useful when running multiple instances (`-M/-S` for example). - Applied tags are `banner` and `afl_version`. - `banner` corresponds to the name of the fuzzer provided through `-M/-S`. - `afl_version` corresponds to the currently running AFL version (e.g. `++3.0c`). - Default (empty/non present) will add no tags to the metrics. - For more information, see [rpc_statsd.md](rpc_statsd.md). - - - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables - for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `. - This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that would disrupt work of 'fuzzer' AFL++). - - - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` - in config.h. Recommended values are 50-250MB - or more if your fuzzing - finds a huge amount of paths for large inputs. - - - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in - the normal output directory otherwise. - You would use this to point to a ramdisk/tmpfs. - This increases the speed by a small value but also reduces the stress on SSDs. + useful if you can't change the defaults (e.g., no root access to the system) + and are OK with some performance loss. + + - Setting `AFL_STATSD` enables StatsD metrics collection. By default, AFL++ + will send these metrics over UDP to 127.0.0.1:8125. The host and port are + configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. To + enable tags (banner and afl_version), you should provide + `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see + `AFL_STATSD_TAGS_FLAVOR`). + + - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, + `signalfx` or `influxdb` allows you to add tags to your fuzzing instances. + This is especially useful when running multiple instances (`-M/-S` for + example). Applied tags are `banner` and `afl_version`. `banner` corresponds + to the name of the fuzzer provided through `-M/-S`. `afl_version` + corresponds to the currently running AFL version (e.g. `++3.0c`). Default + (empty/non present) will add no tags to the metrics. For more information, + see [rpc_statsd.md](rpc_statsd.md). + + - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables for + the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz + ... `. This exists mostly for things like `LD_LIBRARY_PATH` but it would + theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some + AFL_ vars that would disrupt work of 'fuzzer' AFL++). + + - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define + TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if + your fuzzing finds a huge amount of paths for large inputs. + + - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in the + normal output directory otherwise. You would use this to point to a + ramdisk/tmpfs. This increases the speed by a small value but also reduces + the stress on SSDs. - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core on Linux systems, but will not terminate if that fails. @@ -472,21 +525,20 @@ The QEMU wrapper used to instrument binary-only code supports several settings: - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp, - memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. - More info at qemu_mode/libcompcov/README.md. - There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments - only comparisons with immediate values / read-only memory and - `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more - accurate but may need a larger shared memory. - - - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. - Use this if you are unsure if the entrypoint might be wrong - but - use it directly, e.g. `afl-qemu-trace ./program`. - - - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the - binary (this can be very good for the performance!). - The entrypoint is specified as hex address, e.g. `0x4004110` - Note that the address must be the address of a basic block. + memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at + qemu_mode/libcompcov/README.md. There are two levels at the moment, + `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate + values / read-only memory and `AFL_COMPCOV_LEVEL=2` that instruments all the + comparions. Level 2 is more accurate but may need a larger shared memory. + + - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use + this if you are unsure if the entrypoint might be wrong - but use it + directly, e.g. `afl-qemu-trace ./program`. + + - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary + (this can be very good for the performance!). The entrypoint is specified as + hex address, e.g. `0x4004110` Note that the address must be the address of a + basic block. - Setting `AFL_INST_LIBS` causes the translator to also instrument the code inside any dynamically linked libraries (notably including glibc). @@ -495,10 +547,9 @@ The QEMU wrapper used to instrument binary-only code supports several settings: of the basic blocks, which can be useful when dealing with very complex binaries. - - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all - cmp and sub in x86 and x86_64. - This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is - not specified. + - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all cmp + and sub in x86 and x86_64. This is an alias of `AFL_COMPCOV_LEVEL=1` when + `AFL_COMPCOV_LEVEL` is not specified. - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal handlers of the target. @@ -511,11 +562,13 @@ The QEMU wrapper used to instrument binary-only code supports several settings: purpose registers and restore them in each persistent cycle. - Another modality to execute the persistent loop is to specify also the - `AFL_QEMU_PERSISTENT_RET=end addr` env variable. - With this variable assigned, instead of patching the return address, the - specified instruction is transformed to a jump towards `start addr`. + `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable + assigned, instead of patching the return address, the specified instruction + is transformed to a jump towards `start addr`. - - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the stack pointer in which QEMU can find the return address when `start addr` is hit. + - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from + the stack pointer in which QEMU can find the return address when `start + addr` is hit. - With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically linked binaries. @@ -528,28 +581,31 @@ The QEMU wrapper used to instrument binary-only code supports several settings: The corpus minimization script offers very little customization: - - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. - This is a modest security risk on multi-user systems with rogue users, but should be safe on dedicated fuzzing boxes. + - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is + a modest security risk on multi-user systems with rogue users, but should be + safe on dedicated fuzzing boxes. - `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for - minimization and normally deleted at exit. - The files can be found in the `/.traces/` directory. + minimization and normally deleted at exit. The files can be found in the + `/.traces/` directory. - - Setting `AFL_PATH` offers a way to specify the location of afl-showmap - and afl-qemu-trace (the latter only in `-Q` mode). + - Setting `AFL_PATH` offers a way to specify the location of afl-showmap and + afl-qemu-trace (the latter only in `-Q` mode). - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. - This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting. + This can help when embedding `afl-cmin` or `afl-showmap` in other scripts + scripting. ## 7) Settings for afl-tmin -Virtually nothing to play with. -Well, in QEMU mode (`-Q`), `AFL_PATH` will be searched for afl-qemu-trace. -In addition to this, `TMPDIR` may be used if a temporary file can't be created in the current working directory. +Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be +searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a +temporary file can't be created in the current working directory. -You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths to match when minimizing crashes. -This will make minimization less useful, but may prevent the tool from "jumping" from one crashing condition to another in very buggy software. -You probably want to combine it with the `-e` flag. +You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths +to match when minimizing crashes. This will make minimization less useful, but +may prevent the tool from "jumping" from one crashing condition to another in +very buggy software. You probably want to combine it with the `-e` flag. ## 8) Settings for afl-analyze @@ -571,12 +627,12 @@ The library honors these environmental variables: library, in megabytes. The default value is 1 GB. Once this is exceeded, allocations will return NULL. - - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most - of the common allocators check for that internally and return NULL, so - it's a security risk only in more exotic setups. + - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most of + the common allocators check for that internally and return NULL, so it's a + security risk only in more exotic setups. - - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages - that may be useful for pinpointing the cause of any observed issues. + - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that + may be useful for pinpointing the cause of any observed issues. ## 10) Settings for libtokencap @@ -588,10 +644,9 @@ discovered tokens should be written. Several variables are not directly interpreted by afl-fuzz, but are set to optimal values if not already present in the environment: - - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the - linker to do all the work before the fork server kicks in. You can - override this by setting `LD_BIND_LAZY` beforehand, but it is almost - certainly pointless. + - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker + to do all the work before the fork server kicks in. You can override this by + setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. - By default, `ASAN_OPTIONS` are set to (among others): @@ -604,8 +659,8 @@ optimal values if not already present in the environment: ``` If you want to set your own options, be sure to include `abort_on_error=1` - - otherwise, the fuzzer will not be able to detect crashes in the tested - app. Similarly, include `symbolize=0`, since without it, AFL++ may have + otherwise, the fuzzer will not be able to detect crashes in the tested app. + Similarly, include `symbolize=0`, since without it, AFL++ may have difficulty telling crashes and hangs apart. - Similarly, the default `LSAN_OPTIONS` are set to: @@ -617,7 +672,9 @@ optimal values if not already present in the environment: print_suppressions=0 ``` - Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on error, and we need a way to detect faults. + Be sure to include the first ones for LSAN and MSAN when customizing + anything, since some MSAN and LSAN versions don't call `abort()` on error, + and we need a way to detect faults. - In the same vein, by default, `MSAN_OPTIONS` are set to: -- cgit 1.4.1 From 74b4274e35609a22d42fdf0672bc374e39a7c788 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 4 Nov 2021 16:12:54 +0100 Subject: update for new sanitizer support --- docs/env_variables.md | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 6fb687e2..5362f713 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -95,21 +95,22 @@ fairly broad use of environment variables instead: - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being displayed during compilation, in case you find them distracting. - - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports it. - - (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the - same gotchas; the modes are mutually exclusive. UBSAN can be enabled - similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally, - there is the Control Flow Integrity sanitizer that can be activated by - `AFL_USE_CFISAN=1`.) - - - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided that - your compiler supports it. To perform a leak check within your program at a - certain point (such as at the end of an __AFL_LOOP), you can run the macro - __AFL_LEAK_CHECK(); which will cause an abort if any memory is leaked (you - can combine this with the LSAN_OPTIONS=suppressions option to supress some - known leaks). + - Setting `AFL_USE_...` automatically enables supported sanitizers - + provided that your compiler supports it. + Available are: + - `AFL_USE_ASAN=1` - activate the address sanitizer (memory corruption + detection) + - `AFL_USE_MSAN=1` - activate the memory sanitizer (uninitialized memory) + - `AFL_USE_UBSAN=1` - activate the undefined behaviour sanitizer + - `AFL_USE_TSAN=1` - activate the thread sanitizer to find thread race + conditions + - `AFL_USE_CFISAN=1` - activate the Control Flow Integrity sanitizer (e.g. + type confusion vulnerabilities) + - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check + within your program at a certain point (such as at the end of an + `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will + cause an abort if any memory is leaked (you can combine this with the + `LSAN_OPTIONS=...` suppression option to supress some known leaks). - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp. -- cgit 1.4.1 From 72878cc14b7697024b6387b4c09dff786763d0a1 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 6 Nov 2021 22:09:54 +0100 Subject: Edit list of environment variables --- docs/env_variables.md | 201 +++++++++++++++++++++++++------------------------- 1 file changed, 102 insertions(+), 99 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 5362f713..5724b197 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -18,9 +18,9 @@ To select the different instrumentation modes, use one of the following options: - Pass the --afl-MODE command-line option to the compiler. Only this option accepts further AFL-specific command-line options. - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, - afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, - afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific - command-line options. Instead, use environment variables. + afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-g++, afl-g++-fast, + afl-gcc, afl-gcc-fast. This option does not accept AFL-specific command-line + options. Instead, use environment variables. - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select `MODE`, use one of the following values: @@ -45,14 +45,14 @@ fairly broad use of environment variables instead: make ``` + - Setting `AFL_AS`, `AFL_CC`, and `AFL_CXX` lets you use alternate downstream + compilation tools, rather than the default 'as', 'clang', or 'gcc' binaries + in your `$PATH`. + - If you are a weird person that wants to compile and instrument asm text files, then use the `AFL_AS_FORCE_INSTRUMENT` variable: `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo` - - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream - compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries - in your `$PATH`. - - Most AFL tools do not print any output if stdout/stderr are redirected. If you want to get the output into a file, then set the `AFL_DEBUG` environment variable. This is sadly necessary for various build processes which fail @@ -72,7 +72,7 @@ fairly broad use of environment variables instead: - Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the probability of instrumenting every branch. This is (very rarely) useful when dealing with exceptionally complex programs that saturate the output bitmap. - Examples include v8, ffmpeg, and perl. + Examples include ffmpeg, perl, and v8. (If this ever happens, afl-fuzz will warn you ahead of the time by displaying the "bitmap density" field in fiery red.) @@ -92,25 +92,24 @@ fairly broad use of environment variables instead: instrument hand-written assembly when compiling clang code by plugging a normalizer into the chain. (There is no equivalent feature for GCC.) - - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being + - Setting `AFL_QUIET` will prevent afl-as and afl-cc banners from being displayed during compilation, in case you find them distracting. - - Setting `AFL_USE_...` automatically enables supported sanitizers - - provided that your compiler supports it. - Available are: - - `AFL_USE_ASAN=1` - activate the address sanitizer (memory corruption + - Setting `AFL_USE_...` automatically enables supported sanitizers - provided + that your compiler supports it. Available are: + - `AFL_USE_ASAN=1` - activates the address sanitizer (memory corruption detection) - - `AFL_USE_MSAN=1` - activate the memory sanitizer (uninitialized memory) - - `AFL_USE_UBSAN=1` - activate the undefined behaviour sanitizer - - `AFL_USE_TSAN=1` - activate the thread sanitizer to find thread race - conditions - - `AFL_USE_CFISAN=1` - activate the Control Flow Integrity sanitizer (e.g. + - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g. type confusion vulnerabilities) - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check within your program at a certain point (such as at the end of an `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will cause an abort if any memory is leaked (you can combine this with the - `LSAN_OPTIONS=...` suppression option to supress some known leaks). + `LSAN_OPTIONS=...` suppression option to suppress some known leaks). + - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory) + - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race + conditions + - `AFL_USE_UBSAN=1` - activates the undefined behaviour sanitizer - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp. @@ -120,18 +119,18 @@ fairly broad use of environment variables instead: The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset of the settings discussed in section 1, with the exception of: + - `AFL_AS`, since this toolchain does not directly invoke GNU `as`. + + - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not + all passes support this option though as it is an outdated feature. + - LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will - write all constant string comparisons to this file to be used later with + write all constant string comparisons to this file to be used later with afl-fuzz' `-x` option. - - `AFL_AS`, since this toolchain does not directly invoke GNU as. - - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are created. - - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not - all passes support this option though as it is an outdated feature. - Then there are a few specific features that are only available in instrumentation mode: @@ -148,13 +147,21 @@ Available options: then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` Note: It is actually not a good idea to use both CTX and NGRAM. :) - - CTX - context sensitive instrumentation (see below) + - CTX - context sensitive instrumentation - GCC - outdated gcc instrumentation - - LTO - LTO instrumentation (see below) + - LTO - LTO instrumentation - NATIVE - clang's original pcguard based instrumentation - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16) - PCGUARD - our own pcgard based instrumentation (default) +#### CMPLOG + +Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to +produce a CmpLog binary. + +For more information, see +[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). + #### CTX Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive @@ -166,6 +173,39 @@ collisions occur. For more information, see [instrumentation/README.ctx.md](../instrumentation/README.ctx.md). +#### INSTRUMENT LIST (selectively instrument files and functions) + +This feature allows selective instrumentation of the source. + +Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or +function will only instrument (or skip) those files that match the names listed +in the specified file. + +For more information, see +[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). + +#### LAF-INTEL + +This great feature will split compares into series of single byte comparisons to +allow afl-fuzz to find otherwise rather impossible paths. It is not restricted +to Intel CPUs. ;-) + + - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare + functions + + - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs + + - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64, + 32 and 16 bit integer CMP instructions + + - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs + AFL_LLVM_LAF_SPLIT_COMPARES to be set + + - Setting `AFL_LLVM_LAF_ALL` sets all of the above + +For more information, see +[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). + #### LTO This is a different kind way of instrumentation: first it compiles all code in @@ -209,46 +249,7 @@ collisions occur. For more information, see [instrumentation/README.ngram.md](../instrumentation/README.ngram.md). -### LAF-INTEL - -This great feature will split compares into series of single byte comparisons to -allow afl-fuzz to find otherwise rather impossible paths. It is not restricted -to Intel CPUs. ;-) - - - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare - functions - - - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs - - - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64, - 32 and 16 bit integer CMP instructions - - - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs - AFL_LLVM_LAF_SPLIT_COMPARES to be set - - - Setting `AFL_LLVM_LAF_ALL` sets all of the above - -For more information, see -[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). - -### INSTRUMENT LIST (selectively instrument files and functions) - -This feature allows selective instrumentation of the source. - -Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or -function will only instrument (or skip) those files that match the names listed -in the specified file. - -For more information, see -[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). - -### Thread safe instrumentation counters (in all modes) - -Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe -counters. The overhead is a little bit higher compared to the older non-thread -safe case. Note that this disables neverzero (see below). - -### NOT_ZERO +#### NOT_ZERO - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip zero on overflow. This is the default for llvm >= 9, however, for llvm @@ -263,34 +264,34 @@ safe case. Note that this disables neverzero (see below). For more information, see [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). -### CMPLOG - - - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to - produce a CmpLog binary. +#### Thread safe instrumentation counters (in all modes) -For more information, see -[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). +Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe +counters. The overhead is a little bit higher compared to the older non-thread +safe case. Note that this disables neverzero (see NOT_ZERO). ## 3) Settings for GCC / GCC_PLUGIN modes -Then there are a few specific features that are only available in GCC and -GCC_PLUGIN mode. +There are a few specific features that are only available in GCC and GCC_PLUGIN +mode. - - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those - files that match the names listed in this file (one filename per line). See - [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) - for more information. (GCC_PLUGIN mode only) + - GCC mode only: Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting + instrumented assembly files. Useful for troubleshooting problems or + understanding how the tool works. - - Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented - assembly files. Useful for troubleshooting problems or understanding how the - tool works. (GCC mode only) To get them in a predictable place, try - something like: + To get them in a predictable place, try something like: ``` mkdir assembly_here TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all ``` + - GCC_PLUGIN mode only: Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will + only instrument those files that match the names listed in this file (one + filename per line). See + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + for more information. + ## 4) Settings for afl-fuzz The main fuzzer binary accepts several options that disable a couple of sanity @@ -456,7 +457,7 @@ checks or alter some of the more exotic semantics of the tool: enabled in config.h first! - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY` - instead (see below). + instead. - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary without disrupting the afl-fuzz process itself. This is useful, among other @@ -527,10 +528,12 @@ The QEMU wrapper used to instrument binary-only code supports several settings: - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp, memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at - qemu_mode/libcompcov/README.md. There are two levels at the moment, - `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate - values / read-only memory and `AFL_COMPCOV_LEVEL=2` that instruments all the - comparions. Level 2 is more accurate but may need a larger shared memory. + [qemu_mode/libcompcov/README.md](../qemu_mode/libcompcov/README.md). + + There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments + only comparisons with immediate values / read-only memory and + `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more + accurate but may need a larger shared memory. - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use this if you are unsure if the entrypoint might be wrong - but use it @@ -538,8 +541,8 @@ The QEMU wrapper used to instrument binary-only code supports several settings: - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary (this can be very good for the performance!). The entrypoint is specified as - hex address, e.g. `0x4004110` Note that the address must be the address of a - basic block. + hex address, e.g. `0x4004110`. Note that the address must be the address of + a basic block. - Setting `AFL_INST_LIBS` causes the translator to also instrument the code inside any dynamically linked libraries (notably including glibc). @@ -555,12 +558,12 @@ The QEMU wrapper used to instrument binary-only code supports several settings: - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal handlers of the target. - - When the target is i386/x86_64 you can specify the address of the function + - When the target is i386/x86_64, you can specify the address of the function that has to be the body of the persistent loop using `AFL_QEMU_PERSISTENT_ADDR=start addr`. - - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general - purpose registers and restore them in each persistent cycle. + - With `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of + general purpose registers and restore them in each persistent cycle. - Another modality to execute the persistent loop is to specify also the `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable @@ -615,7 +618,7 @@ of decimal. ## 9) Settings for libdislocator -The library honors these environmental variables: +The library honors these environment variables: - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to `max_align_t` to be compliant with the C standard. @@ -645,10 +648,6 @@ discovered tokens should be written. Several variables are not directly interpreted by afl-fuzz, but are set to optimal values if not already present in the environment: - - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker - to do all the work before the fork server kicks in. You can override this by - setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. - - By default, `ASAN_OPTIONS` are set to (among others): ``` @@ -685,4 +684,8 @@ optimal values if not already present in the environment: symbolize=0 msan_track_origins=0 allocator_may_return_null=1 - ``` \ No newline at end of file + ``` + + - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker + to do all the work before the fork server kicks in. You can override this by + setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. \ No newline at end of file -- cgit 1.4.1 From 66ca8618ea3ae1506c96a38ef41b5f04387ab560 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Tue, 9 Nov 2021 20:35:12 +0100 Subject: Edit list of environment variables --- docs/env_variables.md | 83 +++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 42 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 5724b197..65cca0dc 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -177,7 +177,7 @@ For more information, see This feature allows selective instrumentation of the source. -Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or +Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a file name and/or function will only instrument (or skip) those files that match the names listed in the specified file. @@ -191,32 +191,32 @@ allow afl-fuzz to find otherwise rather impossible paths. It is not restricted to Intel CPUs. ;-) - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare - functions - - - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs + functions. - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64, - 32 and 16 bit integer CMP instructions + 32 and 16 bit integer CMP instructions. - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs - AFL_LLVM_LAF_SPLIT_COMPARES to be set + `AFL_LLVM_LAF_SPLIT_COMPARES` to be set. + + - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs. - - Setting `AFL_LLVM_LAF_ALL` sets all of the above + - Setting `AFL_LLVM_LAF_ALL` sets all of the above. For more information, see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). #### LTO -This is a different kind way of instrumentation: first it compiles all code in -LTO (link time optimization) and then performs an edge inserting instrumentation +This is a different way of instrumentation: first it compiles all code in LTO +(link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue in AFL and AFL-like instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. - - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (not - recommended for afl-clang-fast, default for afl-clang-lto as there it is a - different and better kind of instrumentation.) +`AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (Not +recommended for afl-clang-fast, default for afl-clang-lto as there it is a +different and better kind of instrumentation.) None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use). These are @@ -226,22 +226,22 @@ combined. - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given to which function. This helps to identify functions with variable bytes or which functions were touched by an input. + - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written + into the instrumentation is set in a global variable. + - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the + instrumentation. This defaults to 1. - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than the default `0x10000`. A value of 0 or empty sets the map address to be - dynamic (the original AFL way, which is slower) - - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the - instrumentation. This defaults to 1 - - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written - into the instrumentation is set in a global variable + dynamic (the original AFL way, which is slower). + - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic. For more information, see [instrumentation/README.lto.md](../instrumentation/README.lto.md). #### NGRAM -Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates -ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 +Setting `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or `AFL_LLVM_NGRAM_SIZE` activates +ngram prev_loc coverage. Good values are 2, 4, or 8 (any value between 2 and 16 is valid). It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. @@ -258,7 +258,7 @@ For more information, see discovery by a little bit. - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test. - If the target performs only few loops, then this will give a small + If the target performs only a few loops, then this will give a small performance boost. For more information, see @@ -310,9 +310,9 @@ checks or alter some of the more exotic semantics of the tool: in`). This is an important feature to set when resuming a fuzzing session. - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For - example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an - `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash - had ocurred. This may be beneficial if you look for higher-level faulty + example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1` + return code (i.e. `exit(-1)` got called), will be treated as if a crash had + occurred. This may be beneficial if you look for higher-level faulty conditions in which your target still exits gracefully. - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with @@ -325,7 +325,7 @@ checks or alter some of the more exotic semantics of the tool: XML or other highly flexible structured input. Please see [custom_mutators.md](custom_mutators.md). - - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime + - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time a cycle is finished. - Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you @@ -341,7 +341,7 @@ checks or alter some of the more exotic semantics of the tool: - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which does not allow crashes or timeout seeds in the initial -i corpus. - - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were found + - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found within a specified period of time (in seconds). May be convenient for some types of automated jobs. @@ -365,7 +365,7 @@ checks or alter some of the more exotic semantics of the tool: to wait for the forkserver to spin up. The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds. Setting a different time here is - useful if the target has a very slow startup time, for example when doing + useful if the target has a very slow startup time, for example, when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. @@ -394,8 +394,8 @@ checks or alter some of the more exotic semantics of the tool: likely don't have to set it. By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child. - - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap, - afl-tmin and afl-analyze create to gather instrumentation data from the + - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz, + afl-showmap, and afl-tmin create to gather instrumentation data from the target. This must be equal or larger than the size the target was compiled with. @@ -417,15 +417,15 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary that is compiled into the target. - - The CPU widget shown at the bottom of the screen is fairly simplistic and - may complain of high load prematurely, especially on systems with low core - counts. To avoid the alarming red color for very high cpu usages, you can - set `AFL_NO_CPU_RED`. - - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for coloring console output when configured with USE_COLOR and not ALWAYS_COLORED. + - The CPU widget shown at the bottom of the screen is fairly simplistic and + may complain of high load prematurely, especially on systems with low core + counts. To avoid the alarming red color for very high CPU usages, you can + set `AFL_NO_CPU_RED`. + - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to fork + execve() call for every tested input. This is useful mostly when working with unruly libraries that create threads or do other crazy things @@ -438,7 +438,7 @@ checks or alter some of the more exotic semantics of the tool: - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if the snapshot lkm is loaded. - - Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints + - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints some basic stats. This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe. @@ -449,7 +449,7 @@ checks or alter some of the more exotic semantics of the tool: [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given. To be able to still - re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable + re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash. If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and @@ -490,8 +490,8 @@ checks or alter some of the more exotic semantics of the tool: `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`). - - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, - `signalfx` or `influxdb` allows you to add tags to your fuzzing instances. + - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `influxdb`, + `librato`, or `signalfx` allows you to add tags to your fuzzing instances. This is especially useful when running multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. `afl_version` @@ -509,8 +509,8 @@ checks or alter some of the more exotic semantics of the tool: TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if your fuzzing finds a huge amount of paths for large inputs. - - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in the - normal output directory otherwise. You would use this to point to a + - `AFL_TMPDIR` is used to write the `.cur_input` file to if it exists, and in + the normal output directory otherwise. You would use this to point to a ramdisk/tmpfs. This increases the speed by a small value but also reduces the stress on SSDs. @@ -597,8 +597,7 @@ The corpus minimization script offers very little customization: afl-qemu-trace (the latter only in `-Q` mode). - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. - This can help when embedding `afl-cmin` or `afl-showmap` in other scripts - scripting. + This can help when embedding `afl-cmin` or `afl-showmap` in other scripts. ## 7) Settings for afl-tmin -- cgit 1.4.1 From c31f4646cbd00f591dad3258c08ff8e56aa94420 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 21 Nov 2021 21:11:52 +0100 Subject: Clean up docs folder --- README.md | 29 +- docs/afl-fuzz_approach.md | 540 ++++++++++++++++++++++++++- docs/custom_mutators.md | 6 +- docs/env_variables.md | 9 +- docs/features.md | 2 +- docs/fuzzing_in_depth.md | 572 +++++++++++++++-------------- docs/important_changes.md | 4 +- docs/interpreting_output.md | 71 ---- docs/status_screen.md | 444 ---------------------- docs/third_party_tools.md | 6 +- qemu_mode/libqasan/README.md | 2 +- unicorn_mode/samples/persistent/COMPILE.md | 12 +- utils/aflpp_driver/README.md | 12 +- 13 files changed, 864 insertions(+), 845 deletions(-) delete mode 100644 docs/interpreting_output.md delete mode 100644 docs/status_screen.md (limited to 'docs/env_variables.md') diff --git a/README.md b/README.md index fcb6b3c9..e0cb4558 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,10 @@ Step-by-step quick start: 1. Compile the program or library to be fuzzed using `afl-cc`. A common way to do this would be: - CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared - make clean all + ``` + CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared + make clean all + ``` 2. Get a small but valid input file that makes sense to the program. When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in @@ -89,10 +91,10 @@ Step-by-step quick start: 3. If the program reads from stdin, run `afl-fuzz` like so: -``` + ``` ./afl-fuzz -i seeds_dir -o output_dir -- \ - /path/to/tested/program [...program's cmdline...] -``` + /path/to/tested/program [...program's cmdline...] + ``` To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz. @@ -100,13 +102,20 @@ Step-by-step quick start: command line; AFL will put an auto-generated file name in there for you. 4. Investigate anything shown in red in the fuzzer UI by promptly consulting - [docs/status_screen.md](docs/status_screen.md). + [docs/afl-fuzz_approach.md#understanding-the-status-screen](docs/afl-fuzz_approach.md#understanding-the-status-screen). + +5. Interpret the output, see + [docs/afl-fuzz_approach.md#interpreting-output](docs/afl-fuzz_approach.md#interpreting-output). -5. You will find found crashes and hangs in the subdirectories `crashes/` and +6. You will find found crashes and hangs in the subdirectories `crashes/` and `hangs/` in the `-o output_dir` directory. You can replay the crashes by - feeding them to the target, e.g.: `cat output_dir/crashes/id:000000,* | - /path/to/tested/program [...program's cmdline...]` You can generate cores or - use gdb directly to follow up the crashes. + feeding them to the target, e.g.: + + ``` + cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...] + ``` + + You can generate cores or use gdb directly to follow up the crashes. ## Contact diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 5652816b..57a275d9 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -1,37 +1,539 @@ # The afl-fuzz approach -American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple -but rock-solid instrumentation-guided genetic algorithm. It uses a modified -form of edge coverage to effortlessly pick up subtle, local-scale changes to -program control flow. +AFL++ is a brute-force fuzzer coupled with an exceedingly simple but rock-solid +instrumentation-guided genetic algorithm. It uses a modified form of edge +coverage to effortlessly pick up subtle, local-scale changes to program control +flow. Simplifying a bit, the overall algorithm can be summed up as: - 1) Load user-supplied initial test cases into the queue, +1) Load user-supplied initial test cases into the queue. - 2) Take the next input file from the queue, +2) Take the next input file from the queue. - 3) Attempt to trim the test case to the smallest size that doesn't alter - the measured behavior of the program, +3) Attempt to trim the test case to the smallest size that doesn't alter the + measured behavior of the program. - 4) Repeatedly mutate the file using a balanced and well-researched variety - of traditional fuzzing strategies, +4) Repeatedly mutate the file using a balanced and well-researched variety of + traditional fuzzing strategies. - 5) If any of the generated mutations resulted in a new state transition - recorded by the instrumentation, add mutated output as a new entry in the - queue. +5) If any of the generated mutations resulted in a new state transition recorded + by the instrumentation, add mutated output as a new entry in the queue. - 6) Go to 2. +6) Go to 2. The discovered test cases are also periodically culled to eliminate ones that have been obsoleted by newer, higher-coverage finds; and undergo several other instrumentation-driven effort minimization steps. As a side result of the fuzzing process, the tool creates a small, -self-contained corpus of interesting test cases. These are extremely useful -for seeding other, labor- or resource-intensive testing regimes - for example, -for stress-testing browsers, office applications, graphics suites, or -closed-source tools. +self-contained corpus of interesting test cases. These are extremely useful for +seeding other, labor- or resource-intensive testing regimes - for example, for +stress-testing browsers, office applications, graphics suites, or closed-source +tools. The fuzzer is thoroughly tested to deliver out-of-the-box performance far -superior to blind fuzzing or coverage-only tools. \ No newline at end of file +superior to blind fuzzing or coverage-only tools. + +## Understanding the status screen + +This document provides an overview of the status screen - plus tips for +troubleshooting any warnings and red text shown in the UI. See +[README.md](../README.md) for the general instruction manual. + +### A note about colors + +The status screen and error messages use colors to keep things readable and +attract your attention to the most important details. For example, red almost +always means "consult this doc" :-) + +Unfortunately, the UI will render correctly only if your terminal is using +traditional un*x palette (white text on black background) or something close to +that. + +If you are using inverse video, you may want to change your settings, say: + +- For GNOME Terminal, go to `Edit > Profile` preferences, select the "colors" + tab, and from the list of built-in schemes, choose "white on black". +- For the MacOS X Terminal app, open a new window using the "Pro" scheme via the + `Shell > New Window` menu (or make "Pro" your default). + +Alternatively, if you really like your current colors, you can edit config.h to +comment out USE_COLORS, then do `make clean all`. + +I'm not aware of any other simple way to make this work without causing other +side effects - sorry about that. + +With that out of the way, let's talk about what's actually on the screen... + +### The status bar + +``` +american fuzzy lop ++3.01a (default) [fast] {0} +``` + +The top line shows you which mode afl-fuzz is running in (normal: "american +fuzzy lop", crash exploration mode: "peruvian rabbit mode") and the version of +AFL++. Next to the version is the banner, which, if not set with -T by hand, +will either show the binary name being fuzzed, or the -M/-S main/secondary name +for parallel fuzzing. Second to last is the power schedule mode being run +(default: fast). Finally, the last item is the CPU id. + +### Process timing + +``` + +----------------------------------------------------+ + | run time : 0 days, 8 hrs, 32 min, 43 sec | + | last new path : 0 days, 0 hrs, 6 min, 40 sec | + | last uniq crash : none seen yet | + | last uniq hang : 0 days, 1 hrs, 24 min, 32 sec | + +----------------------------------------------------+ +``` + +This section is fairly self-explanatory: it tells you how long the fuzzer has +been running and how much time has elapsed since its most recent finds. This is +broken down into "paths" (a shorthand for test cases that trigger new execution +patterns), crashes, and hangs. + +When it comes to timing: there is no hard rule, but most fuzzing jobs should be +expected to run for days or weeks; in fact, for a moderately complex project, +the first pass will probably take a day or so. Every now and then, some jobs +will be allowed to run for months. + +There's one important thing to watch out for: if the tool is not finding new +paths within several minutes of starting, you're probably not invoking the +target binary correctly and it never gets to parse the input files we're +throwing at it; another possible explanations are that the default memory limit +(`-m`) is too restrictive, and the program exits after failing to allocate a +buffer very early on; or that the input files are patently invalid and always +fail a basic header check. + +If there are no new paths showing up for a while, you will eventually see a big +red warning in this section, too :-) + +### Overall results + +``` + +-----------------------+ + | cycles done : 0 | + | total paths : 2095 | + | uniq crashes : 0 | + | uniq hangs : 19 | + +-----------------------+ +``` + +The first field in this section gives you the count of queue passes done so far +- that is, the number of times the fuzzer went over all the interesting test +cases discovered so far, fuzzed them, and looped back to the very beginning. +Every fuzzing session should be allowed to complete at least one cycle; and +ideally, should run much longer than that. + +As noted earlier, the first pass can take a day or longer, so sit back and +relax. + +To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded. +It is shown in magenta during the first pass, progresses to yellow if new finds +are still being made in subsequent rounds, then blue when that ends - and +finally, turns green after the fuzzer hasn't been seeing any action for a longer +while. + +The remaining fields in this part of the screen should be pretty obvious: +there's the number of test cases ("paths") discovered so far, and the number of +unique faults. The test cases, crashes, and hangs can be explored in real-time +by browsing the output directory, as discussed in [README.md](../README.md). + +### Cycle progress + +``` + +-------------------------------------+ + | now processing : 1296 (61.86%) | + | paths timed out : 0 (0.00%) | + +-------------------------------------+ +``` + +This box tells you how far along the fuzzer is with the current queue cycle: it +shows the ID of the test case it is currently working on, plus the number of +inputs it decided to ditch because they were persistently timing out. + +The "*" suffix sometimes shown in the first line means that the currently +processed path is not "favored" (a property discussed later on). + +### Map coverage + +``` + +--------------------------------------+ + | map density : 10.15% / 29.07% | + | count coverage : 4.03 bits/tuple | + +--------------------------------------+ +``` + +The section provides some trivia about the coverage observed by the +instrumentation embedded in the target binary. + +The first line in the box tells you how many branch tuples we have already hit, +in proportion to how much the bitmap can hold. The number on the left describes +the current input; the one on the right is the value for the entire input +corpus. + +Be wary of extremes: + +- Absolute numbers below 200 or so suggest one of three things: that the program + is extremely simple; that it is not instrumented properly (e.g., due to being + linked against a non-instrumented copy of the target library); or that it is + bailing out prematurely on your input test cases. The fuzzer will try to mark + this in pink, just to make you aware. +- Percentages over 70% may very rarely happen with very complex programs that + make heavy use of template-generated code. Because high bitmap density makes + it harder for the fuzzer to reliably discern new program states, we recommend + recompiling the binary with `AFL_INST_RATIO=10` or so and trying again (see + [env_variables.md](env_variables.md)). The fuzzer will flag high percentages + in red. Chances are, you will never see that unless you're fuzzing extremely + hairy software (say, v8, perl, ffmpeg). + +The other line deals with the variability in tuple hit counts seen in the +binary. In essence, if every taken branch is always taken a fixed number of +times for all the inputs we have tried, this will read `1.00`. As we manage to +trigger other hit counts for every branch, the needle will start to move toward +`8.00` (every bit in the 8-bit map hit), but will probably never reach that +extreme. + +Together, the values can be useful for comparing the coverage of several +different fuzzing jobs that rely on the same instrumented binary. + +### Stage progress + +``` + +-------------------------------------+ + | now trying : interest 32/8 | + | stage execs : 3996/34.4k (11.62%) | + | total execs : 27.4M | + | exec speed : 891.7/sec | + +-------------------------------------+ +``` + +This part gives you an in-depth peek at what the fuzzer is actually doing right +now. It tells you about the current stage, which can be any of: + +- calibration - a pre-fuzzing stage where the execution path is examined to + detect anomalies, establish baseline execution speed, and so on. Executed very + briefly whenever a new find is being made. +- trim L/S - another pre-fuzzing stage where the test case is trimmed to the + shortest form that still produces the same execution path. The length (L) and + stepover (S) are chosen in general relationship to file size. +- bitflip L/S - deterministic bit flips. There are L bits toggled at any given + time, walking the input file with S-bit increments. The current L/S variants + are: `1/1`, `2/1`, `4/1`, `8/8`, `16/8`, `32/8`. +- arith L/8 - deterministic arithmetics. The fuzzer tries to subtract or add + small integers to 8-, 16-, and 32-bit values. The stepover is always 8 bits. +- interest L/8 - deterministic value overwrite. The fuzzer has a list of known + "interesting" 8-, 16-, and 32-bit values to try. The stepover is 8 bits. +- extras - deterministic injection of dictionary terms. This can be shown as + "user" or "auto", depending on whether the fuzzer is using a user-supplied + dictionary (`-x`) or an auto-created one. You will also see "over" or + "insert", depending on whether the dictionary words overwrite existing data or + are inserted by offsetting the remaining data to accommodate their length. +- havoc - a sort-of-fixed-length cycle with stacked random tweaks. The + operations attempted during this stage include bit flips, overwrites with + random and "interesting" integers, block deletion, block duplication, plus + assorted dictionary-related operations (if a dictionary is supplied in the + first place). +- splice - a last-resort strategy that kicks in after the first full queue cycle + with no new paths. It is equivalent to 'havoc', except that it first splices + together two random inputs from the queue at some arbitrarily selected + midpoint. +- sync - a stage used only when `-M` or `-S` is set (see + [parallel_fuzzing.md](parallel_fuzzing.md)). No real fuzzing is involved, but + the tool scans the output from other fuzzers and imports test cases as + necessary. The first time this is done, it may take several minutes or so. + +The remaining fields should be fairly self-evident: there's the exec count +progress indicator for the current stage, a global exec counter, and a benchmark +for the current program execution speed. This may fluctuate from one test case +to another, but the benchmark should be ideally over 500 execs/sec most of the +time - and if it stays below 100, the job will probably take very long. + +The fuzzer will explicitly warn you about slow targets, too. If this happens, +see the [perf_tips.md](perf_tips.md) file included with the fuzzer for ideas on +how to speed things up. + +### Findings in depth + +``` + +--------------------------------------+ + | favored paths : 879 (41.96%) | + | new edges on : 423 (20.19%) | + | total crashes : 0 (0 unique) | + | total tmouts : 24 (19 unique) | + +--------------------------------------+ +``` + +This gives you several metrics that are of interest mostly to complete nerds. +The section includes the number of paths that the fuzzer likes the most based on +a minimization algorithm baked into the code (these will get considerably more +air time), and the number of test cases that actually resulted in better edge +coverage (versus just pushing the branch hit counters up). There are also +additional, more detailed counters for crashes and timeouts. + +Note that the timeout counter is somewhat different from the hang counter; this +one includes all test cases that exceeded the timeout, even if they did not +exceed it by a margin sufficient to be classified as hangs. + +### Fuzzing strategy yields + +``` + +-----------------------------------------------------+ + | bit flips : 57/289k, 18/289k, 18/288k | + | byte flips : 0/36.2k, 4/35.7k, 7/34.6k | + | arithmetics : 53/2.54M, 0/537k, 0/55.2k | + | known ints : 8/322k, 12/1.32M, 10/1.70M | + | dictionary : 9/52k, 1/53k, 1/24k | + |havoc/splice : 1903/20.0M, 0/0 | + |py/custom/rq : unused, 53/2.54M, unused | + | trim/eff : 20.31%/9201, 17.05% | + +-----------------------------------------------------+ +``` + +This is just another nerd-targeted section keeping track of how many paths we +have netted, in proportion to the number of execs attempted, for each of the +fuzzing strategies discussed earlier on. This serves to convincingly validate +assumptions about the usefulness of the various approaches taken by afl-fuzz. + +The trim strategy stats in this section are a bit different than the rest. The +first number in this line shows the ratio of bytes removed from the input files; +the second one corresponds to the number of execs needed to achieve this goal. +Finally, the third number shows the proportion of bytes that, although not +possible to remove, were deemed to have no effect and were excluded from some of +the more expensive deterministic fuzzing steps. + +Note that when deterministic mutation mode is off (which is the default because +it is not very efficient) the first five lines display "disabled (default, +enable with -D)". + +Only what is activated will have counter shown. + +### Path geometry + +``` + +---------------------+ + | levels : 5 | + | pending : 1570 | + | pend fav : 583 | + | own finds : 0 | + | imported : 0 | + | stability : 100.00% | + +---------------------+ +``` + +The first field in this section tracks the path depth reached through the guided +fuzzing process. In essence: the initial test cases supplied by the user are +considered "level 1". The test cases that can be derived from that through +traditional fuzzing are considered "level 2"; the ones derived by using these as +inputs to subsequent fuzzing rounds are "level 3"; and so forth. The maximum +depth is therefore a rough proxy for how much value you're getting out of the +instrumentation-guided approach taken by afl-fuzz. + +The next field shows you the number of inputs that have not gone through any +fuzzing yet. The same stat is also given for "favored" entries that the fuzzer +really wants to get to in this queue cycle (the non-favored entries may have to +wait a couple of cycles to get their chance). + +Next, we have the number of new paths found during this fuzzing section and +imported from other fuzzer instances when doing parallelized fuzzing; and the +extent to which identical inputs appear to sometimes produce variable behavior +in the tested binary. + +That last bit is actually fairly interesting: it measures the consistency of +observed traces. If a program always behaves the same for the same input data, +it will earn a score of 100%. When the value is lower but still shown in purple, +the fuzzing process is unlikely to be negatively affected. If it goes into red, +you may be in trouble, since AFL will have difficulty discerning between +meaningful and "phantom" effects of tweaking the input file. + +Now, most targets will just get a 100% score, but when you see lower figures, +there are several things to look at: + +- The use of uninitialized memory in conjunction with some intrinsic sources of + entropy in the tested binary. Harmless to AFL, but could be indicative of a + security bug. +- Attempts to manipulate persistent resources, such as left over temporary files + or shared memory objects. This is usually harmless, but you may want to + double-check to make sure the program isn't bailing out prematurely. Running + out of disk space, SHM handles, or other global resources can trigger this, + too. +- Hitting some functionality that is actually designed to behave randomly. + Generally harmless. For example, when fuzzing sqlite, an input like `select + random();` will trigger a variable execution path. +- Multiple threads executing at once in semi-random order. This is harmless when + the 'stability' metric stays over 90% or so, but can become an issue if not. + Here's what to try: + * Use afl-clang-fast from [instrumentation](../instrumentation/) - it uses a + thread-local tracking model that is less prone to concurrency issues, + * See if the target can be compiled or run without threads. Common + `./configure` options include `--without-threads`, `--disable-pthreads`, or + `--disable-openmp`. + * Replace pthreads with GNU Pth (https://www.gnu.org/software/pth/), which + allows you to use a deterministic scheduler. +- In persistent mode, minor drops in the "stability" metric can be normal, + because not all the code behaves identically when re-entered; but major dips + may signify that the code within `__AFL_LOOP()` is not behaving correctly on + subsequent iterations (e.g., due to incomplete clean-up or reinitialization of + the state) and that most of the fuzzing effort goes to waste. + +The paths where variable behavior is detected are marked with a matching entry +in the `/queue/.state/variable_behavior/` directory, so you can look +them up easily. + +### CPU load + +``` + [cpu: 25%] +``` + +This tiny widget shows the apparent CPU utilization on the local system. It is +calculated by taking the number of processes in the "runnable" state, and then +comparing it to the number of logical cores on the system. + +If the value is shown in green, you are using fewer CPU cores than available on +your system and can probably parallelize to improve performance; for tips on how +to do that, see [parallel_fuzzing.md](parallel_fuzzing.md). + +If the value is shown in red, your CPU is *possibly* oversubscribed, and running +additional fuzzers may not give you any benefits. + +Of course, this benchmark is very simplistic; it tells you how many processes +are ready to run, but not how resource-hungry they may be. It also doesn't +distinguish between physical cores, logical cores, and virtualized CPUs; the +performance characteristics of each of these will differ quite a bit. + +If you want a more accurate measurement, you can run the `afl-gotcpu` utility +from the command line. + +## Interpreting output + +See [#understanding-the-status-screen](#understanding-the-status-screen) for +information on how to interpret the displayed stats and monitor the health of +the process. Be sure to consult this file especially if any UI elements are +highlighted in red. + +The fuzzing process will continue until you press Ctrl-C. At a minimum, you want +to allow the fuzzer to complete one queue cycle, which may take anywhere from a +couple of hours to a week or so. + +There are three subdirectories created within the output directory and updated +in real-time: + +- queue/ - test cases for every distinctive execution path, plus all the + starting files given by the user. This is the synthesized corpus + mentioned in section 2. + + Before using this corpus for any other purposes, you can shrink + it to a smaller size using the afl-cmin tool. The tool will find + a smaller subset of files offering equivalent edge coverage. + +- crashes/ - unique test cases that cause the tested program to receive a fatal + signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are grouped by + the received signal. + +- hangs/ - unique test cases that cause the tested program to time out. The + default time limit before something is classified as a hang is the + larger of 1 second and the value of the -t parameter. The value can + be fine-tuned by setting AFL_HANG_TMOUT, but this is rarely + necessary. + +Crashes and hangs are considered "unique" if the associated execution paths +involve any state transitions not seen in previously-recorded faults. If a +single bug can be reached in multiple ways, there will be some count inflation +early in the process, but this should quickly taper off. + +The file names for crashes and hangs are correlated with the parent, non-faulting +queue entries. This should help with debugging. + +## Visualizing + +If you have gnuplot installed, you can also generate some pretty graphs for any +active fuzzing task using afl-plot. For an example of how this looks like, see +[https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/). + +You can also manually build and install afl-plot-ui, which is a helper utility +for showing the graphs generated by afl-plot in a graphical window using GTK. +You can build and install it as follows: + +```shell +sudo apt install libgtk-3-0 libgtk-3-dev pkg-config +cd utils/plot_ui +make +cd ../../ +sudo make install +``` + + +### Addendum: status and plot files + +For unattended operation, some of the key status screen information can be also +found in a machine-readable format in the fuzzer_stats file in the output +directory. This includes: + +- `start_time` - unix time indicating the start time of afl-fuzz +- `last_update` - unix time corresponding to the last update of this file +- `run_time` - run time in seconds to the last update of this file +- `fuzzer_pid` - PID of the fuzzer process +- `cycles_done` - queue cycles completed so far +- `cycles_wo_finds` - number of cycles without any new paths found +- `execs_done` - number of execve() calls attempted +- `execs_per_sec` - overall number of execs per second +- `paths_total` - total number of entries in the queue +- `paths_favored` - number of queue entries that are favored +- `paths_found` - number of entries discovered through local fuzzing +- `paths_imported` - number of entries imported from other instances +- `max_depth` - number of levels in the generated data set +- `cur_path` - currently processed entry number +- `pending_favs` - number of favored entries still waiting to be fuzzed +- `pending_total` - number of all entries waiting to be fuzzed +- `variable_paths` - number of test cases showing variable behavior +- `stability` - percentage of bitmap bytes that behave consistently +- `bitmap_cvg` - percentage of edge coverage found in the map so far +- `unique_crashes` - number of unique crashes recorded +- `unique_hangs` - number of unique hangs encountered +- `last_path` - seconds since the last path was found +- `last_crash` - seconds since the last crash was found +- `last_hang` - seconds since the last hang was found +- `execs_since_crash` - execs since the last crash was found +- `exec_timeout` - the -t command line value +- `slowest_exec_ms` - real time of the slowest execution in ms +- `peak_rss_mb` - max rss usage reached during fuzzing in MB +- `edges_found` - how many edges have been found +- `var_byte_count` - how many edges are non-deterministic +- `afl_banner` - banner text (e.g. the target name) +- `afl_version` - the version of AFL used +- `target_mode` - default, persistent, qemu, unicorn, non-instrumented +- `command_line` - full command line used for the fuzzing session + +Most of these map directly to the UI elements discussed earlier on. + +On top of that, you can also find an entry called `plot_data`, containing a +plottable history for most of these fields. If you have gnuplot installed, you +can turn this into a nice progress report with the included `afl-plot` tool. + +### Addendum: automatically sending metrics with StatsD + +In a CI environment or when running multiple fuzzers, it can be tedious to log +into each of them or deploy scripts to read the fuzzer statistics. Using +`AFL_STATSD` (and the other related environment variables `AFL_STATSD_HOST`, +`AFL_STATSD_PORT`, `AFL_STATSD_TAGS_FLAVOR`) you can automatically send metrics +to your favorite StatsD server. Depending on your StatsD server, you will be +able to monitor, trigger alerts, or perform actions based on these metrics (e.g: +alert on slow exec/s for a new build, threshold of crashes, time since last +crash > X, etc). + +The selected metrics are a subset of all the metrics found in the status and in +the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, +`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`, +`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`, +`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`, +`slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their +definitions can be found in the addendum above. + +When using multiple fuzzer instances with StatsD, it is *strongly* recommended +to setup the flavor (AFL_STATSD_TAGS_FLAVOR) to match your StatsD server. This +will allow you to see individual fuzzer performance, detect bad ones, see the +progress of each strategy... \ No newline at end of file diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 8b5a4068..b1dfd309 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -127,9 +127,9 @@ def deinit(): # optional for Python - `describe` (optional): - When this function is called, it shall describe the current testcase, + When this function is called, it shall describe the current test case, generated by the last mutation. This will be called, for example, - to name the written testcase file after a crash occurred. + to name the written test case file after a crash occurred. Using it can help to reproduce crashing mutations. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -224,7 +224,7 @@ Optionally, the following environment variables are supported: - `AFL_CUSTOM_MUTATOR_ONLY` - Disable all other mutation stages. This can prevent broken testcases + Disable all other mutation stages. This can prevent broken test cases (those that your Python module can't work with anymore) to fill up your queue. Best combined with a custom trimming routine (see below) because trimming can cause the same test breakage like havoc and splice. diff --git a/docs/env_variables.md b/docs/env_variables.md index 65cca0dc..34318cd4 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -306,8 +306,9 @@ checks or alter some of the more exotic semantics of the tool: exit soon after the first crash is found. - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for - newly found testcases and not for testcases that are loaded on startup (`-i - in`). This is an important feature to set when resuming a fuzzing session. + newly found test cases and not for test cases that are loaded on startup + (`-i in`). This is an important feature to set when resuming a fuzzing + session. - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1` @@ -447,8 +448,8 @@ checks or alter some of the more exotic semantics of the tool: - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), - some targets keep inherent state due which a detected crash testcase does - not crash the target again when the testcase is given. To be able to still + some targets keep inherent state due which a detected crash test case does + not crash the target again when the test case is given. To be able to still re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash. If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as diff --git a/docs/features.md b/docs/features.md index f44e32ff..05670e6f 100644 --- a/docs/features.md +++ b/docs/features.md @@ -17,7 +17,7 @@ | Context Coverage | | x(6) | | | | | | | Auto Dictionary | | x(7) | | | | | | | Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | | - | Shared Memory Testcases | | x | x | x86[_64]/arm64 | x | x | | + | Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | | 1. default for LLVM >= 9.0, env var for older version due an efficiency bug in previous llvm versions 2. GCC creates non-performant code, hence it is disabled in gcc_plugin diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 5306cbef..5b4a9df7 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -1,24 +1,25 @@ # Fuzzing with AFL++ The following describes how to fuzz with a target if source code is available. -If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps) +If you have a binary-only target, please go to +[fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md). -Fuzzing source code is a three-step process. +Fuzzing source code is a three-step process: 1. Compile the target with a special compiler that prepares the target to be fuzzed efficiently. This step is called "instrumenting a target". 2. Prepare the fuzzing by selecting and optimizing the input corpus for the target. -3. Perform the fuzzing of the target by randomly mutating input and assessing - if a generated input was processed in a new path in the target binary. +3. Perform the fuzzing of the target by randomly mutating input and assessing if + a generated input was processed in a new path in the target binary. ### 1. Instrumenting that target #### a) Selecting the best AFL++ compiler for instrumenting the target AFL++ comes with a central compiler `afl-cc` that incorporates various different -kinds of compiler targets and and instrumentation options. -The following evaluation flow will help you to select the best possible. +kinds of compiler targets and and instrumentation options. The following +evaluation flow will help you to select the best possible. It is highly recommended to have the newest llvm version possible installed, anything below 9 is not recommended. @@ -51,132 +52,131 @@ anything below 9 is not recommended. Clickable README links for the chosen compiler: - * [LTO mode - afl-clang-lto](../instrumentation/README.lto.md) - * [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md) - * [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md) - * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features +* [LTO mode - afl-clang-lto](../instrumentation/README.lto.md) +* [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md) +* [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md) +* GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own + features You can select the mode for the afl-cc compiler by: - 1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, - afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, - afl-gcc-fast, afl-g++-fast (recommended!) - 2. using the environment variable AFL_CC_COMPILER with MODE - 3. passing --afl-MODE command line options to the compiler via CFLAGS/CXXFLAGS/CPPFLAGS +1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, + afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, + afl-gcc-fast, afl-g++-fast (recommended!) +2. using the environment variable AFL_CC_COMPILER with MODE +3. passing --afl-MODE command line options to the compiler via + CFLAGS/CXXFLAGS/CPPFLAGS MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). -Because no AFL specific command-line options are accepted (beside the ---afl-MODE command), the compile-time tools make fairly broad use of environment -variables, which can be listed with `afl-cc -hh` or by reading [env_variables.md](env_variables.md). +Because no AFL specific command-line options are accepted (beside the --afl-MODE +command), the compile-time tools make fairly broad use of environment variables, +which can be listed with `afl-cc -hh` or by reading +[env_variables.md](env_variables.md). #### b) Selecting instrumentation options -The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto): - - * Splitting integer, string, float and switch comparisons so AFL++ can easier - solve these. This is an important option if you do not have a very good - and large input corpus. This technique is called laf-intel or COMPCOV. - To use this set the following environment variable before compiling the - target: `export AFL_LLVM_LAF_ALL=1` - You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) - * A different technique (and usually a better one than laf-intel) is to - instrument the target so that any compare values in the target are sent to - AFL++ which then tries to put these values into the fuzzing data at different - locations. This technique is very fast and good - if the target does not - transform input data before comparison. Therefore this technique is called - `input to state` or `redqueen`. - If you want to use this technique, then you have to compile the target - twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`, - and pass this binary to afl-fuzz via the `-c` parameter. - Note that you can compile also just a cmplog binary and use that for both - however there will be a performance penality. - You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md) - -If you use LTO, LLVM or GCC_PLUGIN mode (afl-clang-fast/afl-clang-lto/afl-gcc-fast) -you have the option to selectively only instrument parts of the target that you -are interested in: - - * To instrument only those parts of the target that you are interested in - create a file with all the filenames of the source code that should be - instrumented. - For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than - DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one - filename or function per line (no directory information necessary for - filenames9, and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** - `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per - default to instrument unless noted (DENYLIST) or not perform instrumentation - unless requested (ALLOWLIST). - **NOTE:** During optimization functions might be inlined and then would not match! - See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) +The following options are available when you instrument with LTO mode +(afl-clang-fast/afl-clang-lto): + +* Splitting integer, string, float and switch comparisons so AFL++ can easier + solve these. This is an important option if you do not have a very good and + large input corpus. This technique is called laf-intel or COMPCOV. To use this + set the following environment variable before compiling the target: `export + AFL_LLVM_LAF_ALL=1` You can read more about this in + [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). +* A different technique (and usually a better one than laf-intel) is to + instrument the target so that any compare values in the target are sent to + AFL++ which then tries to put these values into the fuzzing data at different + locations. This technique is very fast and good - if the target does not + transform input data before comparison. Therefore this technique is called + `input to state` or `redqueen`. If you want to use this technique, then you + have to compile the target twice, once specifically with/for this mode by + setting `AFL_LLVM_CMPLOG=1`, and pass this binary to afl-fuzz via the `-c` + parameter. Note that you can compile also just a cmplog binary and use that + for both however there will be a performance penality. You can read more about + this in + [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). + +If you use LTO, LLVM or GCC_PLUGIN mode +(afl-clang-fast/afl-clang-lto/afl-gcc-fast) you have the option to selectively +only instrument parts of the target that you are interested in: + +* To instrument only those parts of the target that you are interested in create + a file with all the filenames of the source code that should be instrumented. + For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than + DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one filename or + function per line (no directory information necessary for filenames9, and + either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** `export + AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default to + instrument unless noted (DENYLIST) or not perform instrumentation unless + requested (ALLOWLIST). **NOTE:** During optimization functions might be + inlined and then would not match! See + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) There are many more options and modes available however these are most of the time less effective. See: - * [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) - * [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) +* [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) +* [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) AFL++ performs "never zero" counting in its bitmap. You can read more about this here: - * [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) +* [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) #### c) Sanitizers -It is possible to use sanitizers when instrumenting targets for fuzzing, -which allows you to find bugs that would not necessarily result in a crash. +It is possible to use sanitizers when instrumenting targets for fuzzing, which +allows you to find bugs that would not necessarily result in a crash. Note that sanitizers have a huge impact on CPU (= less executions per second) -and RAM usage. Also you should only run one afl-fuzz instance per sanitizer type. -This is enough because a use-after-free bug will be picked up, e.g. by -ASAN (address sanitizer) anyway when syncing to other fuzzing instances, -so not all fuzzing instances need to be instrumented with ASAN. +and RAM usage. Also you should only run one afl-fuzz instance per sanitizer +type. This is enough because a use-after-free bug will be picked up, e.g. by +ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not +all fuzzing instances need to be instrumented with ASAN. The following sanitizers have built-in support in AFL++: - * ASAN = Address SANitizer, finds memory corruption vulnerabilities like - use-after-free, NULL pointer dereference, buffer overruns, etc. - Enabled with `export AFL_USE_ASAN=1` before compiling. - * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg. - a local variable that is defined and read before it is even set. - Enabled with `export AFL_USE_MSAN=1` before compiling. - * UBSAN = Undefined Behaviour SANitizer, finds instances where - by the - C and C++ standards - undefined behaviour happens, e.g. adding two - signed integers together where the result is larger than a signed integer - can hold. - Enabled with `export AFL_USE_UBSAN=1` before compiling. - * CFISAN = Control Flow Integrity SANitizer, finds instances where the - control flow is found to be illegal. Originally this was rather to - prevent return oriented programming exploit chains from functioning, - in fuzzing this is mostly reduced to detecting type confusion - vulnerabilities - which is however one of the most important and dangerous - C++ memory corruption classes! - Enabled with `export AFL_USE_CFISAN=1` before compiling. - * TSAN = Thread SANitizer, finds thread race conditions. - Enabled with `export AFL_USE_TSAN=1` before compiling. - * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really - a security issue, but for developers this can be very valuable. - Note that unlike the other sanitizers above this needs - `__AFL_LEAK_CHECK();` added to all areas of the target source code where you - find a leak check necessary! - Enabled with `export AFL_USE_LSAN=1` before compiling. - -It is possible to further modify the behaviour of the sanitizers at run-time -by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters -can be looked up in the sanitizer documentation of llvm/clang. -afl-fuzz however requires some specific parameters important for fuzzing to be -set. If you want to set your own, it might bail and report what it is missing. +* ASAN = Address SANitizer, finds memory corruption vulnerabilities like + use-after-free, NULL pointer dereference, buffer overruns, etc. Enabled with + `export AFL_USE_ASAN=1` before compiling. +* MSAN = Memory SANitizer, finds read access to uninitialized memory, eg. a + local variable that is defined and read before it is even set. Enabled with + `export AFL_USE_MSAN=1` before compiling. +* UBSAN = Undefined Behaviour SANitizer, finds instances where - by the C and + C++ standards - undefined behaviour happens, e.g. adding two signed integers + together where the result is larger than a signed integer can hold. Enabled + with `export AFL_USE_UBSAN=1` before compiling. +* CFISAN = Control Flow Integrity SANitizer, finds instances where the control + flow is found to be illegal. Originally this was rather to prevent return + oriented programming exploit chains from functioning, in fuzzing this is + mostly reduced to detecting type confusion vulnerabilities - which is, + however, one of the most important and dangerous C++ memory corruption + classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. +* TSAN = Thread SANitizer, finds thread race conditions. Enabled with `export + AFL_USE_TSAN=1` before compiling. +* LSAN = Leak SANitizer, finds memory leaks in a program. This is not really a + security issue, but for developers this can be very valuable. Note that unlike + the other sanitizers above this needs `__AFL_LEAK_CHECK();` added to all areas + of the target source code where you find a leak check necessary! Enabled with + `export AFL_USE_LSAN=1` before compiling. + +It is possible to further modify the behaviour of the sanitizers at run-time by +setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters can +be looked up in the sanitizer documentation of llvm/clang. afl-fuzz, however, +requires some specific parameters important for fuzzing to be set. If you want +to set your own, it might bail and report what it is missing. Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and others often cannot work together because of target weirdness, e.g. ASAN and CFISAN. You might need to experiment which sanitizers you can combine in a -target (which means more instances can be run without a sanitized target, -which is more effective). +target (which means more instances can be run without a sanitized target, which +is more effective). #### d) Modify the target -If the target has features that make fuzzing more difficult, e.g. -checksums, HMAC, etc. then modify the source code so that checks for these -values are removed. -This can even be done safely for source code used in operational products -by eliminating these checks within these AFL specific blocks: +If the target has features that make fuzzing more difficult, e.g. checksums, +HMAC, etc. then modify the source code so that checks for these values are +removed. This can even be done safely for source code used in operational +products by eliminating these checks within these AFL specific blocks: ``` #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION @@ -193,25 +193,24 @@ All AFL++ compilers will set this preprocessor definition automatically. In this step the target source code is compiled so that it can be fuzzed. Basically you have to tell the target build system that the selected AFL++ -compiler is used. Also - if possible - you should always configure the -build system such that the target is compiled statically and not dynamically. -How to do this is described below. +compiler is used. Also - if possible - you should always configure the build +system such that the target is compiled statically and not dynamically. How to +do this is described below. -The #1 rule when instrumenting a target is: avoid instrumenting shared -libraries at all cost. You would need to set LD_LIBRARY_PATH to point to -these, you could accidently type "make install" and install them system wide - -so don't. Really don't. -**Always compile libraries you want to have instrumented as static and link -these to the target program!** +The #1 rule when instrumenting a target is: avoid instrumenting shared libraries +at all cost. You would need to set LD_LIBRARY_PATH to point to these, you could +accidentally type "make install" and install them system wide - so don't. Really +don't. **Always compile libraries you want to have instrumented as static and +link these to the target program!** Then build the target. (Usually with `make`) **NOTES** -1. sometimes configure and build systems are fickle and do not like - stderr output (and think this means a test failure) - which is something - AFL++ likes to do to show statistics. It is recommended to disable AFL++ - instrumentation reporting via `export AFL_QUIET=1`. +1. sometimes configure and build systems are fickle and do not like stderr + output (and think this means a test failure) - which is something AFL++ likes + to do to show statistics. It is recommended to disable AFL++ instrumentation + reporting via `export AFL_QUIET=1`. 2. sometimes configure and build systems error on warnings - these should be disabled (e.g. `--disable-werror` for some configure scripts). @@ -249,41 +248,46 @@ Sometimes cmake and configure do not pick up the AFL++ compiler, or the ranlib/ar that is needed - because this was just not foreseen by the developer of the target. Or they have non-standard options. Figure out if there is a non-standard way to set this, otherwise set up the build normally and edit the -generated build environment afterwards manually to point it to the right compiler -(and/or ranlib and ar). +generated build environment afterwards manually to point it to the right +compiler (and/or ranlib and ar). #### f) Better instrumentation If you just fuzz a target program as-is you are wasting a great opportunity for much more fuzzing speed. -This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast. +This variant requires the usage of afl-clang-lto, afl-clang-fast or +afl-gcc-fast. -It is the so-called `persistent mode`, which is much, much faster but -requires that you code a source file that is specifically calling the target -functions that you want to fuzz, plus a few specific AFL++ functions around -it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details. +It is the so-called `persistent mode`, which is much, much faster but requires +that you code a source file that is specifically calling the target functions +that you want to fuzz, plus a few specific AFL++ functions around it. See +[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) +for details. -Basically if you do not fuzz a target in persistent mode then you are just -doing it for a hobby and not professionally :-). +Basically if you do not fuzz a target in persistent mode then you are just doing +it for a hobby and not professionally :-). #### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard for fuzzing, and they can be used with AFL++ (and honggfuzz) as well! Compiling them is as simple as: + ``` afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a ``` + You can even use advanced libfuzzer features like `FuzzedDataProvider`, `LLVMFuzzerMutate()` etc. and they will work! The generated binary is fuzzed with afl-fuzz like any other fuzz target. Bonus: the target is already optimized for fuzzing due to persistent mode and -shared-memory testcases and hence gives you the fastest speed possible. +shared-memory test cases and hence gives you the fastest speed possible. -For more information see [utils/aflpp_driver/README.md](../utils/aflpp_driver/README.md) +For more information, see +[utils/aflpp_driver/README.md](../utils/aflpp_driver/README.md). ### 2. Preparing the fuzzing campaign @@ -294,8 +298,8 @@ target as possible improves the efficiency a lot. Try to gather valid inputs for the target from wherever you can. E.g. if it is the PNG picture format try to find as many png files as possible, e.g. from -reported bugs, test suites, random downloads from the internet, unit test -case data - from all kind of PNG software. +reported bugs, test suites, random downloads from the internet, unit test case +data - from all kind of PNG software. If the input format is not known, you can also modify a target program to write normal data it receives and processes to a file and use these. @@ -319,10 +323,9 @@ This step is highly recommended! #### c) Minimizing all corpus files -The shorter the input files that still traverse the same path -within the target, the better the fuzzing will be. This minimization -is done with `afl-tmin` however it is a long process as this has to -be done for every file: +The shorter the input files that still traverse the same path within the target, +the better the fuzzing will be. This minimization is done with `afl-tmin` +however it is a long process as this has to be done for every file: ``` mkdir input @@ -332,8 +335,8 @@ for i in *; do done ``` -This step can also be parallelized, e.g. with `parallel`. -Note that this step is rather optional though. +This step can also be parallelized, e.g. with `parallel`. Note that this step is +rather optional though. #### Done! @@ -343,10 +346,9 @@ to be used in fuzzing! :-) ### 3. Fuzzing the target -In this final step we fuzz the target. -There are not that many important options to run the target - unless you want -to use many CPU cores/threads for the fuzzing, which will make the fuzzing much -more useful. +In this final step we fuzz the target. There are not that many important options +to run the target - unless you want to use many CPU cores/threads for the +fuzzing, which will make the fuzzing much more useful. If you just use one CPU for fuzzing, then you are fuzzing just for fun and not seriously :-) @@ -355,19 +357,19 @@ seriously :-) Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on the host if you execute afl-fuzz in a docker container). This reconfigures the -system for optimal speed - which afl-fuzz checks and bails otherwise. -Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot -run afl-system-config with root privileges on the host for whatever reason. +system for optimal speed - which afl-fuzz checks and bails otherwise. Set +`export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot run +afl-system-config with root privileges on the host for whatever reason. Note there is also `sudo afl-persistent-config` which sets additional permanent boot options for a much better fuzzing performance. Note that both scripts improve your fuzzing performance but also decrease your -system protection against attacks! So set strong firewall rules and only -expose SSH as a network service if you use these (which is highly recommended). +system protection against attacks! So set strong firewall rules and only expose +SSH as a network service if you use these (which is highly recommended). -If you have an input corpus from step 2 then specify this directory with the `-i` -option. Otherwise create a new directory and create a file with any content +If you have an input corpus from step 2 then specify this directory with the +`-i` option. Otherwise create a new directory and create a file with any content as test data in there. If you do not want anything special, the defaults are already usually best, @@ -387,36 +389,37 @@ same as the afl-fuzz -M/-S naming :-) For more information on screen or tmux please check their documentation. If you need to stop and re-start the fuzzing, use the same command line options -(or even change them by selecting a different power schedule or another -mutation mode!) and switch the input directory with a dash (`-`): +(or even change them by selecting a different power schedule or another mutation +mode!) and switch the input directory with a dash (`-`): `afl-fuzz -i - -o output -- bin/target -d @@` -Memory limits are not enforced by afl-fuzz by default and the system may run -out of memory. You can decrease the memory with the `-m` option, the value is -in MB. If this is too small for the target, you can usually see this by -afl-fuzz bailing with the message that it could not connect to the forkserver. +Memory limits are not enforced by afl-fuzz by default and the system may run out +of memory. You can decrease the memory with the `-m` option, the value is in MB. +If this is too small for the target, you can usually see this by afl-fuzz +bailing with the message that it could not connect to the forkserver. -Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if -something is already included for your data format, and tell afl-fuzz to load -that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto -you have an autodictionary generation for which you need to do nothing except -to use afl-clang-lto as the compiler. You also have the option to generate -a dictionary yourself, see [utils/libtokencap/README.md](../utils/libtokencap/README.md). +Adding a dictionary is helpful. See the directory +[dictionaries/](../dictionaries/) if something is already included for your data +format, and tell afl-fuzz to load that dictionary by adding `-x +dictionaries/FORMAT.dict`. With afl-clang-lto you have an autodictionary +generation for which you need to do nothing except to use afl-clang-lto as the +compiler. You also have the option to generate a dictionary yourself, see +[utils/libtokencap/README.md](../utils/libtokencap/README.md). afl-fuzz has a variety of options that help to workaround target quirks like -specific locations for the input file (`-f`), performing deterministic -fuzzing (`-D`) and many more. Check out `afl-fuzz -h`. +specific locations for the input file (`-f`), performing deterministic fuzzing +(`-D`) and many more. Check out `afl-fuzz -h`. We highly recommend that you set a memory limit for running the target with `-m` -which defines the maximum memory in MB. This prevents a potential -out-of-memory problem for your system plus helps you detect missing `malloc()` -failure handling in the target. -Play around with various -m values until you find one that safely works for all -your input seeds (if you have good ones and then double or quadrouple that. +which defines the maximum memory in MB. This prevents a potential out-of-memory +problem for your system plus helps you detect missing `malloc()` failure +handling in the target. Play around with various -m values until you find one +that safely works for all your input seeds (if you have good ones and then +double or quadruple that. -By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press Control-C -or send a signal SIGINT. You can limit the number of executions or approximate runtime -in seconds with options also. +By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press +Control-C or send a signal SIGINT. You can limit the number of executions or +approximate runtime in seconds with options also. When you start afl-fuzz you will see a user interface that shows what the status is: @@ -426,67 +429,67 @@ All labels are explained in [status_screen.md](status_screen.md). #### b) Using multiple cores -If you want to seriously fuzz then use as many cores/threads as possible to -fuzz your target. +If you want to seriously fuzz then use as many cores/threads as possible to fuzz +your target. On the same machine - due to the design of how AFL++ works - there is a maximum -number of CPU cores/threads that are useful, use more and the overall performance -degrades instead. This value depends on the target, and the limit is between 32 -and 64 cores per machine. +number of CPU cores/threads that are useful, use more and the overall +performance degrades instead. This value depends on the target, and the limit is +between 32 and 64 cores per machine. If you have the RAM, it is highly recommended run the instances with a caching -of the testcases. Depending on the average testcase size (and those found -during fuzzing) and their number, a value between 50-500MB is recommended. -You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`. +of the test cases. Depending on the average test case size (and those found +during fuzzing) and their number, a value between 50-500MB is recommended. You +can set the cache size (in MB) by setting the environment variable +`AFL_TESTCACHE_SIZE`. -There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many secondary -fuzzers (eg `-S variant1`) as you have cores that you use. -Every -M/-S entry needs a unique name (that can be whatever), however the same --o output directory location has to be used for all instances. +There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many +secondary fuzzers (e.g. `-S variant1`) as you have cores that you use. Every +-M/-S entry needs a unique name (that can be whatever), however, the same -o +output directory location has to be used for all instances. For every secondary fuzzer there should be a variation, e.g.: - * one should fuzz the target that was compiled differently: with sanitizers - activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; - export AFL_USE_CFISAN=1`) - * one or two should fuzz the target with CMPLOG/redqueen (see above), at - least one cmplog instance should follow transformations (`-l AT`) - * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV - (see above). Important note: If you run more than one laf-intel/COMPCOV - fuzzer and you want them to share their intermediate results, the main - fuzzer (`-M`) must be one of the them! (Although this is not really - recommended.) +* one should fuzz the target that was compiled differently: with sanitizers + activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ; export + AFL_USE_CFISAN=1`) +* one or two should fuzz the target with CMPLOG/redqueen (see above), at least + one cmplog instance should follow transformations (`-l AT`) +* one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV (see + above). Important note: If you run more than one laf-intel/COMPCOV fuzzer and + you want them to share their intermediate results, the main fuzzer (`-M`) must + be one of the them! (Although this is not really recommended.) All other secondaries should be used like this: - * A quarter to a third with the MOpt mutator enabled: `-L 0` - * run with a different power schedule, recommended are: - `fast (default), explore, coe, lin, quad, exploit and rare` - which you can set with e.g. `-p explore` - * a few instances should use the old queue cycling with `-Z` +* a quarter to a third with the MOpt mutator enabled: `-L 0` +* run with a different power schedule, recommended are: + `fast (default), explore, coe, lin, quad, exploit and rare` which you can set + with e.g. `-p explore` +* a few instances should use the old queue cycling with `-Z` -Also it is recommended to set `export AFL_IMPORT_FIRST=1` to load testcases +Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases from other fuzzers in the campaign first. If you have a large corpus, a corpus from a previous run or are fuzzing in a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. -You can also use different fuzzers. -If you are using AFL spinoffs or AFL conforming fuzzers, then just use the -same -o directory and give it a unique `-S` name. -Examples are: - * [Fuzzolic](https://github.com/season-lab/fuzzolic) - * [symcc](https://github.com/eurecom-s3/symcc/) - * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/) - * [AFLsmart](https://github.com/aflsmart/aflsmart) - * [FairFuzz](https://github.com/carolemieux/afl-rb) - * [Neuzz](https://github.com/Dongdongshe/neuzz) - * [Angora](https://github.com/AngoraFuzzer/Angora) - -A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL) - -However you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc. -Just show the main fuzzer (-M) with the `-F` option where the queue/work -directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`. -Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly +You can also use different fuzzers. If you are using AFL spinoffs or AFL +conforming fuzzers, then just use the same -o directory and give it a unique +`-S` name. Examples are: +* [Fuzzolic](https://github.com/season-lab/fuzzolic) +* [symcc](https://github.com/eurecom-s3/symcc/) +* [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/) +* [AFLsmart](https://github.com/aflsmart/aflsmart) +* [FairFuzz](https://github.com/carolemieux/afl-rb) +* [Neuzz](https://github.com/Dongdongshe/neuzz) +* [Angora](https://github.com/AngoraFuzzer/Angora) + +A long list can be found at +[https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL). + +However, you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, +etc. Just show the main fuzzer (-M) with the `-F` option where the queue/work +directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`. Using +honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly recommended! #### c) Using multiple machines for fuzzing @@ -498,26 +501,24 @@ instance per server, and that its name is unique, hence the recommendation for `-M main-$HOSTNAME`. Now there are three strategies on how you can sync between the servers: - * never: sounds weird, but this makes every server an island and has the - chance the each follow different paths into the target. You can make - this even more interesting by even giving different seeds to each server. - * regularly (~4h): this ensures that all fuzzing campaigns on the servers - "see" the same thing. It is like fuzzing on a huge server. - * in intervals of 1/10th of the overall expected runtime of the fuzzing you - sync. This tries a bit to combine both. have some individuality of the - paths each campaign on a server explores, on the other hand if one - gets stuck where another found progress this is handed over making it - unstuck. - -The syncing process itself is very simple. -As the `-M main-$HOSTNAME` instance syncs to all `-S` secondaries as well -as to other fuzzers, you have to copy only this directory to the other -machines. - -Lets say all servers have the `-o out` directory in /target/foo/out, and -you created a file `servers.txt` which contains the hostnames of all -participating servers, plus you have an ssh key deployed to all of them, -then run: +* never: sounds weird, but this makes every server an island and has the chance + the each follow different paths into the target. You can make this even more + interesting by even giving different seeds to each server. +* regularly (~4h): this ensures that all fuzzing campaigns on the servers "see" + the same thing. It is like fuzzing on a huge server. +* in intervals of 1/10th of the overall expected runtime of the fuzzing you + sync. This tries a bit to combine both. have some individuality of the paths + each campaign on a server explores, on the other hand if one gets stuck where + another found progress this is handed over making it unstuck. + +The syncing process itself is very simple. As the `-M main-$HOSTNAME` instance +syncs to all `-S` secondaries as well as to other fuzzers, you have to copy only +this directory to the other machines. + +Lets say all servers have the `-o out` directory in /target/foo/out, and you +created a file `servers.txt` which contains the hostnames of all participating +servers, plus you have an ssh key deployed to all of them, then run: + ```bash for FROM in `cat servers.txt`; do for TO in `cat servers.txt`; do @@ -525,49 +526,52 @@ for FROM in `cat servers.txt`; do done done ``` -You can run this manually, per cron job - as you need it. -There is a more complex and configurable script in `utils/distributed_fuzzing`. + +You can run this manually, per cron job - as you need it. There is a more +complex and configurable script in `utils/distributed_fuzzing`. #### d) The status of the fuzz campaign AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing campaign. -Just supply the directory that afl-fuzz is given with the -o option and -you will see a detailed status of every fuzzer in that campaign plus -a summary. +Just supply the directory that afl-fuzz is given with the -o option and you will +see a detailed status of every fuzzer in that campaign plus a summary. -To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/` +To have only the summary, use the `-s` switch, e.g. `afl-whatsup -s out/`. -If you have multiple servers then use the command after a sync, or you have -to execute this script per server. +If you have multiple servers, then use the command after a sync or you have to +execute this script per server. -Another tool to inspect the current state and history of a specific instance -is afl-plot, which generates an index.html file and a graphs that show how -the fuzzing instance is performing. -The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot` +Another tool to inspect the current state and history of a specific instance is +afl-plot, which generates an index.html file and a graphs that show how the +fuzzing instance is performing. The syntax is `afl-plot instance_dir web_dir`, +e.g. `afl-plot out/default /srv/www/htdocs/plot`. #### e) Stopping fuzzing, restarting fuzzing, adding new seeds To stop an afl-fuzz run, simply press Control-C. -To restart an afl-fuzz run, just reuse the same command line but replace the -`-i directory` with `-i -` or set `AFL_AUTORESUME=1`. +To restart an afl-fuzz run, just reuse the same command line but replace the `-i +directory` with `-i -` or set `AFL_AUTORESUME=1`. If you want to add new seeds to a fuzzing campaign you can run a temporary -fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new -seeds are in `newseeds/` directory: +fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new seeds +are in `newseeds/` directory: + ``` AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- ./target ``` #### f) Checking the coverage of the fuzzing -The `paths found` value is a bad indicator for checking how good the coverage is. +The `paths found` value is a bad indicator for checking how good the coverage +is. A better indicator - if you use default llvm instrumentation with at least -version 9 - is to use `afl-showmap` with the collect coverage option `-C` on -the output directory: +version 9 - is to use `afl-showmap` with the collect coverage option `-C` on the +output directory: + ``` $ afl-showmap -C -i out -o /dev/null -- ./target -params @@ ... @@ -578,53 +582,67 @@ $ afl-showmap -C -i out -o /dev/null -- ./target -params @@ l'. [+] A coverage of 4331 edges were achieved out of 9960 existing (43.48%) with 7849 input files. ``` + It is even better to check out the exact lines of code that have been reached - and which have not been found so far. -An "easy" helper script for this is [https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov), +An "easy" helper script for this is +[https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov), just follow the README of that separate project. If you see that an important area or a feature has not been covered so far then try to find an input that is able to reach that and start a new secondary in that fuzzing campaign with that seed as input, let it run for a few minutes, then terminate it. The main node will pick it up and make it available to the -other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or -`export AFL_TRY_AFFINITY=1` if you have no free core. +other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or `export +AFL_TRY_AFFINITY=1` if you have no free core. Note that in nearly all cases you can never reach full coverage. A lot of -functionality is usually dependent on exclusive options that would need individual -fuzzing campaigns each with one of these options set. E.g. if you fuzz a library to -convert image formats and your target is the png to tiff API then you will not -touch any of the other library APIs and features. +functionality is usually dependent on exclusive options that would need +individual fuzzing campaigns each with one of these options set. E.g. if you +fuzz a library to convert image formats and your target is the png to tiff API +then you will not touch any of the other library APIs and features. #### g) How long to fuzz a target? -This is a difficult question. -Basically if no new path is found for a long time (e.g. for a day or a week) -then you can expect that your fuzzing won't be fruitful anymore. -However often this just means that you should switch out secondaries for -others, e.g. custom mutator modules, sync to very different fuzzers, etc. +This is a difficult question. Basically if no new path is found for a long time +(e.g. for a day or a week) then you can expect that your fuzzing won't be +fruitful anymore. However, often this just means that you should switch out +secondaries for others, e.g. custom mutator modules, sync to very different +fuzzers, etc. Keep the queue/ directory (for future fuzzings of the same or similar targets) -and use them to seed other good fuzzers like libfuzzer with the -entropic -switch or honggfuzz. +and use them to seed other good fuzzers like libfuzzer with the -entropic switch +or honggfuzz. #### h) Improve the speed! - * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase) - * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md) - * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config` - * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem - * Use your cores! [b) Using multiple cores](#b-using-multiple-cores) - * Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot +* Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 + speed increase) +* If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input + file on a tempfs location, see [env_variables.md](env_variables.md) +* Linux: Improve kernel performance: modify `/etc/default/grub`, set + `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off + mitigations=off no_stf_barrier noibpb noibrs nopcid nopti + nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off + spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then + `update-grub` and `reboot` (warning: makes the system more insecure) - you can + also just run `sudo afl-persistent-config` +* Linux: Running on an `ext2` filesystem with `noatime` mount option will be a + bit faster than on any other journaling filesystem +* Use your cores! [b) Using multiple cores](#b-using-multiple-cores) +* Run `sudo afl-system-config` before starting the first afl-fuzz instance after + a reboot ### The End -Check out the [FAQ](FAQ.md) if it maybe answers your question (that -you might not even have known you had ;-) ). +Check out the [FAQ](FAQ.md) if it maybe answers your question (that you might +not even have known you had ;-) ). This is basically all you need to know to professionally run fuzzing campaigns. -If you want to know more, the tons of texts in [docs/](./) will have you covered. +If you want to know more, the tons of texts in [docs/](./) will have you +covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ -(some might be deprecated or unsupported), see [third_party_tools.md](third_party_tools.md). \ No newline at end of file +(some might be deprecated or unsupported), see +[third_party_tools.md](third_party_tools.md). \ No newline at end of file diff --git a/docs/important_changes.md b/docs/important_changes.md index 0c5c2243..877dfab2 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -36,7 +36,7 @@ behaviours and defaults: shared libraries, etc. Additionally QEMU 5.1 supports more CPU targets so this is really worth it. * When instrumenting targets, afl-cc will not supersede optimizations anymore - if any were given. This allows to fuzz targets build regularly like those + if any were given. This allows to fuzz targets build regularly like those for debug or release versions. * afl-fuzz: * if neither -M or -S is specified, `-S default` is assumed, so more @@ -47,7 +47,7 @@ behaviours and defaults: * -m none is now default, set memory limits (in MB) with e.g. -m 250 * deterministic fuzzing is now disabled by default (unless using -M) and can be enabled with -D - * a caching of testcases can now be performed and can be modified by + * a caching of test cases can now be performed and can be modified by editing config.h for TESTCASE_CACHE or by specifying the env variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50). * -M mains do not perform trimming diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md deleted file mode 100644 index 4bd705f2..00000000 --- a/docs/interpreting_output.md +++ /dev/null @@ -1,71 +0,0 @@ -# Interpreting output - -See the [status_screen.md](status_screen.md) file for information on -how to interpret the displayed stats and monitor the health of the process. Be -sure to consult this file especially if any UI elements are highlighted in red. - -The fuzzing process will continue until you press Ctrl-C. At a minimum, you want -to allow the fuzzer to complete one queue cycle, which may take anywhere from a -couple of hours to a week or so. - -There are three subdirectories created within the output directory and updated -in real-time: - - - queue/ - test cases for every distinctive execution path, plus all the - starting files given by the user. This is the synthesized corpus - mentioned in section 2. - - Before using this corpus for any other purposes, you can shrink - it to a smaller size using the afl-cmin tool. The tool will find - a smaller subset of files offering equivalent edge coverage. - - - crashes/ - unique test cases that cause the tested program to receive a - fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are - grouped by the received signal. - - - hangs/ - unique test cases that cause the tested program to time out. The - default time limit before something is classified as a hang is - the larger of 1 second and the value of the -t parameter. - The value can be fine-tuned by setting AFL_HANG_TMOUT, but this - is rarely necessary. - -Crashes and hangs are considered "unique" if the associated execution paths -involve any state transitions not seen in previously-recorded faults. If a -single bug can be reached in multiple ways, there will be some count inflation -early in the process, but this should quickly taper off. - -The file names for crashes and hangs are correlated with the parent, non-faulting -queue entries. This should help with debugging. - -When you can't reproduce a crash found by afl-fuzz, the most likely cause is -that you are not setting the same memory limit as used by the tool. Try: - -```shell -LIMIT_MB=50 -( ulimit -Sv $[LIMIT_MB << 10]; /path/to/tested_binary ... ) -``` - -Change LIMIT_MB to match the -m parameter passed to afl-fuzz. On OpenBSD, -also change -Sv to -Sd. - -Any existing output directory can be also used to resume aborted jobs; try: - -```shell -./afl-fuzz -i- -o existing_output_dir [...etc...] -``` - -If you have gnuplot installed, you can also generate some pretty graphs for any -active fuzzing task using afl-plot. For an example of how this looks like, -see [https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/). - -You can also manually build and install afl-plot-ui, which is a helper utility -for showing the graphs generated by afl-plot in a graphical window using GTK. -You can build and install it as follows - -```shell -sudo apt install libgtk-3-0 libgtk-3-dev pkg-config -cd utils/plot_ui -make -cd ../../ -sudo make install -``` diff --git a/docs/status_screen.md b/docs/status_screen.md deleted file mode 100644 index b1cb9696..00000000 --- a/docs/status_screen.md +++ /dev/null @@ -1,444 +0,0 @@ -# Understanding the status screen - -This document provides an overview of the status screen - plus tips for -troubleshooting any warnings and red text shown in the UI. See README.md for -the general instruction manual. - -## A note about colors - -The status screen and error messages use colors to keep things readable and -attract your attention to the most important details. For example, red almost -always means "consult this doc" :-) - -Unfortunately, the UI will render correctly only if your terminal is using -traditional un*x palette (white text on black background) or something close -to that. - -If you are using inverse video, you may want to change your settings, say: - -- For GNOME Terminal, go to `Edit > Profile` preferences, select the "colors" tab, and from the list of built-in schemes, choose "white on black". -- For the MacOS X Terminal app, open a new window using the "Pro" scheme via the `Shell > New Window` menu (or make "Pro" your default). - -Alternatively, if you really like your current colors, you can edit config.h -to comment out USE_COLORS, then do `make clean all`. - -I'm not aware of any other simple way to make this work without causing -other side effects - sorry about that. - -With that out of the way, let's talk about what's actually on the screen... - -### The status bar - -``` -american fuzzy lop ++3.01a (default) [fast] {0} -``` - -The top line shows you which mode afl-fuzz is running in -(normal: "american fuzy lop", crash exploration mode: "peruvian rabbit mode") -and the version of AFL++. -Next to the version is the banner, which, if not set with -T by hand, will -either show the binary name being fuzzed, or the -M/-S main/secondary name for -parallel fuzzing. -Second to last is the power schedule mode being run (default: fast). -Finally, the last item is the CPU id. - -### Process timing - -``` - +----------------------------------------------------+ - | run time : 0 days, 8 hrs, 32 min, 43 sec | - | last new path : 0 days, 0 hrs, 6 min, 40 sec | - | last uniq crash : none seen yet | - | last uniq hang : 0 days, 1 hrs, 24 min, 32 sec | - +----------------------------------------------------+ -``` - -This section is fairly self-explanatory: it tells you how long the fuzzer has -been running and how much time has elapsed since its most recent finds. This is -broken down into "paths" (a shorthand for test cases that trigger new execution -patterns), crashes, and hangs. - -When it comes to timing: there is no hard rule, but most fuzzing jobs should be -expected to run for days or weeks; in fact, for a moderately complex project, the -first pass will probably take a day or so. Every now and then, some jobs -will be allowed to run for months. - -There's one important thing to watch out for: if the tool is not finding new -paths within several minutes of starting, you're probably not invoking the -target binary correctly and it never gets to parse the input files we're -throwing at it; another possible explanations are that the default memory limit -(`-m`) is too restrictive, and the program exits after failing to allocate a -buffer very early on; or that the input files are patently invalid and always -fail a basic header check. - -If there are no new paths showing up for a while, you will eventually see a big -red warning in this section, too :-) - -### Overall results - -``` - +-----------------------+ - | cycles done : 0 | - | total paths : 2095 | - | uniq crashes : 0 | - | uniq hangs : 19 | - +-----------------------+ -``` - -The first field in this section gives you the count of queue passes done so far - that is, the number of times the fuzzer went over all the interesting test -cases discovered so far, fuzzed them, and looped back to the very beginning. -Every fuzzing session should be allowed to complete at least one cycle; and -ideally, should run much longer than that. - -As noted earlier, the first pass can take a day or longer, so sit back and -relax. - -To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded. -It is shown in magenta during the first pass, progresses to yellow if new finds -are still being made in subsequent rounds, then blue when that ends - and -finally, turns green after the fuzzer hasn't been seeing any action for a -longer while. - -The remaining fields in this part of the screen should be pretty obvious: -there's the number of test cases ("paths") discovered so far, and the number of -unique faults. The test cases, crashes, and hangs can be explored in real-time -by browsing the output directory, as discussed in README.md. - -### Cycle progress - -``` - +-------------------------------------+ - | now processing : 1296 (61.86%) | - | paths timed out : 0 (0.00%) | - +-------------------------------------+ -``` - -This box tells you how far along the fuzzer is with the current queue cycle: it -shows the ID of the test case it is currently working on, plus the number of -inputs it decided to ditch because they were persistently timing out. - -The "*" suffix sometimes shown in the first line means that the currently -processed path is not "favored" (a property discussed later on). - -### Map coverage - -``` - +--------------------------------------+ - | map density : 10.15% / 29.07% | - | count coverage : 4.03 bits/tuple | - +--------------------------------------+ -``` - -The section provides some trivia about the coverage observed by the -instrumentation embedded in the target binary. - -The first line in the box tells you how many branch tuples we have already -hit, in proportion to how much the bitmap can hold. The number on the left -describes the current input; the one on the right is the value for the entire -input corpus. - -Be wary of extremes: - - - Absolute numbers below 200 or so suggest one of three things: that the - program is extremely simple; that it is not instrumented properly (e.g., - due to being linked against a non-instrumented copy of the target - library); or that it is bailing out prematurely on your input test cases. - The fuzzer will try to mark this in pink, just to make you aware. - - Percentages over 70% may very rarely happen with very complex programs - that make heavy use of template-generated code. - Because high bitmap density makes it harder for the fuzzer to reliably - discern new program states, I recommend recompiling the binary with - `AFL_INST_RATIO=10` or so and trying again (see env_variables.md). - The fuzzer will flag high percentages in red. Chances are, you will never - see that unless you're fuzzing extremely hairy software (say, v8, perl, - ffmpeg). - -The other line deals with the variability in tuple hit counts seen in the -binary. In essence, if every taken branch is always taken a fixed number of -times for all the inputs we have tried, this will read `1.00`. As we manage -to trigger other hit counts for every branch, the needle will start to move -toward `8.00` (every bit in the 8-bit map hit), but will probably never -reach that extreme. - -Together, the values can be useful for comparing the coverage of several -different fuzzing jobs that rely on the same instrumented binary. - -### Stage progress - -``` - +-------------------------------------+ - | now trying : interest 32/8 | - | stage execs : 3996/34.4k (11.62%) | - | total execs : 27.4M | - | exec speed : 891.7/sec | - +-------------------------------------+ -``` - -This part gives you an in-depth peek at what the fuzzer is actually doing right -now. It tells you about the current stage, which can be any of: - - - calibration - a pre-fuzzing stage where the execution path is examined - to detect anomalies, establish baseline execution speed, and so on. Executed - very briefly whenever a new find is being made. - - trim L/S - another pre-fuzzing stage where the test case is trimmed to the - shortest form that still produces the same execution path. The length (L) - and stepover (S) are chosen in general relationship to file size. - - bitflip L/S - deterministic bit flips. There are L bits toggled at any given - time, walking the input file with S-bit increments. The current L/S variants - are: `1/1`, `2/1`, `4/1`, `8/8`, `16/8`, `32/8`. - - arith L/8 - deterministic arithmetics. The fuzzer tries to subtract or add - small integers to 8-, 16-, and 32-bit values. The stepover is always 8 bits. - - interest L/8 - deterministic value overwrite. The fuzzer has a list of known - "interesting" 8-, 16-, and 32-bit values to try. The stepover is 8 bits. - - extras - deterministic injection of dictionary terms. This can be shown as - "user" or "auto", depending on whether the fuzzer is using a user-supplied - dictionary (`-x`) or an auto-created one. You will also see "over" or "insert", - depending on whether the dictionary words overwrite existing data or are - inserted by offsetting the remaining data to accommodate their length. - - havoc - a sort-of-fixed-length cycle with stacked random tweaks. The - operations attempted during this stage include bit flips, overwrites with - random and "interesting" integers, block deletion, block duplication, plus - assorted dictionary-related operations (if a dictionary is supplied in the - first place). - - splice - a last-resort strategy that kicks in after the first full queue - cycle with no new paths. It is equivalent to 'havoc', except that it first - splices together two random inputs from the queue at some arbitrarily - selected midpoint. - - sync - a stage used only when `-M` or `-S` is set (see parallel_fuzzing.md). - No real fuzzing is involved, but the tool scans the output from other - fuzzers and imports test cases as necessary. The first time this is done, - it may take several minutes or so. - -The remaining fields should be fairly self-evident: there's the exec count -progress indicator for the current stage, a global exec counter, and a -benchmark for the current program execution speed. This may fluctuate from -one test case to another, but the benchmark should be ideally over 500 execs/sec -most of the time - and if it stays below 100, the job will probably take very -long. - -The fuzzer will explicitly warn you about slow targets, too. If this happens, -see the [perf_tips.md](perf_tips.md) file included with the fuzzer for ideas on how to speed -things up. - -### Findings in depth - -``` - +--------------------------------------+ - | favored paths : 879 (41.96%) | - | new edges on : 423 (20.19%) | - | total crashes : 0 (0 unique) | - | total tmouts : 24 (19 unique) | - +--------------------------------------+ -``` - -This gives you several metrics that are of interest mostly to complete nerds. -The section includes the number of paths that the fuzzer likes the most based -on a minimization algorithm baked into the code (these will get considerably -more air time), and the number of test cases that actually resulted in better -edge coverage (versus just pushing the branch hit counters up). There are also -additional, more detailed counters for crashes and timeouts. - -Note that the timeout counter is somewhat different from the hang counter; this -one includes all test cases that exceeded the timeout, even if they did not -exceed it by a margin sufficient to be classified as hangs. - -### Fuzzing strategy yields - -``` - +-----------------------------------------------------+ - | bit flips : 57/289k, 18/289k, 18/288k | - | byte flips : 0/36.2k, 4/35.7k, 7/34.6k | - | arithmetics : 53/2.54M, 0/537k, 0/55.2k | - | known ints : 8/322k, 12/1.32M, 10/1.70M | - | dictionary : 9/52k, 1/53k, 1/24k | - |havoc/splice : 1903/20.0M, 0/0 | - |py/custom/rq : unused, 53/2.54M, unused | - | trim/eff : 20.31%/9201, 17.05% | - +-----------------------------------------------------+ -``` - -This is just another nerd-targeted section keeping track of how many paths we -have netted, in proportion to the number of execs attempted, for each of the -fuzzing strategies discussed earlier on. This serves to convincingly validate -assumptions about the usefulness of the various approaches taken by afl-fuzz. - -The trim strategy stats in this section are a bit different than the rest. -The first number in this line shows the ratio of bytes removed from the input -files; the second one corresponds to the number of execs needed to achieve this -goal. Finally, the third number shows the proportion of bytes that, although -not possible to remove, were deemed to have no effect and were excluded from -some of the more expensive deterministic fuzzing steps. - -Note that when deterministic mutation mode is off (which is the default -because it is not very efficient) the first five lines display -"disabled (default, enable with -D)". - -Only what is activated will have counter shown. - -### Path geometry - -``` - +---------------------+ - | levels : 5 | - | pending : 1570 | - | pend fav : 583 | - | own finds : 0 | - | imported : 0 | - | stability : 100.00% | - +---------------------+ -``` - -The first field in this section tracks the path depth reached through the -guided fuzzing process. In essence: the initial test cases supplied by the -user are considered "level 1". The test cases that can be derived from that -through traditional fuzzing are considered "level 2"; the ones derived by -using these as inputs to subsequent fuzzing rounds are "level 3"; and so forth. -The maximum depth is therefore a rough proxy for how much value you're getting -out of the instrumentation-guided approach taken by afl-fuzz. - -The next field shows you the number of inputs that have not gone through any -fuzzing yet. The same stat is also given for "favored" entries that the fuzzer -really wants to get to in this queue cycle (the non-favored entries may have to -wait a couple of cycles to get their chance). - -Next, we have the number of new paths found during this fuzzing section and -imported from other fuzzer instances when doing parallelized fuzzing; and the -extent to which identical inputs appear to sometimes produce variable behavior -in the tested binary. - -That last bit is actually fairly interesting: it measures the consistency of -observed traces. If a program always behaves the same for the same input data, -it will earn a score of 100%. When the value is lower but still shown in purple, -the fuzzing process is unlikely to be negatively affected. If it goes into red, -you may be in trouble, since AFL will have difficulty discerning between -meaningful and "phantom" effects of tweaking the input file. - -Now, most targets will just get a 100% score, but when you see lower figures, -there are several things to look at: - - - The use of uninitialized memory in conjunction with some intrinsic sources - of entropy in the tested binary. Harmless to AFL, but could be indicative - of a security bug. - - Attempts to manipulate persistent resources, such as left over temporary - files or shared memory objects. This is usually harmless, but you may want - to double-check to make sure the program isn't bailing out prematurely. - Running out of disk space, SHM handles, or other global resources can - trigger this, too. - - Hitting some functionality that is actually designed to behave randomly. - Generally harmless. For example, when fuzzing sqlite, an input like - `select random();` will trigger a variable execution path. - - Multiple threads executing at once in semi-random order. This is harmless - when the 'stability' metric stays over 90% or so, but can become an issue - if not. Here's what to try: - * Use afl-clang-fast from [instrumentation](../instrumentation/) - it uses a thread-local tracking - model that is less prone to concurrency issues, - * See if the target can be compiled or run without threads. Common - `./configure` options include `--without-threads`, `--disable-pthreads`, or - `--disable-openmp`. - * Replace pthreads with GNU Pth (https://www.gnu.org/software/pth/), which - allows you to use a deterministic scheduler. - - In persistent mode, minor drops in the "stability" metric can be normal, - because not all the code behaves identically when re-entered; but major - dips may signify that the code within `__AFL_LOOP()` is not behaving - correctly on subsequent iterations (e.g., due to incomplete clean-up or - reinitialization of the state) and that most of the fuzzing effort goes - to waste. - -The paths where variable behavior is detected are marked with a matching entry -in the `/queue/.state/variable_behavior/` directory, so you can look -them up easily. - -### CPU load - -``` - [cpu: 25%] -``` - -This tiny widget shows the apparent CPU utilization on the local system. It is -calculated by taking the number of processes in the "runnable" state, and then -comparing it to the number of logical cores on the system. - -If the value is shown in green, you are using fewer CPU cores than available on -your system and can probably parallelize to improve performance; for tips on -how to do that, see parallel_fuzzing.md. - -If the value is shown in red, your CPU is *possibly* oversubscribed, and -running additional fuzzers may not give you any benefits. - -Of course, this benchmark is very simplistic; it tells you how many processes -are ready to run, but not how resource-hungry they may be. It also doesn't -distinguish between physical cores, logical cores, and virtualized CPUs; the -performance characteristics of each of these will differ quite a bit. - -If you want a more accurate measurement, you can run the `afl-gotcpu` utility from the command line. - -### Addendum: status and plot files - -For unattended operation, some of the key status screen information can be also -found in a machine-readable format in the fuzzer_stats file in the output -directory. This includes: - - - `start_time` - unix time indicating the start time of afl-fuzz - - `last_update` - unix time corresponding to the last update of this file - - `run_time` - run time in seconds to the last update of this file - - `fuzzer_pid` - PID of the fuzzer process - - `cycles_done` - queue cycles completed so far - - `cycles_wo_finds` - number of cycles without any new paths found - - `execs_done` - number of execve() calls attempted - - `execs_per_sec` - overall number of execs per second - - `paths_total` - total number of entries in the queue - - `paths_favored` - number of queue entries that are favored - - `paths_found` - number of entries discovered through local fuzzing - - `paths_imported` - number of entries imported from other instances - - `max_depth` - number of levels in the generated data set - - `cur_path` - currently processed entry number - - `pending_favs` - number of favored entries still waiting to be fuzzed - - `pending_total` - number of all entries waiting to be fuzzed - - `variable_paths` - number of test cases showing variable behavior - - `stability` - percentage of bitmap bytes that behave consistently - - `bitmap_cvg` - percentage of edge coverage found in the map so far - - `unique_crashes` - number of unique crashes recorded - - `unique_hangs` - number of unique hangs encountered - - `last_path` - seconds since the last path was found - - `last_crash` - seconds since the last crash was found - - `last_hang` - seconds since the last hang was found - - `execs_since_crash` - execs since the last crash was found - - `exec_timeout` - the -t command line value - - `slowest_exec_ms` - real time of the slowest execution in ms - - `peak_rss_mb` - max rss usage reached during fuzzing in MB - - `edges_found` - how many edges have been found - - `var_byte_count` - how many edges are non-deterministic - - `afl_banner` - banner text (e.g. the target name) - - `afl_version` - the version of AFL used - - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - - `command_line` - full command line used for the fuzzing session - -Most of these map directly to the UI elements discussed earlier on. - -On top of that, you can also find an entry called `plot_data`, containing a -plottable history for most of these fields. If you have gnuplot installed, you -can turn this into a nice progress report with the included `afl-plot` tool. - - -### Addendum: Automatically send metrics with StatsD - -In a CI environment or when running multiple fuzzers, it can be tedious to -log into each of them or deploy scripts to read the fuzzer statistics. -Using `AFL_STATSD` (and the other related environment variables `AFL_STATSD_HOST`, -`AFL_STATSD_PORT`, `AFL_STATSD_TAGS_FLAVOR`) you can automatically send metrics -to your favorite StatsD server. Depending on your StatsD server you will be able -to monitor, trigger alerts or perform actions based on these metrics (e.g: alert on -slow exec/s for a new build, threshold of crashes, time since last crash > X, etc). - -The selected metrics are a subset of all the metrics found in the status and in -the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, -`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`, -`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`, -`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`, -`slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. -Their definitions can be found in the addendum above. - -When using multiple fuzzer instances with StatsD it is *strongly* recommended to setup -the flavor (AFL_STATSD_TAGS_FLAVOR) to match your StatsD server. This will allow you -to see individual fuzzer performance, detect bad ones, see the progress of each -strategy... diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md index ba96d0ce..446d373c 100644 --- a/docs/third_party_tools.md +++ b/docs/third_party_tools.md @@ -1,12 +1,12 @@ # Tools that help fuzzing with AFL++ Speeding up fuzzing: - * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory testcase feature :-) - recommended. + * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory test case feature :-) - recommended. Minimization of test cases: * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores. - * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm. - * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization. + * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm. + * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization. Distributed execution: * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL. diff --git a/qemu_mode/libqasan/README.md b/qemu_mode/libqasan/README.md index 4a241233..6a65c12b 100644 --- a/qemu_mode/libqasan/README.md +++ b/qemu_mode/libqasan/README.md @@ -19,7 +19,7 @@ finding capabilities during fuzzing) is WIP. ### When should I use QASan? If your target binary is PIC x86_64, you should also give a try to -[retrowrite](https://github.com/HexHive/retrowrite) for static rewriting. +[RetroWrite](https://github.com/HexHive/retrowrite) for static rewriting. If it fails, or if your binary is for another architecture, or you want to use persistent and snapshot mode, AFL++ QASan mode is what you want/have to use. diff --git a/unicorn_mode/samples/persistent/COMPILE.md b/unicorn_mode/samples/persistent/COMPILE.md index 111dfc54..9f2ae718 100644 --- a/unicorn_mode/samples/persistent/COMPILE.md +++ b/unicorn_mode/samples/persistent/COMPILE.md @@ -1,13 +1,16 @@ # C Sample This shows a simple persistent harness for unicornafl in C. -In contrast to the normal c harness, this harness manually resets the unicorn state on each new input. -Thanks to this, we can rerun the testcase in unicorn multiple times, without the need to fork again. +In contrast to the normal c harness, this harness manually resets the unicorn +state on each new input. +Thanks to this, we can rerun the test case in unicorn multiple times, without +the need to fork again. ## Compiling sample.c The target can be built using the `make` command. Just make sure you have built unicorn support first: + ```bash cd /path/to/afl/unicorn_mode ./build_unicorn_support.sh @@ -19,6 +22,7 @@ You don't need to compile persistent_target.c since a X86_64 binary version is pre-built and shipped in this sample folder. This file documents how the binary was built in case you want to rebuild it or recompile it for any reason. -The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in gcc. +The pre-built binary (persistent_target_x86_64.bin) was built using -g -O0 in +gcc. -We then load the binary and we execute the main function directly. +We then load the binary and we execute the main function directly. \ No newline at end of file diff --git a/utils/aflpp_driver/README.md b/utils/aflpp_driver/README.md index 30e2412f..4560be2b 100644 --- a/utils/aflpp_driver/README.md +++ b/utils/aflpp_driver/README.md @@ -7,15 +7,15 @@ targets. Just do `afl-clang-fast++ -o fuzz fuzzer_harness.cc libAFLDriver.a [plus required linking]`. -You can also sneakily do this little trick: +You can also sneakily do this little trick: If this is the clang compile command to build for libfuzzer: `clang++ -o fuzz -fsanitize=fuzzer fuzzer_harness.cc -lfoo` then just switch `clang++` with `afl-clang-fast++` and our compiler will magically insert libAFLDriver.a :) -To use shared-memory testcases, you need nothing to do. -To use stdin testcases give `-` as the only command line parameter. -To use file input testcases give `@@` as the only command line parameter. +To use shared-memory test cases, you need nothing to do. +To use stdin test cases, give `-` as the only command line parameter. +To use file input test cases, give `@@` as the only command line parameter. IMPORTANT: if you use `afl-cmin` or `afl-cmin.bash` then either pass `-` or `@@` as command line parameters. @@ -30,8 +30,8 @@ are to be fuzzed in qemu_mode. So we compile them with clang/clang++, without `clang++ -o fuzz fuzzer_harness.cc libAFLQemuDriver.a [plus required linking]`. - Then just do (where the name of the binary is `fuzz`): + ``` AFL_QEMU_PERSISTENT_ADDR=0x$(nm fuzz | grep "T LLVMFuzzerTestOneInput" | awk '{print $1}') AFL_QEMU_PERSISTENT_HOOK=/path/to/aflpp_qemu_driver_hook.so afl-fuzz -Q ... -- ./fuzz` @@ -40,4 +40,4 @@ AFL_QEMU_PERSISTENT_HOOK=/path/to/aflpp_qemu_driver_hook.so afl-fuzz -Q ... -- . if you use afl-cmin or `afl-showmap -C` with the aflpp_qemu_driver you need to set the set same AFL_QEMU_... (or AFL_FRIDA_...) environment variables. If you want to use afl-showmap (without -C) or afl-cmin.bash then you may not -set these environment variables and rather set `AFL_QEMU_DRIVER_NO_HOOK=1`. +set these environment variables and rather set `AFL_QEMU_DRIVER_NO_HOOK=1`. \ No newline at end of file -- cgit 1.4.1 From 10365a22bdd5b87711a859816a8a550a6481b038 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Mon, 22 Nov 2021 22:08:49 +0100 Subject: Merge ctx and ngram into llvm, fix references --- docs/env_variables.md | 7 +- docs/fuzzing_expert.md | 12 +-- instrumentation/README.ctx.md | 38 ------- instrumentation/README.llvm.md | 229 +++++++++++++++++++++++++--------------- instrumentation/README.ngram.md | 28 ----- 5 files changed, 152 insertions(+), 162 deletions(-) delete mode 100644 instrumentation/README.ctx.md delete mode 100644 instrumentation/README.ngram.md (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 65cca0dc..4386c5f8 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -171,7 +171,7 @@ config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. For more information, see -[instrumentation/README.ctx.md](../instrumentation/README.ctx.md). +[instrumentation/README.llvm.md#6) AFL Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). #### INSTRUMENT LIST (selectively instrument files and functions) @@ -247,7 +247,7 @@ in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. For more information, see -[instrumentation/README.ngram.md](../instrumentation/README.ngram.md). +[instrumentation/README.llvm.md#7) AFL N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage). #### NOT_ZERO @@ -261,9 +261,6 @@ For more information, see If the target performs only a few loops, then this will give a small performance boost. -For more information, see -[instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md). - #### Thread safe instrumentation counters (in all modes) Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 876c5fbb..5945d114 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -112,12 +112,8 @@ are interested in: There are many more options and modes available however these are most of the time less effective. See: - * [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) - * [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) - -AFL++ performs "never zero" counting in its bitmap. You can read more about this -here: - * [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) + * [instrumentation/README.llvm.md#6) AFL Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). + * [instrumentation/README.llvm.md#7) AFL N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) #### c) Sanitizers @@ -247,7 +243,7 @@ For meson you have to set the AFL++ compiler with the very first command! Sometimes cmake and configure do not pick up the AFL++ compiler, or the ranlib/ar that is needed - because this was just not foreseen by the developer -of the target. Or they have non-standard options. Figure out if there is a +of the target. Or they have non-standard options. Figure out if there is a non-standard way to set this, otherwise set up the build normally and edit the generated build environment afterwards manually to point it to the right compiler (and/or ranlib and ar). @@ -337,7 +333,7 @@ Note that this step is rather optional though. #### Done! -The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/ +The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/ if you minimized the corpus in step c) - is the resulting input corpus directory to be used in fuzzing! :-) diff --git a/instrumentation/README.ctx.md b/instrumentation/README.ctx.md deleted file mode 100644 index 335e9921..00000000 --- a/instrumentation/README.ctx.md +++ /dev/null @@ -1,38 +0,0 @@ -# AFL Context Sensitive Branch Coverage - -## What is this? - -This is an LLVM-based implementation of the context sensitive branch coverage. - -Basically every function gets its own ID and, every time when an edge is logged, -all the IDs in the callstack are hashed and combined with the edge transition -hash to augment the classic edge coverage with the information about the -calling context. - -So if both function A and function B call a function C, the coverage -collected in C will be different. - -In math the coverage is collected as follows: -`map[current_location_ID ^ previous_location_ID >> 1 ^ hash_callstack_IDs] += 1` - -The callstack hash is produced XOR-ing the function IDs to avoid explosion with -recursive functions. - -## Usage - -Set the `AFL_LLVM_INSTRUMENT=CTX` or `AFL_LLVM_CTX=1` environment variable. - -It is highly recommended to increase the MAP_SIZE_POW2 definition in -config.h to at least 18 and maybe up to 20 for this as otherwise too -many map collisions occur. - -## Caller Branch Coverage - -If the context sensitive coverage introduces too may collisions and becoming -detrimental, the user can choose to augment edge coverage with just the -called function ID, instead of the entire callstack hash. - -In math the coverage is collected as follows: -`map[current_location_ID ^ previous_location_ID >> 1 ^ previous_callee_ID] += 1` - -Set the `AFL_LLVM_INSTRUMENT=CALLER` or `AFL_LLVM_CALLER=1` environment variable. diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index dbb604f2..1671f385 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -1,72 +1,79 @@ # Fast LLVM-based instrumentation for afl-fuzz - (See [../README.md](../README.md) for the general instruction manual.) +For the general instruction manual, see [../README.md](../README.md). - (See [README.gcc_plugin.md](README.gcc_plugin.md) for the GCC-based instrumentation.) +For the GCC-based instrumentation, see +[README.gcc_plugin.md](README.gcc_plugin.md). ## 1) Introduction ! llvm_mode works with llvm versions 3.8 up to 13 ! -The code in this directory allows you to instrument programs for AFL using -true compiler-level instrumentation, instead of the more crude -assembly-level rewriting approach taken by afl-gcc and afl-clang. This has -several interesting properties: +The code in this directory allows you to instrument programs for AFL using true +compiler-level instrumentation, instead of the more crude assembly-level +rewriting approach taken by afl-gcc and afl-clang. This has several interesting +properties: - - The compiler can make many optimizations that are hard to pull off when - manually inserting assembly. As a result, some slow, CPU-bound programs will - run up to around 2x faster. +- The compiler can make many optimizations that are hard to pull off when + manually inserting assembly. As a result, some slow, CPU-bound programs will + run up to around 2x faster. - The gains are less pronounced for fast binaries, where the speed is limited - chiefly by the cost of creating new processes. In such cases, the gain will - probably stay within 10%. + The gains are less pronounced for fast binaries, where the speed is limited + chiefly by the cost of creating new processes. In such cases, the gain will + probably stay within 10%. - - The instrumentation is CPU-independent. At least in principle, you should - be able to rely on it to fuzz programs on non-x86 architectures (after - building afl-fuzz with AFL_NO_X86=1). +- The instrumentation is CPU-independent. At least in principle, you should be + able to rely on it to fuzz programs on non-x86 architectures (after building + afl-fuzz with AFL_NO_X86=1). - - The instrumentation can cope a bit better with multi-threaded targets. +- The instrumentation can cope a bit better with multi-threaded targets. - - Because the feature relies on the internals of LLVM, it is clang-specific - and will *not* work with GCC (see ../gcc_plugin/ for an alternative once - it is available). +- Because the feature relies on the internals of LLVM, it is clang-specific and + will *not* work with GCC (see ../gcc_plugin/ for an alternative once it is + available). Once this implementation is shown to be sufficiently robust and portable, it will probably replace afl-clang. For now, it can be built separately and co-exists with the original code. -The idea and much of the intial implementation came from Laszlo Szekeres. +The idea and much of the initial implementation came from Laszlo Szekeres. ## 2a) How to use this - short Set the `LLVM_CONFIG` variable to the clang version you want to use, e.g. + ``` LLVM_CONFIG=llvm-config-9 make ``` + In case you have your own compiled llvm version specify the full path: + ``` LLVM_CONFIG=~/llvm-project/build/bin/llvm-config make ``` + If you try to use a new llvm version on an old Linux this can fail because of old c++ libraries. In this case usually switching to gcc/g++ to compile llvm_mode will work: + ``` LLVM_CONFIG=llvm-config-7 REAL_CC=gcc REAL_CXX=g++ make ``` -It is highly recommended to use the newest clang version you can put your -hands on :) + +It is highly recommended to use the newest clang version you can put your hands +on :) Then look at [README.persistent_mode.md](README.persistent_mode.md). ## 2b) How to use this - long In order to leverage this mechanism, you need to have clang installed on your -system. You should also make sure that the llvm-config tool is in your path -(or pointed to via LLVM_CONFIG in the environment). +system. You should also make sure that the llvm-config tool is in your path (or +pointed to via LLVM_CONFIG in the environment). -Note that if you have several LLVM versions installed, pointing LLVM_CONFIG -to the version you want to use will switch compiling to this specific -version - if you installation is set up correctly :-) +Note that if you have several LLVM versions installed, pointing LLVM_CONFIG to +the version you want to use will switch compiling to this specific version - if +you installation is set up correctly :-) Unfortunately, some systems that do have clang come without llvm-config or the LLVM development headers; one example of this is FreeBSD. FreeBSD users will @@ -75,15 +82,15 @@ load modules (you'll see "Service unavailable" when loading afl-llvm-pass.so). To solve all your problems, you can grab pre-built binaries for your OS from: - https://llvm.org/releases/download.html +[https://llvm.org/releases/download.html](https://llvm.org/releases/download.html) ...and then put the bin/ directory from the tarball at the beginning of your $PATH when compiling the feature and building packages later on. You don't need to be root for that. -To build the instrumentation itself, type 'make'. This will generate binaries -called afl-clang-fast and afl-clang-fast++ in the parent directory. Once this -is done, you can instrument third-party code in a way similar to the standard +To build the instrumentation itself, type `make`. This will generate binaries +called afl-clang-fast and afl-clang-fast++ in the parent directory. Once this is +done, you can instrument third-party code in a way similar to the standard operating mode of AFL, e.g.: ``` @@ -93,81 +100,137 @@ operating mode of AFL, e.g.: Be sure to also include CXX set to afl-clang-fast++ for C++ code. -Note that afl-clang-fast/afl-clang-fast++ are just pointers to afl-cc. -You can also use afl-cc/afl-c++ and instead direct it to use LLVM -instrumentation by either setting `AFL_CC_COMPILER=LLVM` or pass the parameter -`--afl-llvm` via CFLAGS/CXXFLAGS/CPPFLAGS. +Note that afl-clang-fast/afl-clang-fast++ are just pointers to afl-cc. You can +also use afl-cc/afl-c++ and instead direct it to use LLVM instrumentation by +either setting `AFL_CC_COMPILER=LLVM` or pass the parameter `--afl-llvm` via +CFLAGS/CXXFLAGS/CPPFLAGS. The tool honors roughly the same environmental variables as afl-gcc (see [docs/env_variables.md](../docs/env_variables.md)). This includes AFL_USE_ASAN, -AFL_HARDEN, and AFL_DONT_OPTIMIZE. However AFL_INST_RATIO is not honored -as it does not serve a good purpose with the more effective PCGUARD analysis. +AFL_HARDEN, and AFL_DONT_OPTIMIZE. However AFL_INST_RATIO is not honored as it +does not serve a good purpose with the more effective PCGUARD analysis. ## 3) Options -Several options are present to make llvm_mode faster or help it rearrange -the code to make afl-fuzz path discovery easier. +Several options are present to make llvm_mode faster or help it rearrange the +code to make afl-fuzz path discovery easier. -If you need just to instrument specific parts of the code, you can the instrument file list -which C/C++ files to actually instrument. See [README.instrument_list.md](README.instrument_list.md) +If you need just to instrument specific parts of the code, you can the +instrument file list which C/C++ files to actually instrument. See +[README.instrument_list.md](README.instrument_list.md) -For splitting memcmp, strncmp, etc. please see [README.laf-intel.md](README.laf-intel.md) +For splitting memcmp, strncmp, etc. please see +[README.laf-intel.md](README.laf-intel.md) Then there are different ways of instrumenting the target: -1. An better instrumentation strategy uses LTO and link time -instrumentation. Note that not all targets can compile in this mode, however -if it works it is the best option you can use. -Simply use afl-clang-lto/afl-clang-lto++ to use this option. -See [README.lto.md](README.lto.md) +1. An better instrumentation strategy uses LTO and link time instrumentation. + Note that not all targets can compile in this mode, however if it works it is + the best option you can use. Simply use afl-clang-lto/afl-clang-lto++ to use + this option. See [README.lto.md](README.lto.md). -2. Alternativly you can choose a completely different coverage method: +2. Alternatively you can choose a completely different coverage method: -2a. N-GRAM coverage - which combines the previous visited edges with the -current one. This explodes the map but on the other hand has proven to be -effective for fuzzing. -See [README.ngram.md](README.ngram.md) +2a. N-GRAM coverage - which combines the previous visited edges with the current + one. This explodes the map but on the other hand has proven to be effective + for fuzzing. See + [7) AFL N-Gram Branch Coverage](#7-afl-n-gram-branch-coverage). 2b. Context sensitive coverage - which combines the visited edges with an -individual caller ID (the function that called the current one) -[README.ctx.md](README.ctx.md) + individual caller ID (the function that called the current one). See + [6) AFL Context Sensitive Branch Coverage](#6-afl-context-sensitive-branch-coverage). -Then - additionally to one of the instrumentation options above - there is -a very effective new instrumentation option called CmpLog as an alternative to -laf-intel that allow AFL++ to apply mutations similar to Redqueen. -See [README.cmplog.md](README.cmplog.md) +Then - additionally to one of the instrumentation options above - there is a +very effective new instrumentation option called CmpLog as an alternative to +laf-intel that allow AFL++ to apply mutations similar to Redqueen. See +[README.cmplog.md](README.cmplog.md). -Finally if your llvm version is 8 or lower, you can activate a mode that -prevents that a counter overflow result in a 0 value. This is good for -path discovery, but the llvm implementation for x86 for this functionality -is not optimal and was only fixed in llvm 9. -You can set this with AFL_LLVM_NOT_ZERO=1 -See [README.neverzero.md](README.neverzero.md) +Finally, if your llvm version is 8 or lower, you can activate a mode that +prevents that a counter overflow result in a 0 value. This is good for path +discovery, but the llvm implementation for x86 for this functionality is not +optimal and was only fixed in llvm 9. You can set this with AFL_LLVM_NOT_ZERO=1. -Support for thread safe counters has been added for all modes. -Activate it with `AFL_LLVM_THREADSAFE_INST=1`. The tradeoff is better precision -in multi threaded apps for a slightly higher instrumentation overhead. -This also disables the nozero counter default for performance reasons. +Support for thread safe counters has been added for all modes. Activate it with +`AFL_LLVM_THREADSAFE_INST=1`. The tradeoff is better precision in multi threaded +apps for a slightly higher instrumentation overhead. This also disables the +nozero counter default for performance reasons. -## 4) Snapshot feature +## 4) deferred initialization, persistent mode, shared memory fuzzing -To speed up fuzzing you can use a linux loadable kernel module which enables -a snapshot feature. -See [README.snapshot.md](README.snapshot.md) +This is the most powerful and effective fuzzing you can do. Please see +[README.persistent_mode.md](README.persistent_mode.md) for a full explanation. -## 5) Gotchas, feedback, bugs +## 5) Bonus feature: 'dict2file' pass -This is an early-stage mechanism, so field reports are welcome. You can send bug -reports to . +Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation +all constant string compare parameters will be written to this file to be used +with afl-fuzz' `-x` option. -## 6) deferred initialization, persistent mode, shared memory fuzzing +## 6) AFL Context Sensitive Branch Coverage -This is the most powerful and effective fuzzing you can do. -Please see [README.persistent_mode.md](README.persistent_mode.md) for a -full explanation. +### What is this? -## 7) Bonus feature: 'dict2file' pass +This is an LLVM-based implementation of the context sensitive branch coverage. -Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation -all constant string compare parameters will be written to this file to be -used with afl-fuzz' `-x` option. +Basically every function gets its own ID and, every time when an edge is logged, +all the IDs in the callstack are hashed and combined with the edge transition +hash to augment the classic edge coverage with the information about the calling +context. + +So if both function A and function B call a function C, the coverage collected +in C will be different. + +In math the coverage is collected as follows: `map[current_location_ID ^ +previous_location_ID >> 1 ^ hash_callstack_IDs] += 1` + +The callstack hash is produced XOR-ing the function IDs to avoid explosion with +recursive functions. + +### Usage + +Set the `AFL_LLVM_INSTRUMENT=CTX` or `AFL_LLVM_CTX=1` environment variable. + +It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to +at least 18 and maybe up to 20 for this as otherwise too many map collisions +occur. + +### Caller Branch Coverage + +If the context sensitive coverage introduces too may collisions and becoming +detrimental, the user can choose to augment edge coverage with just the called +function ID, instead of the entire callstack hash. + +In math the coverage is collected as follows: `map[current_location_ID ^ +previous_location_ID >> 1 ^ previous_callee_ID] += 1` + +Set the `AFL_LLVM_INSTRUMENT=CALLER` or `AFL_LLVM_CALLER=1` environment +variable. + +## 7) AFL N-Gram Branch Coverage + +### Source + +This is an LLVM-based implementation of the n-gram branch coverage proposed in +the paper +["Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf) +by Jinghan Wang, et. al. + +Note that the original implementation (available +[here](https://github.com/bitsecurerlab/afl-sensitive)) is built on top of AFL's +qemu_mode. This is essentially a port that uses LLVM vectorized instructions +(available from llvm versions 4.0.1 and higher) to achieve the same results when +compiling source code. + +In math the branch coverage is performed as follows: `map[current_location ^ +prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... up to n-1`] += 1` + +### Usage + +The size of `n` (i.e., the number of branches to remember) is an option that is +specified either in the `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or the +`AFL_LLVM_NGRAM_SIZE` environment variable. Good values are 2, 4, or 8, valid +are 2-16. + +It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to +at least 18 and maybe up to 20 for this as otherwise too many map collisions +occur. \ No newline at end of file diff --git a/instrumentation/README.ngram.md b/instrumentation/README.ngram.md deleted file mode 100644 index da61ef32..00000000 --- a/instrumentation/README.ngram.md +++ /dev/null @@ -1,28 +0,0 @@ -# AFL N-Gram Branch Coverage - -## Source - -This is an LLVM-based implementation of the n-gram branch coverage proposed in -the paper ["Be Sensitive and Collaborative: Analzying Impact of Coverage Metrics -in Greybox Fuzzing"](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf), -by Jinghan Wang, et. al. - -Note that the original implementation (available -[here](https://github.com/bitsecurerlab/afl-sensitive)) -is built on top of AFL's QEMU mode. -This is essentially a port that uses LLVM vectorized instructions (available from -llvm versions 4.0.1 and higher) to achieve the same results when compiling source code. - -In math the branch coverage is performed as follows: -`map[current_location ^ prev_location[0] >> 1 ^ prev_location[1] >> 1 ^ ... up to n-1`] += 1` - -## Usage - -The size of `n` (i.e., the number of branches to remember) is an option -that is specified either in the `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or the -`AFL_LLVM_NGRAM_SIZE` environment variable. -Good values are 2, 4 or 8, valid are 2-16. - -It is highly recommended to increase the MAP_SIZE_POW2 definition in -config.h to at least 18 and maybe up to 20 for this as otherwise too -many map collisions occur. -- cgit 1.4.1 From e0c8a5c0c6ae67af3280c0ead8124a2ffe920241 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 25 Nov 2021 16:47:49 +0100 Subject: Change "AFL" to "AFL++" in "README.llvm.md", fix references --- docs/env_variables.md | 4 ++-- docs/fuzzing_expert.md | 4 ++-- instrumentation/README.llvm.md | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 4386c5f8..cbc63032 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -171,7 +171,7 @@ config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. For more information, see -[instrumentation/README.llvm.md#6) AFL Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). +[instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). #### INSTRUMENT LIST (selectively instrument files and functions) @@ -247,7 +247,7 @@ in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur. For more information, see -[instrumentation/README.llvm.md#7) AFL N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage). +[instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage). #### NOT_ZERO diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 5945d114..d0d28582 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -112,8 +112,8 @@ are interested in: There are many more options and modes available however these are most of the time less effective. See: - * [instrumentation/README.llvm.md#6) AFL Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). - * [instrumentation/README.llvm.md#7) AFL N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) + * [instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage). + * [instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) #### c) Sanitizers diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 1671f385..88ea0127 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -9,8 +9,8 @@ For the GCC-based instrumentation, see ! llvm_mode works with llvm versions 3.8 up to 13 ! -The code in this directory allows you to instrument programs for AFL using true -compiler-level instrumentation, instead of the more crude assembly-level +The code in this directory allows you to instrument programs for AFL++ using +true compiler-level instrumentation, instead of the more crude assembly-level rewriting approach taken by afl-gcc and afl-clang. This has several interesting properties: @@ -134,11 +134,11 @@ Then there are different ways of instrumenting the target: 2a. N-GRAM coverage - which combines the previous visited edges with the current one. This explodes the map but on the other hand has proven to be effective for fuzzing. See - [7) AFL N-Gram Branch Coverage](#7-afl-n-gram-branch-coverage). + [7) AFL++ N-Gram Branch Coverage](#7-afl-n-gram-branch-coverage). 2b. Context sensitive coverage - which combines the visited edges with an individual caller ID (the function that called the current one). See - [6) AFL Context Sensitive Branch Coverage](#6-afl-context-sensitive-branch-coverage). + [6) AFL++ Context Sensitive Branch Coverage](#6-afl-context-sensitive-branch-coverage). Then - additionally to one of the instrumentation options above - there is a very effective new instrumentation option called CmpLog as an alternative to @@ -166,7 +166,7 @@ Just specify `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` and during compilation all constant string compare parameters will be written to this file to be used with afl-fuzz' `-x` option. -## 6) AFL Context Sensitive Branch Coverage +## 6) AFL++ Context Sensitive Branch Coverage ### What is this? @@ -206,7 +206,7 @@ previous_location_ID >> 1 ^ previous_callee_ID] += 1` Set the `AFL_LLVM_INSTRUMENT=CALLER` or `AFL_LLVM_CALLER=1` environment variable. -## 7) AFL N-Gram Branch Coverage +## 7) AFL++ N-Gram Branch Coverage ### Source -- cgit 1.4.1 From 7604dba6d6ee617d75ad7523ead02b6273233db5 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 26 Nov 2021 13:28:04 +0100 Subject: Fix typos --- docs/env_variables.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 34318cd4..2a004235 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -143,7 +143,7 @@ Available options: - CLANG - outdated clang instrumentation - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default) - You can also specify CTX and/or NGRAM, seperate the options with a comma "," + You can also specify CTX and/or NGRAM, separate the options with a comma "," then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4` Note: It is actually not a good idea to use both CTX and NGRAM. :) @@ -527,23 +527,23 @@ checks or alter some of the more exotic semantics of the tool: The QEMU wrapper used to instrument binary-only code supports several settings: - Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp - and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp, + and sub in x86 and x86_64 and memory comparison functions (e.g., strcmp, memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at [qemu_mode/libcompcov/README.md](../qemu_mode/libcompcov/README.md). There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate values / read-only memory and - `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more + `AFL_COMPCOV_LEVEL=2` that instruments all the comparisons. Level 2 is more accurate but may need a larger shared memory. - - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use - this if you are unsure if the entrypoint might be wrong - but use it + - `AFL_DEBUG` will print the found entry point for the binary to stderr. Use + this if you are unsure if the entry point might be wrong - but use it directly, e.g. `afl-qemu-trace ./program`. - - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary - (this can be very good for the performance!). The entrypoint is specified as - hex address, e.g. `0x4004110`. Note that the address must be the address of - a basic block. + - `AFL_ENTRYPOINT` allows you to specify a specific entry point into the + binary (this can be very good for the performance!). The entry point is + specified as hex address, e.g. `0x4004110`. Note that the address must be + the address of a basic block. - Setting `AFL_INST_LIBS` causes the translator to also instrument the code inside any dynamically linked libraries (notably including glibc). -- cgit 1.4.1 From a699dc2d2d54d10c729466408925384f2e07819b Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 29 Nov 2021 17:38:06 +0000 Subject: Update docs --- docs/env_variables.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++---- frida_mode/README.md | 6 ++++ 2 files changed, 98 insertions(+), 7 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index cbc63032..1a330158 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -578,7 +578,92 @@ The QEMU wrapper used to instrument binary-only code supports several settings: emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no reason to touch them. -## 6) Settings for afl-cmin +## 7) Settings for afl-frida-trace + +The FRIDA wrapper used to instrument binary-only code supports many of the same +options as `afl-qemu-trace`, but also has a number of additional advanced +options. These are listed in brief below (see [here](../frida_mode/README.md) +for more details). These settings are provided for compatibiltiy with QEMU mode, +the preferred way to configure FRIDA mode is through its +[scripting](../frida_mode/Scripting.md) support. + +* `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` +* `AFL_FRIDA_DRIVER_NO_HOOK` - See `AFL_QEMU_DRIVER_NO_HOOK`. When using the +QEMU driver to provide a `main` loop for a user provided +`LLVMFuzzerTestOneInput`, this option configures the driver to read input from +`stdin` rather than using in-memory test cases. +* `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` +* `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRio format coverage +information (e.g. to be loaded within IDA lighthouse). +* `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks +and their instrumented counterparts during block compilation. +* `AFL_FRIDA_INST_JIT` - Enable the instrumentation of Just-In-Time compiled +code. Code is considered to be JIT if the executable segment is not backed by a +file. +* `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage +instrumentation (the default where available). Required to use +`AFL_FRIDA_INST_TRACE`. +* `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing +each block, control will return to FRIDA to identify the next block to execute. +* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will +report instrumented blocks back to the parent so that it can also instrument +them and they be inherited by the next child on fork, implies +`AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. +* `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH` - Disable prefetching of stalker +backpatching information. By default the child will report applied backpatches +to the parent so that they can be applied and then be inherited by the next +child on fork. +* `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` +* `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to +generate block (and hence edge) IDs. Setting this to a constant value may be +useful for debugging purposes, e.g. investigating unstable edges. +* `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, +implies `AFL_FRIDA_INST_NO_OPTIMIZE`. +* `AFL_FRIDA_INST_TRACE_UNIQUE` - As per `AFL_FRIDA_INST_TRACE`, but each edge +is logged only once, requires `AFL_FRIDA_INST_NO_OPTIMIZE`. +* `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE` - File to write DynamoRio format +coverage information for unstable edges (e.g. to be loaded within IDA +lighthouse). +* `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting +engine. See [here](Scripting.md) for details. +* `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target +application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) +* `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target +application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) +* `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR` +* `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT` +* `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code +at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the user +to detect issues in the persistent loop using a debugger. +* `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK` +* `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET` +* `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to +the specified file. +* `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks + to fetch when generating instrumented code. By fetching blocks in the same + order they appear in the original program, rather than the order of execution + should help reduce locallity and adjacency. This includes allowing us to vector + between adjancent blocks using a NOP slide rather than an immediate branch. +* `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries +stored along-side branch instructions which provide a cache to avoid having to +call back into FRIDA to find the next block. Default is 32. +* `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being +instrumented to the given file name. The statistics are written only for the +child process when new block is instrumented (when the +`AFL_FRIDA_STATS_INTERVAL` has expired). Note that simply because a new path is +found does not mean a new block needs to be compiled. It could simply be that +the existing blocks instrumented have been executed in a different order. +* `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics +information. Stats will be written whenever they are updated if the given +interval has elapsed since last time they were written. +* `AFL_FRIDA_TRACEABLE` - Set the child process to be traceable by any process +to aid debugging and overcome the restrictions imposed by YAMA. Supported on +Linux only. Permits a non-root user to use `gcore` or similar to collect a core +dump of the instrumented target. Note that in order to capture the core dump you +must set a sufficient timeout (using `-t`) to avoid `afl-fuzz` killing the +process whilst it is being dumped. + +## 8) Settings for afl-cmin The corpus minimization script offers very little customization: @@ -596,7 +681,7 @@ The corpus minimization script offers very little customization: - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed. This can help when embedding `afl-cmin` or `afl-showmap` in other scripts. -## 7) Settings for afl-tmin +## 9) Settings for afl-tmin Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a @@ -607,12 +692,12 @@ to match when minimizing crashes. This will make minimization less useful, but may prevent the tool from "jumping" from one crashing condition to another in very buggy software. You probably want to combine it with the `-e` flag. -## 8) Settings for afl-analyze +## 10) Settings for afl-analyze You can set `AFL_ANALYZE_HEX` to get file offsets printed as hexadecimal instead of decimal. -## 9) Settings for libdislocator +## 11) Settings for libdislocator The library honors these environment variables: @@ -634,12 +719,12 @@ The library honors these environment variables: - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that may be useful for pinpointing the cause of any observed issues. -## 10) Settings for libtokencap +## 11) Settings for libtokencap This library accepts `AFL_TOKEN_FILE` to indicate the location to which the discovered tokens should be written. -## 11) Third-party variables set by afl-fuzz & other tools +## 12) Third-party variables set by afl-fuzz & other tools Several variables are not directly interpreted by afl-fuzz, but are set to optimal values if not already present in the environment: @@ -684,4 +769,4 @@ optimal values if not already present in the environment: - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker to do all the work before the fork server kicks in. You can override this by - setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. \ No newline at end of file + setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless. diff --git a/frida_mode/README.md b/frida_mode/README.md index a75324d5..6c46fe08 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -145,6 +145,10 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent (only on CMP, SUB and CALL instructions) performance is not quite so critical. ## Advanced configuration options +* `AFL_FRIDA_DRIVER_NO_HOOK` - See `AFL_QEMU_DRIVER_NO_HOOK`. When using the +QEMU driver to provide a `main` loop for a user provided +`LLVMFuzzerTestOneInput`, this option configures the driver to read input from +`stdin` rather than using in-memory test cases. * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRio format coverage information (e.g. to be loaded within IDA lighthouse). * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks @@ -194,6 +198,8 @@ is logged only once, requires `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE` - File to write DynamoRio format coverage information for unstable edges (e.g. to be loaded within IDA lighthouse). +* `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting +engine. See [here](Scripting.md) for details. * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target -- cgit 1.4.1 From d9e39be4e8dd0242877412d1a17589acc825292e Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 2 Dec 2021 16:49:16 +0100 Subject: Remove the word "simply" --- custom_mutators/gramatron/README.md | 6 +++--- docs/env_variables.md | 10 +++++----- docs/fuzzing_binary-only_targets.md | 3 +-- docs/fuzzing_in_depth.md | 10 +++++----- frida_mode/DEBUGGING.md | 6 +++--- frida_mode/MapDensity.md | 14 +++++++------- frida_mode/README.md | 10 +++++----- frida_mode/Scripting.md | 2 +- instrumentation/README.llvm.md | 4 ++-- qemu_mode/libcompcov/README.md | 6 +++--- utils/libtokencap/README.md | 8 ++++---- 11 files changed, 39 insertions(+), 40 deletions(-) (limited to 'docs/env_variables.md') diff --git a/custom_mutators/gramatron/README.md b/custom_mutators/gramatron/README.md index 91f93355..c8a76e3e 100644 --- a/custom_mutators/gramatron/README.md +++ b/custom_mutators/gramatron/README.md @@ -5,11 +5,11 @@ grammar-aware fuzzing. Technical details about our framework are available in the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). The artifact to reproduce the experiments presented in the paper are present in `artifact/`. Instructions to run a sample campaign and incorporate new -grammars is presented below: +grammars is presented below: # Compiling -Simply execute `./build_gramatron_mutator.sh` +Execute `./build_gramatron_mutator.sh` # Running @@ -25,7 +25,7 @@ afl-fuzz -i in -o out -- ./target # Adding and testing a new grammar -- Specify in a JSON format for CFG. Examples are correspond `source.json` files +- Specify in a JSON format for CFG. Examples are correspond `source.json` files - Run the automaton generation script (in `src/gramfuzz-mutator/preprocess`) which will place the generated automaton in the same folder. ``` diff --git a/docs/env_variables.md b/docs/env_variables.md index c1c70ec5..6f6110ae 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -59,9 +59,9 @@ fairly broad use of environment variables instead: otherwise. - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this - will cause problems in programs built with -Werror, simply because `-O3` - enables more thorough code analysis and can spew out additional warnings. To - disable optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or + will cause problems in programs built with -Werror, because `-O3` enables + more thorough code analysis and can spew out additional warnings. To disable + optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or `-fno-unroll-loops` are set, these are not overridden. - Setting `AFL_HARDEN` automatically adds code hardening options when invoking @@ -651,8 +651,8 @@ call back into FRIDA to find the next block. Default is 32. * `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being instrumented to the given file name. The statistics are written only for the child process when new block is instrumented (when the -`AFL_FRIDA_STATS_INTERVAL` has expired). Note that simply because a new path is -found does not mean a new block needs to be compiled. It could simply be that +`AFL_FRIDA_STATS_INTERVAL` has expired). Note that just because a new path is +found does not mean a new block needs to be compiled. It could be that the existing blocks instrumented have been executed in a different order. * `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics information. Stats will be written whenever they are updated if the given diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 290c9bec..2d57d0dc 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -129,8 +129,7 @@ Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar. In contrast to QEMU, Unicorn does not offer a full system or even userland emulation. Runtime environment and/or loaders have to be written from scratch, if needed. On top, block chaining has been removed. This means the speed boost -introduced in the patched QEMU Mode of AFL++ cannot simply be ported over to -Unicorn. +introduced in the patched QEMU Mode of AFL++ cannot be ported over to Unicorn. For non-Linux binaries, you can use AFL++'s unicorn_mode which can emulate anything you want - for the price of speed and user written scripts. diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 251bbc1d..7aabe090 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -427,8 +427,8 @@ It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off, or afl-fuzz is not aborted if you are running it in a remote ssh session where the connection fails in between. Only do that though once you have verified that your fuzzing setup works! -Simply run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...` -and it will start away in a screen session. To enter this session simply type +Run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...` +and it will start away in a screen session. To enter this session, type `screen -r afl-main`. You see - it makes sense to name the screen session same as the afl-fuzz -M/-S naming :-) For more information on screen or tmux please check their documentation. @@ -457,7 +457,7 @@ handling in the target. Play around with various -m values until you find one that safely works for all your input seeds (if you have good ones and then double or quadruple that. -By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press +By default afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or send a signal SIGINT. You can limit the number of executions or approximate runtime in seconds with options also. @@ -554,7 +554,7 @@ recommended! ### d) Using multiple machines for fuzzing Maybe you have more than one machine you want to fuzz the same target on. -Simply start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...) +Start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...) orchestra as you like, just ensure that your have one and only one `-M` instance per server, and that its name is unique, hence the recommendation for `-M main-$HOSTNAME`. @@ -609,7 +609,7 @@ e.g., `afl-plot out/default /srv/www/htdocs/plot`. ### f) Stopping fuzzing, restarting fuzzing, adding new seeds -To stop an afl-fuzz run, simply press Control-C. +To stop an afl-fuzz run, press Control-C. To restart an afl-fuzz run, just reuse the same command line but replace the `-i directory` with `-i -` or set `AFL_AUTORESUME=1`. diff --git a/frida_mode/DEBUGGING.md b/frida_mode/DEBUGGING.md index 9cdc5eb6..b703ae43 100644 --- a/frida_mode/DEBUGGING.md +++ b/frida_mode/DEBUGGING.md @@ -160,9 +160,9 @@ Lastly, if your defect only occurs when using `afl-fuzz` (e.g., when using shared memory mapping being created for it to record its data), it is possible to enable the creation of a core dump for post-mortem analysis. -Firstly, check if your `/proc/sys/kernel/core_pattern` configuration is simply -set to a filename (AFL++ encourages you to set it to the value `core` in any -case since it doesn't want any handler applications getting in the way). +Firstly, check if your `/proc/sys/kernel/core_pattern` configuration is set to a +filename (AFL++ encourages you to set it to the value `core` in any case since +it doesn't want any handler applications getting in the way). Next, set `ulimit -c unlimited` to remove any size limitations for core files. diff --git a/frida_mode/MapDensity.md b/frida_mode/MapDensity.md index b6a96ca0..50f2720f 100644 --- a/frida_mode/MapDensity.md +++ b/frida_mode/MapDensity.md @@ -77,13 +77,13 @@ evenly distributed. We start with a large address and need to discard a large number of the bits to generate a block ID which is within range. But how do we choose the unique bits of the address versus those which are the same for every block? The high bits of -the address may simply be all `0s` or all `1s` to make the address canonical, -the middle portion of the address may be the same for all blocks (since if they -are all within the same binary, then they will all be adjacent in memory), and -on some systems, even the low bits may have poor entropy as some use fixed -length aligned instructions. Then we need to consider that a portion of each -binary may contain the `.data` or `.bss` sections and so may not contain any -blocks of code at all. +the address may be all `0s` or all `1s` to make the address canonical, the +middle portion of the address may be the same for all blocks (since if they are +all within the same binary, then they will all be adjacent in memory), and on +some systems, even the low bits may have poor entropy as some use fixed length +aligned instructions. Then we need to consider that a portion of each binary may +contain the `.data` or `.bss` sections and so may not contain any blocks of code +at all. ### Edge IDs diff --git a/frida_mode/README.md b/frida_mode/README.md index c19280e1..c2b98473 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -229,9 +229,9 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent * `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being instrumented to the given file name. The statistics are written only for the child process when new block is instrumented (when the - `AFL_FRIDA_STATS_INTERVAL` has expired). Note that simply because a new path - is found does not mean a new block needs to be compiled. It could simply be - that the existing blocks instrumented have been executed in a different order. + `AFL_FRIDA_STATS_INTERVAL` has expired). Note that just because a new path is + found does not mean a new block needs to be compiled. It could be that the + existing blocks instrumented have been executed in a different order. ``` stats @@ -359,8 +359,8 @@ An example of how to fuzz a dynamic library on OSX is included, see [test/osx-lib](test/osx-lib). This requires the use of a simple test harness executable which will load the library and call a target function within it. The dependent library can either be loaded in using `dlopen` and `dlsym` in a -function marked `__attribute__((constructor()))` or the test harness can simply -be linked against it. It is important that the target library is loaded before +function marked `__attribute__((constructor()))` or the test harness can be +linked against it. It is important that the target library is loaded before execution of `main`, since this is the point where FRIDA mode is initialized. Otherwise, it will not be possible to configure coverage for the test library using `AFL_FRIDA_INST_RANGES` or similar. diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index fcf8a490..fd4282db 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -511,7 +511,7 @@ int main(int argc, char **argv) { ``` There are a couple of obstacles with our target application. Unlike when fuzzing -source code, though, we can't simply edit it and recompile it. The following +source code, though, we can't just edit it and recompile it. The following script shows how we can use the normal functionality of FRIDA to modify any troublesome behavior. diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 88ea0127..35f38261 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -126,8 +126,8 @@ Then there are different ways of instrumenting the target: 1. An better instrumentation strategy uses LTO and link time instrumentation. Note that not all targets can compile in this mode, however if it works it is - the best option you can use. Simply use afl-clang-lto/afl-clang-lto++ to use - this option. See [README.lto.md](README.lto.md). + the best option you can use. To go with this option, use + afl-clang-lto/afl-clang-lto++. See [README.lto.md](README.lto.md). 2. Alternatively you can choose a completely different coverage method: diff --git a/qemu_mode/libcompcov/README.md b/qemu_mode/libcompcov/README.md index fca20a69..6a72f5ff 100644 --- a/qemu_mode/libcompcov/README.md +++ b/qemu_mode/libcompcov/README.md @@ -23,7 +23,7 @@ To use this library make sure to preload it with AFL_PRELOAD. ``` export AFL_PRELOAD=/path/to/libcompcov.so export AFL_COMPCOV_LEVEL=1 - + afl-fuzz -Q -i input -o output -- ``` @@ -33,5 +33,5 @@ logs all the comparisons. The library make use of https://github.com/ouadev/proc_maps_parser and so it is Linux specific. However this is not a strict dependency, other UNIX operating -systems can be supported simply replacing the code related to the -/proc/self/maps parsing. +systems can be supported by replacing the code related to the +/proc/self/maps parsing. \ No newline at end of file diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md index a39ed3a5..91ebebd1 100644 --- a/utils/libtokencap/README.md +++ b/utils/libtokencap/README.md @@ -40,10 +40,10 @@ when using afl-gcc. This setting specifically adds the following flags: -fno-builtin-strcasestr ``` -The next step is simply loading this library via LD_PRELOAD. The optimal usage -pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus, -and then fire off the target binary, with libtokencap.so loaded, on every file -found by AFL in that earlier run. This demonstrates the basic principle: +The next step is to load this library via LD_PRELOAD. The optimal usage pattern +is to allow afl-fuzz to fuzz normally for a while and build up a corpus, and +then fire off the target binary, with libtokencap.so loaded, on every file found +by AFL in that earlier run. This demonstrates the basic principle: ``` export AFL_TOKEN_FILE=$PWD/temp_output.txt -- cgit 1.4.1 From 0ae9b0dff4773c34913d89d8efcab4453552c140 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 2 Dec 2021 17:01:45 +0100 Subject: Remove the word "please" --- README.md | 2 +- docs/custom_mutators.md | 9 +++++---- docs/env_variables.md | 2 +- docs/fuzzing_in_depth.md | 4 ++-- frida_mode/README.md | 4 ++-- instrumentation/README.laf-intel.md | 6 +++--- instrumentation/README.llvm.md | 8 ++++---- unicorn_mode/README.md | 38 ++++++++++++++++++------------------- utils/optimin/README.md | 8 ++++---- 9 files changed, 41 insertions(+), 40 deletions(-) (limited to 'docs/env_variables.md') diff --git a/README.md b/README.md index e74c91e5..dbf49b20 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details. Here is some information to get you started: -* For releases, please see the +* For releases, see the [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and [branches](#branches). Also take a look at the list of [important changes in AFL++](docs/important_changes.md). diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index b1dfd309..2caba560 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -5,7 +5,7 @@ For now, we support C/C++ library and Python module, collectivelly named as the custom mutator. There is also experimental support for Rust in `custom_mutators/rust`. -Please refer to that directory for documentation. +For documentation, refer to that directory. Run ```cargo doc -p custom_mutator --open``` in that directory to view the documentation in your web browser. @@ -25,7 +25,8 @@ Now AFL also supports multiple custom mutators which can be specified in the sam ```bash export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mutator_second.so" ``` -Please see [APIs](#2-apis) and [Usage](#3-usage) for detail. + +For details, see [APIs](#2-apis) and [Usage](#3-usage). The custom mutation stage is set to be the first non-deterministic stage (right before the havoc stage). @@ -288,8 +289,8 @@ afl-fuzz /path/to/program ## 4) Example -Please see [example.c](../custom_mutators/examples/example.c) and -[example.py](../custom_mutators/examples/example.py) +See [example.c](../custom_mutators/examples/example.c) and +[example.py](../custom_mutators/examples/example.py). ## 5) Other Resources diff --git a/docs/env_variables.md b/docs/env_variables.md index 6f6110ae..bb7ea70b 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -320,7 +320,7 @@ checks or alter some of the more exotic semantics of the tool: additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be performed with the custom mutator. This feature allows to configure custom mutators which can be very helpful, e.g. fuzzing - XML or other highly flexible structured input. Please see + XML or other highly flexible structured input. For details, see [custom_mutators.md](custom_mutators.md). - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 7aabe090..c94590a4 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -1,7 +1,7 @@ # Fuzzing with AFL++ The following describes how to fuzz with a target if source code is available. -If you have a binary-only target, please go to +If you have a binary-only target, go to [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md). Fuzzing source code is a three-step process: @@ -431,7 +431,7 @@ Run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...` and it will start away in a screen session. To enter this session, type `screen -r afl-main`. You see - it makes sense to name the screen session same as the afl-fuzz -M/-S naming :-) -For more information on screen or tmux please check their documentation. +For more information on screen or tmux, check their documentation. If you need to stop and re-start the fuzzing, use the same command line options (or even change them by selecting a different power schedule or another mutation diff --git a/frida_mode/README.md b/frida_mode/README.md index c2b98473..58519699 100644 --- a/frida_mode/README.md +++ b/frida_mode/README.md @@ -367,8 +367,8 @@ using `AFL_FRIDA_INST_RANGES` or similar. ## Debugging -Please refer to [DEBUGGING.md](DEBUGGING.md) for assistance should you encounter -problems with FRIDA mode. +Should you encounter problems with FRIDA mode, refer to +[DEBUGGING.md](DEBUGGING.md) for assistance. ## To do diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md index 3cde10c3..06e653ea 100644 --- a/instrumentation/README.laf-intel.md +++ b/instrumentation/README.laf-intel.md @@ -42,9 +42,9 @@ comparisons. A new experimental feature is splitting floating point comparisons into a series of sign, exponent and mantissa comparisons followed by splitting each of them into 8 bit comparisons when necessary. It is activated with the -`AFL_LLVM_LAF_SPLIT_FLOATS` setting. Please note that full IEEE 754 -functionality is not preserved, that is values of nan and infinity will probably -behave differently. +`AFL_LLVM_LAF_SPLIT_FLOATS` setting. Note that full IEEE 754 functionality is +not preserved, that is values of nan and infinity will probably behave +differently. Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`. diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index 35f38261..8133cbe4 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -119,8 +119,8 @@ If you need just to instrument specific parts of the code, you can the instrument file list which C/C++ files to actually instrument. See [README.instrument_list.md](README.instrument_list.md) -For splitting memcmp, strncmp, etc. please see -[README.laf-intel.md](README.laf-intel.md) +For splitting memcmp, strncmp, etc., see +[README.laf-intel.md](README.laf-intel.md). Then there are different ways of instrumenting the target: @@ -157,8 +157,8 @@ nozero counter default for performance reasons. ## 4) deferred initialization, persistent mode, shared memory fuzzing -This is the most powerful and effective fuzzing you can do. Please see -[README.persistent_mode.md](README.persistent_mode.md) for a full explanation. +This is the most powerful and effective fuzzing you can do. For a full +explanation, see [README.persistent_mode.md](README.persistent_mode.md). ## 5) Bonus feature: 'dict2file' pass diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md index d2b7d16f..ed85e687 100644 --- a/unicorn_mode/README.md +++ b/unicorn_mode/README.md @@ -10,8 +10,8 @@ The CompareCoverage and NeverZero counters features are by Andrea Fioraldi Date: Thu, 2 Dec 2021 17:08:06 +0100 Subject: Change the word "behaviour" (BE) to "behavior" (AE) --- docs/env_variables.md | 4 ++-- docs/fuzzing_in_depth.md | 6 +++--- docs/important_changes.md | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index bb7ea70b..ec9b2b01 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -109,7 +109,7 @@ fairly broad use of environment variables instead: - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory) - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race conditions - - `AFL_USE_UBSAN=1` - activates the undefined behaviour sanitizer + - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer - `TMPDIR` is used by afl-as for temporary files; if this variable is not set, the tool defaults to /tmp. @@ -336,7 +336,7 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! - - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index c94590a4..8188a18e 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -178,8 +178,8 @@ The following sanitizers have built-in support in AFL++: * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg. a local variable that is defined and read before it is even set. Enabled with `export AFL_USE_MSAN=1` before compiling. -* UBSAN = Undefined Behaviour SANitizer, finds instances where - by the C and - C++ standards - undefined behaviour happens, e.g. adding two signed integers +* UBSAN = Undefined Behavior SANitizer, finds instances where - by the C and C++ + standards - undefined behavior happens, e.g. adding two signed integers together where the result is larger than a signed integer can hold. Enabled with `export AFL_USE_UBSAN=1` before compiling. * CFISAN = Control Flow Integrity SANitizer, finds instances where the control @@ -196,7 +196,7 @@ The following sanitizers have built-in support in AFL++: of the target source code where you find a leak check necessary! Enabled with `export AFL_USE_LSAN=1` before compiling. -It is possible to further modify the behaviour of the sanitizers at run-time by +It is possible to further modify the behavior of the sanitizers at run-time by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters can be looked up in the sanitizer documentation of llvm/clang. afl-fuzz, however, requires some specific parameters important for fuzzing to be set. If you want diff --git a/docs/important_changes.md b/docs/important_changes.md index 877dfab2..9d6bbbbe 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -1,6 +1,6 @@ # Important changes in AFL++ -This document lists important changes in AFL++, for example, major behaviour changes. +This document lists important changes in AFL++, for example, major behavior changes. ## From version 3.00 onwards @@ -8,23 +8,23 @@ With AFL++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for binary-only fuzzing. It is slower than Qemu mode but works on MacOS, Android, iOS etc. -With AFL++ 3.15 we introduced the following changes from previous behaviours: +With AFL++ 3.15 we introduced the following changes from previous behaviors: * Also -M main mode does not do deterministic fuzzing by default anymore * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz -i does (but note that afl-cmin.bash does not) -With AFL++ 3.14 we introduced the following changes from previous behaviours: +With AFL++ 3.14 we introduced the following changes from previous behaviors: * afl-fuzz: deterministic fuzzing it not a default for -M main anymore * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash however does not) -With AFL++ 3.10 we introduced the following changes from previous behaviours: +With AFL++ 3.10 we introduced the following changes from previous behaviors: * The '+' feature of the '-t' option now means to auto-calculate the timeout with the value given being the maximum timeout. The original meaning of "skipping timeouts instead of abort" is now inherent to the -t option. With AFL++ 3.00 we introduced changes that break some previous AFL and AFL++ -behaviours and defaults: +behaviors and defaults: * There are no llvm_mode and gcc_plugin subdirectories anymore and there is only one compiler: afl-cc. All previous compilers now symlink to this one. All instrumentation source code is now in the `instrumentation/` folder. -- cgit 1.4.1 From 7a8e4018a59fdabef395ca730d6e73f95e8daaed Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 2 Dec 2021 17:13:12 +0100 Subject: Change the word "env var" to "environment variable" --- docs/env_variables.md | 2 +- docs/features.md | 4 ++-- docs/important_changes.md | 5 +++-- qemu_mode/README.md | 5 +++-- utils/qbdi_mode/README.md | 6 ++++-- 5 files changed, 13 insertions(+), 9 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index ec9b2b01..6c90e84c 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -564,7 +564,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings: general purpose registers and restore them in each persistent cycle. - Another modality to execute the persistent loop is to specify also the - `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable + `AFL_QEMU_PERSISTENT_RET=end addr` environment variable. With this variable assigned, instead of patching the return address, the specified instruction is transformed to a jump towards `start addr`. diff --git a/docs/features.md b/docs/features.md index 35a869a9..fb688a64 100644 --- a/docs/features.md +++ b/docs/features.md @@ -19,8 +19,8 @@ QEMU 5.1 with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full | Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | | | Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | | -1. default for LLVM >= 9.0, env var for older version due an efficiency bug in - previous llvm versions +1. default for LLVM >= 9.0, environment variable for older version due an + efficiency bug in previous llvm versions 2. GCC creates non-performant code, hence it is disabled in gcc_plugin 3. with `AFL_LLVM_THREADSAFE_INST`, disables NeverZero 4. with pcguard mode and LTO mode for LLVM 11 and newer diff --git a/docs/important_changes.md b/docs/important_changes.md index 9d6bbbbe..726de64d 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -48,8 +48,9 @@ behaviors and defaults: * deterministic fuzzing is now disabled by default (unless using -M) and can be enabled with -D * a caching of test cases can now be performed and can be modified by - editing config.h for TESTCASE_CACHE or by specifying the env variable - `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50). + editing config.h for TESTCASE_CACHE or by specifying the environment + variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 + (default: 50). * -M mains do not perform trimming * examples/ got renamed to utils/ * libtokencap/ libdislocator/ and qdbi_mode/ were moved to utils/ diff --git a/qemu_mode/README.md b/qemu_mode/README.md index b4b5e7bf..8e04cbf9 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -83,8 +83,9 @@ For more information, see [README.persistent.md](README.persistent.md). As an extension to persistent mode, qemuafl can snapshot and restore the memory state and brk(). For details, see [README.persistent.md](README.persistent.md). -The env var that enables the ready to use snapshot mode is `AFL_QEMU_SNAPSHOT` -and takes a hex address as a value that is the snapshot entry point. +The environment variable that enables the ready to use snapshot mode is +`AFL_QEMU_SNAPSHOT` and takes a hex address as a value that is the snapshot +entry point. Snapshot mode can work restoring all the writeable pages, that is typically slower than fork() mode but, on the other hand, it can scale better with diff --git a/utils/qbdi_mode/README.md b/utils/qbdi_mode/README.md index 8b768906..2e8b01d4 100755 --- a/utils/qbdi_mode/README.md +++ b/utils/qbdi_mode/README.md @@ -34,7 +34,9 @@ For x86 standalone-toolchain ./build/tools/make_standalone_toolchain.py --arch x86 --api 21 --install-dir ../android-standalone-toolchain-x86 ``` -In alternative you can also use the prebuilt toolchain, in that case make sure to set the proper CC and CXX env variables because there are many different compilers for each API version in the prebuilt toolchain. +In alternative you can also use the prebuilt toolchain, in that case make sure +to set the proper CC and CXX environment variables because there are many +different compilers for each API version in the prebuilt toolchain. For example: @@ -64,7 +66,7 @@ cd android-qbdi-sdk-x86_64/ tar xvf QBDI-0.7.0-android-X86_64.tar.gz ``` -Now set the `STANDALONE_TOOLCHAIN_PATH` to the path of standalone-toolchain +Now set the `STANDALONE_TOOLCHAIN_PATH` to the path of standalone-toolchain ``` export STANDALONE_TOOLCHAIN_PATH=/home/hac425/workspace/android-standalone-toolchain-x86_64 -- cgit 1.4.1 From b7395fa46710673602b8fb7257e502e5f129a56c Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Thu, 2 Dec 2021 19:52:10 +0100 Subject: Change "AFL" to "AFL++" --- README.md | 2 +- coresight_mode/README.md | 7 +++++-- dictionaries/README.md | 2 +- docs/INSTALL.md | 6 +++--- docs/afl-fuzz_approach.md | 4 ++-- docs/custom_mutators.md | 3 ++- docs/env_variables.md | 4 ++-- docs/fuzzing_in_depth.md | 8 ++++---- testcases/README.md | 2 +- unicorn_mode/README.md | 10 +++++----- utils/argv_fuzzing/README.md | 4 ++-- utils/libdislocator/README.md | 8 ++++---- utils/libtokencap/README.md | 2 +- 13 files changed, 33 insertions(+), 29 deletions(-) (limited to 'docs/env_variables.md') diff --git a/README.md b/README.md index dbf49b20..93c0dd10 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ Step-by-step quick start: To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz. If the program takes input from a file, you can put `@@` in the program's - command line; AFL will put an auto-generated file name in there for you. + command line; AFL++ will put an auto-generated file name in there for you. 4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/afl-fuzz_approach.md#understanding-the-status-screen](docs/afl-fuzz_approach.md#understanding-the-status-screen). diff --git a/coresight_mode/README.md b/coresight_mode/README.md index cd1bccab..1a39d347 100644 --- a/coresight_mode/README.md +++ b/coresight_mode/README.md @@ -3,7 +3,7 @@ CoreSight mode enables binary-only fuzzing on ARM64 Linux using CoreSight (ARM's hardware tracing technology). NOTE: CoreSight mode is in the early development stage. Not applicable for production use. -Currently the following hardware boards are supported: +Currently the following hardware boards are supported: * NVIDIA Jetson TX2 (NVIDIA Parker) * NVIDIA Jetson Nano (NVIDIA Tegra X1) * GIGABYTE R181-T90 (Marvell ThunderX2 CN99XX) @@ -12,7 +12,10 @@ Currently the following hardware boards are supported: Please read the [RICSec/coresight-trace README](https://github.com/RICSecLab/coresight-trace/blob/master/README.md) and check the prerequisites (capstone) before getting started. -CoreSight mode supports the AFL fork server mode to reduce `exec` system call overhead. To support it for binary-only fuzzing, it needs to modify the target ELF binary to re-link to the patched glibc. We employ this design from [PTrix](https://github.com/junxzm1990/afl-pt). +CoreSight mode supports the AFL++ fork server mode to reduce `exec` system call +overhead. To support it for binary-only fuzzing, it needs to modify the target +ELF binary to re-link to the patched glibc. We employ this design from +[PTrix](https://github.com/junxzm1990/afl-pt). Check out all the git submodules in the `cs_mode` directory: diff --git a/dictionaries/README.md b/dictionaries/README.md index 7c587abb..2c0056f6 100644 --- a/dictionaries/README.md +++ b/dictionaries/README.md @@ -1,4 +1,4 @@ -# AFL dictionaries +# AFL++ dictionaries (See [../README.md](../README.md) for the general instruction manual.) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index cfa20dea..ab6e735b 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -20,7 +20,7 @@ The easiest choice is to build and install everything: sudo apt-get update sudo apt-get install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools # try to install llvm 11 and install the distro default if that fails -sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev sudo apt-get install -y ninja-build # for qemu_mode git clone https://github.com/AFLplusplus/AFLplusplus @@ -114,8 +114,8 @@ This means two things: - Fuzzing will be probably slower than on Linux. In fact, some folks report considerable performance gains by running the jobs inside a Linux VM on MacOS X. - - Some non-portable, platform-specific code may be incompatible with the - AFL forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the + - Some non-portable, platform-specific code may be incompatible with the AFL++ + forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the environment before starting afl-fuzz. User emulation mode of QEMU does not appear to be supported on MacOS X, so black-box instrumentation mode (`-Q`) will not work. diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 4e8e5eaa..3e4faaec 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -348,7 +348,7 @@ That last bit is actually fairly interesting: it measures the consistency of observed traces. If a program always behaves the same for the same input data, it will earn a score of 100%. When the value is lower but still shown in purple, the fuzzing process is unlikely to be negatively affected. If it goes into red, -you may be in trouble, since AFL will have difficulty discerning between +you may be in trouble, since AFL++ will have difficulty discerning between meaningful and "phantom" effects of tweaking the input file. Now, most targets will just get a 100% score, but when you see lower figures, @@ -506,7 +506,7 @@ directory. This includes: - `edges_found` - how many edges have been found - `var_byte_count` - how many edges are non-deterministic - `afl_banner` - banner text (e.g. the target name) -- `afl_version` - the version of AFL used +- `afl_version` - the version of AFL++ used - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - `command_line` - full command line used for the fuzzing session diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 2caba560..3a2ec3b2 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -21,7 +21,8 @@ fuzzing by using libraries that perform mutations according to a given grammar. The custom mutator is passed to `afl-fuzz` via the `AFL_CUSTOM_MUTATOR_LIBRARY` or `AFL_PYTHON_MODULE` environment variable, and must export a fuzz function. -Now AFL also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this. +Now AFL++ also supports multiple custom mutators which can be specified in the +same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this. ```bash export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mutator_second.so" ``` diff --git a/docs/env_variables.md b/docs/env_variables.md index 6c90e84c..715a60cb 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -307,7 +307,7 @@ checks or alter some of the more exotic semantics of the tool: (`-i in`). This is an important feature to set when resuming a fuzzing session. - - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL++ treats as crash. For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash had occurred. This may be beneficial if you look for higher-level faulty @@ -493,7 +493,7 @@ checks or alter some of the more exotic semantics of the tool: This is especially useful when running multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. `afl_version` - corresponds to the currently running AFL version (e.g. `++3.0c`). Default + corresponds to the currently running AFL++ version (e.g. `++3.0c`). Default (empty/non present) will add no tags to the metrics. For more information, see [rpc_statsd.md](rpc_statsd.md). diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 8188a18e..4d2884f6 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -106,9 +106,9 @@ You can select the mode for the afl-cc compiler by: MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). -Because no AFL specific command-line options are accepted (beside the --afl-MODE -command), the compile-time tools make fairly broad use of environment variables, -which can be listed with `afl-cc -hh` or by reading +Because no AFL++ specific command-line options are accepted (beside the +--afl-MODE command), the compile-time tools make fairly broad use of environment +variables, which can be listed with `afl-cc -hh` or by reading [env_variables.md](env_variables.md). ### b) Selecting instrumentation options @@ -213,7 +213,7 @@ is more effective). If the target has features that make fuzzing more difficult, e.g. checksums, HMAC, etc. then modify the source code so that checks for these values are removed. This can even be done safely for source code used in operational -products by eliminating these checks within these AFL specific blocks: +products by eliminating these checks within these AFL++ specific blocks: ``` #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION diff --git a/testcases/README.md b/testcases/README.md index ef38d3c4..a2f74d68 100644 --- a/testcases/README.md +++ b/testcases/README.md @@ -1,4 +1,4 @@ -# AFL starting test cases +# AFL++ starting test cases (See [../README.md](../README.md) for the general instruction manual.) diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md index ed85e687..4c95e8f3 100644 --- a/unicorn_mode/README.md +++ b/unicorn_mode/README.md @@ -8,7 +8,8 @@ The CompareCoverage and NeverZero counters features are by Andrea Fioraldi Date: Thu, 2 Dec 2021 21:03:59 +0100 Subject: Fix punctuation in connection with "e.g." --- .github/ISSUE_TEMPLATE/bug_report.md | 5 +++-- CONTRIBUTING.md | 2 +- docs/FAQ.md | 4 ++-- docs/INSTALL.md | 3 ++- docs/afl-fuzz_approach.md | 2 +- docs/best_practices.md | 4 ++-- docs/custom_mutators.md | 7 ++++--- docs/env_variables.md | 22 +++++++++++----------- docs/fuzzing_binary-only_targets.md | 6 +++--- docs/fuzzing_in_depth.md | 32 ++++++++++++++++---------------- docs/ideas.md | 2 +- docs/important_changes.md | 2 +- instrumentation/README.llvm.md | 2 +- instrumentation/README.lto.md | 2 +- utils/README.md | 2 +- utils/afl_network_proxy/README.md | 6 ++++-- 16 files changed, 54 insertions(+), 49 deletions(-) (limited to 'docs/env_variables.md') diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 31152cd2..0d80f4a3 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -8,8 +8,9 @@ assignees: '' --- **IMPORTANT** -1. You have verified that the issue to be present in the current `dev` branch -2. Please supply the command line options and relevant environment variables, e.g. a copy-paste of the contents of `out/default/fuzzer_setup` +1. You have verified that the issue to be present in the current `dev` branch. +2. Please supply the command line options and relevant environment variables, + e.g., a copy-paste of the contents of `out/default/fuzzer_setup`. Thank you for making AFL++ better! diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0268b2e5..0ab4f8ec 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -17,7 +17,7 @@ project, or added a file in a directory we already format, otherwise run: Regarding the coding style, please follow the AFL style. No camel case at all and use AFL's macros wherever possible -(e.g. WARNF, FATAL, MAP_SIZE, ...). +(e.g., WARNF, FATAL, MAP_SIZE, ...). Remember that AFL++ has to build and run on many platforms, so generalize your Makefiles/GNUmakefile (or your patches to our pre-existing diff --git a/docs/FAQ.md b/docs/FAQ.md index 49444999..27250415 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -21,7 +21,7 @@ If you find an interesting or important question missing, submit it via This already resulted in a much advanced AFL. Until the end of 2019, the AFL++ team had grown to four active developers which then implemented their own research and features, making it now by far the most flexible and feature rich guided fuzzer available as open source. - And in independent fuzzing benchmarks it is one of the best fuzzers available, e.g. [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html). + And in independent fuzzing benchmarks it is one of the best fuzzers available, e.g., [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html).

@@ -123,7 +123,7 @@ If you find an interesting or important question missing, submit it via Sending the same input again and again should take the exact same path through the target every time. If that is the case, the stability is 100%. - If, however, randomness happens, e.g. a thread reading other external data, + If, however, randomness happens, e.g., a thread reading other external data, reaction to timing, etc., then in some of the re-executions with the same data the edge coverage result will be different accross runs. Those edges that change are then flagged "unstable". diff --git a/docs/INSTALL.md b/docs/INSTALL.md index ab6e735b..c1e22e36 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -69,7 +69,8 @@ These build options exist: * NO_PYTHON - disable python support * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing * AFL_NO_X86 - if compiling on non-intel/amd platforms -* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian) +* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config + (e.g., Debian) e.g.: `make ASAN_BUILD=1` diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 242104f7..68f45891 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -504,7 +504,7 @@ directory. This includes: - `peak_rss_mb` - max rss usage reached during fuzzing in MB - `edges_found` - how many edges have been found - `var_byte_count` - how many edges are non-deterministic -- `afl_banner` - banner text (e.g. the target name) +- `afl_banner` - banner text (e.g., the target name) - `afl_version` - the version of AFL++ used - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - `command_line` - full command line used for the fuzzing session diff --git a/docs/best_practices.md b/docs/best_practices.md index 15f8870c..6a406bde 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -48,7 +48,7 @@ this with persistent mode [instrumentation/README.persistent_mode.md](../instrum and you have a performance gain of x10 instead of a performance loss of over x10 - that is a x100 difference!). -If modifying the source is not an option (e.g. because you only have a binary +If modifying the source is not an option (e.g., because you only have a binary and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD to emulate the network. This is also much faster than the real network would be. See [utils/socket_fuzzing/](../utils/socket_fuzzing/). @@ -123,7 +123,7 @@ Four steps are required to do this and it also requires quite some knowledge of Only exclude those functions from instrumentation that provide no value for coverage - that is if it does not process any fuzz data directly or - indirectly (e.g. hash maps, thread management etc.). If, however, a + indirectly (e.g., hash maps, thread management etc.). If, however, a function directly or indirectly handles fuzz data, then you should not put the function in a deny instrumentation list and rather live with the instability it comes with. diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index fc5ecbf9..6bee5413 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -124,7 +124,7 @@ def deinit(): # optional for Python additional test case. Note that this function is optional - but it makes sense to use it. You would only skip this if `post_process` is used to fix checksums etc. - so if you are using it e.g. as a post processing library. + so if you are using it, e.g., as a post processing library. Note that a length > 0 *must* be returned! - `describe` (optional): @@ -191,8 +191,9 @@ trimmed input. Here's a quick API description: This method is called at the start of each trimming operation and receives the initial buffer. It should return the amount of iteration steps possible - on this input (e.g. if your input has n elements and you want to remove them - one by one, return n, if you do a binary search, return log(n), and so on). + on this input (e.g., if your input has n elements and you want to remove + them one by one, return n, if you do a binary search, return log(n), and so + on). If your trimming algorithm doesn't allow to determine the amount of (remaining) steps easily (esp. while running), then you can alternatively diff --git a/docs/env_variables.md b/docs/env_variables.md index 715a60cb..771bf157 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -80,9 +80,9 @@ fairly broad use of environment variables instead: Setting `AFL_INST_RATIO` to 0 is a valid choice. This will instrument only the transitions between function entry points, but not individual branches. - Note that this is an outdated variable. A few instances (e.g. afl-gcc) still - support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) do not - need this. + Note that this is an outdated variable. A few instances (e.g., afl-gcc) + still support these, but state-of-the-art (e.g., LLVM LTO and LLVM PCGUARD) + do not need this. - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with libtokencap.so (but perhaps running a bit slower than without the flag). @@ -319,7 +319,7 @@ checks or alter some of the more exotic semantics of the tool: afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be performed with the custom mutator. This feature - allows to configure custom mutators which can be very helpful, e.g. fuzzing + allows to configure custom mutators which can be very helpful, e.g., fuzzing XML or other highly flexible structured input. For details, see [custom_mutators.md](custom_mutators.md). @@ -449,7 +449,7 @@ checks or alter some of the more exotic semantics of the tool: not crash the target again when the test case is given. To be able to still re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash. If set to - e.g. 10, then the 9 previous inputs are written to out/default/crashes as + e.g., 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first! @@ -493,7 +493,7 @@ checks or alter some of the more exotic semantics of the tool: This is especially useful when running multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. `afl_version` - corresponds to the currently running AFL++ version (e.g. `++3.0c`). Default + corresponds to the currently running AFL++ version (e.g., `++3.0c`). Default (empty/non present) will add no tags to the metrics. For more information, see [rpc_statsd.md](rpc_statsd.md). @@ -535,11 +535,11 @@ The QEMU wrapper used to instrument binary-only code supports several settings: - `AFL_DEBUG` will print the found entry point for the binary to stderr. Use this if you are unsure if the entry point might be wrong - but use it - directly, e.g. `afl-qemu-trace ./program`. + directly, e.g., `afl-qemu-trace ./program`. - `AFL_ENTRYPOINT` allows you to specify a specific entry point into the binary (this can be very good for the performance!). The entry point is - specified as hex address, e.g. `0x4004110`. Note that the address must be + specified as hex address, e.g., `0x4004110`. Note that the address must be the address of a basic block. - Setting `AFL_INST_LIBS` causes the translator to also instrument the code @@ -595,7 +595,7 @@ QEMU driver to provide a `main` loop for a user provided `stdin` rather than using in-memory test cases. * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRio format coverage -information (e.g. to be loaded within IDA lighthouse). +information (e.g., to be loaded within IDA lighthouse). * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks and their instrumented counterparts during block compilation. * `AFL_FRIDA_INST_JIT` - Enable the instrumentation of Just-In-Time compiled @@ -617,13 +617,13 @@ child on fork. * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to generate block (and hence edge) IDs. Setting this to a constant value may be -useful for debugging purposes, e.g. investigating unstable edges. +useful for debugging purposes, e.g., investigating unstable edges. * `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, implies `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_TRACE_UNIQUE` - As per `AFL_FRIDA_INST_TRACE`, but each edge is logged only once, requires `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE` - File to write DynamoRio format -coverage information for unstable edges (e.g. to be loaded within IDA +coverage information for unstable edges (e.g., to be loaded within IDA lighthouse). * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting engine. See [here](Scripting.md) for details. diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index c3204212..a786fd8b 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -113,7 +113,7 @@ If you want to fuzz a binary-only library, then you can fuzz it with frida-gum via frida_mode/. You will have to write a harness to call the target function in the library, use afl-frida.c as a template. -You can also perform remote fuzzing with frida, e.g. if you want to fuzz on +You can also perform remote fuzzing with frida, e.g., if you want to fuzz on iPhone or Android devices, for this you can use [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) as an intermediate that uses AFL++ for fuzzing. @@ -198,8 +198,8 @@ It is at about 80-85% performance. Dyninst is a binary instrumentation framework similar to Pintool and DynamoRIO. However, whereas Pintool and DynamoRIO work at runtime, Dyninst instruments the target at load time and then let it run - or save the binary with the changes. -This is great for some things, e.g. fuzzing, and not so effective for others, -e.g. malware analysis. +This is great for some things, e.g., fuzzing, and not so effective for others, +e.g., malware analysis. So, what you can do with Dyninst is taking every basic block and putting AFL++'s instrumentation code in there - and then save the binary. Afterwards, just fuzz diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 96e709ab..4e1e001e 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -167,7 +167,7 @@ allows you to find bugs that would not necessarily result in a crash. Note that sanitizers have a huge impact on CPU (= less executions per second) and RAM usage. Also you should only run one afl-fuzz instance per sanitizer -type. This is enough because a use-after-free bug will be picked up, e.g. by +type. This is enough because a use-after-free bug will be picked up, e.g., by ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not all fuzzing instances need to be instrumented with ASAN. @@ -179,7 +179,7 @@ The following sanitizers have built-in support in AFL++: local variable that is defined and read before it is even set. Enabled with `export AFL_USE_MSAN=1` before compiling. * UBSAN = Undefined Behavior SANitizer, finds instances where - by the C and C++ - standards - undefined behavior happens, e.g. adding two signed integers + standards - undefined behavior happens, e.g., adding two signed integers together where the result is larger than a signed integer can hold. Enabled with `export AFL_USE_UBSAN=1` before compiling. * CFISAN = Control Flow Integrity SANitizer, finds instances where the control @@ -202,15 +202,15 @@ be looked up in the sanitizer documentation of llvm/clang. afl-fuzz, however, requires some specific parameters important for fuzzing to be set. If you want to set your own, it might bail and report what it is missing. -Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and -others often cannot work together because of target weirdness, e.g. ASAN and +Note that some sanitizers cannot be used together, e.g., ASAN and MSAN, and +others often cannot work together because of target weirdness, e.g., ASAN and CFISAN. You might need to experiment which sanitizers you can combine in a target (which means more instances can be run without a sanitized target, which is more effective). ### d) Modifying the target -If the target has features that make fuzzing more difficult, e.g. checksums, +If the target has features that make fuzzing more difficult, e.g., checksums, HMAC, etc. then modify the source code so that checks for these values are removed. This can even be done safely for source code used in operational products by eliminating these checks within these AFL++ specific blocks: @@ -250,7 +250,7 @@ Then build the target. (Usually with `make`) reporting via `export AFL_QUIET=1`. 2. sometimes configure and build systems error on warnings - these should be - disabled (e.g. `--disable-werror` for some configure scripts). + disabled (e.g., `--disable-werror` for some configure scripts). 3. in case the configure/build system complains about AFL++'s compiler and aborts then set `export AFL_NOOPT=1` which will then just behave like the @@ -354,7 +354,7 @@ You can find many good examples of starting files in the Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not produce a new path in the target. -Put all files from step a) into one directory, e.g. INPUTS. +Put all files from step a) into one directory, e.g., INPUTS. If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` the run afl-cmin like this: @@ -380,8 +380,8 @@ for i in *; do done ``` -This step can also be parallelized, e.g. with `parallel`. Note that this step is -rather optional though. +This step can also be parallelized, e.g., with `parallel`. Note that this step +is rather optional though. ### Done! @@ -503,7 +503,7 @@ can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`. There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many -secondary fuzzers (e.g. `-S variant1`) as you have cores that you use. Every +secondary fuzzers (e.g., `-S variant1`) as you have cores that you use. Every -M/-S entry needs a unique name (that can be whatever), however, the same -o output directory location has to be used for all instances. @@ -522,7 +522,7 @@ All other secondaries should be used like this: * a quarter to a third with the MOpt mutator enabled: `-L 0` * run with a different power schedule, recommended are: `fast (default), explore, coe, lin, quad, exploit and rare` which you can set - with e.g. `-p explore` + with, e.g., `-p explore` * a few instances should use the old queue cycling with `-Z` Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases @@ -547,7 +547,7 @@ A long list can be found at However, you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc. Just show the main fuzzer (-M) with the `-F` option where the queue/work -directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`. Using +directory of a different fuzzer is, e.g., `-F /src/target/honggfuzz`. Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly recommended! @@ -615,8 +615,8 @@ To restart an afl-fuzz run, just reuse the same command line but replace the `-i directory` with `-i -` or set `AFL_AUTORESUME=1`. If you want to add new seeds to a fuzzing campaign you can run a temporary -fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new seeds -are in `newseeds/` directory: +fuzzing instance, e.g., when your main fuzzer is using `-o out` and the new +seeds are in `newseeds/` directory: ``` AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- ./target @@ -665,9 +665,9 @@ then you will not touch any of the other library APIs and features. ### h) How long to fuzz a target? This is a difficult question. Basically if no new path is found for a long time -(e.g. for a day or a week) then you can expect that your fuzzing won't be +(e.g., for a day or a week) then you can expect that your fuzzing won't be fruitful anymore. However, often this just means that you should switch out -secondaries for others, e.g. custom mutator modules, sync to very different +secondaries for others, e.g., custom mutator modules, sync to very different fuzzers, etc. Keep the queue/ directory (for future fuzzings of the same or similar targets) diff --git a/docs/ideas.md b/docs/ideas.md index 325e7031..8193983b 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -32,7 +32,7 @@ Mentor: any ## Support other programming languages Other programming languages also use llvm hence they could (easily?) supported -for fuzzing, e.g. mono, swift, go, kotlin native, fortran, ... +for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ... GCC also supports: Objective-C, Fortran, Ada, Go, and D (according to [Gcc homepage](https://gcc.gnu.org/)) diff --git a/docs/important_changes.md b/docs/important_changes.md index 6cd00791..82de054f 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -44,7 +44,7 @@ behaviors and defaults: * `-i` input directory option now descends into subdirectories. It also does not fatal on crashes and too large files, instead it skips them and uses them for splicing mutations - * -m none is now default, set memory limits (in MB) with e.g. -m 250 + * -m none is now default, set memory limits (in MB) with, e.g., -m 250 * deterministic fuzzing is now disabled by default (unless using -M) and can be enabled with -D * a caching of test cases can now be performed and can be modified by diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index d16049fa..ac8f2f2a 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -40,7 +40,7 @@ The idea and much of the initial implementation came from Laszlo Szekeres. ## 2a) How to use this - short -Set the `LLVM_CONFIG` variable to the clang version you want to use, e.g. +Set the `LLVM_CONFIG` variable to the clang version you want to use, e.g.: ``` LLVM_CONFIG=llvm-config-9 make diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index b97e5799..a20175b1 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -71,7 +71,7 @@ use an outdated Linux distribution, read the next section. Installing the llvm snapshot builds is easy and mostly painless: In the following line, change `NAME` for your Debian or Ubuntu release name -(e.g. buster, focal, eon, etc.): +(e.g., buster, focal, eon, etc.): ``` echo deb http://apt.llvm.org/NAME/ llvm-toolchain-NAME NAME >> /etc/apt/sources.list diff --git a/utils/README.md b/utils/README.md index b8df0b47..b7eead8e 100644 --- a/utils/README.md +++ b/utils/README.md @@ -13,7 +13,7 @@ Here's a quick overview of the stuff you can find in this directory: - afl_proxy - skeleton file example to show how to fuzz something where you gather coverage data via - different means, e.g. hw debugger + different means, e.g., hw debugger - afl_untracer - fuzz binary-only libraries much faster but with less coverage than qemu_mode diff --git a/utils/afl_network_proxy/README.md b/utils/afl_network_proxy/README.md index d2c00be2..c478319a 100644 --- a/utils/afl_network_proxy/README.md +++ b/utils/afl_network_proxy/README.md @@ -6,7 +6,8 @@ Note that the impact on fuzzing speed will be huge, expect a loss of 90%. ## When to use this 1. when you have to fuzz a target that has to run on a system that cannot - contain the fuzzing output (e.g. /tmp too small and file system is read-only) + contain the fuzzing output (e.g., /tmp too small and file system is + read-only) 2. when the target instantly reboots on crashes 3. ... any other reason you would need this @@ -28,6 +29,7 @@ For most targets this hurts performance though so it is disabled by default. Run `afl-network-server` with your target with the -m and -t values you need. Important is the -i parameter which is the TCP port to listen on. e.g.: + ``` afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@ ``` @@ -50,7 +52,7 @@ value itself should be 500-1000 higher than the one on afl-network-server. The TARGET can be an IPv4 or IPv6 address, or a host name that resolves to either. Note that also the outgoing interface can be specified with a '%' for -`afl-network-client`, e.g. `fe80::1234%eth0`. +`afl-network-client`, e.g., `fe80::1234%eth0`. Also make sure your default TCP window size is larger than your MAP_SIZE (130kb is a good value). -- cgit 1.4.1 From bcd81c377d22cf26812127881a8ac15ed9c022ad Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 4 Dec 2021 20:38:00 +0100 Subject: Fix line length and formatting --- CONTRIBUTING.md | 11 ++-- README.md | 26 +++++--- TODO.md | 9 ++- docs/FAQ.md | 82 ++++++++++++++++--------- docs/INSTALL.md | 79 +++++++++++++++--------- docs/afl-fuzz_approach.md | 4 +- docs/best_practices.md | 114 +++++++++++++++++++++++------------ docs/custom_mutators.md | 80 ++++++++++++------------ docs/env_variables.md | 96 ++++++++++++++--------------- docs/fuzzing_binary-only_targets.md | 6 +- docs/fuzzing_in_depth.md | 50 ++++++++------- docs/ideas.md | 55 +++++++++-------- docs/important_changes.md | 29 ++++----- docs/rpc_statsd.md | 73 ++++++++++++++++------ frida_mode/Scripting.md | 20 +++--- instrumentation/README.gcc_plugin.md | 4 +- 16 files changed, 435 insertions(+), 303 deletions(-) (limited to 'docs/env_variables.md') diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0ab4f8ec..fb13b91a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -15,10 +15,9 @@ project, or added a file in a directory we already format, otherwise run: ./.custom-format.py -i file-that-you-have-created.c ``` -Regarding the coding style, please follow the AFL style. -No camel case at all and use AFL's macros wherever possible -(e.g., WARNF, FATAL, MAP_SIZE, ...). +Regarding the coding style, please follow the AFL style. No camel case at all +and use AFL's macros wherever possible (e.g., WARNF, FATAL, MAP_SIZE, ...). -Remember that AFL++ has to build and run on many platforms, so -generalize your Makefiles/GNUmakefile (or your patches to our pre-existing -Makefiles) to be as generic as possible. +Remember that AFL++ has to build and run on many platforms, so generalize your +Makefiles/GNUmakefile (or your patches to our pre-existing Makefiles) to be as +generic as possible. \ No newline at end of file diff --git a/README.md b/README.md index 08363149..b70eb1ab 100644 --- a/README.md +++ b/README.md @@ -44,8 +44,8 @@ Here is some information to get you started: ## Building and installing AFL++ -To have AFL++ easily available with everything compiled, pull the image -directly from the Docker Hub: +To have AFL++ easily available with everything compiled, pull the image directly +from the Docker Hub: ```shell docker pull aflplusplus/aflplusplus @@ -53,8 +53,8 @@ docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` This image is automatically generated when a push to the stable repo happens -(see [branches](#branches)). You will find your target source -code in `/src` in the container. +(see [branches](#branches)). You will find your target source code in `/src` in +the container. To build AFL++ yourself, continue at [docs/INSTALL.md](docs/INSTALL.md). @@ -120,8 +120,8 @@ Questions? Concerns? Bug reports? * The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus). -* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or - important question missing, submit it via +* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important + question missing, submit it via [https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions). * There is a mailing list for the AFL/AFL++ project ([browse archive](https://groups.google.com/group/afl-users)). To compare @@ -133,10 +133,16 @@ Questions? Concerns? Bug reports? The following branches exist: -* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest release -* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability -* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* -* (any other): experimental branches to work on specific features or testing new functionality or changes. +* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest + release +* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of + AFL++ - it is synced from dev from time to time when we are satisfied with its + stability +* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state + of AFL++ - bleeding edge and you might catch a checkout which does not compile + or has a bug. *We only accept PRs in dev!!* +* (any other): experimental branches to work on specific features or testing new + functionality or changes. ## Help wanted diff --git a/TODO.md b/TODO.md index b8ac22ef..04f3abab 100644 --- a/TODO.md +++ b/TODO.md @@ -23,11 +23,10 @@ qemu_mode/frida_mode: - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as there is persistent mode - ## Ideas - LTO/sancov: write current edge to prev_loc and use that information when - using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow - up edge numbers that both following cmp paths have been found and then - disable working on this edge id -> cmplog_intelligence branch - - use cmplog colorization taint result for havoc locations? + using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow up + edge numbers that both following cmp paths have been found and then disable + working on this edge id -> cmplog_intelligence branch + - use cmplog colorization taint result for havoc locations? \ No newline at end of file diff --git a/docs/FAQ.md b/docs/FAQ.md index 671957ef..7869ee61 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -8,35 +8,45 @@ If you find an interesting or important question missing, submit it via
What is the difference between AFL and AFL++?

- AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. + AFL++ is a superior fork to Google's AFL - more speed, more and better + mutations, more and better instrumentation, custom module support, etc. - American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting in 2013/2014, and when he left Google end of 2017 he stopped developing it. + American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting + in 2013/2014, and when he left Google end of 2017 he stopped developing it. At the end of 2019, the Google fuzzing team took over maintenance of AFL, however, it is only accepting PRs from the community and is not developing enhancements anymore. - In the second quarter of 2019, 1 1/2 years later, when no further development of AFL had happened and it became clear there would none be coming, AFL++ was born, where initially community patches were collected and applied for bug fixes and enhancements. - Then from various AFL spin-offs - mostly academic research - features were integrated. - This already resulted in a much advanced AFL. - - Until the end of 2019, the AFL++ team had grown to four active developers which then implemented their own research and features, making it now by far the most flexible and feature rich guided fuzzer available as open source. - And in independent fuzzing benchmarks it is one of the best fuzzers available, e.g., [Fuzzbench Report](https://www.fuzzbench.com/reports/2020-08-03/index.html). + In the second quarter of 2019, 1 1/2 years later, when no further development + of AFL had happened and it became clear there would none be coming, AFL++ was + born, where initially community patches were collected and applied for bug + fixes and enhancements. Then from various AFL spin-offs - mostly academic + research - features were integrated. This already resulted in a much advanced + AFL. + + Until the end of 2019, the AFL++ team had grown to four active developers + which then implemented their own research and features, making it now by far + the most flexible and feature rich guided fuzzer available as open source. And + in independent fuzzing benchmarks it is one of the best fuzzers available, + e.g., [Fuzzbench + Report](https://www.fuzzbench.com/reports/2020-08-03/index.html).

Where can I find tutorials?

- We compiled a list of tutorials and exercises, see [tutorials.md](tutorials.md). + We compiled a list of tutorials and exercises, see + [tutorials.md](tutorials.md).

What is an "edge"?

A program contains `functions`, `functions` contain the compiled machine code. - The compiled machine code in a `function` can be in a single or many `basic blocks`. - A `basic block` is the largest possible number of subsequent machine code - instructions that has exactly one entry point (which can be be entered by + The compiled machine code in a `function` can be in a single or many `basic + blocks`. A `basic block` is the largest possible number of subsequent machine + code instructions that has exactly one entry point (which can be be entered by multiple other basic blocks) and runs linearly without branching or jumping to other addresses (except at the end). @@ -60,7 +70,8 @@ If you find an interesting or important question missing, submit it via Every code block between two jump locations is a `basic block`. - An `edge` is then the unique relationship between two directly connected `basic blocks` (from the code example above): + An `edge` is then the unique relationship between two directly connected + `basic blocks` (from the code example above): ``` Block A @@ -75,8 +86,8 @@ If you find an interesting or important question missing, submit it via Block E ``` - Every line between two blocks is an `edge`. - Note that a few basic block loop to itself, this too would be an edge. + Every line between two blocks is an `edge`. Note that a few basic block loop + to itself, this too would be an edge.

## Targets @@ -86,7 +97,8 @@ If you find an interesting or important question missing, submit it via AFL++ is a great fuzzer if you have the source code available. - However, if there is only the binary program and no source code available, then the standard non-instrumented mode is not effective. + However, if there is only the binary program and no source code available, + then the standard non-instrumented mode is not effective. To learn how these binaries can be fuzzed, read [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md). @@ -97,15 +109,19 @@ If you find an interesting or important question missing, submit it via The short answer is - you cannot, at least not "out of the box". - For more information on fuzzing network services, see [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service). + For more information on fuzzing network services, see + [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service).

How can I fuzz a GUI program?

- Not all GUI programs are suitable for fuzzing. If the GUI program can read the fuzz data from a file without needing any user interaction, then it would be suitable for fuzzing. + Not all GUI programs are suitable for fuzzing. If the GUI program can read the + fuzz data from a file without needing any user interaction, then it would be + suitable for fuzzing. - For more information on fuzzing GUI programs, see [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program). + For more information on fuzzing GUI programs, see + [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program).

## Performance @@ -113,27 +129,33 @@ If you find an interesting or important question missing, submit it via
How can I improve the fuzzing speed?

- There are a few things you can do to improve the fuzzing speed, see [best_practices.md#improving-speed](best_practices.md#improving-speed). + There are a few things you can do to improve the fuzzing speed, see + [best_practices.md#improving-speed](best_practices.md#improving-speed).

Why is my stability below 100%?

- Stability is measured by how many percent of the edges in the target are "stable". - Sending the same input again and again should take the exact same path through the target every time. - If that is the case, the stability is 100%. + Stability is measured by how many percent of the edges in the target are + "stable". Sending the same input again and again should take the exact same + path through the target every time. If that is the case, the stability is + 100%. If, however, randomness happens, e.g., a thread reading other external data, reaction to timing, etc., then in some of the re-executions with the same data the edge coverage result will be different across runs. Those edges that change are then flagged "unstable". - The more "unstable" edges, the more difficult for AFL++ to identify valid new paths. + The more "unstable" edges, the more difficult for AFL++ to identify valid new + paths. - A value above 90% is usually fine and a value above 80% is also still ok, and even a value above 20% can still result in successful finds of bugs. - However, it is recommended that for values below 90% or 80% you should take countermeasures to improve stability. + A value above 90% is usually fine and a value above 80% is also still ok, and + even a value above 20% can still result in successful finds of bugs. However, + it is recommended that for values below 90% or 80% you should take + countermeasures to improve stability. - For more information on stability and how to improve the stability value, see [best_practices.md#improving-stability](best_practices.md#improving-stability). + For more information on stability and how to improve the stability value, see + [best_practices.md#improving-stability](best_practices.md#improving-stability).

## Troubleshooting @@ -141,7 +163,8 @@ If you find an interesting or important question missing, submit it via
I got a weird compile error from clang.

- If you see this kind of error when trying to instrument a target with afl-cc/afl-clang-fast/afl-clang-lto: + If you see this kind of error when trying to instrument a target with + afl-cc/afl-clang-fast/afl-clang-lto: ``` /prg/tmp/llvm-project/build/bin/clang-13: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv @@ -155,7 +178,8 @@ If you find an interesting or important question missing, submit it via ******************** ``` - Then this means that your OS updated the clang installation from an upgrade package and because of that the AFL++ llvm plugins do not match anymore. + Then this means that your OS updated the clang installation from an upgrade + package and because of that the AFL++ llvm plugins do not match anymore. Solution: `git pull ; make clean install` of AFL++.

\ No newline at end of file diff --git a/docs/INSTALL.md b/docs/INSTALL.md index c1e22e36..08d3283e 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -3,7 +3,8 @@ ## Linux on x86 An easy way to install AFL++ with everything compiled is available via docker: -You can use the [Dockerfile](../Dockerfile) (which has gcc-10 and clang-11 - hence afl-clang-lto is available!) or just pull directly from the Docker Hub: +You can use the [Dockerfile](../Dockerfile) (which has gcc-10 and clang-11 - +hence afl-clang-lto is available!) or just pull directly from the Docker Hub: ```shell docker pull aflplusplus/aflplusplus @@ -13,8 +14,8 @@ docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus This image is automatically generated when a push to the stable repo happens. You will find your target source code in /src in the container. -If you want to build AFL++ yourself, you have many options. -The easiest choice is to build and install everything: +If you want to build AFL++ yourself, you have many options. The easiest choice +is to build and install everything: ```shell sudo apt-get update @@ -29,10 +30,13 @@ make distrib sudo make install ``` -It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! +It is recommended to install the newest available gcc, clang and llvm-dev +possible in your distribution! -Note that "make distrib" also builds instrumentation, qemu_mode, unicorn_mode and more. -If you just want plain AFL++, then do "make all". However, compiling and using at least instrumentation is highly recommended for much better results - hence in this case choose: +Note that "make distrib" also builds instrumentation, qemu_mode, unicorn_mode +and more. If you just want plain AFL++, then do "make all". However, compiling +and using at least instrumentation is highly recommended for much better results +- hence in this case choose: ```shell make source-only @@ -41,19 +45,25 @@ make source-only These build targets exist: * all: just the main AFL++ binaries -* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap -* source-only: everything for source code fuzzing: instrumentation, libdislocator, libtokencap +* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, + libdislocator, libtokencap +* source-only: everything for source code fuzzing: instrumentation, + libdislocator, libtokencap * distrib: everything (for both binary-only and source code fuzzing) * man: creates simple man pages from the help option of the programs * install: installs everything you have compiled with the build options above * clean: cleans everything compiled, not downloads (unless not on a checkout) * deepclean: cleans everything including downloads * code-format: format the code, do this before you commit and send a PR please! -* tests: runs test cases to ensure that all features are still working as they should +* tests: runs test cases to ensure that all features are still working as they + should * unit: perform unit tests (based on cmocka) * help: shows these build options -[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), you can also build statically linked versions of the AFL++ binaries by passing the `STATIC=1` argument to make: +[Unless you are on Mac OS +X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), you can +also build statically linked versions of the AFL++ binaries by passing the +`STATIC=1` argument to make: ```shell make STATIC=1 @@ -67,7 +77,8 @@ These build options exist: * PROFILING - compile with profiling information (gprof) * INTROSPECTION - compile afl-fuzz with mutation introspection * NO_PYTHON - disable python support -* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing +* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for + normal fuzzing * AFL_NO_X86 - if compiling on non-intel/amd platforms * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian) @@ -76,15 +87,17 @@ e.g.: `make ASAN_BUILD=1` ## MacOS X on x86 and arm64 (M1) -MacOS X should work, but there are some gotchas due to the idiosyncrasies of the platform. -On top of this, we have limited release testing capabilities and depend mostly on user feedback. +MacOS X should work, but there are some gotchas due to the idiosyncrasies of the +platform. On top of this, we have limited release testing capabilities and +depend mostly on user feedback. -To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. -If possible, avoid Xcode at all cost. +To build AFL, install llvm (and perhaps gcc) from brew and follow the general +instructions for Linux. If possible, avoid Xcode at all cost. `brew install wget git make cmake llvm gdb` -Be sure to setup `PATH` to point to the correct clang binaries and use the freshly installed clang, clang++ and gmake, e.g.: +Be sure to setup `PATH` to point to the correct clang binaries and use the +freshly installed clang, clang++ and gmake, e.g.: ``` export PATH="/usr/local/Cellar/llvm/12.0.1/bin/:$PATH" @@ -97,20 +110,20 @@ cd .. gmake install ``` -`afl-gcc` will fail unless you have GCC installed, but that is using outdated instrumentation anyway. -You don't want that. -Note that `afl-clang-lto`, `afl-gcc-fast` and `qemu_mode` are not working on MacOS. +`afl-gcc` will fail unless you have GCC installed, but that is using outdated +instrumentation anyway. You don't want that. Note that `afl-clang-lto`, +`afl-gcc-fast` and `qemu_mode` are not working on MacOS. -The crash reporting daemon that comes by default with MacOS X will cause problems with fuzzing. -You need to turn it off: +The crash reporting daemon that comes by default with MacOS X will cause +problems with fuzzing. You need to turn it off: ``` launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist ``` -The `fork()` semantics on OS X are a bit unusual compared to other unix systems and definitely don't look POSIX-compliant. -This means two things: +The `fork()` semantics on OS X are a bit unusual compared to other unix systems +and definitely don't look POSIX-compliant. This means two things: - Fuzzing will be probably slower than on Linux. In fact, some folks report considerable performance gains by running the jobs inside a Linux VM on @@ -119,11 +132,13 @@ This means two things: forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the environment before starting afl-fuzz. -User emulation mode of QEMU does not appear to be supported on MacOS X, so black-box instrumentation mode (`-Q`) will not work. -However, Frida mode (`-O`) should work on x86 and arm64 MacOS boxes. +User emulation mode of QEMU does not appear to be supported on MacOS X, so +black-box instrumentation mode (`-Q`) will not work. However, Frida mode (`-O`) +should work on x86 and arm64 MacOS boxes. -MacOS X supports SYSV shared memory used by AFL's instrumentation, but the default settings aren't usable with AFL++. -The default settings on 10.14 seem to be: +MacOS X supports SYSV shared memory used by AFL's instrumentation, but the +default settings aren't usable with AFL++. The default settings on 10.14 seem to +be: ```bash $ ipcs -M @@ -136,14 +151,16 @@ shminfo: shmall: 1024 (max amount of shared memory in pages) ``` -To temporarily change your settings to something minimally usable with AFL++, run these commands as root: +To temporarily change your settings to something minimally usable with AFL++, +run these commands as root: ```bash sysctl kern.sysv.shmmax=8388608 sysctl kern.sysv.shmall=4096 ``` -If you're running more than one instance of AFL, you likely want to make `shmall` bigger and increase `shmseg` as well: +If you're running more than one instance of AFL, you likely want to make +`shmall` bigger and increase `shmseg` as well: ```bash sysctl kern.sysv.shmmax=8388608 @@ -151,4 +168,6 @@ sysctl kern.sysv.shmseg=48 sysctl kern.sysv.shmall=98304 ``` -See [https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent. \ No newline at end of file +See +[https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) +for documentation for these settings and how to make them permanent. \ No newline at end of file diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index fefde029..3804f5a0 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -445,8 +445,8 @@ involve any state transitions not seen in previously-recorded faults. If a single bug can be reached in multiple ways, there will be some count inflation early in the process, but this should quickly taper off. -The file names for crashes and hangs are correlated with the parent, non-faulting -queue entries. This should help with debugging. +The file names for crashes and hangs are correlated with the parent, +non-faulting queue entries. This should help with debugging. ## Visualizing diff --git a/docs/best_practices.md b/docs/best_practices.md index 6a406bde..e6b252f6 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -18,7 +18,8 @@ ### Fuzzing a target with source code available -To learn how to fuzz a target if source code is available, see [fuzzing_in_depth.md](fuzzing_in_depth.md). +To learn how to fuzz a target if source code is available, see +[fuzzing_in_depth.md](fuzzing_in_depth.md). ### Fuzzing a binary-only target @@ -27,11 +28,16 @@ For a comprehensive guide, see ### Fuzzing a GUI program -If the GUI program can read the fuzz data from a file (via the command line, a fixed location or via an environment variable) without needing any user interaction, then it would be suitable for fuzzing. +If the GUI program can read the fuzz data from a file (via the command line, a +fixed location or via an environment variable) without needing any user +interaction, then it would be suitable for fuzzing. -Otherwise, it is not possible without modifying the source code - which is a very good idea anyway as the GUI functionality is a huge CPU/time overhead for the fuzzing. +Otherwise, it is not possible without modifying the source code - which is a +very good idea anyway as the GUI functionality is a huge CPU/time overhead for +the fuzzing. -So create a new `main()` that just reads the test case and calls the functionality for processing the input that the GUI program is using. +So create a new `main()` that just reads the test case and calls the +functionality for processing the input that the GUI program is using. ### Fuzzing a network service @@ -40,13 +46,16 @@ Fuzzing a network service does not work "out of the box". Using a network channel is inadequate for several reasons: - it has a slow-down of x10-20 on the fuzzing speed - it does not scale to fuzzing multiple instances easily, -- instead of one initial data packet often a back-and-forth interplay of packets is needed for stateful protocols (which is totally unsupported by most coverage aware fuzzers). +- instead of one initial data packet often a back-and-forth interplay of packets + is needed for stateful protocols (which is totally unsupported by most + coverage aware fuzzers). -The established method to fuzz network services is to modify the source code -to read from a file or stdin (fd 0) (or even faster via shared memory, combine -this with persistent mode [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) -and you have a performance gain of x10 instead of a performance loss of over -x10 - that is a x100 difference!). +The established method to fuzz network services is to modify the source code to +read from a file or stdin (fd 0) (or even faster via shared memory, combine this +with persistent mode +[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) +and you have a performance gain of x10 instead of a performance loss of over x10 +- that is a x100 difference!). If modifying the source is not an option (e.g., because you only have a binary and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD @@ -64,13 +73,25 @@ allows you to define network state with different type of data packets. ### Improving speed -1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended). -2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase). -3. Instrument just what you are interested in, see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). -4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md). -5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure). -6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem. -7. Use your cores ([fuzzing_in_depth.md:3c) Using multiple cores](fuzzing_in_depth.md#c-using-multiple-cores))! +1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= + 11) or afl-clang-fast (llvm >= 9 recommended). +2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 + speed increase). +3. Instrument just what you are interested in, see + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). +4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input + file directory on a tempfs location, see + [env_variables.md](env_variables.md). +5. Improve Linux kernel performance: modify `/etc/default/grub`, set + `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off + mitigations=off no_stf_barrier noibpb noibrs nopcid nopti + nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off + spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then + `update-grub` and `reboot` (warning: makes the system less secure). +6. Running on an `ext2` filesystem with `noatime` mount option will be a bit + faster than on any other journaling filesystem. +7. Use your cores + ([fuzzing_in_depth.md:3c) Using multiple cores](fuzzing_in_depth.md#c-using-multiple-cores))! ### Improving stability @@ -78,46 +99,60 @@ For fuzzing a 100% stable target that covers all edges is the best case. A 90% stable target that covers all edges is, however, better than a 100% stable target that ignores 10% of the edges. -With instability, you basically have a partial coverage loss on an edge, with ignored functions you have a full loss on that edges. +With instability, you basically have a partial coverage loss on an edge, with +ignored functions you have a full loss on that edges. There are functions that are unstable, but also provide value to coverage, e.g., init functions that use fuzz data as input. If, however, a function that has nothing to do with the input data is the source of instability, e.g., checking jitter, or is a hash map function etc., then it should not be instrumented. -To be able to exclude these functions (based on AFL++'s measured stability), the following process will allow to identify functions with variable edges. +To be able to exclude these functions (based on AFL++'s measured stability), the +following process will allow to identify functions with variable edges. -Four steps are required to do this and it also requires quite some knowledge of coding and/or disassembly and is effectively possible only with `afl-clang-fast` `PCGUARD` and `afl-clang-lto` `LTO` instrumentation. +Four steps are required to do this and it also requires quite some knowledge of +coding and/or disassembly and is effectively possible only with `afl-clang-fast` +`PCGUARD` and `afl-clang-lto` `LTO` instrumentation. 1. Instrument to be able to find the responsible function(s): - a) For LTO instrumented binaries, this can be documented during compile time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/a/file`. - This file will have one assigned edge ID and the corresponding function per line. - - b) For PCGUARD instrumented binaries, it is much more difficult. Here you can either modify the `__sanitizer_cov_trace_pc_guard` function in `instrumentation/afl-llvm-rt.o.c` to write a backtrace to a file if the ID in `__afl_area_ptr[*guard]` is one of the unstable edge IDs. - (Example code is already there). - Then recompile and reinstall `llvm_mode` and rebuild your target. - Run the recompiled target with `afl-fuzz` for a while and then check the file that you wrote with the backtrace information. - Alternatively, you can use `gdb` to hook `__sanitizer_cov_trace_pc_guard_init` on start, check to which memory address the edge ID value is written, and set a write breakpoint to that address (`watch 0x.....`). - - c) In other instrumentation types, this is not possible. - So just recompile with the two mentioned above. - This is just for identifying the functions that have unstable edges. + a) For LTO instrumented binaries, this can be documented during compile + time, just set `export AFL_LLVM_DOCUMENT_IDS=/path/to/a/file`. This file + will have one assigned edge ID and the corresponding function per line. + + b) For PCGUARD instrumented binaries, it is much more difficult. Here you + can either modify the `__sanitizer_cov_trace_pc_guard` function in + `instrumentation/afl-llvm-rt.o.c` to write a backtrace to a file if the + ID in `__afl_area_ptr[*guard]` is one of the unstable edge IDs. (Example + code is already there). Then recompile and reinstall `llvm_mode` and + rebuild your target. Run the recompiled target with `afl-fuzz` for a + while and then check the file that you wrote with the backtrace + information. Alternatively, you can use `gdb` to hook + `__sanitizer_cov_trace_pc_guard_init` on start, check to which memory + address the edge ID value is written, and set a write breakpoint to that + address (`watch 0x.....`). + + c) In other instrumentation types, this is not possible. So just recompile + with the two mentioned above. This is just for identifying the functions + that have unstable edges. 2. Identify which edge ID numbers are unstable. Run the target with `export AFL_DEBUG=1` for a few minutes then terminate. The out/fuzzer_stats file will then show the edge IDs that were identified - as unstable in the `var_bytes` entry. You can match these numbers - directly to the data you created in the first step. - Now you know which functions are responsible for the instability + as unstable in the `var_bytes` entry. You can match these numbers directly + to the data you created in the first step. Now you know which functions are + responsible for the instability 3. Create a text file with the filenames/functions - Identify which source code files contain the functions that you need to remove from instrumentation, or just specify the functions you want to skip for instrumentation. - Note that optimization might inline functions! + Identify which source code files contain the functions that you need to + remove from instrumentation, or just specify the functions you want to skip + for instrumentation. Note that optimization might inline functions! + + Follow this document on how to do this: + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). - Follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). If `PCGUARD` is used, then you need to follow this guide (needs llvm 12+!): [https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) @@ -132,4 +167,5 @@ Four steps are required to do this and it also requires quite some knowledge of Recompile, fuzz it, be happy :) - This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677). + This link explains this process for + [Fuzzbench](https://github.com/google/fuzzbench/issues/677). \ No newline at end of file diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 6bee5413..2a77db82 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -4,13 +4,13 @@ This file describes how you can implement custom mutations to be used in AFL. For now, we support C/C++ library and Python module, collectivelly named as the custom mutator. -There is also experimental support for Rust in `custom_mutators/rust`. -For documentation, refer to that directory. -Run ```cargo doc -p custom_mutator --open``` in that directory to view the -documentation in your web browser. +There is also experimental support for Rust in `custom_mutators/rust`. For +documentation, refer to that directory. Run `cargo doc -p custom_mutator --open` +in that directory to view the documentation in your web browser. Implemented by -- C/C++ library (`*.so`): Khaled Yakdan from Code Intelligence () +- C/C++ library (`*.so`): Khaled Yakdan from Code Intelligence + () - Python module: Christian Holler from Mozilla () ## 1) Introduction @@ -29,7 +29,8 @@ export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mu For details, see [APIs](#2-apis) and [Usage](#3-usage). -The custom mutation stage is set to be the first non-deterministic stage (right before the havoc stage). +The custom mutation stage is set to be the first non-deterministic stage (right +before the havoc stage). Note: If `AFL_CUSTOM_MUTATOR_ONLY` is set, all mutations will solely be performed with the custom mutator. @@ -103,7 +104,8 @@ def deinit(): # optional for Python - `init`: - This method is called when AFL++ starts up and is used to seed RNG and set up buffers and state. + This method is called when AFL++ starts up and is used to seed RNG and set + up buffers and state. - `queue_get` (optional): @@ -121,18 +123,17 @@ def deinit(): # optional for Python - `fuzz` (optional): This method performs custom mutations on a given input. It also accepts an - additional test case. - Note that this function is optional - but it makes sense to use it. - You would only skip this if `post_process` is used to fix checksums etc. - so if you are using it, e.g., as a post processing library. + additional test case. Note that this function is optional - but it makes + sense to use it. You would only skip this if `post_process` is used to fix + checksums etc. so if you are using it, e.g., as a post processing library. Note that a length > 0 *must* be returned! - `describe` (optional): When this function is called, it shall describe the current test case, - generated by the last mutation. This will be called, for example, - to name the written test case file after a crash occurred. - Using it can help to reproduce crashing mutations. + generated by the last mutation. This will be called, for example, to name + the written test case file after a crash occurred. Using it can help to + reproduce crashing mutations. - `havoc_mutation` and `havoc_mutation_probability` (optional): @@ -144,21 +145,21 @@ def deinit(): # optional for Python - `post_process` (optional): For some cases, the format of the mutated data returned from the custom - mutator is not suitable to directly execute the target with this input. - For example, when using libprotobuf-mutator, the data returned is in a - protobuf format which corresponds to a given grammar. In order to execute - the target, the protobuf data must be converted to the plain-text format - expected by the target. In such scenarios, the user can define the - `post_process` function. This function is then transforming the data into the - format expected by the API before executing the target. + mutator is not suitable to directly execute the target with this input. For + example, when using libprotobuf-mutator, the data returned is in a protobuf + format which corresponds to a given grammar. In order to execute the target, + the protobuf data must be converted to the plain-text format expected by the + target. In such scenarios, the user can define the `post_process` function. + This function is then transforming the data into the format expected by the + API before executing the target. This can return any python object that implements the buffer protocol and supports PyBUF_SIMPLE. These include bytes, bytearray, etc. - `queue_new_entry` (optional): - This methods is called after adding a new test case to the queue. - If the contents of the file was changed return True, False otherwise. + This methods is called after adding a new test case to the queue. If the + contents of the file was changed, return True, False otherwise. - `introspection` (optional): @@ -170,8 +171,8 @@ def deinit(): # optional for Python The last method to be called, deinitializing the state. -Note that there are also three functions for trimming as described in the -next section. +Note that there are also three functions for trimming as described in the next +section. ### Trimming Support @@ -179,8 +180,8 @@ The generic trimming routines implemented in AFL++ can easily destroy the structure of complex formats, possibly leading to a point where you have a lot of test cases in the queue that your Python module cannot process anymore but your target application still accepts. This is especially the case when your -target can process a part of the input (causing coverage) and then errors out -on the remaining input. +target can process a part of the input (causing coverage) and then errors out on +the remaining input. In such cases, it makes sense to implement a custom trimming routine. The API consists of multiple methods because after each trimming step, we have to go @@ -213,10 +214,10 @@ trimmed input. Here's a quick API description: - `post_trim` (optional) This method is called after each trim operation to inform you if your - trimming step was successful or not (in terms of coverage). If you receive - a failure here, you should reset your input to the last known good state. - In any case, this method must return the next trim iteration index (from 0 - to the maximum amount of steps you returned in `init_trim`). + trimming step was successful or not (in terms of coverage). If you receive a + failure here, you should reset your input to the last known good state. In + any case, this method must return the next trim iteration index (from 0 to + the maximum amount of steps you returned in `init_trim`). Omitting any of three trimming methods will cause the trimming to be disabled and trigger a fallback to the built-in default trimming routine. @@ -227,10 +228,10 @@ Optionally, the following environment variables are supported: - `AFL_CUSTOM_MUTATOR_ONLY` - Disable all other mutation stages. This can prevent broken test cases - (those that your Python module can't work with anymore) to fill up your - queue. Best combined with a custom trimming routine (see below) because - trimming can cause the same test breakage like havoc and splice. + Disable all other mutation stages. This can prevent broken test cases (those + that your Python module can't work with anymore) to fill up your queue. Best + combined with a custom trimming routine (see below) because trimming can + cause the same test breakage like havoc and splice. - `AFL_PYTHON_ONLY` @@ -270,9 +271,10 @@ For C/C++ mutators, the source code must be compiled as a shared object: ```bash gcc -shared -Wall -O3 example.c -o example.so ``` -Note that if you specify multiple custom mutators, the corresponding functions will -be called in the order in which they are specified. e.g first `post_process` function of -`example_first.so` will be called and then that of `example_second.so`. +Note that if you specify multiple custom mutators, the corresponding functions +will be called in the order in which they are specified. e.g first +`post_process` function of `example_first.so` will be called and then that of +`example_second.so`. ### Run @@ -300,4 +302,4 @@ See [example.c](../custom_mutators/examples/example.c) and - [bruce30262/libprotobuf-mutator_fuzzing_learning](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator) - [thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) - [XML Fuzzing@NullCon 2017](https://www.agarri.fr/docs/XML_Fuzzing-NullCon2017-PUBLIC.pdf) - - [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663) + - [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663) \ No newline at end of file diff --git a/docs/env_variables.md b/docs/env_variables.md index 771bf157..3f7bdadb 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -590,79 +590,81 @@ the preferred way to configure FRIDA mode is through its * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` * `AFL_FRIDA_DRIVER_NO_HOOK` - See `AFL_QEMU_DRIVER_NO_HOOK`. When using the -QEMU driver to provide a `main` loop for a user provided -`LLVMFuzzerTestOneInput`, this option configures the driver to read input from -`stdin` rather than using in-memory test cases. + QEMU driver to provide a `main` loop for a user provided + `LLVMFuzzerTestOneInput`, this option configures the driver to read input from + `stdin` rather than using in-memory test cases. * `AFL_FRIDA_EXCLUDE_RANGES` - See `AFL_QEMU_EXCLUDE_RANGES` * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRio format coverage -information (e.g., to be loaded within IDA lighthouse). + information (e.g., to be loaded within IDA lighthouse). * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks -and their instrumented counterparts during block compilation. + and their instrumented counterparts during block compilation. * `AFL_FRIDA_INST_JIT` - Enable the instrumentation of Just-In-Time compiled -code. Code is considered to be JIT if the executable segment is not backed by a -file. + code. Code is considered to be JIT if the executable segment is not backed by + a file. * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage -instrumentation (the default where available). Required to use -`AFL_FRIDA_INST_TRACE`. + instrumentation (the default where available). Required to use + `AFL_FRIDA_INST_TRACE`. * `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing -each block, control will return to FRIDA to identify the next block to execute. + each block, control will return to FRIDA to identify the next block to + execute. * `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will -report instrumented blocks back to the parent so that it can also instrument -them and they be inherited by the next child on fork, implies -`AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. + report instrumented blocks back to the parent so that it can also instrument + them and they be inherited by the next child on fork, implies + `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. * `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH` - Disable prefetching of stalker -backpatching information. By default the child will report applied backpatches -to the parent so that they can be applied and then be inherited by the next -child on fork. + backpatching information. By default the child will report applied backpatches + to the parent so that they can be applied and then be inherited by the next + child on fork. * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to -generate block (and hence edge) IDs. Setting this to a constant value may be -useful for debugging purposes, e.g., investigating unstable edges. -* `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, -implies `AFL_FRIDA_INST_NO_OPTIMIZE`. + generate block (and hence edge) IDs. Setting this to a constant value may be + useful for debugging purposes, e.g., investigating unstable edges. +* `AFL_FRIDA_INST_TRACE` - Log to stdout the address of executed blocks, implies + `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_TRACE_UNIQUE` - As per `AFL_FRIDA_INST_TRACE`, but each edge -is logged only once, requires `AFL_FRIDA_INST_NO_OPTIMIZE`. + is logged only once, requires `AFL_FRIDA_INST_NO_OPTIMIZE`. * `AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE` - File to write DynamoRio format -coverage information for unstable edges (e.g., to be loaded within IDA -lighthouse). + coverage information for unstable edges (e.g., to be loaded within IDA + lighthouse). * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting -engine. See [here](Scripting.md) for details. + engine. See [here](Scripting.md) for details. * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target -application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) + application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target -application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) + application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) * `AFL_FRIDA_PERSISTENT_ADDR` - See `AFL_QEMU_PERSISTENT_ADDR` * `AFL_FRIDA_PERSISTENT_CNT` - See `AFL_QEMU_PERSISTENT_CNT` * `AFL_FRIDA_PERSISTENT_DEBUG` - Insert a Breakpoint into the instrumented code -at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the user -to detect issues in the persistent loop using a debugger. + at `AFL_FRIDA_PERSISTENT_HOOK` and `AFL_FRIDA_PERSISTENT_RET` to allow the + user to detect issues in the persistent loop using a debugger. * `AFL_FRIDA_PERSISTENT_HOOK` - See `AFL_QEMU_PERSISTENT_HOOK` * `AFL_FRIDA_PERSISTENT_RET` - See `AFL_QEMU_PERSISTENT_RET` * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to -the specified file. + the specified file. * `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks - to fetch when generating instrumented code. By fetching blocks in the same - order they appear in the original program, rather than the order of execution - should help reduce locallity and adjacency. This includes allowing us to vector - between adjancent blocks using a NOP slide rather than an immediate branch. + to fetch when generating instrumented code. By fetching blocks in the same + order they appear in the original program, rather than the order of execution + should help reduce locallity and adjacency. This includes allowing us to + vector between adjancent blocks using a NOP slide rather than an immediate + branch. * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries -stored along-side branch instructions which provide a cache to avoid having to -call back into FRIDA to find the next block. Default is 32. + stored along-side branch instructions which provide a cache to avoid having to + call back into FRIDA to find the next block. Default is 32. * `AFL_FRIDA_STATS_FILE` - Write statistics information about the code being -instrumented to the given file name. The statistics are written only for the -child process when new block is instrumented (when the -`AFL_FRIDA_STATS_INTERVAL` has expired). Note that just because a new path is -found does not mean a new block needs to be compiled. It could be that -the existing blocks instrumented have been executed in a different order. + instrumented to the given file name. The statistics are written only for the + child process when new block is instrumented (when the + `AFL_FRIDA_STATS_INTERVAL` has expired). Note that just because a new path is + found does not mean a new block needs to be compiled. It could be that the + existing blocks instrumented have been executed in a different order. * `AFL_FRIDA_STATS_INTERVAL` - The maximum frequency to output statistics -information. Stats will be written whenever they are updated if the given -interval has elapsed since last time they were written. + information. Stats will be written whenever they are updated if the given + interval has elapsed since last time they were written. * `AFL_FRIDA_TRACEABLE` - Set the child process to be traceable by any process -to aid debugging and overcome the restrictions imposed by YAMA. Supported on -Linux only. Permits a non-root user to use `gcore` or similar to collect a core -dump of the instrumented target. Note that in order to capture the core dump you -must set a sufficient timeout (using `-t`) to avoid `afl-fuzz` killing the -process whilst it is being dumped. + to aid debugging and overcome the restrictions imposed by YAMA. Supported on + Linux only. Permits a non-root user to use `gcore` or similar to collect a + core dump of the instrumented target. Note that in order to capture the core + dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz` + killing the process whilst it is being dumped. ## 8) Settings for afl-cmin diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index a786fd8b..b3d9ca02 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -84,7 +84,8 @@ Wine, python3, and the pefile python package installed. It is included in AFL++. -For more information, see [qemu_mode/README.wine.md](../qemu_mode/README.wine.md). +For more information, see +[qemu_mode/README.wine.md](../qemu_mode/README.wine.md). ### Frida_mode @@ -169,7 +170,8 @@ Fore more information, see ## Binary rewriters -An alternative solution are binary rewriters. They are faster then the solutions native to AFL++ but don't always work. +An alternative solution are binary rewriters. They are faster then the solutions +native to AFL++ but don't always work. ### ZAFL ZAFL is a static rewriting platform supporting x86-64 C/C++, diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index d408aa91..9611d6b7 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -259,6 +259,7 @@ Then build the target. (Usually with `make`) #### configure For `configure` build systems this is usually done by: + `CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` Note that if you are using the (better) afl-clang-lto compiler you also have to @@ -268,6 +269,7 @@ described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). #### cmake For `cmake` build systems this is usually done by: + `mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..` Note that if you are using the (better) afl-clang-lto compiler you also have to @@ -307,8 +309,8 @@ it for a hobby and not professionally :-). ### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() -libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard -for fuzzing, and they can be used with AFL++ (and honggfuzz) as well! +libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard for +fuzzing, and they can be used with AFL++ (and honggfuzz) as well! Compiling them is as simple as: @@ -358,8 +360,11 @@ Put all files from step a) into one directory, e.g., INPUTS. If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` the run afl-cmin like this: + `afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` -Note that the INPUTFILE argument that the target program would read from has to be set as `@@`. + +Note that the INPUTFILE argument that the target program would read from has to +be set as `@@`. If the target reads from stdin instead, just omit the `@@` as this is the default. @@ -420,22 +425,25 @@ as test data in there. If you do not want anything special, the defaults are already usually best, hence all you need is to specify the seed input directory with the result of step [2a) Collect inputs](#a-collect-inputs): + `afl-fuzz -i input -o output -- bin/target -d @@` -Note that the directory specified with -o will be created if it does not exist. + +Note that the directory specified with `-o` will be created if it does not +exist. It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off, or afl-fuzz is not aborted if you are running it in a remote ssh session where -the connection fails in between. -Only do that though once you have verified that your fuzzing setup works! -Run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...` -and it will start away in a screen session. To enter this session, type -`screen -r afl-main`. You see - it makes sense to name the screen session -same as the afl-fuzz -M/-S naming :-) -For more information on screen or tmux, check their documentation. +the connection fails in between. Only do that though once you have verified that +your fuzzing setup works! Run it like `screen -dmS afl-main -- afl-fuzz -M +main-$HOSTNAME -i ...` and it will start away in a screen session. To enter this +session, type `screen -r afl-main`. You see - it makes sense to name the screen +session same as the afl-fuzz -M/-S naming :-) For more information on screen or +tmux, check their documentation. If you need to stop and re-start the fuzzing, use the same command line options (or even change them by selecting a different power schedule or another mutation mode!) and switch the input directory with a dash (`-`): + `afl-fuzz -i - -o output -- bin/target -d @@` Adding a dictionary is helpful. See the directory @@ -457,12 +465,13 @@ handling in the target. Play around with various -m values until you find one that safely works for all your input seeds (if you have good ones and then double or quadruple that. -By default afl-fuzz never stops fuzzing. To terminate AFL++, press -Control-C or send a signal SIGINT. You can limit the number of executions or -approximate runtime in seconds with options also. +By default afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or +send a signal SIGINT. You can limit the number of executions or approximate +runtime in seconds with options also. When you start afl-fuzz you will see a user interface that shows what the status is: + ![resources/screenshot.png](resources/screenshot.png) All labels are explained in [status_screen.md](status_screen.md). @@ -528,8 +537,8 @@ All other secondaries should be used like this: Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases from other fuzzers in the campaign first. -If you have a large corpus, a corpus from a previous run or are fuzzing in -a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. +If you have a large corpus, a corpus from a previous run or are fuzzing in a CI, +then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. You can also use different fuzzers. If you are using AFL spinoffs or AFL conforming fuzzers, then just use the same -o directory and give it a unique @@ -553,11 +562,10 @@ recommended! ### d) Using multiple machines for fuzzing -Maybe you have more than one machine you want to fuzz the same target on. -Start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...) -orchestra as you like, just ensure that your have one and only one `-M` -instance per server, and that its name is unique, hence the recommendation -for `-M main-$HOSTNAME`. +Maybe you have more than one machine you want to fuzz the same target on. Start +the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...) orchestra as you like, +just ensure that your have one and only one `-M` instance per server, and that +its name is unique, hence the recommendation for `-M main-$HOSTNAME`. Now there are three strategies on how you can sync between the servers: * never: sounds weird, but this makes every server an island and has the chance diff --git a/docs/ideas.md b/docs/ideas.md index 8193983b..1a578313 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -1,31 +1,29 @@ # Ideas for AFL++ -In the following, we describe a variety of ideas that could be implemented -for future AFL++ versions. +In the following, we describe a variety of ideas that could be implemented for +future AFL++ versions. ## Analysis software -Currently analysis is done by using afl-plot, which is rather outdated. -A GTK or browser tool to create run-time analysis based on fuzzer_stats, -queue/id* information and plot_data that allows for zooming in and out, -changing min/max display values etc. and doing that for a single run, -different runs and campaigns vs campaigns. -Interesting values are execs, and execs/s, edges discovered (total, when -each edge was discovered and which other fuzzer share finding that edge), -test cases executed. -It should be clickable which value is X and Y axis, zoom factor, log scaling -on-off, etc. +Currently analysis is done by using afl-plot, which is rather outdated. A GTK or +browser tool to create run-time analysis based on fuzzer_stats, queue/id* +information and plot_data that allows for zooming in and out, changing min/max +display values etc. and doing that for a single run, different runs and +campaigns vs campaigns. Interesting values are execs, and execs/s, edges +discovered (total, when each edge was discovered and which other fuzzer share +finding that edge), test cases executed. It should be clickable which value is X +and Y axis, zoom factor, log scaling on-off, etc. Mentor: vanhauser-thc ## WASM Instrumentation Currently, AFL++ can be used for source code fuzzing and traditional binaries. -With the rise of WASM as compile target, however, a novel way of -instrumentation needs to be implemented for binaries compiled to Webassembly. -This can either be done by inserting instrumentation directly into the -WASM AST, or by patching feedback into a WASM VMs of choice, similar to -the current Unicorn instrumentation. +With the rise of WASM as compile target, however, a novel way of instrumentation +needs to be implemented for binaries compiled to Webassembly. This can either be +done by inserting instrumentation directly into the WASM AST, or by patching +feedback into a WASM VMs of choice, similar to the current Unicorn +instrumentation. Mentor: any @@ -34,25 +32,26 @@ Mentor: any Other programming languages also use llvm hence they could (easily?) supported for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ... -GCC also supports: Objective-C, Fortran, Ada, Go, and D -(according to [Gcc homepage](https://gcc.gnu.org/)) +GCC also supports: Objective-C, Fortran, Ada, Go, and D (according to +[Gcc homepage](https://gcc.gnu.org/)) -LLVM is also used by: Rust, LLGo (Go), kaleidoscope (Haskell), flang (Fortran), emscripten (JavaScript, WASM), ilwasm (CIL (C#)) -(according to [LLVM frontends](https://gist.github.com/axic/62d66fb9d8bccca6cc48fa9841db9241)) +LLVM is also used by: Rust, LLGo (Go), kaleidoscope (Haskell), flang (Fortran), +emscripten (JavaScript, WASM), ilwasm (CIL (C#)) (according to +[LLVM frontends](https://gist.github.com/axic/62d66fb9d8bccca6cc48fa9841db9241)) Mentor: vanhauser-thc ## Machine Learning -Something with machine learning, better than [NEUZZ](https://github.com/dongdongshe/neuzz) :-) -Either improve a single mutator thorugh learning of many different bugs -(a bug class) or gather deep insights about a single target beforehand -(CFG, DFG, VFG, ...?) and improve performance for a single target. +Something with machine learning, better than +[NEUZZ](https://github.com/dongdongshe/neuzz) :-) Either improve a single +mutator thorugh learning of many different bugs (a bug class) or gather deep +insights about a single target beforehand (CFG, DFG, VFG, ...?) and improve +performance for a single target. Mentor: domenukk ## Your idea! -Finally, we are open to proposals! -Create an issue at https://github.com/AFLplusplus/AFLplusplus/issues and let's discuss :-) - +Finally, we are open to proposals! Create an issue at +https://github.com/AFLplusplus/AFLplusplus/issues and let's discuss :-) \ No newline at end of file diff --git a/docs/important_changes.md b/docs/important_changes.md index 82de054f..9d4523e8 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -1,6 +1,7 @@ # Important changes in AFL++ -This document lists important changes in AFL++, for example, major behavior changes. +This document lists important changes in AFL++, for example, major behavior +changes. ## From version 3.00 onwards @@ -10,8 +11,8 @@ iOS etc. With AFL++ 3.15 we introduced the following changes from previous behaviors: * Also -M main mode does not do deterministic fuzzing by default anymore - * afl-cmin and afl-showmap -Ci now descent into subdirectories like - afl-fuzz -i does (but note that afl-cmin.bash does not) + * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz + -i does (but note that afl-cmin.bash does not) With AFL++ 3.14 we introduced the following changes from previous behaviors: * afl-fuzz: deterministic fuzzing it not a default for -M main anymore @@ -31,22 +32,22 @@ behaviors and defaults: * The gcc_plugin was replaced with a new version submitted by AdaCore that supports more features. Thank you! * qemu_mode got upgraded to QEMU 5.1, but to be able to build this a current - ninja build tool version and python3 setuptools are required. - qemu_mode also got new options like snapshotting, instrumenting specific - shared libraries, etc. Additionally QEMU 5.1 supports more CPU targets so - this is really worth it. + ninja build tool version and python3 setuptools are required. qemu_mode also + got new options like snapshotting, instrumenting specific shared libraries, + etc. Additionally QEMU 5.1 supports more CPU targets so this is really worth + it. * When instrumenting targets, afl-cc will not supersede optimizations anymore if any were given. This allows to fuzz targets build regularly like those for debug or release versions. * afl-fuzz: - * if neither -M or -S is specified, `-S default` is assumed, so more - fuzzers can easily be added later - * `-i` input directory option now descends into subdirectories. It also - does not fatal on crashes and too large files, instead it skips them - and uses them for splicing mutations + * if neither -M or -S is specified, `-S default` is assumed, so more fuzzers + can easily be added later + * `-i` input directory option now descends into subdirectories. It also does + not fatal on crashes and too large files, instead it skips them and uses + them for splicing mutations * -m none is now default, set memory limits (in MB) with, e.g., -m 250 - * deterministic fuzzing is now disabled by default (unless using -M) and - can be enabled with -D + * deterministic fuzzing is now disabled by default (unless using -M) and can + be enabled with -D * a caching of test cases can now be performed and can be modified by editing config.h for TESTCASE_CACHE or by specifying the environment variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index 9b3d8d40..003b9c79 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -1,18 +1,29 @@ # Remote monitoring and metrics visualization -AFL++ can send out metrics as StatsD messages. For remote monitoring and visualization of the metrics, you can set up a tool chain. For example, with Prometheus and Grafana. All tools are free and open source. +AFL++ can send out metrics as StatsD messages. For remote monitoring and +visualization of the metrics, you can set up a tool chain. For example, with +Prometheus and Grafana. All tools are free and open source. -This enables you to create nice and readable dashboards containing all the information you need on your fuzzer instances. There is no need to write your own statistics parsing system, deploy and maintain it to all your instances, and sync with your graph rendering system. +This enables you to create nice and readable dashboards containing all the +information you need on your fuzzer instances. There is no need to write your +own statistics parsing system, deploy and maintain it to all your instances, and +sync with your graph rendering system. -Compared to the default integrated UI of AFL++, this can help you to visualize trends and the fuzzing state over time. You might be able to see when the fuzzing process has reached a state of no progress and visualize what are the "best strategies" for your targets (according to your own criteria). You can do so without logging into each instance individually. +Compared to the default integrated UI of AFL++, this can help you to visualize +trends and the fuzzing state over time. You might be able to see when the +fuzzing process has reached a state of no progress and visualize what are the +"best strategies" for your targets (according to your own criteria). You can do +so without logging into each instance individually. ![example visualization with Grafana](resources/statsd-grafana.png) -This is an example visualization with Grafana. The dashboard can be imported with [this JSON template](resources/grafana-afl++.json). +This is an example visualization with Grafana. The dashboard can be imported +with [this JSON template](resources/grafana-afl++.json). ## AFL++ metrics and StatsD -StatsD allows you to receive and aggregate metrics from a wide range of applications and retransmit them to a backend of your choice. +StatsD allows you to receive and aggregate metrics from a wide range of +applications and retransmit them to a backend of your choice. From AFL++, StatsD can receive the following metrics: - cur_path @@ -36,35 +47,57 @@ From AFL++, StatsD can receive the following metrics: - var_byte_count - variable_paths -Depending on your StatsD server, you will be able to monitor, trigger alerts, or perform actions based on these metrics (for example: alert on slow exec/s for a new build, threshold of crashes, time since last crash > X, and so on). +Depending on your StatsD server, you will be able to monitor, trigger alerts, or +perform actions based on these metrics (for example: alert on slow exec/s for a +new build, threshold of crashes, time since last crash > X, and so on). ## Setting environment variables in AFL++ -1. To enable the StatsD metrics collection on your fuzzer instances, set the environment variable `AFL_STATSD=1`. By default, AFL++ will send the metrics over UDP to 127.0.0.1:8125. +1. To enable the StatsD metrics collection on your fuzzer instances, set the + environment variable `AFL_STATSD=1`. By default, AFL++ will send the metrics + over UDP to 127.0.0.1:8125. -2. To enable tags for each metric based on their format (banner and afl_version), set the environment variable `AFL_STATSD_TAGS_FLAVOR`. By default, no tags will be added to the metrics. +2. To enable tags for each metric based on their format (banner and + afl_version), set the environment variable `AFL_STATSD_TAGS_FLAVOR`. By + default, no tags will be added to the metrics. The available values are the following: - `dogstatsd` - `influxdb` - `librato` - `signalfx` - - For more information on environment variables, see [env_variables.md](env_variables.md). - Note: When using multiple fuzzer instances with StatsD it is *strongly* recommended to set up `AFL_STATSD_TAGS_FLAVOR` to match your StatsD server. This will allow you to see individual fuzzer performance, detect bad ones, and see the progress of each strategy. + For more information on environment variables, see + [env_variables.md](env_variables.md). -3. Optional: To set the host and port of your StatsD daemon, set `AFL_STATSD_HOST` and `AFL_STATSD_PORT`. The default values are `localhost` and `8125`. + Note: When using multiple fuzzer instances with StatsD it is *strongly* + recommended to set up `AFL_STATSD_TAGS_FLAVOR` to match your StatsD server. + This will allow you to see individual fuzzer performance, detect bad ones, + and see the progress of each strategy. + +3. Optional: To set the host and port of your StatsD daemon, set + `AFL_STATSD_HOST` and `AFL_STATSD_PORT`. The default values are `localhost` + and `8125`. ## Installing and setting up StatsD, Prometheus, and Grafana -The easiest way to install and set up the infrastructure is with Docker and Docker Compose. +The easiest way to install and set up the infrastructure is with Docker and +Docker Compose. -Depending on your fuzzing setup and infrastructure, you may not want to run these applications on your fuzzer instances. This setup may be modified before use in a production environment; for example, adding passwords, creating volumes for storage, tweaking the metrics gathering to get host metrics (CPU, RAM, and so on). +Depending on your fuzzing setup and infrastructure, you may not want to run +these applications on your fuzzer instances. This setup may be modified before +use in a production environment; for example, adding passwords, creating volumes +for storage, tweaking the metrics gathering to get host metrics (CPU, RAM, and +so on). -For all your fuzzing instances, only one instance of Prometheus and Grafana is required. The [statsd exporter](https://registry.hub.docker.com/r/prom/statsd-exporter) converts the StatsD metrics to Prometheus. If you are using a provider that supports StatsD directly, you can skip this part of the setup." +For all your fuzzing instances, only one instance of Prometheus and Grafana is +required. The +[statsd exporter](https://registry.hub.docker.com/r/prom/statsd-exporter) +converts the StatsD metrics to Prometheus. If you are using a provider that +supports StatsD directly, you can skip this part of the setup." -You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files. +You can create and move the infrastructure files into a directory of your +choice. The directory will store all the required configuration files. To install and set up Prometheus and Grafana: @@ -76,6 +109,7 @@ To install and set up Prometheus and Grafana: ``` 2. Create a `docker-compose.yml` containing the following: + ```yml version: '3' @@ -109,7 +143,7 @@ To install and set up Prometheus and Grafana: - "8125:9125/udp" networks: - statsd-net - + grafana: image: grafana/grafana container_name: grafana @@ -134,7 +168,8 @@ To install and set up Prometheus and Grafana: ``` 4. Create a `statsd_mapping.yml` containing the following: - ```yml + + ```yml mappings: - match: "fuzzing.*" name: "fuzzing" @@ -152,4 +187,4 @@ To run your fuzzing instances: AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -M test-fuzzer-1 -i i -o o [./bin/my-application] @@ AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -S test-fuzzer-2 -i i -o o [./bin/my-application] @@ ... -``` +``` \ No newline at end of file diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index fd4282db..63ab1718 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -334,8 +334,8 @@ Interceptor.replace(LLVMFuzzerTestOneInput, cm.My_LLVMFuzzerTestOneInput); ### Hooking `main` -Lastly, it should be noted that using FRIDA mode's scripting support to hook -the `main` function is a special case. This is because the `main` function is +Lastly, it should be noted that using FRIDA mode's scripting support to hook the +`main` function is a special case. This is because the `main` function is already hooked by the FRIDA mode engine itself and hence the function `main` (or at least the first basic block already been compiled by Stalker ready for execution). Hence any attempt to use `Interceptor.replace` like in the example @@ -405,22 +405,22 @@ Consider the [following](test/js/test2.c) test code... #include const uint32_t crc32_tab[] = { - 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, + 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, ... - 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d + 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d }; uint32_t crc32(const void *buf, size_t size) { - const uint8_t *p = buf; - uint32_t crc; - crc = ~0U; - while (size--) - crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); - return crc ^ ~0U; + const uint8_t *p = buf; + uint32_t crc; + crc = ~0U; + while (size--) + crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8); + return crc ^ ~0U; } /* diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index f251415b..ef38662b 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -1,7 +1,7 @@ # GCC-based instrumentation for afl-fuzz -For the general instruction manual, see [../README.md](../README.md). -For the LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). +For the general instruction manual, see [../README.md](../README.md). For the +LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). This document describes how to build and use `afl-gcc-fast` and `afl-g++-fast`, which instrument the target with the help of gcc plugins. -- cgit 1.4.1 From 667c2e58b24603ca4660d1d5f9d9e9e3ca17b86e Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 4 Dec 2021 20:41:47 +0100 Subject: Fix punctuation in connection with "by default" --- docs/env_variables.md | 8 ++++---- docs/fuzzing_in_depth.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 3f7bdadb..530e1342 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -607,14 +607,14 @@ the preferred way to configure FRIDA mode is through its * `AFL_FRIDA_INST_NO_BACKPATCH` - Disable backpatching. At the end of executing each block, control will return to FRIDA to identify the next block to execute. -* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default the child will +* `AFL_FRIDA_INST_NO_PREFETCH` - Disable prefetching. By default, the child will report instrumented blocks back to the parent so that it can also instrument them and they be inherited by the next child on fork, implies `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH`. * `AFL_FRIDA_INST_NO_PREFETCH_BACKPATCH` - Disable prefetching of stalker - backpatching information. By default the child will report applied backpatches - to the parent so that they can be applied and then be inherited by the next - child on fork. + backpatching information. By default, the child will report applied + backpatches to the parent so that they can be applied and then be inherited by + the next child on fork. * `AFL_FRIDA_INST_RANGES` - See `AFL_QEMU_INST_RANGES` * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to generate block (and hence edge) IDs. Setting this to a constant value may be diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 9611d6b7..d1fee7cc 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -465,7 +465,7 @@ handling in the target. Play around with various -m values until you find one that safely works for all your input seeds (if you have good ones and then double or quadruple that. -By default afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or +By default, afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or send a signal SIGINT. You can limit the number of executions or approximate runtime in seconds with options also. -- cgit 1.4.1 From 8d696c93968a31133ef917810295aaf399b066ff Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 4 Dec 2021 20:55:37 +0100 Subject: Fix punctuation in connection with "with" --- docs/env_variables.md | 8 ++++---- docs/fuzzing_in_depth.md | 2 +- docs/important_changes.md | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/env_variables.md b/docs/env_variables.md index 530e1342..86ebf25c 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -553,14 +553,14 @@ The QEMU wrapper used to instrument binary-only code supports several settings: and sub in x86 and x86_64. This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is not specified. - - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal + - With `AFL_QEMU_FORCE_DFL`, you force QEMU to ignore the registered signal handlers of the target. - When the target is i386/x86_64, you can specify the address of the function that has to be the body of the persistent loop using `AFL_QEMU_PERSISTENT_ADDR=start addr`. - - With `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of + - With `AFL_QEMU_PERSISTENT_GPR=1`, QEMU will save the original value of general purpose registers and restore them in each persistent cycle. - Another modality to execute the persistent loop is to specify also the @@ -568,11 +568,11 @@ The QEMU wrapper used to instrument binary-only code supports several settings: assigned, instead of patching the return address, the specified instruction is transformed to a jump towards `start addr`. - - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from + - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET`, you can specify the offset from the stack pointer in which QEMU can find the return address when `start addr` is hit. - - With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically + - With `AFL_USE_QASAN`, you can enable QEMU AddressSanitizer for dynamically linked binaries. - The underlying QEMU binary will recognize any standard "user space diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index d1fee7cc..2e030e7b 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -449,7 +449,7 @@ mode!) and switch the input directory with a dash (`-`): Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if something is already included for your data format, and tell afl-fuzz to load that dictionary by adding `-x -dictionaries/FORMAT.dict`. With afl-clang-lto you have an autodictionary +dictionaries/FORMAT.dict`. With afl-clang-lto, you have an autodictionary generation for which you need to do nothing except to use afl-clang-lto as the compiler. You also have the option to generate a dictionary yourself, see [utils/libtokencap/README.md](../utils/libtokencap/README.md). diff --git a/docs/important_changes.md b/docs/important_changes.md index 9d4523e8..203c5a66 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -5,26 +5,26 @@ changes. ## From version 3.00 onwards -With AFL++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for +With AFL++ 3.13-3.20, we introduce frida_mode (-O) to have an alternative for binary-only fuzzing. It is slower than Qemu mode but works on MacOS, Android, iOS etc. -With AFL++ 3.15 we introduced the following changes from previous behaviors: +With AFL++ 3.15, we introduced the following changes from previous behaviors: * Also -M main mode does not do deterministic fuzzing by default anymore * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz -i does (but note that afl-cmin.bash does not) -With AFL++ 3.14 we introduced the following changes from previous behaviors: +With AFL++ 3.14, we introduced the following changes from previous behaviors: * afl-fuzz: deterministic fuzzing it not a default for -M main anymore * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash, however, does not) -With AFL++ 3.10 we introduced the following changes from previous behaviors: +With AFL++ 3.10, we introduced the following changes from previous behaviors: * The '+' feature of the '-t' option now means to auto-calculate the timeout with the value given being the maximum timeout. The original meaning of "skipping timeouts instead of abort" is now inherent to the -t option. -With AFL++ 3.00 we introduced changes that break some previous AFL and AFL++ +With AFL++ 3.00, we introduced changes that break some previous AFL and AFL++ behaviors and defaults: * There are no llvm_mode and gcc_plugin subdirectories anymore and there is only one compiler: afl-cc. All previous compilers now symlink to this one. -- cgit 1.4.1 From 89df436290c67b1c03122bfe5c68cf4f92e581c0 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 5 Dec 2021 19:03:48 +0100 Subject: Fix broken links - 1st run --- docs/INSTALL.md | 9 ++++---- docs/afl-fuzz_approach.md | 14 ++++++------ docs/env_variables.md | 11 +++++----- docs/fuzzing_binary-only_targets.md | 8 +++---- docs/fuzzing_in_depth.md | 9 ++++---- frida_mode/Scripting.md | 4 ++-- instrumentation/README.llvm.md | 43 ++++++++++++++++++++++++++++++++++++- utils/README.md | 2 +- 8 files changed, 72 insertions(+), 28 deletions(-) (limited to 'docs/env_variables.md') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 9d1309fe..906d3f8e 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -60,10 +60,9 @@ These build targets exist: * unit: perform unit tests (based on cmocka) * help: shows these build options -[Unless you are on Mac OS -X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), you can -also build statically linked versions of the AFL++ binaries by passing the -`STATIC=1` argument to make: +[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), +you can also build statically linked versions of the AFL++ binaries by passing +the `STATIC=1` argument to make: ```shell make STATIC=1 @@ -169,5 +168,5 @@ sysctl kern.sysv.shmall=98304 ``` See -[https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) +[http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent. \ No newline at end of file diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index a72087c2..01888935 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -243,9 +243,10 @@ now. It tells you about the current stage, which can be any of: together two random inputs from the queue at some arbitrarily selected midpoint. - sync - a stage used only when `-M` or `-S` is set (see - [parallel_fuzzing.md](parallel_fuzzing.md)). No real fuzzing is involved, but - the tool scans the output from other fuzzers and imports test cases as - necessary. The first time this is done, it may take several minutes or so. + [fuzzing_in_depth.md:3c) Using multiple cores](fuzzing_in_depth.md#c-using-multiple-cores)). + No real fuzzing is involved, but the tool scans the output from other fuzzers + and imports test cases as necessary. The first time this is done, it may take + several minutes or so. The remaining fields should be fairly self-evident: there's the exec count progress indicator for the current stage, a global exec counter, and a benchmark @@ -254,8 +255,8 @@ to another, but the benchmark should be ideally over 500 execs/sec most of the time - and if it stays below 100, the job will probably take very long. The fuzzer will explicitly warn you about slow targets, too. If this happens, -see the [perf_tips.md](perf_tips.md) file included with the fuzzer for ideas on -how to speed things up. +see the [best_practices.md#improving-speed](best_practices.md#improving-speed) +for ideas on how to speed things up. ### Findings in depth @@ -396,7 +397,8 @@ comparing it to the number of logical cores on the system. If the value is shown in green, you are using fewer CPU cores than available on your system and can probably parallelize to improve performance; for tips on how -to do that, see [parallel_fuzzing.md](parallel_fuzzing.md). +to do that, see +[fuzzing_in_depth.md:3c) Using multiple cores](fuzzing_in_depth.md#c-using-multiple-cores). If the value is shown in red, your CPU is *possibly* oversubscribed, and running additional fuzzers may not give you any benefits. diff --git a/docs/env_variables.md b/docs/env_variables.md index 86ebf25c..0952b960 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -583,10 +583,11 @@ The QEMU wrapper used to instrument binary-only code supports several settings: The FRIDA wrapper used to instrument binary-only code supports many of the same options as `afl-qemu-trace`, but also has a number of additional advanced -options. These are listed in brief below (see [here](../frida_mode/README.md) -for more details). These settings are provided for compatibiltiy with QEMU mode, -the preferred way to configure FRIDA mode is through its -[scripting](../frida_mode/Scripting.md) support. +options. These are listed in brief below (see +[frida_mode/README.md](../frida_mode/README.md) for more details). These +settings are provided for compatibiltiy with QEMU mode, the preferred way to +configure FRIDA mode is through its [scripting](../frida_mode/Scripting.md) +support. * `AFL_FRIDA_DEBUG_MAPS` - See `AFL_QEMU_DEBUG_MAPS` * `AFL_FRIDA_DRIVER_NO_HOOK` - See `AFL_QEMU_DRIVER_NO_HOOK`. When using the @@ -627,7 +628,7 @@ the preferred way to configure FRIDA mode is through its coverage information for unstable edges (e.g., to be loaded within IDA lighthouse). * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting - engine. See [here](Scripting.md) for details. + engine. See [frida_mode/Scripting.md](../frida_mode/Scripting.md) for details. * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`) * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index eaed3a91..fd18b5c1 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -107,10 +107,10 @@ For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md). If possible, you should use the persistent mode, see -[qemu_frida/README.md](../qemu_frida/README.md). The mode is approximately 2-5x -slower than compile-time instrumentation, and is less conducive to -parallelization. But for binary-only fuzzing, it gives a huge speed improvement -if it is possible to use. +[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md). +The mode is approximately 2-5x slower than compile-time instrumentation, and is +less conducive to parallelization. But for binary-only fuzzing, it gives a huge +speed improvement if it is possible to use. If you want to fuzz a binary-only library, then you can fuzz it with frida-gum via frida_mode/. You will have to write a harness to call the target function in diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 4a1ddf45..29e8f817 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -153,12 +153,12 @@ only instrument parts of the target that you are interested in: There are many more options and modes available, however, these are most of the time less effective. See: -* [instrumentation/README.ctx.md](../instrumentation/README.ctx.md) -* [instrumentation/README.ngram.md](../instrumentation/README.ngram.md) +* [instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage) +* [instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) AFL++ performs "never zero" counting in its bitmap. You can read more about this here: -* [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md) +* [instrumentation/README.llvm.md#8-neverzero-counters](../instrumentation/README.llvm.md#8-neverzero-counters) ### c) Selecting sanitizers @@ -474,7 +474,8 @@ is: ![resources/screenshot.png](resources/screenshot.png) -All labels are explained in [status_screen.md](status_screen.md). +All labels are explained in +[afl-fuzz_approach.md#understanding-the-status-screen](afl-fuzz_approach.md#understanding-the-status-screen). ### b) Keeping memory use and timeouts in check diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md index 63ab1718..ad86fdd3 100644 --- a/frida_mode/Scripting.md +++ b/frida_mode/Scripting.md @@ -109,8 +109,8 @@ Afl.setPersistentAddress(address); A persistent hook can be implemented using a conventional shared object, sample source code for a hook suitable for the prototype of `LLVMFuzzerTestOneInput` -can be found in [hook/hook.c](hook/hook.c). This can be configured using code -similar to the following. +can be found in [hook/](hook/). This can be configured using code similar to the +following. ```js const path = Afl.module.path; diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index fa025643..ca9ce933 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -234,4 +234,45 @@ are 2-16. It is highly recommended to increase the MAP_SIZE_POW2 definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions -occur. \ No newline at end of file +occur. + +## 8) NeverZero counters + +In larger, complex, or reiterative programs, the byte sized counters that +collect the edge coverage can easily fill up and wrap around. This is not that +much of an issue - unless, by chance, it wraps just to a value of zero when the +program execution ends. In this case, afl-fuzz is not able to see that the edge +has been accessed and will ignore it. + +NeverZero prevents this behavior. If a counter wraps, it jumps over the value 0 +directly to a 1. This improves path discovery (by a very small amount) at a very +low cost (one instruction per edge). + +(The alternative of saturated counters has been tested also and proved to be +inferior in terms of path discovery.) + +This is implemented in afl-gcc and afl-gcc-fast, however, for llvm_mode this is +optional if multithread safe counters are selected or the llvm version is below +9 - as there are severe performance costs in these cases. + +If you want to enable this for llvm versions below 9 or thread safe counters, +then set + +``` +export AFL_LLVM_NOT_ZERO=1 +``` + +In case you are on llvm 9 or greater and you do not want this behavior, then you +can set: + +``` +AFL_LLVM_SKIP_NEVERZERO=1 +``` + +If the target does not have extensive loops or functions that are called a lot +then this can give a small performance boost. + +Please note that the default counter implementations are not thread safe! + +Support for thread safe counters in mode LLVM CLASSIC can be activated with +setting `AFL_LLVM_THREADSAFE_INST=1`. \ No newline at end of file diff --git a/utils/README.md b/utils/README.md index 5f5745b9..debc86e8 100644 --- a/utils/README.md +++ b/utils/README.md @@ -48,7 +48,7 @@ Here's a quick overview of the stuff you can find in this directory: - defork - intercept fork() in targets - distributed_fuzzing - a sample script for synchronizing fuzzer instances - across multiple machines (see parallel_fuzzing.md). + across multiple machines. - libdislocator - like ASAN but lightweight. -- cgit 1.4.1 From bb506de0b809f97a4221ee1b6e040dcb5f9ca56a Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 5 Dec 2021 19:04:45 +0100 Subject: Fix various missed issues - 1st run --- custom_mutators/gramatron/README.md | 43 ++++----- dictionaries/README.md | 20 ++-- docs/afl-fuzz_approach.md | 11 ++- docs/custom_mutators.md | 2 +- docs/env_variables.md | 2 +- docs/features.md | 4 +- utils/autodict_ql/readme.md | 180 ++++++++++++++++++++++-------------- utils/libdislocator/README.md | 29 +++--- 8 files changed, 168 insertions(+), 123 deletions(-) (limited to 'docs/env_variables.md') diff --git a/custom_mutators/gramatron/README.md b/custom_mutators/gramatron/README.md index 5e10f97b..8aa0cc44 100644 --- a/custom_mutators/gramatron/README.md +++ b/custom_mutators/gramatron/README.md @@ -1,17 +1,17 @@ # GramaTron GramaTron is a coverage-guided fuzzer that uses grammar automatons to perform -grammar-aware fuzzing. Technical details about our framework are available -in the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). -The artifact to reproduce the experiments presented in the paper are present -in `artifact/`. Instructions to run a sample campaign and incorporate new -grammars is presented below: +grammar-aware fuzzing. Technical details about our framework are available in +the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). The artifact to +reproduce the experiments presented in the paper are present in `artifact/`. +Instructions to run a sample campaign and incorporate new grammars is presented +below: -# Compiling +## Compiling Execute `./build_gramatron_mutator.sh`. -# Running +## Running You have to set the grammar file to use with `GRAMATRON_AUTOMATION`: @@ -23,26 +23,27 @@ export GRAMATRON_AUTOMATION=grammars/ruby/source_automata.json afl-fuzz -i in -o out -- ./target ``` -# Adding and testing a new grammar +## Adding and testing a new grammar -- Specify in a JSON format for CFG. Examples are correspond `source.json` files +- Specify in a JSON format for CFG. Examples are correspond `source.json` files. - Run the automaton generation script (in `src/gramfuzz-mutator/preprocess`) which will place the generated automaton in the same folder. -``` -./preprocess/prep_automaton.sh [stack_limit] + ``` + ./preprocess/prep_automaton.sh [stack_limit] -E.g., ./preprocess/prep_automaton.sh ~/grammars/ruby/source.json PROGRAM -``` + E.g., ./preprocess/prep_automaton.sh ~/grammars/ruby/source.json PROGRAM + ``` -- If the grammar has no self-embedding rules then you do not need to pass the - stack limit parameter. However, if it does have self-embedding rules then you +- If the grammar has no self-embedding rules, then you do not need to pass the + stack limit parameter. However, if it does have self-embedding rules, then you need to pass the stack limit parameter. We recommend starting with `5` and - then increasing it if you need more complexity -- To sanity-check that the automaton is generating inputs as expected you can use the `test` binary housed in `src/gramfuzz-mutator` + then increasing it if you need more complexity. +- To sanity-check that the automaton is generating inputs as expected, you can + use the `test` binary housed in `src/gramfuzz-mutator`. -``` -./test SanityCheck + ``` + ./test SanityCheck -E.g., ./test SanityCheck ~/grammars/ruby/source_automata.json -``` \ No newline at end of file + E.g., ./test SanityCheck ~/grammars/ruby/source_automata.json + ``` \ No newline at end of file diff --git a/dictionaries/README.md b/dictionaries/README.md index f3b8a9e5..0b3b4d90 100644 --- a/dictionaries/README.md +++ b/dictionaries/README.md @@ -2,17 +2,17 @@ (See [../README.md](../README.md) for the general instruction manual.) -This subdirectory contains a set of dictionaries that can be used in -conjunction with the -x option to allow the fuzzer to effortlessly explore the -grammar of some of the more verbose data formats or languages. +This subdirectory contains a set of dictionaries that can be used in conjunction +with the -x option to allow the fuzzer to effortlessly explore the grammar of +some of the more verbose data formats or languages. -These sets were done by Michal Zalewski, various contributors, and imported -from oss-fuzz, go-fuzz and libfuzzer. +These sets were done by Michal Zalewski, various contributors, and imported from +oss-fuzz, go-fuzz and libfuzzer. Custom dictionaries can be added at will. They should consist of a reasonably-sized set of rudimentary syntax units that the fuzzer will then try -to clobber together in various ways. Snippets between 2 and 16 bytes are -usually the sweet spot. +to clobber together in various ways. Snippets between 2 and 16 bytes are usually +the sweet spot. Custom dictionaries can be created in two ways: @@ -34,9 +34,9 @@ In the file mode, every name field can be optionally followed by @, e.g.: `keyword_foo@1 = "foo"` Such entries will be loaded only if the requested dictionary level is equal or -higher than this number. The default level is zero; a higher value can be set -by appending @ to the dictionary file name, like so: +higher than this number. The default level is zero; a higher value can be set by +appending @ to the dictionary file name, like so: `-x path/to/dictionary.dct@2` -Good examples of dictionaries can be found in xml.dict and png.dict. +Good examples of dictionaries can be found in xml.dict and png.dict. \ No newline at end of file diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 01888935..2da61cc4 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -468,7 +468,8 @@ cd ../../ sudo make install ``` -To learn more about remote monitoring and metrics visualization with StatsD, see [rpc_statsd.md](rpc_statsd.md). +To learn more about remote monitoring and metrics visualization with StatsD, see +[rpc_statsd.md](rpc_statsd.md). ### Addendum: status and plot files @@ -524,9 +525,9 @@ into each of them or deploy scripts to read the fuzzer statistics. Using `AFL_STATSD` (and the other related environment variables `AFL_STATSD_HOST`, `AFL_STATSD_PORT`, `AFL_STATSD_TAGS_FLAVOR`) you can automatically send metrics to your favorite StatsD server. Depending on your StatsD server, you will be -able to monitor, trigger alerts, or perform actions based on these metrics (e.g: -alert on slow exec/s for a new build, threshold of crashes, time since last -crash > X, etc.). +able to monitor, trigger alerts, or perform actions based on these metrics +(e.g.: alert on slow exec/s for a new build, threshold of crashes, time since +last crash > X, etc.). The selected metrics are a subset of all the metrics found in the status and in the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, @@ -537,6 +538,6 @@ the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, definitions can be found in the addendum above. When using multiple fuzzer instances with StatsD, it is *strongly* recommended -to setup the flavor (AFL_STATSD_TAGS_FLAVOR) to match your StatsD server. This +to setup the flavor (`AFL_STATSD_TAGS_FLAVOR`) to match your StatsD server. This will allow you to see individual fuzzer performance, detect bad ones, see the progress of each strategy... \ No newline at end of file diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 2f632e1f..7b4e0516 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -276,7 +276,7 @@ gcc -shared -Wall -O3 example.c -o example.so ``` Note that if you specify multiple custom mutators, the corresponding functions -will be called in the order in which they are specified. e.g. first +will be called in the order in which they are specified. E.g., the first `post_process` function of `example_first.so` will be called and then that of `example_second.so`. diff --git a/docs/env_variables.md b/docs/env_variables.md index 0952b960..c45f4ab9 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -585,7 +585,7 @@ The FRIDA wrapper used to instrument binary-only code supports many of the same options as `afl-qemu-trace`, but also has a number of additional advanced options. These are listed in brief below (see [frida_mode/README.md](../frida_mode/README.md) for more details). These -settings are provided for compatibiltiy with QEMU mode, the preferred way to +settings are provided for compatibility with QEMU mode, the preferred way to configure FRIDA mode is through its [scripting](../frida_mode/Scripting.md) support. diff --git a/docs/features.md b/docs/features.md index 06b1bcbe..431d9eb1 100644 --- a/docs/features.md +++ b/docs/features.md @@ -1,7 +1,7 @@ # Important features of AFL++ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with -QEMU 5.1 with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full +QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full *BSD, Mac OS, Solaris and Android support and much, much, much more. | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |coresight_mode(11)| @@ -30,7 +30,7 @@ QEMU 5.1 with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full versions that write to a file to use with afl-fuzz' `-x` 8. the snapshot LKM is currently unmaintained due to too many kernel changes coming too fast :-( -9. frida mode is supported on Linux and MacOS for Intel and ARM +9. FRIDA mode is supported on Linux and MacOS for Intel and ARM 10. QEMU/Unicorn is only supported on Linux 11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight extension diff --git a/utils/autodict_ql/readme.md b/utils/autodict_ql/readme.md index 789cd152..f61026b7 100644 --- a/utils/autodict_ql/readme.md +++ b/utils/autodict_ql/readme.md @@ -2,21 +2,35 @@ ## What is this? -`Autodict-QL` is a plugin system that enables fast generation of Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike The LLVM Passes that are hard to modify). This means that autodict-ql is a scriptable feature which basically uses CodeQL (a powerful semantic code analysis engine) to fetch information from a code base. +`Autodict-QL` is a plugin system that enables fast generation of +Tokens/Dictionaries in a handy way that can be manipulated by the user (unlike +The LLVM Passes that are hard to modify). This means that autodict-ql is a +scriptable feature which basically uses CodeQL (a powerful semantic code +analysis engine) to fetch information from a code base. -Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x` switch enables the usage of dictionaries through your fuzzing campaign. If you are not familiar with Dictionaries in fuzzing, take a look [here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries) . +Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x` +switch enables the usage of dictionaries through your fuzzing campaign. If you +are not familiar with Dictionaries in fuzzing, take a look +[here](https://github.com/AFLplusplus/AFLplusplus/tree/stable/dictionaries). -## Why CodeQL ? +## Why CodeQL? -We basically developed this plugin on top of the CodeQL engine because it gives the user scripting features, it's easier and it's independent of the LLVM system. This means that a user can write his CodeQL scripts or modify the current scripts to improve or change the token generation algorithms based on different program analysis concepts. +We basically developed this plugin on top of the CodeQL engine because it gives +the user scripting features, it's easier and it's independent of the LLVM +system. This means that a user can write his CodeQL scripts or modify the +current scripts to improve or change the token generation algorithms based on +different program analysis concepts. ## CodeQL scripts -Currently, we pushed some scripts as defaults for Token generation. In addition, we provide every CodeQL script as an standalone script because it's easier to modify or test. +Currently, we pushed some scripts as defaults for Token generation. In addition, +we provide every CodeQL script as an standalone script because it's easier to +modify or test. -Currently we provided the following CodeQL scripts : +Currently we provided the following CodeQL scripts: -`strcmp-str.ql` is used to extract strings that are related to the `strcmp` function. +`strcmp-str.ql` is used to extract strings that are related to the `strcmp` +function. `strncmp-str.ql` is used to extract the strings from the `strncmp` function. @@ -24,13 +38,18 @@ Currently we provided the following CodeQL scripts : `litool.ql` extracts Magic numbers as Hexadecimal format. -`strtool.ql` extracts strings with uses of a regex and dataflow concept to capture the string comparison functions. If `strcmp` is rewritten in a project as Mystrcmp or something like strmycmp, then this script can catch the arguments and these are valuable tokens. +`strtool.ql` extracts strings with uses of a regex and dataflow concept to +capture the string comparison functions. If `strcmp` is rewritten in a project +as Mystrcmp or something like strmycmp, then this script can catch the arguments +and these are valuable tokens. -You can write other CodeQL scripts to extract possible effective tokens if you think they can be useful. +You can write other CodeQL scripts to extract possible effective tokens if you +think they can be useful. ## Usage -Before you proceed to installation make sure that you have the following packages by installing them: +Before you proceed to installation make sure that you have the following +packages by installing them: ```shell sudo apt install build-essential libtool-bin python3-dev python3 automake git vim wget -y @@ -38,66 +57,91 @@ sudo apt install build-essential libtool-bin python3-dev python3 automake git vi The usage of Autodict-QL is pretty easy. But let's describe it as: -1. First of all, you need to have CodeQL installed on the system. We make this possible with `build-codeql.sh` bash script. This script will install CodeQL completety and will set the required environment variables for your system. -Do the following: - -```shell -# chmod +x codeql-build.sh -# ./codeql-build.sh -# source ~/.bashrc -# codeql -``` - -Then you should get: - -```shell -Usage: codeql ... -Create and query CodeQL databases, or work with the QL language. - -GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is -not itself free software. Type codeql --license to see the license terms. - - --license Show the license terms for the CodeQL toolchain. -Common options: - -h, --help Show this help text. - -v, --verbose Incrementally increase the number of progress messages printed. - -q, --quiet Incrementally decrease the number of progress messages printed. -Some advanced options have been hidden; try --help -v for a fuller view. -Commands: - query Compile and execute QL code. - bqrs Get information from .bqrs files. - database Create, analyze and process CodeQL databases. - dataset [Plumbing] Work with raw QL datasets. - test Execute QL unit tests. - resolve [Deep plumbing] Helper commands to resolve disk locations etc. - execute [Deep plumbing] Low-level commands that need special JVM options. - version Show the version of the CodeQL toolchain. - generate Generate formatted QL documentation. - github Commands useful for interacting with the GitHub API through CodeQL. -``` - -2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need to compile the source of the target you want to fuzz with CodeQL. This is not something hard. - - First you need to create a CodeQL database of the project codebase, suppose we want to compile `libxml` with codeql. Go to libxml and issue the following commands: - - `./configure --disable-shared` - - `codeql create database libxml-db --language=cpp --command=make` - - Now you have the CodeQL database of the project :-) -3. The final step is to update the CodeQL database you created in step 2 (Suppose we are in `aflplusplus/utils/autodict_ql/` directory): - - `codeql database upgrade /home/user/libxml/libxml-db` +1. First of all, you need to have CodeQL installed on the system. We make this + possible with `build-codeql.sh` bash script. This script will install CodeQL + completety and will set the required environment variables for your system. + Do the following: + + ```shell + # chmod +x codeql-build.sh + # ./codeql-build.sh + # source ~/.bashrc + # codeql + ``` + + Then you should get: + + ```shell + Usage: codeql ... + Create and query CodeQL databases, or work with the QL language. + + GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it is + not itself free software. Type codeql --license to see the license terms. + + --license Show the license terms for the CodeQL toolchain. + Common options: + -h, --help Show this help text. + -v, --verbose Incrementally increase the number of progress messages printed. + -q, --quiet Incrementally decrease the number of progress messages printed. + Some advanced options have been hidden; try --help -v for a fuller view. + Commands: + query Compile and execute QL code. + bqrs Get information from .bqrs files. + database Create, analyze and process CodeQL databases. + dataset [Plumbing] Work with raw QL datasets. + test Execute QL unit tests. + resolve [Deep plumbing] Helper commands to resolve disk locations etc. + execute [Deep plumbing] Low-level commands that need special JVM options. + version Show the version of the CodeQL toolchain. + generate Generate formatted QL documentation. + github Commands useful for interacting with the GitHub API through CodeQL. + ``` + +2. Compile your project with CodeQL: For using the Autodict-QL plugin, you need + to compile the source of the target you want to fuzz with CodeQL. This is not + something hard. + - First you need to create a CodeQL database of the project codebase, suppose + we want to compile `libxml` with codeql. Go to libxml and issue the + following commands: + - `./configure --disable-shared` + - `codeql create database libxml-db --language=cpp --command=make` + - Now you have the CodeQL database of the project :-) +3. The final step is to update the CodeQL database you created in step 2 + (Suppose we are in `aflplusplus/utils/autodict_ql/` directory): + - `codeql database upgrade /home/user/libxml/libxml-db` 4. Everything is set! Now you should issue the following to get the tokens: - - `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]` - - example : `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py $PWD /home/user/libxml/libxml-db tokens` - - This will create the final `tokens` dir for you and you are done, then pass the tokens path to AFL++'s `-x` flag. + - `python3 autodict-ql.py [CURRECT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]` + - example: `python3 /home/user/AFLplusplus/utils/autodict_ql/autodict-ql.py + $PWD /home/user/libxml/libxml-db tokens` + - This will create the final `tokens` dir for you and you are done, then + pass the tokens path to AFL++'s `-x` flag. 5. Done! ## More on dictionaries and tokens -Core developer of the AFL++ project Marc Heuse also developed a similar tool named `dict2file` which is a LLVM pass which can automatically extract useful tokens, in addition with LTO instrumentation mode, this dict2file is automatically generates token extraction. `Autodict-QL` plugin gives you scripting capability and you can do whatever you want to extract from the Codebase and it's up to you. In addition it's independent from LLVM system. -On the other hand, you can also use Google dictionaries which have been made public in May 2020, but the problem of using Google dictionaries is that they are limited to specific file formats and specifications. For example, for testing binutils and ELF file format or AVI in FFMPEG, there are no pre-built dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File` features to automatically generate dictionaries based on the target. - -I've personally prefered to use `Autodict-QL` or `dict2file` rather than Google dictionaries or any other manually generated dictionaries as `Autodict-QL` and `dict2file` are working based on the target. -In overall, fuzzing with dictionaries and well-generated tokens will give better results. - -There are 2 important points to remember : - -- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code coverage and hence better chances to discover new bugs. -- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated dictionaries. If you forget to set this environment variable, then AFL++ uses just 200 tokens and use the rest of them only probabilistically. So this will guarantee that your tokens will be used by AFL++. \ No newline at end of file +Core developer of the AFL++ project Marc Heuse also developed a similar tool +named `dict2file` which is a LLVM pass which can automatically extract useful +tokens, in addition with LTO instrumentation mode, this dict2file is +automatically generates token extraction. `Autodict-QL` plugin gives you +scripting capability and you can do whatever you want to extract from the +Codebase and it's up to you. In addition it's independent from LLVM system. On +the other hand, you can also use Google dictionaries which have been made public +in May 2020, but the problem of using Google dictionaries is that they are +limited to specific file formats and specifications. For example, for testing +binutils and ELF file format or AVI in FFMPEG, there are no pre-built +dictionaries, so it is highly recommended to use `Autodict-QL` or `Dict2File` +features to automatically generate dictionaries based on the target. + +I've personally preferred to use `Autodict-QL` or `dict2file` rather than Google +dictionaries or any other manually generated dictionaries as `Autodict-QL` and +`dict2file` are working based on the target. In overall, fuzzing with +dictionaries and well-generated tokens will give better results. + +There are 2 important points to remember: + +- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code + coverage and hence better chances to discover new bugs. +- Do not forget to set `AFL_MAX_DET_EXTRAS` at least to the number of generated + dictionaries. If you forget to set this environment variable, then AFL++ uses + just 200 tokens and use the rest of them only probabilistically. So this will + guarantee that your tokens will be used by AFL++. \ No newline at end of file diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 64a5f14c..7150c205 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -10,8 +10,8 @@ heap-related security bugs in several ways: subsequent PROT_NONE page, causing most off-by-one reads and writes to immediately segfault, - - It adds a canary immediately below the allocated buffer, to catch writes - to negative offsets (won't catch reads, though), + - It adds a canary immediately below the allocated buffer, to catch writes to + negative offsets (won't catch reads, though), - It sets the memory returned by malloc() to garbage values, improving the odds of crashing when the target accesses uninitialized data, @@ -19,35 +19,34 @@ heap-related security bugs in several ways: - It sets freed memory to PROT_NONE and does not actually reuse it, causing most use-after-free bugs to segfault right away, - - It forces all realloc() calls to return a new address - and sets - PROT_NONE on the original block. This catches use-after-realloc bugs, + - It forces all realloc() calls to return a new address - and sets PROT_NONE + on the original block. This catches use-after-realloc bugs, - - It checks for calloc() overflows and can cause soft or hard failures - of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, + - It checks for calloc() overflows and can cause soft or hard failures of + alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, AFL_LD_HARD_FAIL). - Optionally, in platforms supporting it, huge pages can be used by passing USEHUGEPAGE=1 to make. - - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1. - In this case, a tail canary is inserted in the padding bytes at the end - of the allocated zone. This reduce the ability of libdislocator to detect + - Size alignment to `max_align_t` can be enforced with AFL_ALIGNED_ALLOC=1. In + this case, a tail canary is inserted in the padding bytes at the end of the + allocated zone. This reduce the ability of libdislocator to detect off-by-one bugs but also it make slibdislocator compliant to the C standard. Basically, it is inspired by some of the non-default options available for the OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is -also somewhat similar to several other debugging libraries, such as gmalloc -and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing -jobs. +also somewhat similar to several other debugging libraries, such as gmalloc and +DUMA - but is simple, plug-and-play, and designed specifically for fuzzing jobs. Note that it does nothing for stack-based memory handling errors. The -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, can catch some subset of that. The allocator is slow and memory-intensive (even the tiniest allocation uses up -4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable -for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN -when fuzzing small, self-contained binaries. +4 kB of physical memory and 8 kB of virtual mem), making it completely +unsuitable for "production" uses; but it can be faster and more hassle-free than +ASAN / MSAN when fuzzing small, self-contained binaries. To use this library, run AFL++ like so: -- cgit 1.4.1