From 54eca027a5b234c530a59e340a3ad617d1f24384 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 26 Dec 2021 03:54:29 +0100 Subject: doc review --- docs/fuzzing_binary-only_targets.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'docs/fuzzing_binary-only_targets.md') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 5434a22c..0f2f84f6 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -12,11 +12,10 @@ fuzzed with AFL++. ## TL;DR: -QEMU mode in persistent mode is the fastest - if the stability is high enough. -Otherwise, try RetroWrite, Dyninst, and if these fail, too, then try standard -QEMU mode with `AFL_ENTRYPOINT` to where you need it. - -If your target is a library, then use FRIDA mode. +FRIDA mode and QEMU mode in persistent mode are the fastest - if persistent mode +is possible and the stability is high enough. +Otherwise, try Zafl, RetroWrite, Dyninst, and if these fail, too, then try +standard FRIDA/QEMU mode with `AFL_ENTRYPOINT` to where you need it. If your target is non-linux, then use unicorn_mode. @@ -92,7 +91,7 @@ For more information, see ### FRIDA mode In FRIDA mode, you can fuzz binary-only targets as easily as with QEMU mode. -FRIDA mode is sometimes faster and sometimes slower than QEMU mode. It is also +FRIDA mode is most of the times slightly faster than QEMU mode. It is also newer, lacks COMPCOV, and has the advantage that it works on MacOS (both intel and M1). @@ -100,7 +99,7 @@ To build FRIDA mode: ```shell cd frida_mode -make +gmake ``` For additional instructions and caveats, see -- cgit 1.4.1 From dbc62dbe566c7a3fc9ad9e3fbf2ef112442ad4f6 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Wed, 29 Dec 2021 11:55:16 +0100 Subject: sprinkle nyx links in the docs --- docs/Changelog.md | 2 ++ docs/features.md | 29 +++++++++++++++-------------- docs/fuzzing_binary-only_targets.md | 10 ++++++++++ docs/important_changes.md | 4 ---- 4 files changed, 27 insertions(+), 18 deletions(-) (limited to 'docs/fuzzing_binary-only_targets.md') diff --git a/docs/Changelog.md b/docs/Changelog.md index 58eef2ee..c4786bf3 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,6 +14,8 @@ sending a mail to . e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". This might need changing custom scripting! + - Nyx mode (full system emulation with snapshot capability) has been + added - thanks to @schumilo and @eqv! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you diff --git a/docs/features.md b/docs/features.md index 431d9eb1..6104ca63 100644 --- a/docs/features.md +++ b/docs/features.md 
@@ -4,20 +4,20 @@ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full *BSD, Mac OS, Solaris and Android support and much, much, much more. -| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |coresight_mode(11)| -| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------------:| -| Threadsafe counters | | x(3) | | | | | | -| NeverZero | x86[_64]| x(1) | x | x | x | x | | -| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | -| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | | -| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | -| Selective Instrumentation| | x | x | x | x | | | -| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | -| Ngram prev_loc Coverage | | x(6) | | | | | | -| Context Coverage | | x(6) | | | | | | -| Auto Dictionary | | x(7) | | | | | | -| Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | | -| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | | +| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)| +| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:| +| Threadsafe counters | | x(3) | | | | | x | | +| NeverZero | x86[_64]| x(1) | x | x | x | x | | | +| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | | +| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | | +| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | | +| Selective Instrumentation| | x | x | x | x | | | | +| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | | +| Ngram prev_loc Coverage | | x(6) | | | | | | | +| Context Coverage | | x(6) | | | | | | | 
+| Auto Dictionary | | x(7) | | | | | | | +| Snapshot Support | | (x)(8) | (x)(8) | | (x)(5) | | x | | +| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | x | | 1. default for LLVM >= 9.0, environment variable for older version due an efficiency bug in previous llvm versions @@ -34,6 +34,7 @@ QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full 10. QEMU/Unicorn is only supported on Linux 11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight extension +12. Nyx mode is only supported on Linux and currently restricted to x86_x64 Among others, the following features and patches have been integrated: diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 0f2f84f6..855d7756 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -125,6 +125,16 @@ to check out our sister project libafl which supports Frida, too: [https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL). Working examples already exist :-) +### Nyx mode + +Nyx is a full system emulation fuzzing environment with snapshot support that +is built upon KVM and QEMU. +It is only available on Linux and currently restricted to x86_x64. + +For binary-only fuzzing a special 5.10 kernel is required. + +See [nyx_mode/README.md](../nyx_mode/README.md) + ### Unicorn Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar. In diff --git a/docs/important_changes.md b/docs/important_changes.md index facaf3c1..0c1c34ef 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md 
@@ -5,10 +5,6 @@ changes. ## From version 3.00 onwards -With AFL++ 3.13-3.20, we introduce FRIDA mode (`-O`) to have an alternative for -binary-only fuzzing. It is a bit faster than QEMU mode and works on MacOS, -Android, iOS etc. - With AFL++ 4.00, we introduced the following changes from previous behaviors: * the complete documenation was overhauled and restructured thanks to @llzmb! * a new CMPLOG target format requires recompiling CMPLOG targets for use -- cgit 1.4.1
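Review bot: in the TL;DR hunk of the `doc review` commit, the deleted line `If your target is a library, then use FRIDA mode.` has no replacement, so the summary no longer says what to do with a library target; keep that sentence or fold the library case into the new FRIDA/QEMU sentence. The same hunk reads `with `AFL_ENTRYPOINT` to where you need it`, which wants a verb: `with `AFL_ENTRYPOINT` set to where you need it`.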
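Review bot: in the FRIDA mode hunk of the `doc review` commit, `most of the times slightly faster` should read `most of the time slightly faster`. Since the line it replaces said FRIDA mode is sometimes slower, consider keeping a short clause that QEMU mode can still win on some targets, so readers measure before choosing.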
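Review bot: the `make` to `gmake` change in the FRIDA build hunk of the `doc review` commit will fail on most Linux systems, where GNU make is installed only as `make` and there is no `gmake`; `gmake` is the GNU make name on the BSDs. Either keep `make` and add a sentence that GNU make is required (`gmake` on *BSD), or show both commands.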
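Review bot: the Changelog hunk of the `sprinkle nyx links` commit is fine as added; while touching that block, the context line just below it reads `instrumented libaries`, which this doc pass could fix to `libraries`.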
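Review bot: in the features.md table hunk, the `nyx_mode(12)` column is inserted between `unicorn_mode(10)` and `coresight_mode(11)`, so the footnote numbers read 9, 10, 10, 12, 11 across the header; either append nyx_mode after coresight_mode or renumber so footnotes stay in column order. The row rename from `Snapshot LKM Support` to `Snapshot Support` keeps the `(x)(8)` entries, so check that footnote 8 still reads correctly now that the row also covers Nyx's own snapshot support rather than only the LKM.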
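Review bot: footnote 12 in the features.md hunk says `x86_x64`, which is not an architecture name; the table above uses `x86[_64]` for the same thing, so write `x86_64`. The same typo appears in the new Nyx section of fuzzing_binary-only_targets.md in this commit.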
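Review bot: in the Nyx section hunk of fuzzing_binary-only_targets.md, `For binary-only fuzzing a special 5.10 kernel is required.` does not tell the reader what is special about that kernel or where to get it; either name the requirement or point at the place in nyx_mode/README.md that explains it. `x86_x64` should be `x86_64`, and the closing `See [nyx_mode/README.md](../nyx_mode/README.md)` lacks a period; the neighbouring FRIDA section uses the form `For additional instructions and caveats, see ...`, which this section could follow.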
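Review bot: the important_changes.md hunk deletes the paragraph recording that FRIDA mode (`-O`) arrived in AFL++ 3.13-3.20 and works on MacOS, Android and iOS, which is unrelated to the commit subject `sprinkle nyx links in the docs` and is not reflected in the Changelog hunk; if the removal is intentional, say so in the commit message or split it into its own commit, since the note on when `-O` appeared is otherwise lost from that file.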