- What is an "edge"?
+ What is an "edge"?
A program contains `functions`, `functions` contain the compiled machine code.
The compiled machine code in a `function` can be in a single or many `basic blocks`.
@@ -77,7 +77,7 @@ If you find an interesting or important question missing, submit it via
## Targets
- How can I fuzz a binary-only target?
+ How can I fuzz a binary-only target?
AFL++ is a great fuzzer if you have the source code available.
@@ -87,7 +87,7 @@ If you find an interesting or important question missing, submit it via
- How can I fuzz a network service?
+ How can I fuzz a network service?
The short answer is - you cannot, at least not "out of the box".
@@ -95,7 +95,7 @@ If you find an interesting or important question missing, submit it via
- How can I fuzz a GUI program?
+ How can I fuzz a GUI program?
Not all GUI programs are suitable for fuzzing. If the GUI program can read the fuzz data from a file without needing any user interaction, then it would be suitable for fuzzing.
@@ -105,13 +105,13 @@ If you find an interesting or important question missing, submit it via
## Performance
- How can I improve the fuzzing speed?
+ How can I improve the fuzzing speed?
There are a few things you can do to improve the fuzzing speed, see [best_practices.md#improving-speed](best_practices.md#improving-speed).
- Why is my stability below 100%?
+ Why is my stability below 100%?
Stability is measured by how many percent of the edges in the target are "stable".
Sending the same input again and again should take the exact same path through the target every time.
@@ -131,7 +131,7 @@ If you find an interesting or important question missing, submit it via
## Troubleshooting
- I got a weird compile error from clang.
+ I got a weird compile error from clang.
If you see this kind of error when trying to instrument a target with afl-cc/afl-clang-fast/afl-clang-lto:
--
cgit 1.4.1
From 78d7944bbf4608437563114c0e4291a9a516cfff Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Tue, 7 Sep 2021 14:01:27 +0200
Subject: Update docs/rpc_statsd.md
---
docs/rpc_statsd.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index cff93b7c..2d340dd7 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -66,7 +66,7 @@ For all your fuzzers, only one instance of StatsD, Prometheus, and Grafana is re
You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files.
-To install and set up StatsD, Prometheus, and Grafana:
+To install and set up Prometheus and Grafana:
1. Install Docker and Docker Compose:
--
cgit 1.4.1
From f760e80729412a2cd44a12e76b81ccb433626e60 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 7 Sep 2021 17:15:54 +0200
Subject: add check_binary_signatures for afl-* utils
---
docs/Changelog.md | 3 ++-
include/common.h | 1 +
src/afl-analyze.c | 1 +
src/afl-common.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/afl-showmap.c | 2 ++
src/afl-tmin.c | 1 +
6 files changed, 71 insertions(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 0ffbef05..de217c2e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,7 +15,8 @@ sending a mail to .
information on how to deal with instrumenting libraries
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
-
+ - afl-showmap, afl-tmin and afl-analyze now honor persistent mode
+ for more speed. thanks to dloffre-snl for reporting!
- afl-cc:
- fix for shared linking on MacOS
- llvm and LTO mode verified to work with new llvm 14-dev
diff --git a/include/common.h b/include/common.h
index 7bba9e91..2ca44301 100644
--- a/include/common.h
+++ b/include/common.h
@@ -38,6 +38,7 @@
#define STRINGIFY_VAL_SIZE_MAX (16)
+u32 check_binary_signatures(u8 *fn);
void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin);
void print_suggested_envs(char *mispelled_env);
void check_environment_vars(char **env);
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index e19df3ce..eef08494 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -1093,6 +1093,7 @@ int main(int argc, char **argv_orig, char **envp) {
parse_afl_kill_signal_env(getenv("AFL_KILL_SIGNAL"), SIGKILL);
read_initial_file();
+ (void)check_binary_signatures(fsrv.target_path);
ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...",
mem_limit, exec_tmout, edges_only ? ", edges only" : "");
diff --git a/src/afl-common.c b/src/afl-common.c
index 9ca2b3e8..db19f0a7 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -25,8 +25,12 @@
#include
#include
+#define _GNU_SOURCE
+#define __USE_GNU
+#include
#include
#include
+#include
#include "debug.h"
#include "alloc-inl.h"
@@ -51,6 +55,66 @@ u8 last_intr = 0;
#define AFL_PATH "/usr/local/lib/afl/"
#endif
+u32 check_binary_signatures(u8 *fn) {
+
+ int ret = 0, fd = open(fn, O_RDONLY);
+ if (fd < 0) { PFATAL("Unable to open '%s'", fn); }
+ struct stat st;
+ if (fstat(fd, &st) < 0) { PFATAL("Unable to fstat '%s'", fn); }
+ u32 f_len = st.st_size;
+ u8 *f_data = mmap(0, f_len, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (f_data == MAP_FAILED) { PFATAL("Unable to mmap file '%s'", fn); }
+ close(fd);
+
+ if (memmem(f_data, f_len, PERSIST_SIG, strlen(PERSIST_SIG) + 1)) {
+
+ if (!be_quiet) { OKF(cPIN "Persistent mode binary detected."); }
+ setenv(PERSIST_ENV_VAR, "1", 1);
+ ret = 1;
+
+ } else if (getenv("AFL_PERSISTENT")) {
+
+ if (!be_quiet) {
+
+ WARNF("AFL_PERSISTENT is no longer supported and may misbehave!");
+
+ }
+
+ } else if (getenv("AFL_FRIDA_PERSISTENT_ADDR")) {
+
+ if (!be_quiet) {
+
+ OKF("FRIDA Persistent mode configuration options detected.");
+
+ }
+
+ setenv(PERSIST_ENV_VAR, "1", 1);
+ ret = 1;
+
+ }
+
+ if (memmem(f_data, f_len, DEFER_SIG, strlen(DEFER_SIG) + 1)) {
+
+ if (!be_quiet) { OKF(cPIN "Deferred forkserver binary detected."); }
+ setenv(DEFER_ENV_VAR, "1", 1);
+ ret += 2;
+
+ } else if (getenv("AFL_DEFER_FORKSRV")) {
+
+ if (!be_quiet) {
+
+ WARNF("AFL_DEFER_FORKSRV is no longer supported and may misbehave!");
+
+ }
+
+ }
+
+ if (munmap(f_data, f_len)) { PFATAL("unmap() failed"); }
+
+ return ret;
+
+}
+
void detect_file_args(char **argv, u8 *prog_in, bool *use_stdin) {
u32 i = 0;
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 9122cd25..27b1e14a 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -1189,6 +1189,8 @@ int main(int argc, char **argv_orig, char **envp) {
}
+ (void)check_binary_signatures(fsrv->target_path);
+
shm_fuzz = ck_alloc(sizeof(sharedmem_t));
/* initialize cmplog_mode */
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 792770e0..dff51e84 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -1209,6 +1209,7 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz = map + sizeof(u32);
read_initial_file();
+ (void)check_binary_signatures(fsrv->target_path);
if (!fsrv->qemu_mode && !unicorn_mode) {
--
cgit 1.4.1
From 6546a0a5fd5532464916c6c4adfbb22d87a5acd5 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Fri, 10 Sep 2021 14:26:51 +0200
Subject: Update docs/rpc_statsd.md
---
docs/rpc_statsd.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 2d340dd7..288d56cb 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -62,7 +62,7 @@ The easiest way to install and set up the infrastructure is with Docker and Dock
Depending on your fuzzing setup and infrastructure, you may not want to run these applications on your fuzzer instances. This setup may be modified before use in a production environment; for example, adding passwords, creating volumes for storage, tweaking the metrics gathering to get host metrics (CPU, RAM, and so on).
-For all your fuzzers, only one instance of StatsD, Prometheus, and Grafana is required.
+For all your fuzzing instances, only one instance of Prometheus and Grafana is required. The [statsd exporter](https://registry.hub.docker.com/r/prom/statsd-exporter) converts the StatsD metrics to Prometheus. If you are using a provider that supports StatsD directly, you can skip this part of the setup."
You can create and move the infrastructure files into a directory of your choice. The directory will store all the required configuration files.
--
cgit 1.4.1
From 82ef4a90b0ff12a297e1bc3f1c8256ae9ace4f25 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Fri, 10 Sep 2021 21:37:55 +0200
Subject: Fix links
---
README.md | 2 +-
docs/best_practices.md | 2 +-
docs/branches.md | 2 +-
docs/fuzzing_expert.md | 2 +-
docs/interpreting_output.md | 2 +-
docs/known_limitations.md | 2 +-
docs/life_pro_tips.md | 20 ++++++++++----------
docs/rpc_statsd.md | 2 +-
docs/triaging_crashes.md | 2 +-
9 files changed, 18 insertions(+), 18 deletions(-)
(limited to 'docs')
diff --git a/README.md b/README.md
index eb99d9bd..25e47ef2 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ You are free to copy, modify, and distribute AFL++ with attribution under the te
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important behaviour changes in AFL++](docs/important_changes.md).
+* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [important changes in AFL++](docs/important_changes.md).
* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 23fa237d..1521748a 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -59,7 +59,7 @@ which allows you to define network state with different type of data packets.
1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended).
2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase).
3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase).
-4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md).
+4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md).
5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure).
6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem.
7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads).
diff --git a/docs/branches.md b/docs/branches.md
index 1e4ebbb2..81c73a0f 100644
--- a/docs/branches.md
+++ b/docs/branches.md
@@ -7,4 +7,4 @@ The following branches exist:
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
* (any other): experimental branches to work on specific features or testing new functionality or changes.
-For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major behaviour changes in AFL++](behaviour_changes.md).
\ No newline at end of file
+For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [important changes in AFL++](important_changes.md).
\ No newline at end of file
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 23b24ad0..37ab8e2f 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -620,4 +620,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
\ No newline at end of file
+(some might be deprecated or unsupported), see [tools.md](tools.md).
\ No newline at end of file
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 54ad76df..364d2cf4 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -1,6 +1,6 @@
# Interpreting output
-See the [docs/status_screen.md](docs/status_screen.md) file for information on
+See the [status_screen.md](status_screen.md) file for information on
how to interpret the displayed stats and monitor the health of the process. Be
sure to consult this file especially if any UI elements are highlighted in red.
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index deb539e2..b5fc8446 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -15,7 +15,7 @@ Here are some of the most important caveats for AFL:
To work around this, you can comment out the relevant checks (see
utils/libpng_no_checksum/ for inspiration); if this is not possible,
you can also write a postprocessor, one of the hooks of custom mutators.
- See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use
+ See [custom_mutators.md](custom_mutators.md) on how to use
`AFL_CUSTOM_MUTATOR_LIBRARY`
- There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md
index 13ffcea0..e79bcafa 100644
--- a/docs/life_pro_tips.md
+++ b/docs/life_pro_tips.md
@@ -27,16 +27,16 @@ Run the bundled `afl-plot` utility to generate browser-friendly graphs.
Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`.
## Puzzled by something showing up in red or purple in the AFL UI?
-It could be important - consult docs/status_screen.md right away!
+It could be important - consult [status_screen.md](status_screen.md) right away!
## Know your target? Convert it to persistent mode for a huge performance gain!
-Consult section #5 in README.llvm.md for tips.
+Consult section #5 in [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) for tips.
## Using clang?
-Check out instrumentation/ for a faster alternative to afl-gcc!
+Check out [instrumentation/](../instrumentation/) for a faster alternative to afl-gcc!
## Did you know that AFL can fuzz closed-source or cross-platform binaries?
-Check out qemu_mode/README.md and unicorn_mode/README.md for more.
+Check out [qemu_mode/README.md](../qemu_mode/README.md) and [unicorn_mode/README.md](../unicorn_mode/README.md) for more.
## Did you know that afl-fuzz can minimize any test case for you?
Try the bundled `afl-tmin` tool - and get small repro files fast!
@@ -46,7 +46,7 @@ Try the bundled `afl-tmin` tool - and get small repro files fast!
## Trouble dealing with a machine uprising? Relax, we've all been there.
-Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
+Find essential survival tips at [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
## Want to automatically spot non-crashing memory handling bugs?
@@ -54,7 +54,7 @@ Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
## Good selection of input files is critical to a successful fuzzing job.
-See docs/perf_tips.md for pro tips.
+See [perf_tips.md](perf_tips.md) for pro tips.
## You can improve the odds of automatically spotting stack corruption issues.
@@ -70,18 +70,18 @@ sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bu
## Hey kid... pssst... want to figure out how AFL really works?
-Check out docs/technical_details.md for all the gory details in one place!
+Check out [technical_details.md](technical_details.md) for all the gory details in one place!
## There's a ton of third-party helper tools designed to work with AFL!
-Be sure to check out docs/sister_projects.md before writing your own.
+Be sure to check out [sister_projects.md](sister_projects.md) before writing your own.
## Need to fuzz the command-line arguments of a particular program?
-You can find a simple solution in utils/argv_fuzzing.
+You can find a simple solution in [utils/argv_fuzzing](../utils/argv_fuzzing/).
## Attacking a format that uses checksums?
Remove the checksum-checking code or use a postprocessor!
-See `afl_custom_post_process` in custom_mutators/examples/example.c for more.
+See `afl_custom_post_process` in [custom_mutators/examples/example.c](../custom_mutators/examples/example.c) for more.
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 898ad099..efbd550b 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -41,7 +41,7 @@ To enable the StatsD reporting on your fuzzer instances, you need to set the env
Setting `AFL_STATSD_TAGS_FLAVOR` to the provider of your choice will assign tags / labels to each metric based on their format.
The possible values are `dogstatsd`, `librato`, `signalfx` or `influxdb`.
-For more information on these env vars, check out `docs/env_variables.md`.
+For more information on these env vars, check out [env_variables.md](env_variables.md).
The simplest way of using this feature is to use any metric provider and change the host/port of your StatsD daemon,
with `AFL_STATSD_HOST` and `AFL_STATSD_PORT`, if required (defaults are `localhost` and port `8125`).
diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md
index 1857c4b1..21ccecaa 100644
--- a/docs/triaging_crashes.md
+++ b/docs/triaging_crashes.md
@@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the
tested program. It then color-codes the input based on which sections appear to
be critical, and which are not; while not bulletproof, it can often offer quick
insights into complex file formats. More info about its operation can be found
-near the end of [docs/technical_details.md](docs/technical_details.md).
\ No newline at end of file
+near the end of [technical_details.md](technical_details.md).
\ No newline at end of file
--
cgit 1.4.1
From 51b2e86ec077c0b67ef1b54a9a30288b74c01be0 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 15 Sep 2021 12:28:05 +0200
Subject: fix links
---
GNUmakefile | 2 +-
afl-system-config | 2 +-
docs/ci_fuzzing.md | 2 +-
docs/fuzzing_binary-only_targets.md | 5 +++--
docs/fuzzing_expert.md | 2 +-
5 files changed, 7 insertions(+), 6 deletions(-)
(limited to 'docs')
diff --git a/GNUmakefile b/GNUmakefile
index 376f6e9a..0a6f3950 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -541,7 +541,7 @@ test_build: afl-cc afl-gcc afl-as afl-showmap
# echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
# @rm -f test-instr
# @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
-# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \
+# gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option." ) || \
# ( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
# @echo
# @echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
diff --git a/afl-system-config b/afl-system-config
index dbdbbf1f..3c14ba55 100755
--- a/afl-system-config
+++ b/afl-system-config
@@ -52,7 +52,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
echo ' /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
echo
}
- echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed
+ echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
echo
DONE=1
fi
diff --git a/docs/ci_fuzzing.md b/docs/ci_fuzzing.md
index 316059f8..8d1a2f99 100644
--- a/docs/ci_fuzzing.md
+++ b/docs/ci_fuzzing.md
@@ -26,4 +26,4 @@ Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing campaigns
`-M` enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs.
How this can look like can e.g. be seen at AFL++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
-and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py).
\ No newline at end of file
+and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py).
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index a39e40a0..8b3bbeff 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -51,7 +51,7 @@ make
```
For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md).
-If possible you should use the persistent mode, see [qemu_frida/README.persistent.md](../qemu_frida/README.persistent.md).
+If possible you should use the persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md).
The mode is approximately 2-5x slower than compile-time instrumentation, and is
less conducive to parallelization.
@@ -71,7 +71,8 @@ cd unicorn_mode
If the goal is to fuzz a dynamic library then there are two options available.
For both you need to write a small harness that loads and calls the library.
-Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md)
+Then you fuzz this with either frida_mode or qemu_mode, and either use
+`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES`
Another, less precise and slower option is using ptrace with debugger interrupt
instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 23b24ad0..7695e21f 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -472,7 +472,7 @@ If you are using AFL spinoffs or AFL conforming fuzzers, then just use the
same -o directory and give it a unique `-S` name.
Examples are:
* [Fuzzolic](https://github.com/season-lab/fuzzolic)
- * [symcc](https://github.com/eurecom-s/symcc/)
+ * [symcc](https://github.com/eurecom-s3/symcc/)
* [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/)
* [AFLsmart](https://github.com/aflsmart/aflsmart)
* [FairFuzz](https://github.com/carolemieux/afl-rb)
--
cgit 1.4.1
From 4473904bc0de7011a77309d96f7090a51c8fe768 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 1 Oct 2021 13:25:02 +0200
Subject: fix -n
---
docs/Changelog.md | 1 +
src/afl-fuzz-stats.c | 5 +++--
src/afl-fuzz.c | 2 +-
unicorn_mode/unicornafl | 2 +-
4 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index de217c2e..dad5fee2 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -15,6 +15,7 @@ sending a mail to .
information on how to deal with instrumenting libraries
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
+ - fix -n dumb mode (nobody should use this)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- afl-cc:
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index eb1fe2d9..870ba69a 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -560,8 +560,9 @@ void show_stats(afl_state_t *afl) {
/* Roughly every minute, update fuzzer stats and save auto tokens. */
- if (unlikely(afl->force_ui_update ||
- cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000)) {
+ if (unlikely(!afl->non_instrumented_mode &&
+ (afl->force_ui_update ||
+ cur_ms - afl->stats_last_stats_ms > STATS_UPDATE_SEC * 1000))) {
afl->stats_last_stats_ms = cur_ms;
write_stats_file(afl, t_bytes, t_byte_ratio, stab_ratio,
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 8ffc0e77..87da9798 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1918,7 +1918,7 @@ int main(int argc, char **argv_orig, char **envp) {
}
- write_stats_file(afl, 0, 0, 0, 0);
+ if (!afl->non_instrumented_mode) { write_stats_file(afl, 0, 0, 0, 0); }
maybe_update_plot_file(afl, 0, 0, 0);
save_auto(afl);
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 019b8715..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
--
cgit 1.4.1
From 46683d651656f1876f6d4aeb24807ed71fa91237 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 4 Oct 2021 08:19:42 +0200
Subject: update docs
---
README.md | 20 ++++++++++++++++----
docs/fuzzing_expert.md | 7 ++++++-
qemu_mode/qemuafl | 2 +-
unicorn_mode/unicornafl | 2 +-
4 files changed, 24 insertions(+), 7 deletions(-)
(limited to 'docs')
diff --git a/README.md b/README.md
index db6a70b5..76ef8448 100644
--- a/README.md
+++ b/README.md
@@ -66,17 +66,29 @@ A common way to do this would be:
make clean all
2. Get a small but valid input file that makes sense to the program.
-When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in [dictionaries/README.md](../dictionaries/README.md), too.
+When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described
+in [dictionaries/README.md](../dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
- ./afl-fuzz -i testcase_dir -o findings_dir -- \
- /path/to/tested/program [...program's cmdline...]
+```
+ ./afl-fuzz -i seeds_dir -o output_dir -- \
+ /path/to/tested/program [...program's cmdline...]
+```
- If the program takes input from a file, you can put `@@` in the program's command line; AFL will put an auto-generated file name in there for you.
+ To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz.
+
+ If the program takes input from a file, you can put `@@` in the program's
+ command line; AFL will put an auto-generated file name in there for you.
4. Investigate anything shown in red in the fuzzer UI by promptly consulting [docs/status_screen.md](docs/status_screen.md).
+5. You will find found crashes and hangs in the subdirectories `crashes/` and
+ `hangs/` in the `-o output_dir` directory. You can replay the crashes by
+ feeding them to the target, e.g.:
+ `cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]`
+ You can generate cores or use gdb directly to follow up the crashes.
+
## Contact
Questions? Concerns? Bug reports?
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 7695e21f..ca884159 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -540,6 +540,11 @@ To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/`
If you have multiple servers then use the command after a sync, or you have
to execute this script per server.
+Another tool to inspect the current state and history of a specific instance
+is afl-plot, which generates an index.html file and a graphs that show how
+the fuzzing instance is performing.
+The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot`
+
#### e) Stopping fuzzing, restarting fuzzing, adding new seeds
To stop an afl-fuzz run, simply press Control-C.
@@ -620,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
\ No newline at end of file
+(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 86dead4d..a6758d1c 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 86dead4dcb1aae7181fbf6b5f3706eee9f842e3a
+Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index 1c47d1eb..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit 1c47d1ebc7e904ad4efc1370f23e269fb9ac3f93
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
--
cgit 1.4.1
From f6fbbf8150c8a41b7cd40a2413b1c6f66b24c6c8 Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Sun, 10 Oct 2021 21:03:43 +0800
Subject: Fix document paths.
---
README.md | 8 ++++----
docs/best_practices.md | 6 +++---
docs/branches.md | 2 +-
docs/env_variables.md | 4 ++--
docs/fuzzing_expert.md | 4 ++--
docs/interpreting_output.md | 4 ++--
docs/known_limitations.md | 4 ++--
docs/parallel_fuzzing.md | 2 +-
docs/rpc_statsd.md | 4 ++--
docs/triaging_crashes.md | 2 +-
instrumentation/README.laf-intel.md | 5 ++---
instrumentation/README.llvm.md | 2 +-
12 files changed, 23 insertions(+), 24 deletions(-)
(limited to 'docs')
diff --git a/README.md b/README.md
index 76ef8448..1a22dd12 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ You are free to copy, modify, and distribute AFL++ with attribution under the te
Here is some information to get you started:
-* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [major behaviour changes in AFL++](docs/behaviour_changes.md).
+* For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and [branches](docs/branches.md). Also take a look at the list of [major changes in AFL++](docs/important_changes.md).
* If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
@@ -67,7 +67,7 @@ A common way to do this would be:
2. Get a small but valid input file that makes sense to the program.
When fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described
-in [dictionaries/README.md](../dictionaries/README.md), too.
+in [dictionaries/README.md](dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
@@ -94,7 +94,7 @@ in [dictionaries/README.md](../dictionaries/README.md), too.
Questions? Concerns? Bug reports?
* The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
-* Take a look at our [FAQ](docs/faq.md). If you find an interesting or important question missing, submit it via
+* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important question missing, submit it via
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
* There is a mailing list for the AFL/AFL++ project ([browse archive](https://groups.google.com/group/afl-users)). To compare notes with other users or to get notified about major new features, send an email to .
* Or join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
@@ -191,4 +191,4 @@ If you use AFL++ in scientific work, consider citing [our paper](https://www.use
}
```
-
\ No newline at end of file
+
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 23fa237d..0708d49d 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -59,10 +59,10 @@ which allows you to define network state with different type of data packets.
1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended).
2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase).
3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase).
-4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md).
+4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md).
5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure).
6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem.
-7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads).
+7. Use your cores! [fuzzing_expert.md:b) Using multiple cores](fuzzing_expert.md#b-using-multiple-cores).
### Improving stability
@@ -117,4 +117,4 @@ Four steps are required to do this and it also requires quite some knowledge of
Recompile, fuzz it, be happy :)
- This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677).
\ No newline at end of file
+ This link explains this process for [Fuzzbench](https://github.com/google/fuzzbench/issues/677).
diff --git a/docs/branches.md b/docs/branches.md
index 1e4ebbb2..98fd6827 100644
--- a/docs/branches.md
+++ b/docs/branches.md
@@ -7,4 +7,4 @@ The following branches exist:
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
* (any other): experimental branches to work on specific features or testing new functionality or changes.
-For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major behaviour changes in AFL++](behaviour_changes.md).
\ No newline at end of file
+For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major changes in AFL++](important_changes.md).
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 0686f1a8..5f5c2510 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -2,7 +2,7 @@
This document discusses the environment variables used by American Fuzzy Lop++
to expose various exotic functions that may be (rarely) useful for power
- users or for some types of custom fuzzing setups. See [README.md](README.md) for the general
+ users or for some types of custom fuzzing setups. See [../README.md](../README.md) for the general
instruction manual.
Note that most tools will warn on any unknown AFL environment variables.
@@ -422,7 +422,7 @@ checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_FORCE_UI` will force painting the UI on the screen even if
no valid terminal was detected (for virtual consoles)
- - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md))
+ - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md))
some targets keep inherent state due which a detected crash testcase does
not crash the target again when the testcase is given. To be able to still
re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index ca884159..ef3f8a4e 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -613,7 +613,7 @@ switch or honggfuzz.
* If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md)
* Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config`
* Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
- * Use your cores! [3.b) Using multiple cores/threads](#b-using-multiple-coresthreads)
+ * Use your cores! [b) Using multiple cores](#b-using-multiple-cores)
* Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot
### The End
@@ -625,4 +625,4 @@ This is basically all you need to know to professionally run fuzzing campaigns.
If you want to know more, the tons of texts in [docs/](./) will have you covered.
Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [links_tools.md](links_tools.md).
+(some might be deprecated or unsupported), see [tools.md](tools.md).
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 54ad76df..327a0ac0 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -1,6 +1,6 @@
# Interpreting output
-See the [docs/status_screen.md](docs/status_screen.md) file for information on
+See the [status_screen.md](status_screen.md) file for information on
how to interpret the displayed stats and monitor the health of the process. Be
sure to consult this file especially if any UI elements are highlighted in red.
@@ -68,4 +68,4 @@ cd utils/plot_ui
make
cd ../../
sudo make install
-```
\ No newline at end of file
+```
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index deb539e2..2d8f84a5 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -15,7 +15,7 @@ Here are some of the most important caveats for AFL:
To work around this, you can comment out the relevant checks (see
utils/libpng_no_checksum/ for inspiration); if this is not possible,
you can also write a postprocessor, one of the hooks of custom mutators.
- See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use
+ See [custom_mutators.md](custom_mutators.md) on how to use
`AFL_CUSTOM_MUTATOR_LIBRARY`
- There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
@@ -33,4 +33,4 @@ Here are some of the most important caveats for AFL:
- Occasionally, sentient machines rise against their creators. If this
happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
-Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
\ No newline at end of file
+Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md
index 90e12e89..e37276a5 100644
--- a/docs/parallel_fuzzing.md
+++ b/docs/parallel_fuzzing.md
@@ -4,7 +4,7 @@ This document talks about synchronizing afl-fuzz jobs on a single machine
or across a fleet of systems. See README.md for the general instruction manual.
Note that this document is rather outdated. please refer to the main document
-section on multiple core usage [../README.md#Using multiple cores](../README.md#b-using-multiple-coresthreads)
+section on multiple core usage [fuzzing_expert.md#Using multiple cores](fuzzing_expert.md#b-using-multiple-cores)
for up to date strategies!
## 1) Introduction
diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md
index 288d56cb..9b3d8d40 100644
--- a/docs/rpc_statsd.md
+++ b/docs/rpc_statsd.md
@@ -50,7 +50,7 @@ Depending on your StatsD server, you will be able to monitor, trigger alerts, or
- `librato`
- `signalfx`
- For more information on environment variables, see [docs/env_variables.md](docs/env_variables.md).
+ For more information on environment variables, see [env_variables.md](env_variables.md).
Note: When using multiple fuzzer instances with StatsD it is *strongly* recommended to set up `AFL_STATSD_TAGS_FLAVOR` to match your StatsD server. This will allow you to see individual fuzzer performance, detect bad ones, and see the progress of each strategy.
@@ -152,4 +152,4 @@ To run your fuzzing instances:
AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -M test-fuzzer-1 -i i -o o [./bin/my-application] @@
AFL_STATSD_TAGS_FLAVOR=dogstatsd AFL_STATSD=1 afl-fuzz -S test-fuzzer-2 -i i -o o [./bin/my-application] @@
...
-```
\ No newline at end of file
+```
diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md
index 1857c4b1..b0015c90 100644
--- a/docs/triaging_crashes.md
+++ b/docs/triaging_crashes.md
@@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the
tested program. It then color-codes the input based on which sections appear to
be critical, and which are not; while not bulletproof, it can often offer quick
insights into complex file formats. More info about its operation can be found
-near the end of [docs/technical_details.md](docs/technical_details.md).
\ No newline at end of file
+near the end of [technical_details.md](technical_details.md).
diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md
index 229807e8..789055ed 100644
--- a/instrumentation/README.laf-intel.md
+++ b/instrumentation/README.laf-intel.md
@@ -3,9 +3,8 @@
## Introduction
This originally is the work of an individual nicknamed laf-intel.
-His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations]
-(https://lafintel.wordpress.com/) and gitlab repo [laf-llvm-pass]
-(https://gitlab.com/laf-intel/laf-llvm-pass/)
+His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations](https://lafintel.wordpress.com/)
+and gitlab repo [laf-llvm-pass](https://gitlab.com/laf-intel/laf-llvm-pass/)
describe some code transformations that
help AFL++ to enter conditional blocks, where conditions consist of
comparisons of large values.
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 6e210a7c..5b1e60cc 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -2,7 +2,7 @@
(See [../README.md](../README.md) for the general instruction manual.)
- (See [README.gcc_plugin.md](../README.gcc_plugin.md) for the GCC-based instrumentation.)
+ (See [README.gcc_plugin.md](README.gcc_plugin.md) for the GCC-based instrumentation.)
## 1) Introduction
--
cgit 1.4.1
From 228f6c5dad1a593b4113006e587e9885459a53c2 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 10 Oct 2021 16:00:21 +0200
Subject: Update fuzzing_binary-only_targets.md
---
docs/fuzzing_binary-only_targets.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index a39e40a0..d568b976 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -71,7 +71,7 @@ cd unicorn_mode
If the goal is to fuzz a dynamic library then there are two options available.
For both you need to write a small harness that loads and calls the library.
-Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md)
+Faster is the frida solution: [frida_mode/README.md](../frida_mode/README.md)
Another, less precise and slower option is using ptrace with debugger interrupt
instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
--
cgit 1.4.1
From 659366ac6007eb679bc96c8e619afbb2f1d3ad50 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 10 Oct 2021 16:09:39 +0200
Subject: Delete life_pro_tips.md
---
docs/life_pro_tips.md | 87 ---------------------------------------------------
1 file changed, 87 deletions(-)
delete mode 100644 docs/life_pro_tips.md
(limited to 'docs')
diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md
deleted file mode 100644
index 13ffcea0..00000000
--- a/docs/life_pro_tips.md
+++ /dev/null
@@ -1,87 +0,0 @@
-# AFL "Life Pro Tips"
-
-Bite-sized advice for those who understand the basics, but can't be bothered
-to read or memorize every other piece of documentation for AFL.
-
-## Get more bang for your buck by using fuzzing dictionaries.
-
-See [dictionaries/README.md](../dictionaries/README.md) to learn how.
-
-## You can get the most out of your hardware by parallelizing AFL jobs.
-
-See [parallel_fuzzing.md](parallel_fuzzing.md) for step-by-step tips.
-
-## Improve the odds of spotting memory corruption bugs with libdislocator.so!
-
-It's easy. Consult [utils/libdislocator/README.md](../utils/libdislocator/README.md) for usage tips.
-
-## Want to understand how your target parses a particular input file?
-
-Try the bundled `afl-analyze` tool; it's got colors and all!
-
-## You can visually monitor the progress of your fuzzing jobs.
-
-Run the bundled `afl-plot` utility to generate browser-friendly graphs.
-
-## Need to monitor AFL jobs programmatically?
-Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`.
-
-## Puzzled by something showing up in red or purple in the AFL UI?
-It could be important - consult docs/status_screen.md right away!
-
-## Know your target? Convert it to persistent mode for a huge performance gain!
-Consult section #5 in README.llvm.md for tips.
-
-## Using clang?
-Check out instrumentation/ for a faster alternative to afl-gcc!
-
-## Did you know that AFL can fuzz closed-source or cross-platform binaries?
-Check out qemu_mode/README.md and unicorn_mode/README.md for more.
-
-## Did you know that afl-fuzz can minimize any test case for you?
-Try the bundled `afl-tmin` tool - and get small repro files fast!
-
-## Not sure if a crash is exploitable? AFL can help you figure it out. Specify
-`-C` to enable the peruvian were-rabbit mode.
-
-## Trouble dealing with a machine uprising? Relax, we've all been there.
-
-Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
-
-## Want to automatically spot non-crashing memory handling bugs?
-
-Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
-
-## Good selection of input files is critical to a successful fuzzing job.
-
-See docs/perf_tips.md for pro tips.
-
-## You can improve the odds of automatically spotting stack corruption issues.
-
-Specify `AFL_HARDEN=1` in the environment to enable hardening flags.
-
-## Bumping into problems with non-reproducible crashes?
-It happens, but usually
-isn't hard to diagnose. See section #7 in README.md for tips.
-
-## Fuzzing is not just about memory corruption issues in the codebase.
-Add some
-sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bugs.
-
-## Hey kid... pssst... want to figure out how AFL really works?
-
-Check out docs/technical_details.md for all the gory details in one place!
-
-## There's a ton of third-party helper tools designed to work with AFL!
-
-Be sure to check out docs/sister_projects.md before writing your own.
-
-## Need to fuzz the command-line arguments of a particular program?
-
-You can find a simple solution in utils/argv_fuzzing.
-
-## Attacking a format that uses checksums?
-
-Remove the checksum-checking code or use a postprocessor!
-See `afl_custom_post_process` in custom_mutators/examples/example.c for more.
-
--
cgit 1.4.1
From 00aa689f40a3c8276af257cf0b54dc655cb0423e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 11 Oct 2021 14:28:17 +0200
Subject: fix accidental bystander kills
---
docs/Changelog.md | 2 ++
qemu_mode/qemuafl | 2 +-
src/afl-forkserver.c | 6 +++---
unicorn_mode/unicornafl | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index dad5fee2..1c3830f9 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,8 @@ sending a mail to .
- fix -n dumb mode (nobody should use this)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
+ - Prevent accidently killing non-afl/fuzz services when aborting
+ afl-showmap and other tools.
- afl-cc:
- fix for shared linking on MacOS
- llvm and LTO mode verified to work with new llvm 14-dev
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index 71ed0d20..a6758d1c 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
+Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index c8c94c08..54f510c4 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -610,12 +610,12 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
if (!time_ms) {
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
} else if (time_ms > fsrv->init_tmout) {
fsrv->last_run_timed_out = 1;
- kill(fsrv->fsrv_pid, fsrv->kill_signal);
+ if (fsrv->fsrv_pid > 0) { kill(fsrv->fsrv_pid, fsrv->kill_signal); }
} else {
@@ -1248,7 +1248,7 @@ fsrv_run_result_t afl_fsrv_run_target(afl_forkserver_t *fsrv, u32 timeout,
/* If there was no response from forkserver after timeout seconds,
we kill the child. The forkserver should inform us afterwards */
- kill(fsrv->child_pid, fsrv->kill_signal);
+ if (fsrv->child_pid > 0) { kill(fsrv->child_pid, fsrv->kill_signal); }
fsrv->last_run_timed_out = 1;
if (read(fsrv->fsrv_st_fd, &fsrv->child_status, 4) < 4) { exec_ms = 0; }
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index f1c85364..c0e03d2c 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
+Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
--
cgit 1.4.1
From e0c052cad70b5cf2c86e1bda1d279a2ac1440077 Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Tue, 12 Oct 2021 23:46:47 +0200
Subject: unicornafl bindings improved
---
docs/Changelog.md | 1 +
unicorn_mode/UNICORNAFL_VERSION | 2 +-
unicorn_mode/samples/speedtest/rust/src/main.rs | 23 ++++++++++-------------
unicorn_mode/unicornafl | 2 +-
4 files changed, 13 insertions(+), 15 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 1c3830f9..ea58a386 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -34,6 +34,7 @@ sending a mail to .
- fix AFL_PRELOAD issues on MacOS
- removed utils/afl_frida because frida_mode/ is now so much better
- added uninstall target to makefile (todo: update new readme!)
+ - removed indirections in rust callbacks for unicornafl
### Version ++3.14c (release)
diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION
index cbca63e5..e76da957 100644
--- a/unicorn_mode/UNICORNAFL_VERSION
+++ b/unicorn_mode/UNICORNAFL_VERSION
@@ -1 +1 @@
-f1c853648a74b0157d233a2ef9f1693cfee78c11
+d06e3d5113dd96799a765a6514f7f5c45f071ca3
diff --git a/unicorn_mode/samples/speedtest/rust/src/main.rs b/unicorn_mode/samples/speedtest/rust/src/main.rs
index 77356a67..89e10833 100644
--- a/unicorn_mode/samples/speedtest/rust/src/main.rs
+++ b/unicorn_mode/samples/speedtest/rust/src/main.rs
@@ -12,11 +12,11 @@ use std::{
use unicornafl::{
unicorn_const::{uc_error, Arch, Mode, Permission},
- RegisterX86::{self, *},
- Unicorn, UnicornHandle,
+ RegisterX86::*,
+ Unicorn,
};
-const BINARY: &str = &"../target";
+const BINARY: &str = "../target";
// Memory map for the code to be tested
// Arbitrary address where code to test will be loaded
@@ -47,7 +47,7 @@ fn read_file(filename: &str) -> Result, io::Error> {
fn parse_locs(loc_name: &str) -> Result, io::Error> {
let contents = &read_file(&format!("../target.offsets.{}", loc_name))?;
//println!("Read: {:?}", contents);
- Ok(str_from_u8_unchecked(&contents)
+ Ok(str_from_u8_unchecked(contents)
.split('\n')
.map(|x| {
//println!("Trying to convert {}", &x[2..]);
@@ -87,8 +87,7 @@ fn main() {
}
fn fuzz(input_file: &str) -> Result<(), uc_error> {
- let mut unicorn = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?;
- let mut uc: UnicornHandle<'_, _> = unicorn.borrow();
+ let mut uc = Unicorn::new(Arch::X86, Mode::MODE_64, 0)?;
let binary =
read_file(BINARY).unwrap_or_else(|_| panic!("Could not read modem image: {}", BINARY));
@@ -133,7 +132,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
let already_allocated_malloc = already_allocated.clone();
// We use a very simple malloc/free stub here,
// that only works for exactly one allocation at a time.
- let hook_malloc = move |mut uc: UnicornHandle<'_, _>, addr: u64, size: u32| {
+ let hook_malloc = move |uc: &mut Unicorn<'_, _>, addr: u64, size: u32| {
if already_allocated_malloc.get() {
println!("Double malloc, not supported right now!");
abort();
@@ -154,7 +153,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
let already_allocated_free = already_allocated;
// No real free, just set the "used"-flag to false.
- let hook_free = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_free = move |uc: &mut Unicorn<'_, _>, addr, size| {
if already_allocated_free.get() {
println!("Double free detected. Real bug?");
abort();
@@ -177,7 +176,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
*/
// This is a fancy print function that we're just going to skip for fuzzing.
- let hook_magicfn = move |mut uc: UnicornHandle<'_, _>, addr, size| {
+ let hook_magicfn = move |uc: &mut Unicorn<'_, _>, addr, size| {
uc.reg_write(RIP, addr + size as u64).unwrap();
};
@@ -195,7 +194,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
}
let place_input_callback =
- |uc: &mut UnicornHandle<'_, _>, afl_input: &mut [u8], _persistent_round| {
+ |uc: &mut Unicorn<'_, _>, afl_input: &mut [u8], _persistent_round| {
// apply constraints to the mutated input
if afl_input.len() > INPUT_MAX as usize {
//println!("Skipping testcase with leng {}", afl_input.len());
@@ -209,9 +208,7 @@ fn fuzz(input_file: &str) -> Result<(), uc_error> {
// return true if the last run should be counted as crash
let crash_validation_callback =
- |_uc: &mut UnicornHandle<'_, _>, result, _input: &[u8], _persistent_round| {
- result != uc_error::OK
- };
+ |_uc: &mut Unicorn<'_, _>, result, _input: &[u8], _persistent_round| result != uc_error::OK;
let end_addrs = parse_locs("main_ends").unwrap();
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index c0e03d2c..d06e3d51 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit c0e03d2c6b55a22025324f121746b41b1e756fb8
+Subproject commit d06e3d5113dd96799a765a6514f7f5c45f071ca3
--
cgit 1.4.1
From 3deca3b09b46130c9e23320c0b98f60543f9b5ba Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 15 Oct 2021 11:25:02 +0200
Subject: fix lto cmplog stability issue
---
custom_mutators/grammar_mutator/grammar_mutator | 2 +-
docs/Changelog.md | 1 +
qemu_mode/qemuafl | 2 +-
src/afl-fuzz-run.c | 30 +++++++++++++++++++++++--
unicorn_mode/unicornafl | 2 +-
5 files changed, 32 insertions(+), 5 deletions(-)
(limited to 'docs')
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
index eedf07dd..b79d51a8 160000
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
@@ -1 +1 @@
-Subproject commit eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d63
+Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26
diff --git a/docs/Changelog.md b/docs/Changelog.md
index ea58a386..df4d343a 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -16,6 +16,7 @@ sending a mail to .
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
+ - fix stability issue with LTO and cmplog
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- Prevent accidently killing non-afl/fuzz services when aborting
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index a6758d1c..71ed0d20 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5
+Subproject commit 71ed0d206fd3d877420dceb4993a1011a4637ae6
diff --git a/src/afl-fuzz-run.c b/src/afl-fuzz-run.c
index 4173f4e1..da6ba7d9 100644
--- a/src/afl-fuzz-run.c
+++ b/src/afl-fuzz-run.c
@@ -291,8 +291,6 @@ static void write_with_gap(afl_state_t *afl, u8 *mem, u32 len, u32 skip_at,
u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 handicap, u8 from_queue) {
- if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
-
u8 fault = 0, new_bits = 0, var_detected = 0, hnb = 0,
first_run = (q->exec_cksum == 0);
u64 start_us, stop_us, diff_us;
@@ -300,6 +298,8 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
u32 use_tmout = afl->fsrv.exec_tmout;
u8 *old_sn = afl->stage_name;
+ if (unlikely(afl->shm.cmplog_mode)) { q->exec_cksum = 0; }
+
/* Be a bit more generous about timeouts when resuming sessions, or when
trying to calibrate already-added finds. This helps avoid trouble due
to intermittent latency. */
@@ -343,6 +343,32 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
}
+ /* we need a dummy run if this is LTO + cmplog */
+ if (unlikely(afl->shm.cmplog_mode)) {
+
+ write_to_testcase(afl, use_mem, q->len);
+
+ fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);
+
+ /* afl->stop_soon is set by the handler for Ctrl+C. When it's pressed,
+ we want to bail out quickly. */
+
+ if (afl->stop_soon || fault != afl->crash_mode) { goto abort_calibration; }
+
+ if (!afl->non_instrumented_mode && !afl->stage_cur &&
+ !count_bytes(afl, afl->fsrv.trace_bits)) {
+
+ fault = FSRV_RUN_NOINST;
+ goto abort_calibration;
+
+ }
+
+#ifdef INTROSPECTION
+ if (unlikely(!q->bitsmap_size)) q->bitsmap_size = afl->bitsmap_size;
+#endif
+
+ }
+
if (q->exec_cksum) {
memcpy(afl->first_trace, afl->fsrv.trace_bits, afl->fsrv.map_size);
diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl
index d4915053..f1c85364 160000
--- a/unicorn_mode/unicornafl
+++ b/unicorn_mode/unicornafl
@@ -1 +1 @@
-Subproject commit d4915053d477dd827b3fe4b494173d3fbf9f456e
+Subproject commit f1c853648a74b0157d233a2ef9f1693cfee78c11
--
cgit 1.4.1
From 34f1074ba308e850feb08c51aad781f7d307a260 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 16 Oct 2021 18:44:29 +0200
Subject: changelog
---
docs/Changelog.md | 1 +
1 file changed, 1 insertion(+)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index df4d343a..d8dac557 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -17,6 +17,7 @@ sending a mail to .
coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
- fix stability issue with LTO and cmplog
+ - frida_mode: David Carlier added Android support :)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
- Prevent accidently killing non-afl/fuzz services when aborting
--
cgit 1.4.1
From 7cd98f565ffdf3e0c0ccd34c04ed2f3126ab4189 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Oct 2021 12:16:58 +0200
Subject: lto and llvm14-dev
---
docs/Changelog.md | 2 +-
instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 --
instrumentation/afl-llvm-lto-instrumentation.so.cc | 4 ++++
instrumentation/afl-llvm-lto-instrumentlist.so.cc | 5 +++++
4 files changed, 10 insertions(+), 3 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d8dac557..6db013cf 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -24,7 +24,7 @@ sending a mail to .
afl-showmap and other tools.
- afl-cc:
- fix for shared linking on MacOS
- - llvm and LTO mode verified to work with new llvm 14-dev
+ - llvm and LTO mode modified to work with new llvm 14-dev (again)
- added the very good grammar mutator "GramaTron" to the
custom_mutators
- added optimin, a faster and better corpus minimizer by
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index 48ad2d02..013492f9 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -881,8 +881,6 @@ void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls(
Function &F, ArrayRef IndirCalls) {
if (IndirCalls.empty()) return;
- assert(Options.TracePC || Options.TracePCGuard ||
- Options.Inline8bitCounters /*|| Options.InlineBoolFlag*/);
for (auto I : IndirCalls) {
IRBuilder<> IRB(I);
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index 73e41f60..4eb8424f 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -244,7 +244,11 @@ bool AFLLTOPass::runOnModule(Module &M) {
// the instrument file list check
AttributeList Attrs = F.getAttributes();
+#if LLVM_VERSION_MAJOR < 14
if (Attrs.hasAttribute(-1, StringRef("skipinstrument"))) {
+#else
+ if (Attrs.hasFnAttr(StringRef("skipinstrument"))) {
+#endif
if (debug)
fprintf(stderr,
diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
index 416dbb88..0ec0e427 100644
--- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
@@ -116,10 +116,15 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) {
auto & Ctx = F.getContext();
AttributeList Attrs = F.getAttributes();
+#if LLVM_VERSION_MAJOR < 14
AttrBuilder NewAttrs;
NewAttrs.addAttribute("skipinstrument");
F.setAttributes(
Attrs.addAttributes(Ctx, AttributeList::FunctionIndex, NewAttrs));
+#else
+ AttributeList NewAttrs = Attrs.addFnAttribute(Ctx, "skipinstrument");
+ F.setAttributes(NewAttrs);
+#endif
}
--
cgit 1.4.1
From 45d668a671316821c3f9793381cb54956b535491 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 18 Oct 2021 13:17:07 +0200
Subject: better ui banner
---
docs/Changelog.md | 1 +
include/afl-fuzz.h | 1 -
src/afl-fuzz-init.c | 37 -------------------------------------
src/afl-fuzz-stats.c | 49 +++++++++++++++++++++++++++++--------------------
src/afl-fuzz.c | 17 +++++++++++++----
5 files changed, 43 insertions(+), 62 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 6db013cf..63896622 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -17,6 +17,7 @@ sending a mail to .
coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
- fix stability issue with LTO and cmplog
+ - better banner
- frida_mode: David Carlier added Android support :)
- afl-showmap, afl-tmin and afl-analyze now honor persistent mode
for more speed. thanks to dloffre-snl for reporting!
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index 4b19e698..eaf55fb8 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -1130,7 +1130,6 @@ void get_core_count(afl_state_t *);
void fix_up_sync(afl_state_t *);
void check_asan_opts(afl_state_t *);
void check_binary(afl_state_t *, u8 *);
-void fix_up_banner(afl_state_t *, u8 *);
void check_if_tty(afl_state_t *);
void setup_signal_handlers(void);
void save_cmdline(afl_state_t *, u32, char **);
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 9bb25785..9c45f08a 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -2815,43 +2815,6 @@ void check_binary(afl_state_t *afl, u8 *fname) {
}
-/* Trim and possibly create a banner for the run. */
-
-void fix_up_banner(afl_state_t *afl, u8 *name) {
-
- if (!afl->use_banner) {
-
- if (afl->sync_id) {
-
- afl->use_banner = afl->sync_id;
-
- } else {
-
- u8 *trim = strrchr(name, '/');
- if (!trim) {
-
- afl->use_banner = name;
-
- } else {
-
- afl->use_banner = trim + 1;
-
- }
-
- }
-
- }
-
- if (strlen(afl->use_banner) > 32) {
-
- u8 *tmp = ck_alloc(36);
- sprintf(tmp, "%.32s...", afl->use_banner);
- afl->use_banner = tmp;
-
- }
-
-}
-
/* Check if we're on TTY. */
void check_if_tty(afl_state_t *afl) {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 870ba69a..0c06232b 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -441,9 +441,10 @@ void show_stats(afl_state_t *afl) {
u64 cur_ms;
u32 t_bytes, t_bits;
- u32 banner_len, banner_pad;
- u8 tmp[256];
- u8 time_tmp[64];
+ static u8 banner[128];
+ u32 banner_len, banner_pad;
+ u8 tmp[256];
+ u8 time_tmp[64];
u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX];
#define IB(i) (val_buf[(i)])
@@ -656,26 +657,34 @@ void show_stats(afl_state_t *afl) {
}
/* Let's start by drawing a centered banner. */
+ if (unlikely(!banner[0])) {
- banner_len = (afl->crash_mode ? 24 : 22) + strlen(VERSION) +
- strlen(afl->use_banner) + strlen(afl->power_name) + 3 + 5;
- banner_pad = (79 - banner_len) / 2;
- memset(tmp, ' ', banner_pad);
+ char *si = "";
+ if (afl->sync_id) { si = afl->sync_id; }
+ memset(banner, 0, sizeof(banner));
+ banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) +
+ strlen(afl->power_name) + 4 + 6;
-#ifdef HAVE_AFFINITY
- sprintf(
- tmp + banner_pad,
- "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]" cBLU " {%d}",
- afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop",
- afl->use_banner, afl->power_name, afl->cpu_aff);
-#else
- sprintf(
- tmp + banner_pad, "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]",
- afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop",
- afl->use_banner, afl->power_name);
-#endif /* HAVE_AFFINITY */
+ if (strlen(afl->use_banner) + banner_len > 75) {
+
+ afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76;
+ memset(afl->use_banner, '.', 3);
+
+ }
+
+ banner_len += strlen(afl->use_banner);
+ banner_pad = (79 - banner_len) / 2;
+ memset(banner, ' ', banner_pad);
+
+ sprintf(banner + banner_pad,
+ "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]",
+ afl->crash_mode ? cPIN "peruvian were-rabbit"
+ : cYEL "american fuzzy lop",
+ si, afl->use_banner, afl->power_name);
+
+ }
- SAYF("\n%s\n", tmp);
+ SAYF("\n%s\n", banner);
/* "Handy" shortcuts for drawing boxes... */
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 92a37697..26886a4f 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -1189,7 +1189,17 @@ int main(int argc, char **argv_orig, char **envp) {
}
- if (afl->sync_id) { fix_up_sync(afl); }
+ if (afl->sync_id) {
+
+ if (strlen(afl->sync_id) > 24) {
+
+ FATAL("sync_id max length is 24 characters");
+
+ }
+
+ fix_up_sync(afl);
+
+ }
if (!strcmp(afl->in_dir, afl->out_dir)) {
@@ -1218,6 +1228,8 @@ int main(int argc, char **argv_orig, char **envp) {
if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); }
+ if (!afl->use_banner) { afl->use_banner = argv[optind]; }
+
if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) {
WARNF(cLRD
@@ -1486,9 +1498,6 @@ int main(int argc, char **argv_orig, char **envp) {
}
save_cmdline(afl, argc, argv);
-
- fix_up_banner(afl, argv[optind]);
-
check_if_tty(afl);
if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; }
--
cgit 1.4.1
From 47a333af4d7c64209570e7459b1bd5259c207dc9 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 19 Oct 2021 15:42:26 +0200
Subject: add ninja to apt install readme
---
docs/INSTALL.md | 1 +
1 file changed, 1 insertion(+)
(limited to 'docs')
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index b60a7048..960de1af 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -22,6 +22,7 @@ sudo apt-get install -y build-essential python3-dev automake git flex bison libg
# try to install llvm 11 and install the distro default if that fails
sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
+sudo apt-get install -y ninja-build # for qemu_mode
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
--
cgit 1.4.1
From 4e3fec2666c3d317db275f4af8875b56009621e1 Mon Sep 17 00:00:00 2001
From: Stefan Nagy
Date: Wed, 20 Oct 2021 17:09:18 -0400
Subject: Update binaryonly_fuzzing.md with zafl
---
docs/binaryonly_fuzzing.md | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
(limited to 'docs')
diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md
index 90ea3b66..903afb70 100644
--- a/docs/binaryonly_fuzzing.md
+++ b/docs/binaryonly_fuzzing.md
@@ -95,13 +95,28 @@
utils/afl_untracer/, use afl-untracer.c as a template.
It is slower than AFL FRIDA (see above).
+## ZAFL
+ ZAFL is a static rewriting platform for fast, space-efficient, and inlined
+ binary fuzzing instrumentation. It currently supports x86-64 C and C++,
+ stripped and unstripped, and PIE and non-PIE binaries of all sizes and complexity.
+
+ Beyond conventional instrumentation, ZAFL's API enables transformation passes
+ for more effective/efficient fuzzing. Some built-in transformations include
+ laf-Intel-style constraint unrolling, Angora-style context sensitivity, and
+ InsTrim-style CFG optimizations.
+
+ ZAFL's baseline instrumentation speed averages about 90-95% that of afl-clang-fast's
+ conventional LLVM instrumentation (but is even faster when enabling CFG optimizations).
+
+ [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl)
+
## DYNINST
Dyninst is a binary instrumentation framework similar to Pintool and
Dynamorio (see far below). However whereas Pintool and Dynamorio work at
runtime, dyninst instruments the target at load time, and then let it run -
- or save the binary with the changes.
+ or save the binary with the changes.
This is great for some things, e.g. fuzzing, and not so effective for others,
e.g. malware analysis.
@@ -116,13 +131,10 @@
The speed decrease is about 15-35%, depending on the optimization options
used with afl-dyninst.
- So if Dyninst works, it is the best option available. Otherwise it just
- doesn't work well.
-
[https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst)
-## RETROWRITE, ZAFL, ... other binary rewriter
+## RETROWRITE
If you have an x86/x86_64 binary that still has its symbols, is compiled
with position independant code (PIC/PIE) and does not use most of the C++
@@ -131,7 +143,6 @@
It is at about 80-85% performance.
- [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl)
[https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite)
--
cgit 1.4.1
From e637ca216e4559960feec6b7f887571efde4f0ba Mon Sep 17 00:00:00 2001
From: Stefan Nagy
Date: Thu, 21 Oct 2021 04:52:38 -0400
Subject: Tidy-up zafl info
---
docs/binaryonly_fuzzing.md | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
(limited to 'docs')
diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md
index 903afb70..de360543 100644
--- a/docs/binaryonly_fuzzing.md
+++ b/docs/binaryonly_fuzzing.md
@@ -95,18 +95,13 @@
utils/afl_untracer/, use afl-untracer.c as a template.
It is slower than AFL FRIDA (see above).
+
## ZAFL
- ZAFL is a static rewriting platform for fast, space-efficient, and inlined
- binary fuzzing instrumentation. It currently supports x86-64 C and C++,
- stripped and unstripped, and PIE and non-PIE binaries of all sizes and complexity.
-
- Beyond conventional instrumentation, ZAFL's API enables transformation passes
- for more effective/efficient fuzzing. Some built-in transformations include
- laf-Intel-style constraint unrolling, Angora-style context sensitivity, and
- InsTrim-style CFG optimizations.
-
- ZAFL's baseline instrumentation speed averages about 90-95% that of afl-clang-fast's
- conventional LLVM instrumentation (but is even faster when enabling CFG optimizations).
+ ZAFL is a static rewriting platform supporting x86-64 C/C++, stripped/unstripped,
+ and PIE/non-PIE binaries. Beyond conventional instrumentation, ZAFL's API enables
+ transformation passes (e.g., laf-Intel, context sensitivity, InsTrim, etc.).
+
+ Its baseline instrumentation speed typically averages 90-95% of afl-clang-fast's.
[https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl)
--
cgit 1.4.1
From e03897a0703673aa0de7772185a5b5230641cb6a Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 23 Oct 2021 20:54:24 +0200
Subject: fix timeout bug in afl tools
---
docs/Changelog.md | 6 ++++--
src/afl-analyze.c | 12 ++++++++++++
src/afl-fuzz-init.c | 4 ++--
src/afl-showmap.c | 13 +++++++++++++
src/afl-tmin.c | 12 ++++++++++++
5 files changed, 43 insertions(+), 4 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 63896622..04b2fb2e 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -19,8 +19,10 @@ sending a mail to .
- fix stability issue with LTO and cmplog
- better banner
- frida_mode: David Carlier added Android support :)
- - afl-showmap, afl-tmin and afl-analyze now honor persistent mode
- for more speed. thanks to dloffre-snl for reporting!
+ - afl-showmap, afl-tmin and afl-analyze:
+ - honor persistent mode for more speed. thanks to dloffre-snl for
+ reporting!
+ - fix bug where targets are not killed on timeouts
- Prevent accidently killing non-afl/fuzz services when aborting
afl-showmap and other tools.
- afl-cc:
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 8295488d..09b01541 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -120,6 +120,17 @@ static u8 count_class_lookup[256] = {
#undef TIMES8
#undef TIMES4
+static void kill_child() {
+
+ if (fsrv.child_pid > 0) {
+
+ kill(fsrv.child_pid, fsrv.kill_signal);
+ fsrv.child_pid = -1;
+
+ }
+
+}
+
static void classify_counts(u8 *mem) {
u32 i = map_size;
@@ -1053,6 +1064,7 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv.target_path = find_binary(argv[optind]);
fsrv.trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, fsrv.out_file, &use_stdin);
+ signal(SIGALRM, kill_child);
if (qemu_mode) {
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index f0e1a80d..1170715f 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -1325,8 +1325,8 @@ void pivot_inputs(afl_state_t *afl) {
}
- nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", afl->out_dir, id,
- afl->fsrv.total_execs, use_name);
+ nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s",
+ afl->out_dir, id, afl->fsrv.total_execs, use_name);
#else
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 5df07bf2..3a244c04 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -146,6 +146,17 @@ static const u8 count_class_binary[256] = {
#undef TIMES8
#undef TIMES4
+static void kill_child() {
+
+ if (fsrv->child_pid > 0) {
+
+ kill(fsrv->child_pid, fsrv->kill_signal);
+ fsrv->child_pid = -1;
+
+ }
+
+}
+
static void classify_counts(afl_forkserver_t *fsrv) {
u8 * mem = fsrv->trace_bits;
@@ -526,6 +537,8 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
}
+ signal(SIGALRM, kill_child);
+
setitimer(ITIMER_REAL, &it, NULL);
if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); }
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 4f3a6b80..ce2a0b8f 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -120,6 +120,17 @@ static const u8 count_class_lookup[256] = {
#undef TIMES8
#undef TIMES4
+static void kill_child() {
+
+ if (fsrv->child_pid > 0) {
+
+ kill(fsrv->child_pid, fsrv->kill_signal);
+ fsrv->child_pid = -1;
+
+ }
+
+}
+
static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv,
sharedmem_t * shm_fuzz) {
@@ -1125,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->target_path = find_binary(argv[optind]);
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, out_file, &fsrv->use_stdin);
+ signal(SIGALRM, kill_child);
if (fsrv->qemu_mode) {
--
cgit 1.4.1
From b1aecf4ff0d2f82168619d40d59fcf959e7eb0f6 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sat, 30 Oct 2021 21:38:13 +0200
Subject: Edit list of environment variables
---
docs/env_variables.md | 771 ++++++++++++++++++++++++--------------------------
1 file changed, 369 insertions(+), 402 deletions(-)
(limited to 'docs')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 5f5c2510..bd66ce38 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -1,83 +1,63 @@
-# Environmental variables
+# Environment variables
- This document discusses the environment variables used by American Fuzzy Lop++
- to expose various exotic functions that may be (rarely) useful for power
- users or for some types of custom fuzzing setups. See [../README.md](../README.md) for the general
- instruction manual.
+ This document discusses the environment variables used by AFL++ to expose various exotic functions that may be (rarely) useful for power users or for some types of custom fuzzing setups.
+ For general information about AFL++, see [README.md](../README.md).
- Note that most tools will warn on any unknown AFL environment variables.
- This is for warning on typos that can happen. If you want to disable this
- check then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable.
+ Note: Most tools will warn on any unknown AFL++ environment variables; for example, because of typos. If you want to disable this check, then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable.
## 1) Settings for all compilers
-Starting with AFL++ 3.0 there is only one compiler: afl-cc
-To select the different instrumentation modes this can be done by
- 1. passing the --afl-MODE command line option to the compiler
- 2. or using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
- afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
- afl-gcc-fast, afl-g++-fast
- 3. or using the environment variable `AFL_CC_COMPILER` with `MODE`
-
-`MODE` can be one of `LTO` (afl-clang-lto*), `LLVM` (afl-clang-fast*), `GCC_PLUGIN`
-(afl-g*-fast) or `GCC` (afl-gcc/afl-g++).
-
-Because (with the exception of the --afl-MODE command line option) the
-compile-time tools do not accept AFL specific command-line options, they
-make fairly broad use of environmental variables instead:
-
- - Some build/configure scripts break with AFL++ compilers. To be able to
- pass them, do:
-```
- export CC=afl-cc
- export CXX=afl-c++
- export AFL_NOOPT=1
- ./configure --disable-shared --disabler-werror
- unset AFL_NOOPT
- make
-```
+Starting with AFL++ 3.0, there is only one compiler: afl-cc.
- - Most AFL tools do not print any output if stdout/stderr are redirected.
- If you want to get the output into a file then set the `AFL_DEBUG`
- environment variable.
- This is sadly necessary for various build processes which fail otherwise.
+To select the different instrumentation modes, use one of the following options:
- - Setting `AFL_HARDEN` automatically adds code hardening options when invoking
- the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and
- `-fstack-protector-all`. The setting is useful for catching non-crashing
- memory bugs at the expense of a very slight (sub-5%) performance loss.
+ - Pass the --afl-MODE command-line option to the compiler. Only this option accepts further AFL-specific command-line options.
+ - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific command-line options. Instead, use environment variables.
+ - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select `MODE`, use one of the following values:
- - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this
- will cause problems in programs built with -Werror, simply because `-O3`
- enables more thorough code analysis and can spew out additional warnings.
- To disable optimizations, set `AFL_DONT_OPTIMIZE`.
- However if `-O...` and/or `-fno-unroll-loops` are set, these are not
- overridden.
+ - `GCC` (afl-gcc/afl-g++)
+ - `GCC_PLUGIN` (afl-g*-fast)
+ - `LLVM` (afl-clang-fast*)
+ - `LTO` (afl-clang-lto*).
- - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your
- compiler supports it.
+The compile-time tools do not accept AFL-specific command-line options. The --afl-MODE command line option is the only exception. The other options make fairly broad use of environment variables instead:
- (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the
- same gotchas; the modes are mutually exclusive. UBSAN can be enabled
- similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally
- there is the Control Flow Integrity sanitizer that can be activated by
- `AFL_USE_CFISAN=1`)
+ - Some build/configure scripts break with AFL++ compilers.
+ To be able to pass them, do:
- - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided
- that your compiler supports it. To perform a leak check within your
- program at a certain point (such as at the end of an __AFL_LOOP),
- you can run the macro __AFL_LEAK_CHECK(); which will cause
- an abort if any memory is leaked (you can combine this with the
- LSAN_OPTIONS=suppressions option to supress some known leaks).
+ ```
+ export CC=afl-cc
+ export CXX=afl-c++
+ export AFL_NOOPT=1
+ ./configure --disable-shared --disabler-werror
+ unset AFL_NOOPT
+ make
+ ```
+
+ - If you are a weird person that wants to compile and instrument asm
+ text files, then use the `AFL_AS_FORCE_INSTRUMENT` variable:
+ `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
- Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream
compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries
in your `$PATH`.
- - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as.
- One possible use of this is utils/clang_asm_normalize/, which lets
- you instrument hand-written assembly when compiling clang code by plugging
- a normalizer into the chain. (There is no equivalent feature for GCC.)
+ - Most AFL tools do not print any output if stdout/stderr are redirected.
+ If you want to get the output into a file, then set the `AFL_DEBUG`
+ environment variable.
+ This is sadly necessary for various build processes which fail otherwise.
+
+ - By default, the wrapper appends `-O3` to optimize builds. Very rarely, this
+ will cause problems in programs built with -Werror, simply because `-O3`
+ enables more thorough code analysis and can spew out additional warnings.
+ To disable optimizations, set `AFL_DONT_OPTIMIZE`.
+ However, if `-O...` and/or `-fno-unroll-loops` are set, these are not
+ overridden.
+
+ - Setting `AFL_HARDEN` automatically adds code hardening options when invoking
+ the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and
+ `-fstack-protector-all`. The setting is useful for catching non-crashing
+ memory bugs at the expense of a very slight (sub-5%) performance loss.
- Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the
probability of instrumenting every branch. This is (very rarely) useful
@@ -97,20 +77,37 @@ make fairly broad use of environmental variables instead:
- `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with
libtokencap.so (but perhaps running a bit slower than without the flag).
- - `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
- the tool defaults to /tmp.
-
- - If you are a weird person that wants to compile and instrument asm
- text files then use the `AFL_AS_FORCE_INSTRUMENT` variable:
- `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
+ - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as.
+ One possible use of this is utils/clang_asm_normalize/, which lets
+ you instrument hand-written assembly when compiling clang code by plugging
+ a normalizer into the chain.
+ (There is no equivalent feature for GCC.)
- Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being
displayed during compilation, in case you find them distracting.
+ - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your
+ compiler supports it.
+
+ (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the
+ same gotchas; the modes are mutually exclusive. UBSAN can be enabled
+ similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally,
+ there is the Control Flow Integrity sanitizer that can be activated by
+ `AFL_USE_CFISAN=1`.)
+
+ - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided
+ that your compiler supports it. To perform a leak check within your
+ program at a certain point (such as at the end of an __AFL_LOOP),
+ you can run the macro __AFL_LEAK_CHECK(); which will cause
+ an abort if any memory is leaked (you can combine this with the
+ LSAN_OPTIONS=suppressions option to supress some known leaks).
+
+ - `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
+ the tool defaults to /tmp.
+
## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++
-The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset
-of the settings discussed in section 1, with the exception of:
+The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset of the settings discussed in section 1, with the exception of:
- LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will
write all constant string comparisons to this file to be used later with
@@ -121,204 +118,219 @@ of the settings discussed in section 1, with the exception of:
- `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
created.
- - `AFL_INST_RATIO`, as we by default use collision free instrumentation.
+ - `AFL_INST_RATIO`, as we use collision free instrumentation by default.
Not all passes support this option though as it is an outdated feature.
Then there are a few specific features that are only available in instrumentation mode:
### Select the instrumentation mode
- - `AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode.
- Available options:
- PCGUARD - our own pcgard based instrumentation (default)
- NATIVE - clang's original pcguard based instrumentation
- CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
- LTO - LTO instrumentation (see below)
- CTX - context sensitive instrumentation (see below)
- NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16)
- GCC - outdated gcc instrumentation
- CLANG - outdated clang instrumentation
- In CLASSIC you can also specify CTX and/or NGRAM, seperate the options
- with a comma "," then, e.g.:
- `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
- Note that this is actually not a good idea to use both CTX and NGRAM :)
-
-### LTO
-
- This is a different kind way of instrumentation: first it compiles all
- code in LTO (link time optimization) and then performs an edge inserting
- instrumentation which is 100% collision free (collisions are a big issue
- in AFL and AFL-like instrumentations). This is performed by using
- afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only
- built if LLVM 11 or newer is used.
-
- - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation.
- (not recommended for afl-clang-fast, default for afl-clang-lto as there
- it is a different and better kind of instrumentation.)
-
- None of the following options are necessary to be used and are rather for
- manual use (which only ever the author of this LTO implementation will use).
- These are used if several separated instrumentations are performed which
- are then later combined.
-
- - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
- to which function. This helps to identify functions with variable bytes
- or which functions were touched by an input.
- - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than
- the default `0x10000`. A value of 0 or empty sets the map address to be
- dynamic (the original AFL way, which is slower)
- - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic
- - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation.
- This defaults to 1
- - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
- into the instrumentation is set in a global variable
-
- See [instrumentation/README.lto.md](../instrumentation/README.lto.md) for more information.
-
-### NGRAM
-
- - Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}`
- activates ngram prev_loc coverage, good values are 2, 4 or 8
- (any value between 2 and 16 is valid).
- It is highly recommended to increase the `MAP_SIZE_POW2` definition in
- config.h to at least 18 and maybe up to 20 for this as otherwise too
- many map collisions occur.
-
- See [instrumentation/README.ngram.md](../instrumentation/README.ngram.md)
-
-### CTX
-
- - Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX`
- activates context sensitive branch coverage - meaning that each edge
- is additionally combined with its caller.
- It is highly recommended to increase the `MAP_SIZE_POW2` definition in
- config.h to at least 18 and maybe up to 20 for this as otherwise too
- many map collisions occur.
-
- See [instrumentation/README.ctx.md](../instrumentation/README.ctx.md)
+`AFL_LLVM_INSTRUMENT` - this configures the instrumentation mode.
+
+Available options:
+
+ - CLANG - outdated clang instrumentation
+ - CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
+
+ You can also specify CTX and/or NGRAM, seperate the options with a comma "," then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
+
+ Note: It is actually not a good idea to use both CTX and NGRAM. :)
+ - CTX - context sensitive instrumentation (see below)
+ - GCC - outdated gcc instrumentation
+ - LTO - LTO instrumentation (see below)
+ - NATIVE - clang's original pcguard based instrumentation
+ - NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16)
+ - PCGUARD - our own pcgard based instrumentation (default)
+
+#### CTX
+
+Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive branch coverage - meaning that each edge is additionally combined with its caller.
+It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur.
+
+For more information, see [instrumentation/README.ctx.md](../instrumentation/README.ctx.md).
+
+#### LTO
+
+This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue in AFL and AFL-like instrumentations).
+This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used.
+
+ - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation.
+ (not recommended for afl-clang-fast, default for afl-clang-lto as there
+ it is a different and better kind of instrumentation.)
+
+None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use).
+These are used if several separated instrumentations are performed which are then later combined.
+
+ - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
+ to which function. This helps to identify functions with variable bytes
+ or which functions were touched by an input.
+ - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than
+ the default `0x10000`. A value of 0 or empty sets the map address to be
+ dynamic (the original AFL way, which is slower)
+ - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic
+ - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation.
+ This defaults to 1
+ - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
+ into the instrumentation is set in a global variable
+
+ For more information, see [instrumentation/README.lto.md](../instrumentation/README.lto.md).
+
+#### NGRAM
+
+Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 is valid).
+It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur.
+
+For more information, see [instrumentation/README.ngram.md](../instrumentation/README.ngram.md).
### LAF-INTEL
- This great feature will split compares into series of single byte comparisons
- to allow afl-fuzz to find otherwise rather impossible paths. It is not
- restricted to Intel CPUs ;-)
+This great feature will split compares into series of single byte comparisons to allow afl-fuzz to find otherwise rather impossible paths.
+It is not restricted to Intel CPUs. ;-)
- - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions
+ - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions
- - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
+ - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
- - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and
- 64, 32 and 16 bit integer CMP instructions
+ - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and
+ 64, 32 and 16 bit integer CMP instructions
- - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
- AFL_LLVM_LAF_SPLIT_COMPARES to be set
+ - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
+ AFL_LLVM_LAF_SPLIT_COMPARES to be set
- - Setting `AFL_LLVM_LAF_ALL` sets all of the above
+ - Setting `AFL_LLVM_LAF_ALL` sets all of the above
- See [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) for more information.
+For more information, see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
### INSTRUMENT LIST (selectively instrument files and functions)
- This feature allows selective instrumentation of the source
+This feature allows selective instrumentation of the source.
- - Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or
- function will only instrument (or skip) those files that match the names
- listed in the specified file.
+Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or function will only instrument (or skip) those files that match the names listed in the specified file.
- See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information.
+For more information, see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
### Thread safe instrumentation counters (in all modes)
- - Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread
- safe counters. The overhead is a little bit higher compared to the older
- non-thread safe case. Note that this disables neverzero (see below).
+Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread
+safe counters. The overhead is a little bit higher compared to the older
+non-thread safe case. Note that this disables neverzero (see below).
### NOT_ZERO
- - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters
- that skip zero on overflow. This is the default for llvm >= 9,
- however for llvm versions below that this will increase an unnecessary
- slowdown due a performance issue that is only fixed in llvm 9+.
- This feature increases path discovery by a little bit.
+ - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters
+ that skip zero on overflow. This is the default for llvm >= 9,
+ however, for llvm versions below that this will increase an unnecessary
+ slowdown due a performance issue that is only fixed in llvm 9+.
+ This feature increases path discovery by a little bit.
- - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero
- test. If the target performs only few loops then this will give a
- small performance boost.
+ - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero
+ test. If the target performs only few loops, then this will give a
+ small performance boost.
- See [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md)
+For more information, see [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md).
### CMPLOG
- - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
- produce a CmpLog binary.
+ - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
+ produce a CmpLog binary.
- See [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
+For more information, see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
## 3) Settings for GCC / GCC_PLUGIN modes
Then there are a few specific features that are only available in GCC and
GCC_PLUGIN mode.
+ - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those
+ files that match the names listed in this file (one filename per line).
+ See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information.
+ (GCC_PLUGIN mode only)
+
- Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented
assembly files. Useful for troubleshooting problems or understanding how
the tool works. (GCC mode only)
To get them in a predictable place, try something like:
-```
+
+ ```
mkdir assembly_here
TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all
-```
- - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those
- files that match the names listed in this file (one filename per line).
- See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information.
- (GCC_PLUGIN mode only)
+ ```
## 4) Settings for afl-fuzz
The main fuzzer binary accepts several options that disable a couple of sanity
checks or alter some of the more exotic semantics of the tool:
- - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is
- useful if you can't change the defaults (e.g., no root access to the
- system) and are OK with some performance loss.
+ - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`)
+ for an existing out folder, even if a different `-i` was provided.
+ Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
- - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths
- have been fuzzed and there were no new finds for a while. This would be
- normally indicated by the cycle counter in the UI turning green. May be
- convenient for some types of automated jobs.
+ - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after
+ processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to
+ exit soon after the first crash is found.
- - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were
- found within a specified period of time (in seconds). May be convenient
- for some types of automated jobs.
+ - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
+ newly found testcases and not for testcases that are loaded on startup
+ (`-i in`).
+ This is an important feature to set when resuming a fuzzing session.
- - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour
- which does not allow crashes or timeout seeds in the initial -i corpus.
+ - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash.
+ For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting
+ in an `-1` return code (i.e. `exit(-1)` got called), will be treated
+ as if a crash had ocurred.
+ This may be beneficial if you look for higher-level faulty conditions in which your target still exits gracefully.
- - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap,
- afl-tmin and afl-analyze create to gather instrumentation data from
- the target. This must be equal or larger than the size the target was
- compiled with.
+ - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
+ afl_custom_fuzz() creates additional mutations through this library.
+ If afl-fuzz is compiled with Python (which is autodetected during building
+ afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide
+ additional mutations.
+ If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be
+ performed with the custom mutator.
+ This feature allows to configure custom mutators which can be very helpful,
+ e.g. fuzzing XML or other highly flexible structured input.
+ Please see [custom_mutators.md](custom_mutators.md).
- - `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
- newly found testcases and not for testcases that are loaded on startup
- (`-i in`). This is an important feature to set when resuming a fuzzing
- session.
+ - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime
+ a cycle is finished.
- - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE`
- in config.h. Recommended values are 50-250MB - or more if your fuzzing
- finds a huge amount of paths for large inputs.
+ - Setting `AFL_DEBUG_CHILD` will not suppress the child output.
+ This lets you see all output of the child, making setup issues obvious.
+ For example, in an unicornafl harness, you might see python stacktraces.
+ You may also see other logs that way, indicating why the forkserver won't start.
+ Not pretty but good for debugging purposes.
+ Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated.
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
usually a bad idea!
- - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core
- on Linux systems. This slows things down, but lets you run more instances
- of afl-fuzz than would be prudent (if you really want to).
+ - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour
+ which does not allow crashes or timeout seeds in the initial -i corpus.
- - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core
- on Linux systems, but will not terminate if that fails.
+ - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were
+ found within a specified period of time (in seconds). May be convenient
+ for some types of automated jobs.
- - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
- that is compiled into the target.
+ - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths
+ have been fuzzed and there were no new finds for a while. This would be
+ normally indicated by the cycle counter in the UI turning green. May be
+ convenient for some types of automated jobs.
+
+ - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that
+ includes costly mutations. afl-fuzz automatically enables this mode when
+ deemed useful otherwise.
+
+ - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less
+ precise), which can help when starting a session against a slow target.
+ `AFL_CAL_FAST` works too.
+
+ - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if
+ no valid terminal was detected (for virtual consoles).
+
+ - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout
+ to wait for the forkserver to spin up.
+ The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds.
+ Setting a different time here is useful if the target has a very slow startup time, for example when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts.
- Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for
deciding if a particular test case is a "hang". The default is 1 second
@@ -327,188 +339,137 @@ checks or alter some of the more exotic semantics of the tool:
don't want AFL++ to spend too much time classifying that stuff and just
rapidly put all timeouts in that bin.
- - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout
- to wait for the forkserver to spin up. The default is the `-t` value times
- `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the
- default would wait for `1000` milliseconds. Setting a different time here is useful
- if the target has a very slow startup time, for example when doing
- full-system fuzzing or emulation, but you don't want the actual runs
- to wait too long for timeouts.
-
- - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics.
- This can be useful to speed up the fuzzing of text-based file formats.
-
- - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature
- if the snapshot lkm is loaded
-
- - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested
- by some users for unorthodox parallelized fuzzing setups, but not
- advisable otherwise.
-
- - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in
- the normal output directory otherwise. You would use this to point to
- a ramdisk/tmpfs. This increases the speed by a small value but also
- reduces the stress on SSDs.
+ - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`.
+ Others need not apply, unless they also want to disable the
+ `/proc/sys/kernel/core_pattern` check.
- - When developing custom instrumentation on top of afl-fuzz, you can use
- `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries
- and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n`
- setting to instruct afl-fuzz to still follow the fork server protocol
- without expecting any instrumentation data in return.
- Note that this also turns off auto map size detection.
+ - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
+ (not at startup), it will terminate. If you do not want this, then you can
+ set `AFL_IGNORE_PROBLEMS`.
- When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the
fuzzer to import test cases from other instances before doing anything
- else. This makes the "own finds" counter in the UI more accurate.
+ else.
+ This makes the "own finds" counter in the UI more accurate.
Beyond counter aesthetics, not much else should change.
- - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
- instead (see below).
-
- `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout.
Unless you implement your own targets or instrumentation, you likely don't have to set it.
By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child.
- - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
- afl_custom_fuzz() creates additional mutations through this library.
- If afl-fuzz is compiled with Python (which is autodetected during building
- afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide
- additional mutations.
- If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be
- performed with the custom mutator.
- This feature allows to configure custom mutators which can be very helpful,
- e.g. fuzzing XML or other highly flexible structured input.
- Please see [custom_mutators.md](custom_mutators.md).
+ - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap,
+ afl-tmin and afl-analyze create to gather instrumentation data from
+ the target. This must be equal or larger than the size the target was
+ compiled with.
- - `AFL_FAST_CAL` keeps the calibration stage about 2.5x faster (albeit less
- precise), which can help when starting a session against a slow target.
- `AFL_CAL_FAST` works too.
+ - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off.
+ In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down fuzzing.
+ The default count is `200` elements.
+ So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly.
- - The CPU widget shown at the bottom of the screen is fairly simplistic and
- may complain of high load prematurely, especially on systems with low core
- counts. To avoid the alarming red color, you can set `AFL_NO_CPU_RED`.
+ - Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core
+ on Linux systems. This slows things down, but lets you run more instances
+ of afl-fuzz than would be prudent (if you really want to).
- - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will
- be searched for afl-qemu-trace and afl-frida-trace.so.
+ - `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics.
+ This can be useful to speed up the fuzzing of text-based file formats.
- - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` cause afl-fuzz to skip
- prepending `afl-qemu-trace` to your command line. Use this if you wish to use a
- custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments.
+ - Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
+ that is compiled into the target.
- - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime
- a cycle is finished.
+ - The CPU widget shown at the bottom of the screen is fairly simplistic and
+ may complain of high load prematurely, especially on systems with low core
+ counts.
+ To avoid the alarming red color for very high cpu usages, you can set `AFL_NO_CPU_RED`.
- - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that
- includes costly mutations. afl-fuzz automatically enables this mode when
- deemed useful otherwise.
+ - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for
+ coloring console output when configured with USE_COLOR and not ALWAYS_COLORED.
- - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary
- without disrupting the afl-fuzz process itself. This is useful, among other
- things, for bootstrapping libdislocator.so.
+ - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to
+ fork + execve() call for every tested input.
+ This is useful mostly when working with unruly libraries that create threads or do other crazy things when initializing (before the instrumentation has a chance to run).
- - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables
- for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `
- This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically
- allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that
- would disrupt work of 'fuzzer' AFL++).
+ Note that this setting inhibits some of the user-friendly diagnostics
+ normally done when starting up the forkserver and causes a pretty
+ significant performance drop.
+
+ - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature
+ if the snapshot lkm is loaded.
- Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints
- some basic stats. This behavior is also automatically triggered when the
- output from afl-fuzz is redirected to a file or to a pipe.
+ some basic stats.
+ This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe.
- - Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for
- coloring console output when configured with USE_COLOR and not ALWAYS_COLORED.
+ - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for afl-qemu-trace and afl-frida-trace.so.
- - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if
- no valid terminal was detected (for virtual consoles)
-
- - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md))
- some targets keep inherent state due which a detected crash testcase does
- not crash the target again when the testcase is given. To be able to still
- re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable
- with a value of how many previous fuzz cases to keep prio a crash.
- if set to e.g. 10, then the 9 previous inputs are written to
- out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008
- and RECORD:000000,cnt:000009 being the crash case.
+ - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given.
+ To be able to still re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash.
+ If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and RECORD:000000,cnt:000009 being the crash case.
NOTE: This option needs to be enabled in config.h first!
- - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session
- (not at startup), it will terminate. If you do not want this then you can
- set `AFL_IGNORE_PROBLEMS`.
-
- - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`.
- Others need not apply, unless they also want to disable the
- `/proc/sys/kernel/core_pattern` check.
-
- - Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after
- processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to
- exit soon after the first crash is found.
-
- - Setting `AFL_DEBUG_CHILD` will not suppress the child output.
- This lets you see all output of the child, making setup issues obvious.
- For example, in an unicornafl harness, you might see python stacktraces.
- You may also see other logs that way, indicating why the forkserver won't start.
- Not pretty but good for debugging purposes.
- Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated.
+ - Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
+ instead (see below).
- - Setting `AFL_NO_CPU_RED` will not display very high cpu usages in red color.
+ - Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary
+ without disrupting the afl-fuzz process itself.
+ This is useful, among other things, for bootstrapping libdislocator.so.
- - Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`)
- for an existing out folder, even if a different `-i` was provided.
- Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
+ - In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip
+ prepending `afl-qemu-trace` to your command line.
+ Use this if you wish to use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments.
- - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements
- in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will
- kick off. In probabilistic mode, not all dictionary entries will be used all
- of the time for fuzzing mutations to not slow down fuzzing.
- The default count is `200` elements. So for the 200 + 1st element, there is a
- 1 in 201 chance, that one of the dictionary entries will not be used directly.
+ - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup.
+ Requested by some users for unorthodox parallelized fuzzing setups, but not
+ advisable otherwise.
- - Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to
- fork + execve() call for every tested input. This is useful mostly when
- working with unruly libraries that create threads or do other crazy
- things when initializing (before the instrumentation has a chance to run).
+ - When developing custom instrumentation on top of afl-fuzz, you can use
+ `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries
+ and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n`
+ setting to instruct afl-fuzz to still follow the fork server protocol
+ without expecting any instrumentation data in return.
+ Note that this also turns off auto map size detection.
- Note that this setting inhibits some of the user-friendly diagnostics
- normally done when starting up the forkserver and causes a pretty
- significant performance drop.
+ - Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is
+ useful if you can't change the defaults (e.g., no root access to the
+ system) and are OK with some performance loss.
- Setting `AFL_STATSD` enables StatsD metrics collection.
- By default AFL++ will send these metrics over UDP to 127.0.0.1:8125.
+ By default, AFL++ will send these metrics over UDP to 127.0.0.1:8125.
The host and port are configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively.
- To enable tags (banner and afl_version) you should provide `AFL_STATSD_TAGS_FLAVOR` that matches
- your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`)
+ To enable tags (banner and afl_version), you should provide `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`).
- - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb`
- allows you to add tags to your fuzzing instances. This is especially useful when running
- multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`.
+ - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` allows you to add tags to your fuzzing instances.
+ This is especially useful when running multiple instances (`-M/-S` for example).
+ Applied tags are `banner` and `afl_version`.
`banner` corresponds to the name of the fuzzer provided through `-M/-S`.
- `afl_version` corresponds to the currently running AFL version (e.g `++3.0c`).
+ `afl_version` corresponds to the currently running AFL version (e.g. `++3.0c`).
Default (empty/non present) will add no tags to the metrics.
- See [rpc_statsd.md](rpc_statsd.md) for more information.
+ For more information, see [rpc_statsd.md](rpc_statsd.md).
- - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash.
- For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting
- in an `-1` return code (i.e. `exit(-1)` got called), will be treated
- as if a crash had ocurred.
- This may be beneficial if you look for higher-level faulty conditions in which your
- target still exits gracefully.
+ - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables
+ for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `.
+ This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that would disrupt work of 'fuzzer' AFL++).
+
+ - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE`
+ in config.h. Recommended values are 50-250MB - or more if your fuzzing
+ finds a huge amount of paths for large inputs.
+
+ - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in
+ the normal output directory otherwise.
+ You would use this to point to a ramdisk/tmpfs.
+ This increases the speed by a small value but also reduces the stress on SSDs.
+
+ - Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core
+ on Linux systems, but will not terminate if that fails.
- Outdated environment variables that are not supported anymore:
- `AFL_DEFER_FORKSRV`
- `AFL_PERSISTENT`
+ - `AFL_DEFER_FORKSRV`
+ - `AFL_PERSISTENT`
## 5) Settings for afl-qemu-trace
The QEMU wrapper used to instrument binary-only code supports several settings:
- - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some
- of the basic blocks, which can be useful when dealing with very complex
- binaries.
-
- - Setting `AFL_INST_LIBS` causes the translator to also instrument the code
- inside any dynamically linked libraries (notably including glibc).
-
- Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp
and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`.
@@ -518,74 +479,77 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
`AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more
accurate but may need a larger shared memory.
- - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all
- cmp and sub in x86 and x86_64.
- This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is
- not specified.
-
- - The underlying QEMU binary will recognize any standard "user space
- emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no
- reason to touch them.
-
- `AFL_DEBUG` will print the found entrypoint for the binary to stderr.
Use this if you are unsure if the entrypoint might be wrong - but
- use it directly, e.g. `afl-qemu-trace ./program`
+ use it directly, e.g. `afl-qemu-trace ./program`.
- `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the
binary (this can be very good for the performance!).
The entrypoint is specified as hex address, e.g. `0x4004110`
Note that the address must be the address of a basic block.
+ - Setting `AFL_INST_LIBS` causes the translator to also instrument the code
+ inside any dynamically linked libraries (notably including glibc).
+
+ - It is possible to set `AFL_INST_RATIO` to skip the instrumentation on some
+ of the basic blocks, which can be useful when dealing with very complex
+ binaries.
+
+ - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all
+ cmp and sub in x86 and x86_64.
+ This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is
+ not specified.
+
+ - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal
+ handlers of the target.
+
- When the target is i386/x86_64 you can specify the address of the function
that has to be the body of the persistent loop using
`AFL_QEMU_PERSISTENT_ADDR=start addr`.
+ - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general
+ purpose registers and restore them in each persistent cycle.
+
- Another modality to execute the persistent loop is to specify also the
`AFL_QEMU_PERSISTENT_RET=end addr` env variable.
With this variable assigned, instead of patching the return address, the
specified instruction is transformed to a jump towards `start addr`.
- - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general
- purpose registers and restore them in each persistent cycle.
-
- - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the
- stack pointer in which QEMU can find the return address when `start addr` is
- hit.
+ - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the stack pointer in which QEMU can find the return address when `start addr` is hit.
- With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically
linked binaries.
- - With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal
- handlers of the target.
+ - The underlying QEMU binary will recognize any standard "user space
+ emulation" variables (e.g., `QEMU_STACK_SIZE`), but there should be no
+ reason to touch them.
## 6) Settings for afl-cmin
The corpus minimization script offers very little customization:
- - Setting `AFL_PATH` offers a way to specify the location of afl-showmap
- and afl-qemu-trace (the latter only in `-Q` mode).
+ - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp.
+ This is a modest security risk on multi-user systems with rogue users, but should be safe on dedicated fuzzing boxes.
- `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for
- minimization and normally deleted at exit. The files can be found in the
- `/.traces/` directory.
+ minimization and normally deleted at exit.
+ The files can be found in the `/.traces/` directory.
- - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is
- a modest security risk on multi-user systems with rogue users, but should
- be safe on dedicated fuzzing boxes.
+ - Setting `AFL_PATH` offers a way to specify the location of afl-showmap
+ and afl-qemu-trace (the latter only in `-Q` mode).
- `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting.
## 7) Settings for afl-tmin
-Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
-searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
-temporary file can't be created in the current working directory.
+Virtually nothing to play with.
+Well, in QEMU mode (`-Q`), `AFL_PATH` will be searched for afl-qemu-trace.
+In addition to this, `TMPDIR` may be used if a temporary file can't be created in the current working directory.
-You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths
-to match when minimizing crashes. This will make minimization less useful, but
-may prevent the tool from "jumping" from one crashing condition to another in
-very buggy software. You probably want to combine it with the `-e` flag.
+You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths to match when minimizing crashes.
+This will make minimization less useful, but may prevent the tool from "jumping" from one crashing condition to another in very buggy software.
+You probably want to combine it with the `-e` flag.
## 8) Settings for afl-analyze
@@ -596,23 +560,23 @@ of decimal.
The library honors these environmental variables:
- - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the
- library, in megabytes. The default value is 1 GB. Once this is exceeded,
- allocations will return NULL.
+ - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to
+ `max_align_t` to be compliant with the C standard.
- `AFL_LD_HARD_FAIL` alters the behavior by calling `abort()` on excessive
allocations, thus causing what AFL++ would perceive as a crash. Useful for
programs that are supposed to maintain a specific memory footprint.
- - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages
- that may be useful for pinpointing the cause of any observed issues.
+ - `AFL_LD_LIMIT_MB` caps the size of the maximum heap usage permitted by the
+ library, in megabytes. The default value is 1 GB. Once this is exceeded,
+ allocations will return NULL.
- `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most
of the common allocators check for that internally and return NULL, so
it's a security risk only in more exotic setups.
- - `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to
- `max_align_t` to be compliant with the C standard.
+ - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages
+ that may be useful for pinpointing the cause of any observed issues.
## 10) Settings for libtokencap
@@ -630,34 +594,37 @@ optimal values if not already present in the environment:
certainly pointless.
- By default, `ASAN_OPTIONS` are set to (among others):
-```
+
+ ```
abort_on_error=1
detect_leaks=0
malloc_context_size=0
symbolize=0
allocator_may_return_null=1
-```
- If you want to set your own options, be sure to include `abort_on_error=1` -
+ ```
+
+ If you want to set your own options, be sure to include `abort_on_error=1` -
otherwise, the fuzzer will not be able to detect crashes in the tested
app. Similarly, include `symbolize=0`, since without it, AFL++ may have
difficulty telling crashes and hangs apart.
- - In the same vein, by default, `MSAN_OPTIONS` are set to:
-```
- exit_code=86 (required for legacy reasons)
- abort_on_error=1
- symbolize=0
- msan_track_origins=0
- allocator_may_return_null=1
-```
- Similarly, the default `LSAN_OPTIONS` are set to:
-```
+
+ ```
exit_code=23
fast_unwind_on_malloc=0
symbolize=0
print_suppressions=0
-```
- Be sure to include the first ones for LSAN and MSAN when customizing
- anything, since some MSAN and LSAN versions don't call `abort()` on
- error, and we need a way to detect faults.
+ ```
+
+ Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on error, and we need a way to detect faults.
+
+ - In the same vein, by default, `MSAN_OPTIONS` are set to:
+ ```
+ exit_code=86 (required for legacy reasons)
+ abort_on_error=1
+ symbolize=0
+ msan_track_origins=0
+ allocator_may_return_null=1
+ ```
\ No newline at end of file
--
cgit 1.4.1
From bb255fdd790dfa4027f511ae3a8eebbbfd6b42e8 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sat, 30 Oct 2021 21:42:21 +0200
Subject: Fix line breaks
---
docs/env_variables.md | 547 ++++++++++++++++++++++++++++----------------------
1 file changed, 302 insertions(+), 245 deletions(-)
(limited to 'docs')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index bd66ce38..6fb687e2 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -1,9 +1,13 @@
# Environment variables
- This document discusses the environment variables used by AFL++ to expose various exotic functions that may be (rarely) useful for power users or for some types of custom fuzzing setups.
- For general information about AFL++, see [README.md](../README.md).
+ This document discusses the environment variables used by AFL++ to expose
+ various exotic functions that may be (rarely) useful for power users or for
+ some types of custom fuzzing setups. For general information about AFL++, see
+ [README.md](../README.md).
- Note: Most tools will warn on any unknown AFL++ environment variables; for example, because of typos. If you want to disable this check, then set the `AFL_IGNORE_UNKNOWN_ENVS` environment variable.
+ Note: Most tools will warn on any unknown AFL++ environment variables; for
+ example, because of typos. If you want to disable this check, then set the
+ `AFL_IGNORE_UNKNOWN_ENVS` environment variable.
## 1) Settings for all compilers
@@ -11,19 +15,26 @@ Starting with AFL++ 3.0, there is only one compiler: afl-cc.
To select the different instrumentation modes, use one of the following options:
- - Pass the --afl-MODE command-line option to the compiler. Only this option accepts further AFL-specific command-line options.
- - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++, afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific command-line options. Instead, use environment variables.
- - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select `MODE`, use one of the following values:
+ - Pass the --afl-MODE command-line option to the compiler. Only this option
+ accepts further AFL-specific command-line options.
+ - Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast,
+ afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++,
+ afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific
+ command-line options. Instead, use environment variables.
+ - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select
+ `MODE`, use one of the following values:
- `GCC` (afl-gcc/afl-g++)
- `GCC_PLUGIN` (afl-g*-fast)
- `LLVM` (afl-clang-fast*)
- `LTO` (afl-clang-lto*).
-The compile-time tools do not accept AFL-specific command-line options. The --afl-MODE command line option is the only exception. The other options make fairly broad use of environment variables instead:
+The compile-time tools do not accept AFL-specific command-line options. The
+--afl-MODE command line option is the only exception. The other options make
+fairly broad use of environment variables instead:
- - Some build/configure scripts break with AFL++ compilers.
- To be able to pass them, do:
+ - Some build/configure scripts break with AFL++ compilers. To be able to pass
+ them, do:
```
export CC=afl-cc
@@ -34,25 +45,24 @@ The compile-time tools do not accept AFL-specific command-line options. The --af
make
```
- - If you are a weird person that wants to compile and instrument asm
- text files, then use the `AFL_AS_FORCE_INSTRUMENT` variable:
+ - If you are a weird person that wants to compile and instrument asm text
+ files, then use the `AFL_AS_FORCE_INSTRUMENT` variable:
`AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
- Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream
compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries
in your `$PATH`.
- - Most AFL tools do not print any output if stdout/stderr are redirected.
- If you want to get the output into a file, then set the `AFL_DEBUG`
- environment variable.
- This is sadly necessary for various build processes which fail otherwise.
+ - Most AFL tools do not print any output if stdout/stderr are redirected. If
+ you want to get the output into a file, then set the `AFL_DEBUG` environment
+ variable. This is sadly necessary for various build processes which fail
+ otherwise.
- By default, the wrapper appends `-O3` to optimize builds. Very rarely, this
will cause problems in programs built with -Werror, simply because `-O3`
- enables more thorough code analysis and can spew out additional warnings.
- To disable optimizations, set `AFL_DONT_OPTIMIZE`.
- However, if `-O...` and/or `-fno-unroll-loops` are set, these are not
- overridden.
+ enables more thorough code analysis and can spew out additional warnings. To
+ disable optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or
+ `-fno-unroll-loops` are set, these are not overridden.
- Setting `AFL_HARDEN` automatically adds code hardening options when invoking
the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and
@@ -60,9 +70,9 @@ The compile-time tools do not accept AFL-specific command-line options. The --af
memory bugs at the expense of a very slight (sub-5%) performance loss.
- Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the
- probability of instrumenting every branch. This is (very rarely) useful
- when dealing with exceptionally complex programs that saturate the output
- bitmap. Examples include v8, ffmpeg, and perl.
+ probability of instrumenting every branch. This is (very rarely) useful when
+ dealing with exceptionally complex programs that saturate the output bitmap.
+ Examples include v8, ffmpeg, and perl.
(If this ever happens, afl-fuzz will warn you ahead of the time by
displaying the "bitmap density" field in fiery red.)
@@ -70,18 +80,17 @@ The compile-time tools do not accept AFL-specific command-line options. The --af
Setting `AFL_INST_RATIO` to 0 is a valid choice. This will instrument only
the transitions between function entry points, but not individual branches.
- Note that this is an outdated variable. A few instances (e.g. afl-gcc)
- still support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD)
- do not need this.
+ Note that this is an outdated variable. A few instances (e.g. afl-gcc) still
+ support these, but state-of-the-art (e.g. LLVM LTO and LLVM PCGUARD) do not
+ need this.
- `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with
libtokencap.so (but perhaps running a bit slower than without the flag).
- `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as.
- One possible use of this is utils/clang_asm_normalize/, which lets
- you instrument hand-written assembly when compiling clang code by plugging
- a normalizer into the chain.
- (There is no equivalent feature for GCC.)
+ One possible use of this is utils/clang_asm_normalize/, which lets you
+ instrument hand-written assembly when compiling clang code by plugging a
+ normalizer into the chain. (There is no equivalent feature for GCC.)
- Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being
displayed during compilation, in case you find them distracting.
@@ -95,19 +104,20 @@ The compile-time tools do not accept AFL-specific command-line options. The --af
there is the Control Flow Integrity sanitizer that can be activated by
`AFL_USE_CFISAN=1`.)
- - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided
- that your compiler supports it. To perform a leak check within your
- program at a certain point (such as at the end of an __AFL_LOOP),
- you can run the macro __AFL_LEAK_CHECK(); which will cause
- an abort if any memory is leaked (you can combine this with the
- LSAN_OPTIONS=suppressions option to supress some known leaks).
+ - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided that
+ your compiler supports it. To perform a leak check within your program at a
+ certain point (such as at the end of an __AFL_LOOP), you can run the macro
+ __AFL_LEAK_CHECK(); which will cause an abort if any memory is leaked (you
+ can combine this with the LSAN_OPTIONS=suppressions option to supress some
+ known leaks).
- `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
the tool defaults to /tmp.
## 2) Settings for LLVM and LTO: afl-clang-fast / afl-clang-fast++ / afl-clang-lto / afl-clang-lto++
-The native instrumentation helpers (instrumentation and gcc_plugin) accept a subset of the settings discussed in section 1, with the exception of:
+The native instrumentation helpers (instrumentation and gcc_plugin) accept a
+subset of the settings discussed in section 1, with the exception of:
- LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will
write all constant string comparisons to this file to be used later with
@@ -118,10 +128,11 @@ The native instrumentation helpers (instrumentation and gcc_plugin) accept a sub
- `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
created.
- - `AFL_INST_RATIO`, as we use collision free instrumentation by default.
- Not all passes support this option though as it is an outdated feature.
+ - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not
+ all passes support this option though as it is an outdated feature.
-Then there are a few specific features that are only available in instrumentation mode:
+Then there are a few specific features that are only available in
+instrumentation mode:
### Select the instrumentation mode
@@ -132,7 +143,8 @@ Available options:
- CLANG - outdated clang instrumentation
- CLASSIC - classic AFL (map[cur_loc ^ prev_loc >> 1]++) (default)
- You can also specify CTX and/or NGRAM, seperate the options with a comma "," then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
+ You can also specify CTX and/or NGRAM, seperate the options with a comma ","
+ then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
Note: It is actually not a good idea to use both CTX and NGRAM. :)
- CTX - context sensitive instrumentation (see below)
@@ -144,97 +156,119 @@ Available options:
#### CTX
-Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive branch coverage - meaning that each edge is additionally combined with its caller.
-It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur.
+Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive
+branch coverage - meaning that each edge is additionally combined with its
+caller. It is highly recommended to increase the `MAP_SIZE_POW2` definition in
+config.h to at least 18 and maybe up to 20 for this as otherwise too many map
+collisions occur.
-For more information, see [instrumentation/README.ctx.md](../instrumentation/README.ctx.md).
+For more information, see
+[instrumentation/README.ctx.md](../instrumentation/README.ctx.md).
#### LTO
-This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue in AFL and AFL-like instrumentations).
-This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used.
+This is a different kind way of instrumentation: first it compiles all code in
+LTO (link time optimization) and then performs an edge inserting instrumentation
+which is 100% collision free (collisions are a big issue in AFL and AFL-like
+instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++
+instead of afl-clang-fast, but is only built if LLVM 11 or newer is used.
- - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation.
- (not recommended for afl-clang-fast, default for afl-clang-lto as there
- it is a different and better kind of instrumentation.)
+ - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (not
+ recommended for afl-clang-fast, default for afl-clang-lto as there it is a
+ different and better kind of instrumentation.)
-None of the following options are necessary to be used and are rather for manual use (which only ever the author of this LTO implementation will use).
-These are used if several separated instrumentations are performed which are then later combined.
+None of the following options are necessary to be used and are rather for manual
+use (which only ever the author of this LTO implementation will use). These are
+used if several separated instrumentations are performed which are then later
+combined.
- `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
- to which function. This helps to identify functions with variable bytes
- or which functions were touched by an input.
+ to which function. This helps to identify functions with variable bytes or
+ which functions were touched by an input.
- `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than
the default `0x10000`. A value of 0 or empty sets the map address to be
dynamic (the original AFL way, which is slower)
- `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic
- - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation.
- This defaults to 1
+ - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the
+ instrumentation. This defaults to 1
- `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
into the instrumentation is set in a global variable
- For more information, see [instrumentation/README.lto.md](../instrumentation/README.lto.md).
+ For more information, see
+ [instrumentation/README.lto.md](../instrumentation/README.lto.md).
#### NGRAM
-Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16 is valid).
-It is highly recommended to increase the `MAP_SIZE_POW2` definition in config.h to at least 18 and maybe up to 20 for this as otherwise too many map collisions occur.
+Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates
+ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16
+is valid). It is highly recommended to increase the `MAP_SIZE_POW2` definition
+in config.h to at least 18 and maybe up to 20 for this as otherwise too many map
+collisions occur.
-For more information, see [instrumentation/README.ngram.md](../instrumentation/README.ngram.md).
+For more information, see
+[instrumentation/README.ngram.md](../instrumentation/README.ngram.md).
### LAF-INTEL
-This great feature will split compares into series of single byte comparisons to allow afl-fuzz to find otherwise rather impossible paths.
-It is not restricted to Intel CPUs. ;-)
+This great feature will split compares into series of single byte comparisons to
+allow afl-fuzz to find otherwise rather impossible paths. It is not restricted
+to Intel CPUs. ;-)
- - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare functions
+ - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare
+ functions
- Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
- - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and
- 64, 32 and 16 bit integer CMP instructions
+ - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64,
+ 32 and 16 bit integer CMP instructions
- Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
AFL_LLVM_LAF_SPLIT_COMPARES to be set
- Setting `AFL_LLVM_LAF_ALL` sets all of the above
-For more information, see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
+For more information, see
+[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
### INSTRUMENT LIST (selectively instrument files and functions)
This feature allows selective instrumentation of the source.
-Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or function will only instrument (or skip) those files that match the names listed in the specified file.
+Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or
+function will only instrument (or skip) those files that match the names listed
+in the specified file.
-For more information, see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
+For more information, see
+[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
### Thread safe instrumentation counters (in all modes)
-Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread
-safe counters. The overhead is a little bit higher compared to the older
-non-thread safe case. Note that this disables neverzero (see below).
+Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe
+counters. The overhead is a little bit higher compared to the older non-thread
+safe case. Note that this disables neverzero (see below).
### NOT_ZERO
- - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters
- that skip zero on overflow. This is the default for llvm >= 9,
- however, for llvm versions below that this will increase an unnecessary
- slowdown due a performance issue that is only fixed in llvm 9+.
- This feature increases path discovery by a little bit.
+ - Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip
+ zero on overflow. This is the default for llvm >= 9, however, for llvm
+ versions below that this will increase an unnecessary slowdown due a
+ performance issue that is only fixed in llvm 9+. This feature increases path
+ discovery by a little bit.
- - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero
- test. If the target performs only few loops, then this will give a
- small performance boost.
+ - Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test.
+ If the target performs only few loops, then this will give a small
+ performance boost.
-For more information, see [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md).
+For more information, see
+[instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md).
### CMPLOG
- Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
produce a CmpLog binary.
-For more information, see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
+For more information, see
+[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
## 3) Settings for GCC / GCC_PLUGIN modes
@@ -242,14 +276,14 @@ Then there are a few specific features that are only available in GCC and
GCC_PLUGIN mode.
- Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those
- files that match the names listed in this file (one filename per line).
- See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) for more information.
- (GCC_PLUGIN mode only)
+ files that match the names listed in this file (one filename per line). See
+ [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
+ for more information. (GCC_PLUGIN mode only)
- Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented
- assembly files. Useful for troubleshooting problems or understanding how
- the tool works. (GCC mode only)
- To get them in a predictable place, try something like:
+ assembly files. Useful for troubleshooting problems or understanding how the
+ tool works. (GCC mode only) To get them in a predictable place, try
+ something like:
```
mkdir assembly_here
@@ -262,54 +296,52 @@ The main fuzzer binary accepts several options that disable a couple of sanity
checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_AUTORESUME` will resume a fuzz run (same as providing `-i -`)
- for an existing out folder, even if a different `-i` was provided.
- Without this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
+ for an existing out folder, even if a different `-i` was provided. Without
+ this setting, afl-fuzz will refuse execution for a long-fuzzed out dir.
- Benchmarking only: `AFL_BENCH_JUST_ONE` causes the fuzzer to exit after
processing the first queue entry; and `AFL_BENCH_UNTIL_CRASH` causes it to
exit soon after the first crash is found.
- `AFL_CMPLOG_ONLY_NEW` will only perform the expensive cmplog feature for
- newly found testcases and not for testcases that are loaded on startup
- (`-i in`).
- This is an important feature to set when resuming a fuzzing session.
+ newly found testcases and not for testcases that are loaded on startup (`-i
+ in`). This is an important feature to set when resuming a fuzzing session.
- - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash.
- For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting
- in an `-1` return code (i.e. `exit(-1)` got called), will be treated
- as if a crash had ocurred.
- This may be beneficial if you look for higher-level faulty conditions in which your target still exits gracefully.
+ - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For
+ example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an
+ `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash
+ had ocurred. This may be beneficial if you look for higher-level faulty
+ conditions in which your target still exits gracefully.
- Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
- afl_custom_fuzz() creates additional mutations through this library.
- If afl-fuzz is compiled with Python (which is autodetected during building
+ afl_custom_fuzz() creates additional mutations through this library. If
+ afl-fuzz is compiled with Python (which is autodetected during building
afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide
- additional mutations.
- If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be
- performed with the custom mutator.
- This feature allows to configure custom mutators which can be very helpful,
- e.g. fuzzing XML or other highly flexible structured input.
- Please see [custom_mutators.md](custom_mutators.md).
+ additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all
+ mutations will solely be performed with the custom mutator. This feature
+ allows to configure custom mutators which can be very helpful, e.g. fuzzing
+ XML or other highly flexible structured input. Please see
+ [custom_mutators.md](custom_mutators.md).
- Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime
a cycle is finished.
- - Setting `AFL_DEBUG_CHILD` will not suppress the child output.
- This lets you see all output of the child, making setup issues obvious.
- For example, in an unicornafl harness, you might see python stacktraces.
- You may also see other logs that way, indicating why the forkserver won't start.
- Not pretty but good for debugging purposes.
- Note that `AFL_DEBUG_CHILD_OUTPUT` is deprecated.
+ - Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you
+ see all output of the child, making setup issues obvious. For example, in an
+ unicornafl harness, you might see python stacktraces. You may also see other
+ logs that way, indicating why the forkserver won't start. Not pretty but
+ good for debugging purposes. Note that `AFL_DEBUG_CHILD_OUTPUT` is
+ deprecated.
- Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
usually a bad idea!
- - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour
- which does not allow crashes or timeout seeds in the initial -i corpus.
+ - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which
+ does not allow crashes or timeout seeds in the initial -i corpus.
- - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were
- found within a specified period of time (in seconds). May be convenient
- for some types of automated jobs.
+ - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were found
+ within a specified period of time (in seconds). May be convenient for some
+ types of automated jobs.
- `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths
have been fuzzed and there were no new finds for a while. This would be
@@ -324,20 +356,23 @@ checks or alter some of the more exotic semantics of the tool:
precise), which can help when starting a session against a slow target.
`AFL_CAL_FAST` works too.
- - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if
- no valid terminal was detected (for virtual consoles).
+ - Setting `AFL_FORCE_UI` will force painting the UI on the screen even if no
+ valid terminal was detected (for virtual consoles).
- Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout
- to wait for the forkserver to spin up.
- The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds.
- Setting a different time here is useful if the target has a very slow startup time, for example when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts.
+ to wait for the forkserver to spin up. The default is the `-t` value times
+ `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the
+ default would wait for `1000` milliseconds. Setting a different time here is
+ useful if the target has a very slow startup time, for example when doing
+ full-system fuzzing or emulation, but you don't want the actual runs to wait
+ too long for timeouts.
- Setting `AFL_HANG_TMOUT` allows you to specify a different timeout for
- deciding if a particular test case is a "hang". The default is 1 second
- or the value of the `-t` parameter, whichever is larger. Dialing the value
- down can be useful if you are very concerned about slow inputs, or if you
- don't want AFL++ to spend too much time classifying that stuff and just
- rapidly put all timeouts in that bin.
+ deciding if a particular test case is a "hang". The default is 1 second or
+ the value of the `-t` parameter, whichever is larger. Dialing the value down
+ can be useful if you are very concerned about slow inputs, or if you don't
+ want AFL++ to spend too much time classifying that stuff and just rapidly
+ put all timeouts in that bin.
- If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`.
Others need not apply, unless they also want to disable the
@@ -348,28 +383,31 @@ checks or alter some of the more exotic semantics of the tool:
set `AFL_IGNORE_PROBLEMS`.
- When running in the `-M` or `-S` mode, setting `AFL_IMPORT_FIRST` causes the
- fuzzer to import test cases from other instances before doing anything
- else.
- This makes the "own finds" counter in the UI more accurate.
- Beyond counter aesthetics, not much else should change.
+ fuzzer to import test cases from other instances before doing anything else.
+ This makes the "own finds" counter in the UI more accurate. Beyond counter
+ aesthetics, not much else should change.
- - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on timeout.
- Unless you implement your own targets or instrumentation, you likely don't have to set it.
- By default, on timeout and on exit, `SIGKILL` (`AFL_KILL_SIGNAL=9`) will be delivered to the child.
+ - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on
+ timeout. Unless you implement your own targets or instrumentation, you
+ likely don't have to set it. By default, on timeout and on exit, `SIGKILL`
+ (`AFL_KILL_SIGNAL=9`) will be delivered to the child.
- `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap,
- afl-tmin and afl-analyze create to gather instrumentation data from
- the target. This must be equal or larger than the size the target was
- compiled with.
-
- - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will kick off.
- In probabilistic mode, not all dictionary entries will be used all of the time for fuzzing mutations to not slow down fuzzing.
- The default count is `200` elements.
- So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly.
+ afl-tmin and afl-analyze create to gather instrumentation data from the
+ target. This must be equal or larger than the size the target was compiled
+ with.
+
+ - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of
+ elements in the `-x` dictionary and LTO autodict (combined) the
+ probabilistic mode will kick off. In probabilistic mode, not all dictionary
+ entries will be used all of the time for fuzzing mutations to not slow down
+ fuzzing. The default count is `200` elements. So for the 200 + 1st element,
+ there is a 1 in 201 chance, that one of the dictionary entries will not be
+ used directly.
- Setting `AFL_NO_AFFINITY` disables attempts to bind to a specific CPU core
- on Linux systems. This slows things down, but lets you run more instances
- of afl-fuzz than would be prudent (if you really want to).
+ on Linux systems. This slows things down, but lets you run more instances of
+ afl-fuzz than would be prudent (if you really want to).
- `AFL_NO_ARITH` causes AFL++ to skip most of the deterministic arithmetics.
This can be useful to speed up the fuzzing of text-based file formats.
@@ -379,85 +417,100 @@ checks or alter some of the more exotic semantics of the tool:
- The CPU widget shown at the bottom of the screen is fairly simplistic and
may complain of high load prematurely, especially on systems with low core
- counts.
- To avoid the alarming red color for very high cpu usages, you can set `AFL_NO_CPU_RED`.
+ counts. To avoid the alarming red color for very high cpu usages, you can
+ set `AFL_NO_CPU_RED`.
- Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for
- coloring console output when configured with USE_COLOR and not ALWAYS_COLORED.
+ coloring console output when configured with USE_COLOR and not
+ ALWAYS_COLORED.
- Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to
- fork + execve() call for every tested input.
- This is useful mostly when working with unruly libraries that create threads or do other crazy things when initializing (before the instrumentation has a chance to run).
+ fork + execve() call for every tested input. This is useful mostly when
+ working with unruly libraries that create threads or do other crazy things
+ when initializing (before the instrumentation has a chance to run).
Note that this setting inhibits some of the user-friendly diagnostics
normally done when starting up the forkserver and causes a pretty
significant performance drop.
- - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature
- if the snapshot lkm is loaded.
+ - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if
+ the snapshot lkm is loaded.
- Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints
- some basic stats.
- This behavior is also automatically triggered when the output from afl-fuzz is redirected to a file or to a pipe.
-
- - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for afl-qemu-trace and afl-frida-trace.so.
-
- - If you are using persistent mode (you should, see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)), some targets keep inherent state due which a detected crash testcase does not crash the target again when the testcase is given.
- To be able to still re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable with a value of how many previous fuzz cases to keep prio a crash.
- If set to e.g. 10, then the 9 previous inputs are written to out/default/crashes as RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and RECORD:000000,cnt:000009 being the crash case.
- NOTE: This option needs to be enabled in config.h first!
+ some basic stats. This behavior is also automatically triggered when the
+ output from afl-fuzz is redirected to a file or to a pipe.
+
+ - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for
+ afl-qemu-trace and afl-frida-trace.so.
+
+ - If you are using persistent mode (you should, see
+ [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)),
+ some targets keep inherent state due which a detected crash testcase does
+ not crash the target again when the testcase is given. To be able to still
+ re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable
+ with a value of how many previous fuzz cases to keep prio a crash. If set to
+ e.g. 10, then the 9 previous inputs are written to out/default/crashes as
+ RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and
+ RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be
+ enabled in config.h first!
- Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
instead (see below).
- Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary
- without disrupting the afl-fuzz process itself.
- This is useful, among other things, for bootstrapping libdislocator.so.
+ without disrupting the afl-fuzz process itself. This is useful, among other
+ things, for bootstrapping libdislocator.so.
- In QEMU mode (-Q), setting `AFL_QEMU_CUSTOM_BIN` will cause afl-fuzz to skip
- prepending `afl-qemu-trace` to your command line.
- Use this if you wish to use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace arguments.
+ prepending `afl-qemu-trace` to your command line. Use this if you wish to
+ use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace
+ arguments.
- - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup.
- Requested by some users for unorthodox parallelized fuzzing setups, but not
- advisable otherwise.
+ - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested
+ by some users for unorthodox parallelized fuzzing setups, but not advisable
+ otherwise.
- When developing custom instrumentation on top of afl-fuzz, you can use
- `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries
- and shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n`
- setting to instruct afl-fuzz to still follow the fork server protocol
- without expecting any instrumentation data in return.
- Note that this also turns off auto map size detection.
+ `AFL_SKIP_BIN_CHECK` to inhibit the checks for non-instrumented binaries and
+ shell scripts; and `AFL_DUMB_FORKSRV` in conjunction with the `-n` setting
+ to instruct afl-fuzz to still follow the fork server protocol without
+ expecting any instrumentation data in return. Note that this also turns off
+ auto map size detection.
- Setting `AFL_SKIP_CPUFREQ` skips the check for CPU scaling policy. This is
- useful if you can't change the defaults (e.g., no root access to the
- system) and are OK with some performance loss.
-
- - Setting `AFL_STATSD` enables StatsD metrics collection.
- By default, AFL++ will send these metrics over UDP to 127.0.0.1:8125.
- The host and port are configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively.
- To enable tags (banner and afl_version), you should provide `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see `AFL_STATSD_TAGS_FLAVOR`).
-
- - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`, `signalfx` or `influxdb` allows you to add tags to your fuzzing instances.
- This is especially useful when running multiple instances (`-M/-S` for example).
- Applied tags are `banner` and `afl_version`.
- `banner` corresponds to the name of the fuzzer provided through `-M/-S`.
- `afl_version` corresponds to the currently running AFL version (e.g. `++3.0c`).
- Default (empty/non present) will add no tags to the metrics.
- For more information, see [rpc_statsd.md](rpc_statsd.md).
-
- - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables
- for the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `.
- This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some AFL_ vars that would disrupt work of 'fuzzer' AFL++).
-
- - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE`
- in config.h. Recommended values are 50-250MB - or more if your fuzzing
- finds a huge amount of paths for large inputs.
-
- - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in
- the normal output directory otherwise.
- You would use this to point to a ramdisk/tmpfs.
- This increases the speed by a small value but also reduces the stress on SSDs.
+ useful if you can't change the defaults (e.g., no root access to the system)
+ and are OK with some performance loss.
+
+ - Setting `AFL_STATSD` enables StatsD metrics collection. By default, AFL++
+ will send these metrics over UDP to 127.0.0.1:8125. The host and port are
+ configurable with `AFL_STATSD_HOST` and `AFL_STATSD_PORT` respectively. To
+ enable tags (banner and afl_version), you should provide
+ `AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see
+ `AFL_STATSD_TAGS_FLAVOR`).
+
+ - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`,
+ `signalfx` or `influxdb` allows you to add tags to your fuzzing instances.
+ This is especially useful when running multiple instances (`-M/-S` for
+ example). Applied tags are `banner` and `afl_version`. `banner` corresponds
+ to the name of the fuzzer provided through `-M/-S`. `afl_version`
+ corresponds to the currently running AFL version (e.g. `++3.0c`). Default
+ (empty/non present) will add no tags to the metrics. For more information,
+ see [rpc_statsd.md](rpc_statsd.md).
+
+ - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables for
+ the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz
+ ... `. This exists mostly for things like `LD_LIBRARY_PATH` but it would
+ theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some
+ AFL_ vars that would disrupt work of 'fuzzer' AFL++).
+
+ - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define
+ TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if
+ your fuzzing finds a huge amount of paths for large inputs.
+
+ - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in the
+ normal output directory otherwise. You would use this to point to a
+ ramdisk/tmpfs. This increases the speed by a small value but also reduces
+ the stress on SSDs.
- Setting `AFL_TRY_AFFINITY` tries to attempt binding to a specific CPU core
on Linux systems, but will not terminate if that fails.
@@ -472,21 +525,20 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
- Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp
and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
- memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`.
- More info at qemu_mode/libcompcov/README.md.
- There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments
- only comparisons with immediate values / read-only memory and
- `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more
- accurate but may need a larger shared memory.
-
- - `AFL_DEBUG` will print the found entrypoint for the binary to stderr.
- Use this if you are unsure if the entrypoint might be wrong - but
- use it directly, e.g. `afl-qemu-trace ./program`.
-
- - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the
- binary (this can be very good for the performance!).
- The entrypoint is specified as hex address, e.g. `0x4004110`
- Note that the address must be the address of a basic block.
+ memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at
+ qemu_mode/libcompcov/README.md. There are two levels at the moment,
+ `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate
+ values / read-only memory and `AFL_COMPCOV_LEVEL=2` that instruments all the
+ comparions. Level 2 is more accurate but may need a larger shared memory.
+
+ - `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use
+ this if you are unsure if the entrypoint might be wrong - but use it
+ directly, e.g. `afl-qemu-trace ./program`.
+
+ - `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary
+ (this can be very good for the performance!). The entrypoint is specified as
+ hex address, e.g. `0x4004110` Note that the address must be the address of a
+ basic block.
- Setting `AFL_INST_LIBS` causes the translator to also instrument the code
inside any dynamically linked libraries (notably including glibc).
@@ -495,10 +547,9 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
of the basic blocks, which can be useful when dealing with very complex
binaries.
- - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all
- cmp and sub in x86 and x86_64.
- This is an alias of `AFL_COMPCOV_LEVEL=1` when `AFL_COMPCOV_LEVEL` is
- not specified.
+ - Setting `AFL_QEMU_COMPCOV` enables the CompareCoverage tracing of all cmp
+ and sub in x86 and x86_64. This is an alias of `AFL_COMPCOV_LEVEL=1` when
+ `AFL_COMPCOV_LEVEL` is not specified.
- With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal
handlers of the target.
@@ -511,11 +562,13 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
purpose registers and restore them in each persistent cycle.
- Another modality to execute the persistent loop is to specify also the
- `AFL_QEMU_PERSISTENT_RET=end addr` env variable.
- With this variable assigned, instead of patching the return address, the
- specified instruction is transformed to a jump towards `start addr`.
+ `AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable
+ assigned, instead of patching the return address, the specified instruction
+ is transformed to a jump towards `start addr`.
- - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from the stack pointer in which QEMU can find the return address when `start addr` is hit.
+ - With `AFL_QEMU_PERSISTENT_RETADDR_OFFSET` you can specify the offset from
+ the stack pointer in which QEMU can find the return address when `start
+ addr` is hit.
- With `AFL_USE_QASAN` you can enable QEMU AddressSanitizer for dynamically
linked binaries.
@@ -528,28 +581,31 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
The corpus minimization script offers very little customization:
- - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp.
- This is a modest security risk on multi-user systems with rogue users, but should be safe on dedicated fuzzing boxes.
+ - `AFL_ALLOW_TMP` permits this and some other scripts to run in /tmp. This is
+ a modest security risk on multi-user systems with rogue users, but should be
+ safe on dedicated fuzzing boxes.
- `AFL_KEEP_TRACES` makes the tool keep traces and other metadata used for
- minimization and normally deleted at exit.
- The files can be found in the `/.traces/` directory.
+ minimization and normally deleted at exit. The files can be found in the
+ `/.traces/` directory.
- - Setting `AFL_PATH` offers a way to specify the location of afl-showmap
- and afl-qemu-trace (the latter only in `-Q` mode).
+ - Setting `AFL_PATH` offers a way to specify the location of afl-showmap and
+ afl-qemu-trace (the latter only in `-Q` mode).
- `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
- This can help when embedding `afl-cmin` or `afl-showmap` in other scripts scripting.
+ This can help when embedding `afl-cmin` or `afl-showmap` in other scripts
+ scripting.
## 7) Settings for afl-tmin
-Virtually nothing to play with.
-Well, in QEMU mode (`-Q`), `AFL_PATH` will be searched for afl-qemu-trace.
-In addition to this, `TMPDIR` may be used if a temporary file can't be created in the current working directory.
+Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
+searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
+temporary file can't be created in the current working directory.
-You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths to match when minimizing crashes.
-This will make minimization less useful, but may prevent the tool from "jumping" from one crashing condition to another in very buggy software.
-You probably want to combine it with the `-e` flag.
+You can specify `AFL_TMIN_EXACT` if you want afl-tmin to require execution paths
+to match when minimizing crashes. This will make minimization less useful, but
+may prevent the tool from "jumping" from one crashing condition to another in
+very buggy software. You probably want to combine it with the `-e` flag.
## 8) Settings for afl-analyze
@@ -571,12 +627,12 @@ The library honors these environmental variables:
library, in megabytes. The default value is 1 GB. Once this is exceeded,
allocations will return NULL.
- - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most
- of the common allocators check for that internally and return NULL, so
- it's a security risk only in more exotic setups.
+ - `AFL_LD_NO_CALLOC_OVER` inhibits `abort()` on `calloc()` overflows. Most of
+ the common allocators check for that internally and return NULL, so it's a
+ security risk only in more exotic setups.
- - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages
- that may be useful for pinpointing the cause of any observed issues.
+ - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that
+ may be useful for pinpointing the cause of any observed issues.
## 10) Settings for libtokencap
@@ -588,10 +644,9 @@ discovered tokens should be written.
Several variables are not directly interpreted by afl-fuzz, but are set to
optimal values if not already present in the environment:
- - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the
- linker to do all the work before the fork server kicks in. You can
- override this by setting `LD_BIND_LAZY` beforehand, but it is almost
- certainly pointless.
+ - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker
+ to do all the work before the fork server kicks in. You can override this by
+ setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless.
- By default, `ASAN_OPTIONS` are set to (among others):
@@ -604,8 +659,8 @@ optimal values if not already present in the environment:
```
If you want to set your own options, be sure to include `abort_on_error=1` -
- otherwise, the fuzzer will not be able to detect crashes in the tested
- app. Similarly, include `symbolize=0`, since without it, AFL++ may have
+ otherwise, the fuzzer will not be able to detect crashes in the tested app.
+ Similarly, include `symbolize=0`, since without it, AFL++ may have
difficulty telling crashes and hangs apart.
- Similarly, the default `LSAN_OPTIONS` are set to:
@@ -617,7 +672,9 @@ optimal values if not already present in the environment:
print_suppressions=0
```
- Be sure to include the first ones for LSAN and MSAN when customizing anything, since some MSAN and LSAN versions don't call `abort()` on error, and we need a way to detect faults.
+ Be sure to include the first ones for LSAN and MSAN when customizing
+ anything, since some MSAN and LSAN versions don't call `abort()` on error,
+ and we need a way to detect faults.
- In the same vein, by default, `MSAN_OPTIONS` are set to:
--
cgit 1.4.1
From 651133ea00ae803377f941b95a9d396bf92eb407 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Wed, 3 Nov 2021 21:11:11 +0100
Subject: Clean up references to power_schedules.md
---
docs/parallel_fuzzing.md | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'docs')
diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md
index e37276a5..d24f2837 100644
--- a/docs/parallel_fuzzing.md
+++ b/docs/parallel_fuzzing.md
@@ -27,9 +27,8 @@ will not be able to use that input to guide their work.
To help with this problem, afl-fuzz offers a simple way to synchronize test
cases on the fly.
-Note that AFL++ has AFLfast's power schedules implemented.
-It is therefore a good idea to use different power schedules if you run
-several instances in parallel. See [power_schedules.md](power_schedules.md)
+It is a good idea to use different power schedules if you run several instances
+in parallel (`-p` option).
Alternatively running other AFL spinoffs in parallel can be of value,
e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
@@ -39,7 +38,7 @@ e.g. Angora (https://github.com/AngoraFuzzer/Angora/)
If you wish to parallelize a single job across multiple cores on a local
system, simply create a new, empty output directory ("sync dir") that will be
shared by all the instances of afl-fuzz; and then come up with a naming scheme
-for every instance - say, "fuzzer01", "fuzzer02", etc.
+for every instance - say, "fuzzer01", "fuzzer02", etc.
Run the first one ("main node", -M) like this:
@@ -93,7 +92,7 @@ file name.
There is support for parallelizing the deterministic checks.
This is only needed where
-
+
1. many new paths are found fast over a long time and it looks unlikely that
main node will ever catch up, and
2. deterministic fuzzing is actively helping path discovery (you can see this
@@ -195,7 +194,7 @@ to keep in mind:
- You do not want a "main" instance of afl-fuzz on every system; you should
run them all with -S, and just designate a single process somewhere within
the fleet to run with -M.
-
+
- Syncing is only necessary for the main nodes on a system. It is possible
to run main-less with only secondaries. However then you need to find out
which secondary took over the temporary role to be the main node. Look for
--
cgit 1.4.1
From 6ce3d7fede6b32b522b6cc4403f7c0101cf4a4bc Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 4 Nov 2021 15:53:17 +0100
Subject: add AFL_USE_TSAN
---
TODO.md | 1 +
docs/Changelog.md | 2 +
docs/fuzzing_expert.md | 2 +
frida_mode/src/instrument/instrument.c | 4 +-
frida_mode/src/instrument/instrument_arm32.c | 2 +
frida_mode/src/instrument/instrument_arm64.c | 1 +
frida_mode/src/instrument/instrument_x64.c | 54 ++++++++++++++------------
frida_mode/src/instrument/instrument_x86.c | 1 +
frida_mode/src/main.c | 7 ++--
frida_mode/src/prefetch.c | 6 +--
frida_mode/src/seccomp/seccomp_callback.c | 32 ++++++++-------
frida_mode/src/seccomp/seccomp_filter.c | 6 +--
include/envs.h | 1 +
instrumentation/SanitizerCoverageLTO.so.cc | 3 +-
instrumentation/SanitizerCoveragePCGUARD.so.cc | 3 +-
instrumentation/afl-llvm-pass.so.cc | 3 +-
qemu_mode/libcompcov/libcompcov.so.c | 25 +++++++++---
src/afl-as.c | 1 +
src/afl-cc.c | 9 +++++
utils/aflpp_driver/aflpp_qemu_driver.c | 2 +-
20 files changed, 106 insertions(+), 59 deletions(-)
(limited to 'docs')
diff --git a/TODO.md b/TODO.md
index 1d4270b4..30676312 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,6 +2,7 @@
## TODO
+ - AFL_USE_TSAN to docs/env_variables.md after work over
- screen update during input2stage
- better autodetection of shifting runtime timeout values
- Update afl->pending_not_fuzzed for MOpt
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 04b2fb2e..cfeb8cc1 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -26,7 +26,9 @@ sending a mail to .
- Prevent accidently killing non-afl/fuzz services when aborting
afl-showmap and other tools.
- afl-cc:
+ - support llvm IR select instrumentation for default PCGUARD and LTO
- fix for shared linking on MacOS
+ - added AFL_USE_TSAN thread sanitizer support
- llvm and LTO mode modified to work with new llvm 14-dev (again)
- added the very good grammar mutator "GramaTron" to the
custom_mutators
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 96193f88..44ebade4 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -149,6 +149,8 @@ The following sanitizers have built-in support in AFL++:
vulnerabilities - which is however one of the most important and dangerous
C++ memory corruption classes!
Enabled with `export AFL_USE_CFISAN=1` before compiling.
+ * TSAN = Thread SANitizer, finds thread race conditions.
+ Enabled with `export AFL_USE_TSAN=1` before compiling.
* LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
a security issue, but for developers this can be very valuable.
Note that unlike the other sanitizers above this needs
diff --git a/frida_mode/src/instrument/instrument.c b/frida_mode/src/instrument/instrument.c
index 81d85aa1..eeebe545 100644
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@@ -347,8 +347,8 @@ void instrument_init(void) {
#else
tid = syscall(SYS_gettid);
#endif
- instrument_hash_seed = g_get_monotonic_time() ^
- (((guint64)getpid()) << 32) ^ tid;
+ instrument_hash_seed =
+ g_get_monotonic_time() ^ (((guint64)getpid()) << 32) ^ tid;
}
diff --git a/frida_mode/src/instrument/instrument_arm32.c b/frida_mode/src/instrument/instrument_arm32.c
index 4b0a648e..395d56c1 100644
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@@ -23,7 +23,9 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
void instrument_coverage_optimize_init(void) {
+
WARNF("Optimized coverage not supported on this architecture");
+
}
void instrument_flush(GumStalkerOutput *output) {
diff --git a/frida_mode/src/instrument/instrument_arm64.c b/frida_mode/src/instrument/instrument_arm64.c
index 80d1d845..358e8e6b 100644
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@@ -96,6 +96,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
void instrument_coverage_optimize_init(void) {
+
}
void instrument_flush(GumStalkerOutput *output) {
diff --git a/frida_mode/src/instrument/instrument_x64.c b/frida_mode/src/instrument/instrument_x64.c
index a7eb650a..19ec81b2 100644
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@@ -4,12 +4,12 @@
#include
#if defined(__linux__)
-#if !defined(__ANDROID__)
-#include
-#include
-#else
-#include
-#endif
+ #if !defined(__ANDROID__)
+ #include
+ #include
+ #else
+ #include
+ #endif
#endif
#include "frida-gumjs.h"
@@ -22,13 +22,13 @@
#if defined(__x86_64__)
-#ifndef MAP_FIXED_NOREPLACE
- #ifdef MAP_EXCL
- #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
- #else
- #define MAP_FIXED_NOREPLACE MAP_FIXED
+ #ifndef MAP_FIXED_NOREPLACE
+ #ifdef MAP_EXCL
+ #define MAP_FIXED_NOREPLACE MAP_EXCL | MAP_FIXED
+ #else
+ #define MAP_FIXED_NOREPLACE MAP_FIXED
+ #endif
#endif
-#endif
gboolean instrument_is_coverage_optimize_supported(void) {
@@ -53,15 +53,12 @@ typedef struct {
// 0x7ffff6cfb08b: pushf
// 0x7ffff6cfb08c: push rsi
// 0x7ffff6cfb08d: mov rsi,0x228
- // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi # 0x7ffff700e740
- // 0x7ffff6cfb09b: xor rsi,0x451
- // 0x7ffff6cfb0a2: add BYTE PTR [rsi+0x10000],0x1
- // 0x7ffff6cfb0a9: adc BYTE PTR [rsi+0x10000],0x0
- // 0x7ffff6cfb0b0: pop rsi
- // 0x7ffff6cfb0b1: popf
+ // 0x7ffff6cfb094: xchg QWORD PTR [rip+0x3136a5],rsi #
+ // 0x7ffff700e740 0x7ffff6cfb09b: xor rsi,0x451 0x7ffff6cfb0a2: add
+ // BYTE PTR [rsi+0x10000],0x1 0x7ffff6cfb0a9: adc BYTE PTR
+ // [rsi+0x10000],0x0 0x7ffff6cfb0b0: pop rsi 0x7ffff6cfb0b1: popf
// 0x7ffff6cfb0b2: lea rsp,[rsp+0x80]
-
uint8_t lea_rsp_rsp_sub_rz[5];
uint8_t push_fq;
uint8_t push_rsi;
@@ -160,16 +157,25 @@ static void instrument_coverage_optimize_map_mmap(char * shm_file_path,
__afl_area_ptr = NULL;
-#if !defined(__ANDROID__)
+ #if !defined(__ANDROID__)
shm_fd = shm_open(shm_file_path, O_RDWR, DEFAULT_PERMISSION);
if (shm_fd == -1) { FATAL("shm_open() failed\n"); }
-#else
+ #else
shm_fd = open("/dev/ashmem", O_RDWR);
if (shm_fd == -1) { FATAL("open() failed\n"); }
- if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) { FATAL("ioctl(ASHMEM_SET_NAME) failed"); }
- if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) { FATAL("ioctl(ASHMEM_SET_SIZE) failed"); }
+ if (ioctl(shm_fd, ASHMEM_SET_NAME, shm_file_path) == -1) {
-#endif
+ FATAL("ioctl(ASHMEM_SET_NAME) failed");
+
+ }
+
+ if (ioctl(shm_fd, ASHMEM_SET_SIZE, __afl_map_size) == -1) {
+
+ FATAL("ioctl(ASHMEM_SET_SIZE) failed");
+
+ }
+
+ #endif
__afl_area_ptr = mmap(address, __afl_map_size, PROT_READ | PROT_WRITE,
MAP_FIXED_NOREPLACE | MAP_SHARED, shm_fd, 0);
diff --git a/frida_mode/src/instrument/instrument_x86.c b/frida_mode/src/instrument/instrument_x86.c
index 1ff5c920..f90c01c2 100644
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@@ -84,6 +84,7 @@ void instrument_coverage_optimize(const cs_insn * instr,
}
void instrument_coverage_optimize_init(void) {
+
}
void instrument_flush(GumStalkerOutput *output) {
diff --git a/frida_mode/src/main.c b/frida_mode/src/main.c
index c8183d8f..3599143b 100644
--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@@ -126,15 +126,16 @@ static void afl_print_cmdline(void) {
g_free(fname);
g_free(buffer);
#elif defined(__APPLE__)
- int idx;
+ int idx;
char **argv = *_NSGetArgv();
- int nargv = *_NSGetArgc();
+ int nargv = *_NSGetArgc();
- for (idx = 0; idx < nargv; idx ++) {
+ for (idx = 0; idx < nargv; idx++) {
OKF("AFL - COMMANDLINE: argv[%d] = %s", idx, argv[idx]);
}
+
#endif
}
diff --git a/frida_mode/src/prefetch.c b/frida_mode/src/prefetch.c
index c30ca65c..1ddbd5ed 100644
--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@@ -44,8 +44,8 @@ static void gum_afl_stalker_backpatcher_notify(GumStalkerObserver *self,
sizeof(prefetch_data->backpatch_data) - prefetch_data->backpatch_size;
if (sizeof(gsize) + size > remaining) { return; }
- gsize *dst_backpatch_size = (gsize *)
- &prefetch_data->backpatch_data[prefetch_data->backpatch_size];
+ gsize *dst_backpatch_size =
+ (gsize *)&prefetch_data->backpatch_data[prefetch_data->backpatch_size];
*dst_backpatch_size = size;
prefetch_data->backpatch_size += sizeof(gsize);
@@ -117,7 +117,7 @@ static void prefetch_read_patches(void) {
remaining = prefetch_data->backpatch_size - offset) {
gsize *src_backpatch_data = (gsize *)&prefetch_data->backpatch_data[offset];
- gsize size = *src_backpatch_data;
+ gsize size = *src_backpatch_data;
offset += sizeof(gsize);
if (prefetch_data->backpatch_size - offset < size) {
diff --git a/frida_mode/src/seccomp/seccomp_callback.c b/frida_mode/src/seccomp/seccomp_callback.c
index 4232d842..ac0fb8bb 100644
--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@@ -1,8 +1,8 @@
#if defined(__linux__) && !defined(__ANDROID__)
-#if !defined(__MUSL__)
- #include
-#endif
+ #if !defined(__MUSL__)
+ #include
+ #endif
#include
#include "seccomp.h"
@@ -16,12 +16,13 @@ static void seccomp_callback_filter(struct seccomp_notif * req,
GumDebugSymbolDetails details = {0};
if (req->data.nr == SYS_OPENAT) {
-#if UINTPTR_MAX == 0xffffffffffffffffu
+ #if UINTPTR_MAX == 0xffffffffffffffffu
seccomp_print("SYS_OPENAT: (%s)\n", (char *)req->data.args[1]);
-#endif
-#if UINTPTR_MAX == 0xffffffff
+ #endif
+ #if UINTPTR_MAX == 0xffffffff
seccomp_print("SYS_OPENAT: (%s)\n", (char *)(__u32)req->data.args[1]);
-#endif
+ #endif
+
}
seccomp_print(
@@ -31,7 +32,7 @@ static void seccomp_callback_filter(struct seccomp_notif * req,
req->data.args[0], req->data.args[1], req->data.args[2],
req->data.args[3], req->data.args[4], req->data.args[5]);
-#if !defined(__MUSL__)
+ #if !defined(__MUSL__)
seccomp_print("FRAMES: (%u)\n", frames->len);
char **syms = backtrace_symbols(frames->items, frames->len);
if (syms == NULL) { FATAL("Failed to get symbols"); }
@@ -52,23 +53,24 @@ static void seccomp_callback_filter(struct seccomp_notif * req,
}
free(syms);
-#else
+ #else
void **syms = (void **)__builtin_frame_address(0);
- void *framep = __builtin_frame_address(1);
- int i = 0;
+ void * framep = __builtin_frame_address(1);
+ int i = 0;
syms = framep;
while (syms) {
-
- framep = *syms;
+
+ framep = *syms;
syms = framep;
if (!syms) break;
- seccomp_print("\%3d. %s\n", i ++, (char *)framep);
+ seccomp_print("\%3d. %s\n", i++, (char *)framep);
}
-#endif
+
+ #endif
resp->error = 0;
resp->val = 0;
diff --git a/frida_mode/src/seccomp/seccomp_filter.c b/frida_mode/src/seccomp/seccomp_filter.c
index 7ee5ead1..0dcc4cbb 100644
--- a/frida_mode/src/seccomp/seccomp_filter.c
+++ b/frida_mode/src/seccomp/seccomp_filter.c
@@ -2,9 +2,9 @@
#include
#include
-#if !defined(__MUSL__)
- #include
-#endif
+ #if !defined(__MUSL__)
+ #include
+ #endif
#include
#include
#include
diff --git a/include/envs.h b/include/envs.h
index 61267a0d..25d05539 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -203,6 +203,7 @@ static char *afl_environment_variables[] = {
"AFL_USE_MSAN",
"AFL_USE_TRACE_PC",
"AFL_USE_UBSAN",
+ "AFL_USE_TSAN",
"AFL_USE_CFISAN",
"AFL_USE_LSAN",
"AFL_WINE_PATH",
diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc
index ee8c317e..4e25221a 100644
--- a/instrumentation/SanitizerCoverageLTO.so.cc
+++ b/instrumentation/SanitizerCoverageLTO.so.cc
@@ -1142,10 +1142,11 @@ bool ModuleSanitizerCoverage::instrumentModule(
else {
char modeline[100];
- snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+ snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
getenv("AFL_USE_ASAN") ? ", ASAN" : "",
getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+ getenv("AFL_USE_TSAN") ? ", TSAN" : "",
getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
OKF("Instrumented %u locations (%u selects) without collisions (%llu "
diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc
index be3f4f49..76bb2448 100644
--- a/instrumentation/SanitizerCoveragePCGUARD.so.cc
+++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc
@@ -547,10 +547,11 @@ bool ModuleSanitizerCoverage::instrumentModule(
else {
char modeline[100];
- snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+ snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
getenv("AFL_USE_ASAN") ? ", ASAN" : "",
getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+ getenv("AFL_USE_TSAN") ? ", TSAN" : "",
getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
OKF("Instrumented %u locations with no collisions (%s mode) of which are "
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index ecf28f31..9b7e625e 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -956,11 +956,12 @@ bool AFLCoverage::runOnModule(Module &M) {
else {
char modeline[100];
- snprintf(modeline, sizeof(modeline), "%s%s%s%s%s",
+ snprintf(modeline, sizeof(modeline), "%s%s%s%s%s%s",
getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
getenv("AFL_USE_ASAN") ? ", ASAN" : "",
getenv("AFL_USE_MSAN") ? ", MSAN" : "",
getenv("AFL_USE_CFISAN") ? ", CFISAN" : "",
+ getenv("AFL_USE_TSAN") ? ", TSAN" : "",
getenv("AFL_USE_UBSAN") ? ", UBSAN" : "");
OKF("Instrumented %d locations (%s mode, ratio %u%%).", inst_blocks,
modeline, inst_ratio);
diff --git a/qemu_mode/libcompcov/libcompcov.so.c b/qemu_mode/libcompcov/libcompcov.so.c
index 24867cda..eba3d80a 100644
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@@ -42,10 +42,10 @@
#endif /* !__linux__ */
#ifndef likely
-# define likely(x) __builtin_expect((!!(x)),1)
+ #define likely(x) __builtin_expect((!!(x)), 1)
#endif
#ifndef unlikely
-# define unlikely(x) __builtin_expect((!!(x)),0)
+ #define unlikely(x) __builtin_expect((!!(x)), 0)
#endif
/* Change this value to tune the compare coverage */
@@ -235,7 +235,12 @@ int strcmp(const char *str1, const char *str2) {
int strncmp(const char *str1, const char *str2, size_t len) {
- if (unlikely(!__libc_strncmp)) { __libc_strncmp = dlsym(RTLD_NEXT, "strncmp"); }
+ if (unlikely(!__libc_strncmp)) {
+
+ __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
+
+ }
+
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -265,7 +270,12 @@ int strncmp(const char *str1, const char *str2, size_t len) {
int strcasecmp(const char *str1, const char *str2) {
- if (unlikely(!__libc_strcasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp"); }
+ if (unlikely(!__libc_strcasecmp)) {
+
+ __libc_strncasecmp = dlsym(RTLD_NEXT, "strcasecmp");
+
+ }
+
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
@@ -296,7 +306,12 @@ int strcasecmp(const char *str1, const char *str2) {
int strncasecmp(const char *str1, const char *str2, size_t len) {
- if (unlikely(!__libc_strncasecmp)) { __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp"); }
+ if (unlikely(!__libc_strncasecmp)) {
+
+ __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
+
+ }
+
void *retaddr = __builtin_return_address(0);
if (__compcov_is_in_bound(retaddr) &&
diff --git a/src/afl-as.c b/src/afl-as.c
index 7119d630..774340ac 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -521,6 +521,7 @@ static void add_instrumentation(void) {
getenv("AFL_HARDEN") ? "hardened" : "non-hardened",
getenv("AFL_USE_ASAN") ? ", ASAN" : "",
getenv("AFL_USE_MSAN") ? ", MSAN" : "",
+ getenv("AFL_USE_TSAN") ? ", TSAN" : "",
getenv("AFL_USE_UBSAN") ? ", UBSAN" : "",
getenv("AFL_USE_LSAN") ? ", LSAN" : "");
diff --git a/src/afl-cc.c b/src/afl-cc.c
index e7f08aac..3837459b 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -857,6 +857,14 @@ static void edit_params(u32 argc, char **argv, char **envp) {
cc_params[cc_par_cnt++] = "-fsanitize=undefined";
cc_params[cc_par_cnt++] = "-fsanitize-undefined-trap-on-error";
cc_params[cc_par_cnt++] = "-fno-sanitize-recover=all";
+ cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer";
+
+ }
+
+ if (getenv("AFL_USE_TSAN")) {
+
+ cc_params[cc_par_cnt++] = "-fsanitize=thread";
+ cc_params[cc_par_cnt++] = "-fno-omit-frame-pointer";
}
@@ -1814,6 +1822,7 @@ int main(int argc, char **argv, char **envp) {
" AFL_USE_CFISAN: activate control flow sanitizer\n"
" AFL_USE_MSAN: activate memory sanitizer\n"
" AFL_USE_UBSAN: activate undefined behaviour sanitizer\n"
+ " AFL_USE_TSAN: activate thread sanitizer\n"
" AFL_USE_LSAN: activate leak-checker sanitizer\n");
if (have_gcc_plugin)
diff --git a/utils/aflpp_driver/aflpp_qemu_driver.c b/utils/aflpp_driver/aflpp_qemu_driver.c
index 99a4c9a8..e47df1e6 100644
--- a/utils/aflpp_driver/aflpp_qemu_driver.c
+++ b/utils/aflpp_driver/aflpp_qemu_driver.c
@@ -22,7 +22,7 @@ int main(int argc, char **argv) {
if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv);
// Do any other expensive one-time initialization here.
- if (getenv("AFL_QEMU_DRIVER_NO_HOOK")) {
+ if (getenv("AFL_QEMU_DRIVER_NO_HOOK") || getenv("AFL_FRIDA_DRIVER_NO_HOOK")) {
afl_qemu_driver_stdin_input();
--
cgit 1.4.1
From 74b4274e35609a22d42fdf0672bc374e39a7c788 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 4 Nov 2021 16:12:54 +0100
Subject: update for new sanitizer support
---
docs/env_variables.md | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
(limited to 'docs')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 6fb687e2..5362f713 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -95,21 +95,22 @@ fairly broad use of environment variables instead:
- Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being
displayed during compilation, in case you find them distracting.
- - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your
- compiler supports it.
-
- (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the
- same gotchas; the modes are mutually exclusive. UBSAN can be enabled
- similarly by setting the environment variable `AFL_USE_UBSAN=1`. Finally,
- there is the Control Flow Integrity sanitizer that can be activated by
- `AFL_USE_CFISAN=1`.)
-
- - Setting `AFL_USE_LSAN` automatically enables Leak-Sanitizer, provided that
- your compiler supports it. To perform a leak check within your program at a
- certain point (such as at the end of an __AFL_LOOP), you can run the macro
- __AFL_LEAK_CHECK(); which will cause an abort if any memory is leaked (you
- can combine this with the LSAN_OPTIONS=suppressions option to supress some
- known leaks).
+ - Setting `AFL_USE_...` automatically enables supported sanitizers -
+ provided that your compiler supports it.
+ Available are:
+ - `AFL_USE_ASAN=1` - activate the address sanitizer (memory corruption
+ detection)
+ - `AFL_USE_MSAN=1` - activate the memory sanitizer (uninitialized memory)
+ - `AFL_USE_UBSAN=1` - activate the undefined behaviour sanitizer
+ - `AFL_USE_TSAN=1` - activate the thread sanitizer to find thread race
+ conditions
+ - `AFL_USE_CFISAN=1` - activate the Control Flow Integrity sanitizer (e.g.
+ type confusion vulnerabilities)
+ - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check
+ within your program at a certain point (such as at the end of an
+ `__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will
+ cause an abort if any memory is leaked (you can combine this with the
+ `LSAN_OPTIONS=...` suppression option to supress some known leaks).
- `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
the tool defaults to /tmp.
--
cgit 1.4.1
From 9325a4fcbb8eb4ed1d71f93de5301bf1a9a68253 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 6 Nov 2021 10:28:22 +0100
Subject: http->https
---
GNUmakefile | 2 +-
GNUmakefile.gcc_plugin | 2 +-
GNUmakefile.llvm | 2 +-
TODO.md | 1 -
afl-cmin.bash | 2 +-
afl-plot | 2 +-
afl-whatsup | 2 +-
docs/Changelog.md | 2 +-
docs/INSTALL.md | 2 +-
docs/best_practices.md | 2 +-
docs/interpreting_output.md | 2 +-
docs/known_limitations.md | 2 +-
docs/sister_projects.md | 12 ++++++------
docs/technical_details.md | 12 ++++++------
frida_mode/Scripting.md | 2 +-
include/afl-as.h | 4 ++--
include/afl-fuzz.h | 2 +-
include/afl-prealloc.h | 2 +-
include/alloc-inl.h | 2 +-
include/cmplog.h | 2 +-
include/common.h | 2 +-
include/config.h | 2 +-
include/debug.h | 2 +-
include/forkserver.h | 2 +-
include/hash.h | 2 +-
include/list.h | 2 +-
include/sharedmem.h | 2 +-
include/snapshot-inl.h | 2 +-
include/types.h | 2 +-
instrumentation/README.llvm.md | 2 +-
instrumentation/afl-compiler-rt.o.c | 2 +-
instrumentation/afl-gcc-pass.so.cc | 2 +-
instrumentation/afl-llvm-dict2file.so.cc | 2 +-
instrumentation/afl-llvm-lto-instrumentation.so.cc | 2 +-
instrumentation/afl-llvm-lto-instrumentlist.so.cc | 2 +-
instrumentation/afl-llvm-pass.so.cc | 2 +-
instrumentation/afl-llvm-rt-lto.o.c | 2 +-
instrumentation/cmplog-instructions-pass.cc | 2 +-
instrumentation/cmplog-routines-pass.cc | 2 +-
instrumentation/cmplog-switches-pass.cc | 2 +-
instrumentation/compare-transform-pass.so.cc | 2 +-
instrumentation/split-compares-pass.so.cc | 2 +-
instrumentation/split-switches-pass.so.cc | 2 +-
qemu_mode/build_qemu_support.sh | 2 +-
src/afl-analyze.c | 2 +-
src/afl-as.c | 4 ++--
src/afl-cc.c | 2 +-
src/afl-common.c | 2 +-
src/afl-forkserver.c | 8 ++++----
src/afl-fuzz-bitmap.c | 2 +-
src/afl-fuzz-cmplog.c | 2 +-
src/afl-fuzz-extras.c | 2 +-
src/afl-fuzz-init.c | 4 ++--
src/afl-fuzz-mutators.c | 2 +-
src/afl-fuzz-one.c | 2 +-
src/afl-fuzz-python.c | 2 +-
src/afl-fuzz-queue.c | 2 +-
src/afl-fuzz-redqueen.c | 2 +-
src/afl-fuzz-run.c | 2 +-
src/afl-fuzz-state.c | 2 +-
src/afl-fuzz-stats.c | 2 +-
src/afl-fuzz.c | 2 +-
src/afl-gotcpu.c | 2 +-
src/afl-ld-lto.c | 2 +-
src/afl-performance.c | 2 +-
src/afl-sharedmem.c | 2 +-
src/afl-showmap.c | 2 +-
src/afl-tmin.c | 2 +-
test-instr.c | 2 +-
unicorn_mode/build_unicorn_support.sh | 2 +-
70 files changed, 85 insertions(+), 86 deletions(-)
(limited to 'docs')
diff --git a/GNUmakefile b/GNUmakefile
index 0a6f3950..ad2642f3 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -10,7 +10,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# For Heiko:
diff --git a/GNUmakefile.gcc_plugin b/GNUmakefile.gcc_plugin
index bce97b2f..ed2725d7 100644
--- a/GNUmakefile.gcc_plugin
+++ b/GNUmakefile.gcc_plugin
@@ -17,7 +17,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
#TEST_MMAP=1
PREFIX ?= /usr/local
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm
index b802ef16..64e5beb2 100644
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@@ -12,7 +12,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# For Heiko:
diff --git a/TODO.md b/TODO.md
index 30676312..1d4270b4 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,7 +2,6 @@
## TODO
- - AFL_USE_TSAN to docs/env_variables.md after work over
- screen update during input2stage
- better autodetection of shifting runtime timeout values
- Update afl->pending_not_fuzzed for MOpt
diff --git a/afl-cmin.bash b/afl-cmin.bash
index c77dfbc1..e25ddc74 100755
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@@ -11,7 +11,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# This tool tries to find the smallest subset of files in the input directory
# that still trigger the full range of instrumentation data points seen in
diff --git a/afl-plot b/afl-plot
index 87b9caae..1ea1fc55 100755
--- a/afl-plot
+++ b/afl-plot
@@ -12,7 +12,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
get_abs_path() {
diff --git a/afl-whatsup b/afl-whatsup
index 9c2564c6..10a52f83 100755
--- a/afl-whatsup
+++ b/afl-whatsup
@@ -12,7 +12,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# This tool summarizes the status of any locally-running synchronized
# instances of afl-fuzz.
diff --git a/docs/Changelog.md b/docs/Changelog.md
index cfeb8cc1..7c77a6bf 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -2760,7 +2760,7 @@ sending a mail to .
- Updated the documentation and added notes_for_asan.txt. Based on feedback
from Hanno Boeck, Ben Laurie, and others.
- - Moved the project to http://lcamtuf.coredump.cx/afl/.
+ - Moved the project to https://lcamtuf.coredump.cx/afl/.
### Version 0.46b:
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 960de1af..cfa20dea 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -150,4 +150,4 @@ sysctl kern.sysv.shmseg=48
sysctl kern.sysv.shmall=98304
```
-See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent.
\ No newline at end of file
+See [https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html) for documentation for these settings and how to make them permanent.
\ No newline at end of file
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 0708d49d..5d07dd14 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -108,7 +108,7 @@ Four steps are required to do this and it also requires quite some knowledge of
Follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
If `PCGUARD` is used, then you need to follow this guide (needs llvm 12+!):
- [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation)
+ [https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](https://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation)
Only exclude those functions from instrumentation that provide no value for coverage - that is if it does not process any fuzz data directly or indirectly (e.g. hash maps, thread management etc.).
If however a function directly or indirectly handles fuzz data, then you should not put the function in a deny instrumentation list and rather live with the instability it comes with.
diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md
index 327a0ac0..4bd705f2 100644
--- a/docs/interpreting_output.md
+++ b/docs/interpreting_output.md
@@ -56,7 +56,7 @@ Any existing output directory can be also used to resume aborted jobs; try:
If you have gnuplot installed, you can also generate some pretty graphs for any
active fuzzing task using afl-plot. For an example of how this looks like,
-see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
+see [https://lcamtuf.coredump.cx/afl/plot/](https://lcamtuf.coredump.cx/afl/plot/).
You can also manually build and install afl-plot-ui, which is a helper utility
for showing the graphs generated by afl-plot in a graphical window using GTK.
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
index 2d8f84a5..a68c0a85 100644
--- a/docs/known_limitations.md
+++ b/docs/known_limitations.md
@@ -31,6 +31,6 @@ Here are some of the most important caveats for AFL:
[https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
- Occasionally, sentient machines rise against their creators. If this
- happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
+ happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/).
Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/sister_projects.md b/docs/sister_projects.md
index 5cb3a102..613bc778 100644
--- a/docs/sister_projects.md
+++ b/docs/sister_projects.md
@@ -15,7 +15,7 @@ instruction manual.
Allows fuzz-testing of Python programs. Uses custom instrumentation and its
own forkserver.
-http://jwilk.net/software/python-afl
+https://jwilk.net/software/python-afl
### Go-fuzz (Dmitry Vyukov)
@@ -34,7 +34,7 @@ https://github.com/kmcallister/afl.rs
Adds AFL-compatible instrumentation to OCaml programs.
https://github.com/ocamllabs/opam-repo-dev/pull/23
-http://canopy.mirage.io/Posts/Fuzzing
+https://canopy.mirage.io/Posts/Fuzzing
### AFL for GCJ Java and other GCC frontends (-)
@@ -54,7 +54,7 @@ some programs to be fuzzed without the fork / execve overhead. (Similar
functionality is now available as the "persistent" feature described in
[the llvm_mode readme](../instrumentation/README.llvm.md))
-http://llvm.org/docs/LibFuzzer.html
+https://llvm.org/docs/LibFuzzer.html
## TriforceAFL (Tim Newsham and Jesse Hertz)
@@ -189,7 +189,7 @@ https://github.com/bshastry/afl-sancov
Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
-http://jwilk.net/software/recidivm
+https://jwilk.net/software/recidivm
### aflize (Jacek Wielemborek)
@@ -274,7 +274,7 @@ https://goo.gl/j9EgFf
A simple SQL shell designed specifically for fuzzing the underlying library.
-http://www.sqlite.org/src/artifact/9e7e273da2030371
+https://www.sqlite.org/src/artifact/9e7e273da2030371
### Support for Python mutation modules (Christian Holler)
@@ -292,7 +292,7 @@ A similar guided approach as applied to fuzzing syscalls:
https://github.com/google/syzkaller/wiki/Found-Bugs
https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
-http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications)
diff --git a/docs/technical_details.md b/docs/technical_details.md
index b0ca493e..b9d271d9 100644
--- a/docs/technical_details.md
+++ b/docs/technical_details.md
@@ -161,8 +161,8 @@ features of the underlying data format, as shown in this image:
Several practical examples of the results of this algorithm are discussed
here:
- http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
- http://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html
+ https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
+ https://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html
The synthetic corpus produced by this process is essentially a compact
collection of "hmm, this does something new!" input files, and can be used to
@@ -323,7 +323,7 @@ value of various fuzzing strategies and optimize their parameters so that they
work equally well across a wide range of file types. The strategies used by
afl-fuzz are generally format-agnostic and are discussed in more detail here:
- http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
+ https://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
It is somewhat notable that especially early on, most of the work done by
`afl-fuzz` is actually highly deterministic, and progresses to random stacked
@@ -376,7 +376,7 @@ valid grammar for the tested parser.
A discussion of how these features are implemented within afl-fuzz can be found
here:
- http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
+ https://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
In essence, when basic, typically easily-obtained syntax tokens are combined
together in a purely random manner, the instrumentation and the evolutionary
@@ -429,7 +429,7 @@ thrown away.
A detailed discussion of the value of this approach can be found here:
- http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
+ https://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
The method uses instrumentation feedback to explore the state of the crashing
program to get past the ambiguous faulting condition and then isolate the
@@ -447,7 +447,7 @@ goes through `execve()`, linking, and libc initialization only once, and is then
cloned from a stopped process image by leveraging copy-on-write. The
implementation is described in more detail here:
- http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
+ https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
The fork server is an integral aspect of the injected instrumentation and
simply stops at the first instrumented function to await commands from
diff --git a/frida_mode/Scripting.md b/frida_mode/Scripting.md
index f6017fad..691b03d1 100644
--- a/frida_mode/Scripting.md
+++ b/frida_mode/Scripting.md
@@ -302,7 +302,7 @@ Consider the [following](test/js/test2.c) test code...
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
#include
diff --git a/include/afl-as.h b/include/afl-as.h
index 3c12c68f..2a2e8ad7 100644
--- a/include/afl-as.h
+++ b/include/afl-as.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This file houses the assembly-level instrumentation injected into fuzzed
programs. The instrumentation stores XORed pairs of data: identifiers of the
@@ -396,7 +396,7 @@ static const u8 *main_payload_32 =
"\n";
/* The OpenBSD hack is due to lahf and sahf not being recognized by some
- versions of binutils: http://marc.info/?l=openbsd-cvs&m=141636589924400
+ versions of binutils: https://marc.info/?l=openbsd-cvs&m=141636589924400
The Apple code is a bit different when calling libc functions because
they are doing relocations differently from everybody else. We also need
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index eaf55fb8..e73ea1a4 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This is the real deal: the program takes an instrumented binary and
attempts a variety of basic fuzzing tricks, paying close attention to
diff --git a/include/afl-prealloc.h b/include/afl-prealloc.h
index fa6c9b70..87bbb1cc 100644
--- a/include/afl-prealloc.h
+++ b/include/afl-prealloc.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/include/alloc-inl.h b/include/alloc-inl.h
index c914da5f..0c540330 100644
--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This allocator is not designed to resist malicious attackers (the canaries
are small and predictable), but provides a robust and portable way to detect
diff --git a/include/cmplog.h b/include/cmplog.h
index 878ed60c..1c15d2b8 100644
--- a/include/cmplog.h
+++ b/include/cmplog.h
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code to handle the shared memory. This is used by the fuzzer
as well the other components like afl-tmin, afl-showmap, etc...
diff --git a/include/common.h b/include/common.h
index 2ca44301..e3997aa4 100644
--- a/include/common.h
+++ b/include/common.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Gather some functions common to multiple executables
diff --git a/include/config.h b/include/config.h
index 4630da0c..3aee9b00 100644
--- a/include/config.h
+++ b/include/config.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/include/debug.h b/include/debug.h
index f8df5711..feb7f52d 100644
--- a/include/debug.h
+++ b/include/debug.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/include/forkserver.h b/include/forkserver.h
index c6f7de00..7af01cb2 100644
--- a/include/forkserver.h
+++ b/include/forkserver.h
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code that implements a forkserver. This is used by the fuzzer
as well the other components like afl-tmin.
diff --git a/include/hash.h b/include/hash.h
index 9319ab95..9bb34ff8 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -21,7 +21,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/include/list.h b/include/list.h
index 7ec81cbe..d49e56da 100644
--- a/include/list.h
+++ b/include/list.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This allocator is not designed to resist malicious attackers (the canaries
are small and predictable), but provides a robust and portable way to detect
diff --git a/include/sharedmem.h b/include/sharedmem.h
index fdc947f9..93080d0f 100644
--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code to handle the shared memory. This is used by the fuzzer
as well the other components like afl-tmin, afl-showmap, etc...
diff --git a/include/snapshot-inl.h b/include/snapshot-inl.h
index a18187ef..7234bbaa 100644
--- a/include/snapshot-inl.h
+++ b/include/snapshot-inl.h
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/include/types.h b/include/types.h
index 7b94fb83..e945f0f5 100644
--- a/include/types.h
+++ b/include/types.h
@@ -16,7 +16,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md
index 5b1e60cc..dbb604f2 100644
--- a/instrumentation/README.llvm.md
+++ b/instrumentation/README.llvm.md
@@ -75,7 +75,7 @@ load modules (you'll see "Service unavailable" when loading afl-llvm-pass.so).
To solve all your problems, you can grab pre-built binaries for your OS from:
- http://llvm.org/releases/download.html
+ https://llvm.org/releases/download.html
...and then put the bin/ directory from the tarball at the beginning of your
$PATH when compiling the feature and building packages later on. You don't need
diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c
index 9acab4e7..b2802a29 100644
--- a/instrumentation/afl-compiler-rt.o.c
+++ b/instrumentation/afl-compiler-rt.o.c
@@ -9,7 +9,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/afl-gcc-pass.so.cc b/instrumentation/afl-gcc-pass.so.cc
index 3b7eb878..df2b6f2a 100644
--- a/instrumentation/afl-gcc-pass.so.cc
+++ b/instrumentation/afl-gcc-pass.so.cc
@@ -30,7 +30,7 @@
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program. If not, see .
+ along with this program. If not, see .
*/
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc
index 0a3e74b9..7c04c0c5 100644
--- a/instrumentation/afl-llvm-dict2file.so.cc
+++ b/instrumentation/afl-llvm-dict2file.so.cc
@@ -10,7 +10,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This library is plugged into LLVM when invoking clang through afl-clang-lto.
diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc
index c2f61d34..cd43b437 100644
--- a/instrumentation/afl-llvm-lto-instrumentation.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc
@@ -10,7 +10,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This library is plugged into LLVM when invoking clang through afl-clang-lto.
diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
index ee2e5dd3..cf26f912 100644
--- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc
+++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This library is plugged into LLVM when invoking clang through afl-clang-fast.
It tells the compiler to add code roughly equivalent to the bits discussed
diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc
index 9b7e625e..21ce0cf9 100644
--- a/instrumentation/afl-llvm-pass.so.cc
+++ b/instrumentation/afl-llvm-pass.so.cc
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This library is plugged into LLVM when invoking clang through afl-clang-fast.
It tells the compiler to add code roughly equivalent to the bits discussed
diff --git a/instrumentation/afl-llvm-rt-lto.o.c b/instrumentation/afl-llvm-rt-lto.o.c
index e53785ff..eb346157 100644
--- a/instrumentation/afl-llvm-rt-lto.o.c
+++ b/instrumentation/afl-llvm-rt-lto.o.c
@@ -6,7 +6,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc
index 01a8a637..80af05f0 100644
--- a/instrumentation/cmplog-instructions-pass.cc
+++ b/instrumentation/cmplog-instructions-pass.cc
@@ -11,7 +11,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc
index 1e2610f2..01b7a373 100644
--- a/instrumentation/cmplog-routines-pass.cc
+++ b/instrumentation/cmplog-routines-pass.cc
@@ -11,7 +11,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc
index c42d44fe..aa719013 100644
--- a/instrumentation/cmplog-switches-pass.cc
+++ b/instrumentation/cmplog-switches-pass.cc
@@ -11,7 +11,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc
index 288e8282..a1239040 100644
--- a/instrumentation/compare-transform-pass.so.cc
+++ b/instrumentation/compare-transform-pass.so.cc
@@ -5,7 +5,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/instrumentation/split-compares-pass.so.cc b/instrumentation/split-compares-pass.so.cc
index e63be98c..7c652ca2 100644
--- a/instrumentation/split-compares-pass.so.cc
+++ b/instrumentation/split-compares-pass.so.cc
@@ -6,7 +6,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/instrumentation/split-switches-pass.so.cc b/instrumentation/split-switches-pass.so.cc
index 82f198aa..1e32a31d 100644
--- a/instrumentation/split-switches-pass.so.cc
+++ b/instrumentation/split-switches-pass.so.cc
@@ -5,7 +5,7 @@
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/qemu_mode/build_qemu_support.sh b/qemu_mode/build_qemu_support.sh
index 84f144be..71453a71 100755
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@@ -19,7 +19,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# This script downloads, patches, and builds a version of QEMU with
# minor tweaks to allow non-instrumented binaries to be run under
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index 09b01541..60cb1434 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
A nifty utility that grabs an input file and takes a stab at explaining
its structure by observing how changes to it affect the execution path.
diff --git a/src/afl-as.c b/src/afl-as.c
index 9af272f2..b644b82a 100644
--- a/src/afl-as.c
+++ b/src/afl-as.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
The sole purpose of this wrapper is to preprocess assembly files generated
by GCC / clang and inject the instrumentation bits included from afl-as.h. It
@@ -101,7 +101,7 @@ static void edit_params(int argc, char **argv) {
/* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work
with the code generated by newer versions of clang that are hand-built
- by the user. See the thread here: http://goo.gl/HBWDtn.
+ by the user. See the thread here: https://goo.gl/HBWDtn.
To work around this, when using clang and running without AFL_AS
specified, we will actually call 'clang -c' instead of 'as -q' to
diff --git a/src/afl-cc.c b/src/afl-cc.c
index 5f77b097..8ff241ba 100644
--- a/src/afl-cc.c
+++ b/src/afl-cc.c
@@ -11,7 +11,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
diff --git a/src/afl-common.c b/src/afl-common.c
index 26a0d54b..ec3b2f3f 100644
--- a/src/afl-common.c
+++ b/src/afl-common.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Gather some functions common to multiple executables
diff --git a/src/afl-forkserver.c b/src/afl-forkserver.c
index 80b295e0..b1769bfb 100644
--- a/src/afl-forkserver.c
+++ b/src/afl-forkserver.c
@@ -19,7 +19,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code that implements a forkserver. This is used by the fuzzer
as well the other components like afl-tmin.
@@ -351,7 +351,7 @@ static void report_error_and_exit(int error) {
/* Spins up fork server. The idea is explained here:
- http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
+ https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
In essence, the instrumentation allows us to skip execve(), and just keep
cloning a stopped child. So, we just execute once, and then send commands
@@ -917,7 +917,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
MSG_ULIMIT_USAGE
" /path/to/fuzzed_app )\n\n"
- " Tip: you can use http://jwilk.net/software/recidivm to "
+ " Tip: you can use https://jwilk.net/software/recidivm to "
"quickly\n"
" estimate the required amount of virtual memory for the "
"binary.\n\n"
@@ -1017,7 +1017,7 @@ void afl_fsrv_start(afl_forkserver_t *fsrv, char **argv,
MSG_ULIMIT_USAGE
" /path/to/fuzzed_app )\n\n"
- " Tip: you can use http://jwilk.net/software/recidivm to quickly\n"
+ " Tip: you can use https://jwilk.net/software/recidivm to quickly\n"
" estimate the required amount of virtual memory for the "
"binary.\n\n"
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index 316067e4..f7b59f25 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This is the real deal: the program takes an instrumented binary and
attempts a variety of basic fuzzing tricks, paying close attention to
diff --git a/src/afl-fuzz-cmplog.c b/src/afl-fuzz-cmplog.c
index c2e9c80f..6fc926f0 100644
--- a/src/afl-fuzz-cmplog.c
+++ b/src/afl-fuzz-cmplog.c
@@ -17,7 +17,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code to handle the shared memory. This is used by the fuzzer
as well the other components like afl-tmin, afl-showmap, etc...
diff --git a/src/afl-fuzz-extras.c b/src/afl-fuzz-extras.c
index 584241d4..0f0fe331 100644
--- a/src/afl-fuzz-extras.c
+++ b/src/afl-fuzz-extras.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This is the real deal: the program takes an instrumented binary and
attempts a variety of basic fuzzing tricks, paying close attention to
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 1170715f..9262d718 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -15,7 +15,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
This is the real deal: the program takes an instrumented binary and
attempts a variety of basic fuzzing tricks, paying close attention to
@@ -974,7 +974,7 @@ void perform_dry_run(afl_state_t *afl) {
MSG_ULIMIT_USAGE
" /path/to/binary [...] .
+ See .
This is xoshiro256++ 1.0, one of our all-purpose, rock-solid generators.
It has excellent (sub-ns) speed, a state (256 bits) that is large
diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c
index 22fe5a62..7fb8f821 100644
--- a/src/afl-sharedmem.c
+++ b/src/afl-sharedmem.c
@@ -17,7 +17,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
Shared code to handle the shared memory. This is used by the fuzzer
as well the other components like afl-tmin, afl-showmap, etc...
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 3826e385..23ec0df0 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
A very simple tool that runs the targeted binary and displays
the contents of the trace bitmap in a human-readable form. Useful in
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index ce2a0b8f..8ce4bdd5 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -18,7 +18,7 @@
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
A simple test case minimizer that takes an input file and tries to remove
as much data as possible while keeping the binary in a crashing state
diff --git a/test-instr.c b/test-instr.c
index 13d4eb93..eaae50ef 100644
--- a/test-instr.c
+++ b/test-instr.c
@@ -7,7 +7,7 @@
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at:
- http://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
*/
#include
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index 6c376f8d..f9c0be7f 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -20,7 +20,7 @@
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# This script downloads, patches, and builds a version of Unicorn with
# minor tweaks to allow Unicorn-emulated binaries to be run under
--
cgit 1.4.1
From da45eb6b417832de16cc2cf6c4b65e0e2f7311db Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Sat, 6 Nov 2021 15:02:13 +0100
Subject: update changelog
---
docs/Changelog.md | 2 ++
1 file changed, 2 insertions(+)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 04b2fb2e..7b70771d 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -18,6 +18,8 @@ sending a mail to .
- fix -n dumb mode (nobody should use this)
- fix stability issue with LTO and cmplog
- better banner
+ - more effective cmplog mode
+ - more often update the UI when in input2stage mode
- frida_mode: David Carlier added Android support :)
- afl-showmap, afl-tmin and afl-analyze:
- honor persistent mode for more speed. thanks to dloffre-snl for
--
cgit 1.4.1
From 72878cc14b7697024b6387b4c09dff786763d0a1 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sat, 6 Nov 2021 22:09:54 +0100
Subject: Edit list of environment variables
---
docs/env_variables.md | 201 +++++++++++++++++++++++++-------------------------
1 file changed, 102 insertions(+), 99 deletions(-)
(limited to 'docs')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 5362f713..5724b197 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -18,9 +18,9 @@ To select the different instrumentation modes, use one of the following options:
- Pass the --afl-MODE command-line option to the compiler. Only this option
accepts further AFL-specific command-line options.
- Use a symlink to afl-cc: afl-clang, afl-clang++, afl-clang-fast,
- afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-gcc, afl-g++,
- afl-gcc-fast, afl-g++-fast. This option does not accept AFL-specific
- command-line options. Instead, use environment variables.
+ afl-clang-fast++, afl-clang-lto, afl-clang-lto++, afl-g++, afl-g++-fast,
+ afl-gcc, afl-gcc-fast. This option does not accept AFL-specific command-line
+ options. Instead, use environment variables.
- Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select
`MODE`, use one of the following values:
@@ -45,14 +45,14 @@ fairly broad use of environment variables instead:
make
```
+ - Setting `AFL_AS`, `AFL_CC`, and `AFL_CXX` lets you use alternate downstream
+ compilation tools, rather than the default 'as', 'clang', or 'gcc' binaries
+ in your `$PATH`.
+
- If you are a weird person that wants to compile and instrument asm text
files, then use the `AFL_AS_FORCE_INSTRUMENT` variable:
`AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
- - Setting `AFL_CC`, `AFL_CXX`, and `AFL_AS` lets you use alternate downstream
- compilation tools, rather than the default 'clang', 'gcc', or 'as' binaries
- in your `$PATH`.
-
- Most AFL tools do not print any output if stdout/stderr are redirected. If
you want to get the output into a file, then set the `AFL_DEBUG` environment
variable. This is sadly necessary for various build processes which fail
@@ -72,7 +72,7 @@ fairly broad use of environment variables instead:
- Setting `AFL_INST_RATIO` to a percentage between 0 and 100 controls the
probability of instrumenting every branch. This is (very rarely) useful when
dealing with exceptionally complex programs that saturate the output bitmap.
- Examples include v8, ffmpeg, and perl.
+ Examples include ffmpeg, perl, and v8.
(If this ever happens, afl-fuzz will warn you ahead of the time by
displaying the "bitmap density" field in fiery red.)
@@ -92,25 +92,24 @@ fairly broad use of environment variables instead:
instrument hand-written assembly when compiling clang code by plugging a
normalizer into the chain. (There is no equivalent feature for GCC.)
- - Setting `AFL_QUIET` will prevent afl-cc and afl-as banners from being
+ - Setting `AFL_QUIET` will prevent afl-as and afl-cc banners from being
displayed during compilation, in case you find them distracting.
- - Setting `AFL_USE_...` automatically enables supported sanitizers -
- provided that your compiler supports it.
- Available are:
- - `AFL_USE_ASAN=1` - activate the address sanitizer (memory corruption
+ - Setting `AFL_USE_...` automatically enables supported sanitizers - provided
+ that your compiler supports it. Available are:
+ - `AFL_USE_ASAN=1` - activates the address sanitizer (memory corruption
detection)
- - `AFL_USE_MSAN=1` - activate the memory sanitizer (uninitialized memory)
- - `AFL_USE_UBSAN=1` - activate the undefined behaviour sanitizer
- - `AFL_USE_TSAN=1` - activate the thread sanitizer to find thread race
- conditions
- - `AFL_USE_CFISAN=1` - activate the Control Flow Integrity sanitizer (e.g.
+ - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g.
type confusion vulnerabilities)
- `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check
within your program at a certain point (such as at the end of an
`__AFL_LOOP()`), you can run the macro `__AFL_LEAK_CHECK();` which will
cause an abort if any memory is leaked (you can combine this with the
- `LSAN_OPTIONS=...` suppression option to supress some known leaks).
+ `LSAN_OPTIONS=...` suppression option to suppress some known leaks).
+ - `AFL_USE_MSAN=1` - activates the memory sanitizer (uninitialized memory)
+ - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race
+ conditions
+ - `AFL_USE_UBSAN=1` - activates the undefined behaviour sanitizer
- `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
the tool defaults to /tmp.
@@ -120,18 +119,18 @@ fairly broad use of environment variables instead:
The native instrumentation helpers (instrumentation and gcc_plugin) accept a
subset of the settings discussed in section 1, with the exception of:
+ - `AFL_AS`, since this toolchain does not directly invoke GNU `as`.
+
+ - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not
+ all passes support this option though as it is an outdated feature.
+
- LLVM modes support `AFL_LLVM_DICT2FILE=/absolute/path/file.txt` which will
- write all constant string comparisons to this file to be used later with
+ write all constant string comparisons to this file to be used later with
afl-fuzz' `-x` option.
- - `AFL_AS`, since this toolchain does not directly invoke GNU as.
-
- `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
created.
- - `AFL_INST_RATIO`, as we use collision free instrumentation by default. Not
- all passes support this option though as it is an outdated feature.
-
Then there are a few specific features that are only available in
instrumentation mode:
@@ -148,13 +147,21 @@ Available options:
then, e.g.: `AFL_LLVM_INSTRUMENT=CLASSIC,CTX,NGRAM-4`
Note: It is actually not a good idea to use both CTX and NGRAM. :)
- - CTX - context sensitive instrumentation (see below)
+ - CTX - context sensitive instrumentation
- GCC - outdated gcc instrumentation
- - LTO - LTO instrumentation (see below)
+ - LTO - LTO instrumentation
- NATIVE - clang's original pcguard based instrumentation
- NGRAM-x - deeper previous location coverage (from NGRAM-2 up to NGRAM-16)
- PCGUARD - our own pcgard based instrumentation (default)
+#### CMPLOG
+
+Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
+produce a CmpLog binary.
+
+For more information, see
+[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
+
#### CTX
Setting `AFL_LLVM_CTX` or `AFL_LLVM_INSTRUMENT=CTX` activates context sensitive
@@ -166,6 +173,39 @@ collisions occur.
For more information, see
[instrumentation/README.ctx.md](../instrumentation/README.ctx.md).
+#### INSTRUMENT LIST (selectively instrument files and functions)
+
+This feature allows selective instrumentation of the source.
+
+Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or
+function will only instrument (or skip) those files that match the names listed
+in the specified file.
+
+For more information, see
+[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
+
+#### LAF-INTEL
+
+This great feature will split compares into series of single byte comparisons to
+allow afl-fuzz to find otherwise rather impossible paths. It is not restricted
+to Intel CPUs. ;-)
+
+ - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare
+ functions
+
+ - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
+
+ - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64,
+ 32 and 16 bit integer CMP instructions
+
+ - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
+ AFL_LLVM_LAF_SPLIT_COMPARES to be set
+
+ - Setting `AFL_LLVM_LAF_ALL` sets all of the above
+
+For more information, see
+[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
+
#### LTO
This is a different kind way of instrumentation: first it compiles all code in
@@ -209,46 +249,7 @@ collisions occur.
For more information, see
[instrumentation/README.ngram.md](../instrumentation/README.ngram.md).
-### LAF-INTEL
-
-This great feature will split compares into series of single byte comparisons to
-allow afl-fuzz to find otherwise rather impossible paths. It is not restricted
-to Intel CPUs. ;-)
-
- - Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare
- functions
-
- - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
-
- - Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64,
- 32 and 16 bit integer CMP instructions
-
- - Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
- AFL_LLVM_LAF_SPLIT_COMPARES to be set
-
- - Setting `AFL_LLVM_LAF_ALL` sets all of the above
-
-For more information, see
-[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
-
-### INSTRUMENT LIST (selectively instrument files and functions)
-
-This feature allows selective instrumentation of the source.
-
-Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or
-function will only instrument (or skip) those files that match the names listed
-in the specified file.
-
-For more information, see
-[instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md).
-
-### Thread safe instrumentation counters (in all modes)
-
-Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe
-counters. The overhead is a little bit higher compared to the older non-thread
-safe case. Note that this disables neverzero (see below).
-
-### NOT_ZERO
+#### NOT_ZERO
- Setting `AFL_LLVM_NOT_ZERO=1` during compilation will use counters that skip
zero on overflow. This is the default for llvm >= 9, however, for llvm
@@ -263,34 +264,34 @@ safe case. Note that this disables neverzero (see below).
For more information, see
[instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md).
-### CMPLOG
-
- - Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
- produce a CmpLog binary.
+#### Thread safe instrumentation counters (in all modes)
-For more information, see
-[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).
+Setting `AFL_LLVM_THREADSAFE_INST` will inject code that implements thread safe
+counters. The overhead is a little bit higher compared to the older non-thread
+safe case. Note that this disables neverzero (see NOT_ZERO).
## 3) Settings for GCC / GCC_PLUGIN modes
-Then there are a few specific features that are only available in GCC and
-GCC_PLUGIN mode.
+There are a few specific features that are only available in GCC and GCC_PLUGIN
+mode.
- - Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will only instrument those
- files that match the names listed in this file (one filename per line). See
- [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
- for more information. (GCC_PLUGIN mode only)
+ - GCC mode only: Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting
+ instrumented assembly files. Useful for troubleshooting problems or
+ understanding how the tool works.
- - Setting `AFL_KEEP_ASSEMBLY` prevents afl-as from deleting instrumented
- assembly files. Useful for troubleshooting problems or understanding how the
- tool works. (GCC mode only) To get them in a predictable place, try
- something like:
+ To get them in a predictable place, try something like:
```
mkdir assembly_here
TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all
```
+ - GCC_PLUGIN mode only: Setting `AFL_GCC_INSTRUMENT_FILE` with a filename will
+ only instrument those files that match the names listed in this file (one
+ filename per line). See
+ [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
+ for more information.
+
## 4) Settings for afl-fuzz
The main fuzzer binary accepts several options that disable a couple of sanity
@@ -456,7 +457,7 @@ checks or alter some of the more exotic semantics of the tool:
enabled in config.h first!
- Note that `AFL_POST_LIBRARY` is deprecated, use `AFL_CUSTOM_MUTATOR_LIBRARY`
- instead (see below).
+ instead.
- Setting `AFL_PRELOAD` causes AFL++ to set `LD_PRELOAD` for the target binary
without disrupting the afl-fuzz process itself. This is useful, among other
@@ -527,10 +528,12 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
- Setting `AFL_COMPCOV_LEVEL` enables the CompareCoverage tracing of all cmp
and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
memcmp, ...) when libcompcov is preloaded using `AFL_PRELOAD`. More info at
- qemu_mode/libcompcov/README.md. There are two levels at the moment,
- `AFL_COMPCOV_LEVEL=1` that instruments only comparisons with immediate
- values / read-only memory and `AFL_COMPCOV_LEVEL=2` that instruments all the
- comparions. Level 2 is more accurate but may need a larger shared memory.
+ [qemu_mode/libcompcov/README.md](../qemu_mode/libcompcov/README.md).
+
+ There are two levels at the moment, `AFL_COMPCOV_LEVEL=1` that instruments
+ only comparisons with immediate values / read-only memory and
+ `AFL_COMPCOV_LEVEL=2` that instruments all the comparions. Level 2 is more
+ accurate but may need a larger shared memory.
- `AFL_DEBUG` will print the found entrypoint for the binary to stderr. Use
this if you are unsure if the entrypoint might be wrong - but use it
@@ -538,8 +541,8 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
- `AFL_ENTRYPOINT` allows you to specify a specific entrypoint into the binary
(this can be very good for the performance!). The entrypoint is specified as
- hex address, e.g. `0x4004110` Note that the address must be the address of a
- basic block.
+ hex address, e.g. `0x4004110`. Note that the address must be the address of
+ a basic block.
- Setting `AFL_INST_LIBS` causes the translator to also instrument the code
inside any dynamically linked libraries (notably including glibc).
@@ -555,12 +558,12 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
- With `AFL_QEMU_FORCE_DFL` you force QEMU to ignore the registered signal
handlers of the target.
- - When the target is i386/x86_64 you can specify the address of the function
+ - When the target is i386/x86_64, you can specify the address of the function
that has to be the body of the persistent loop using
`AFL_QEMU_PERSISTENT_ADDR=start addr`.
- - `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of general
- purpose registers and restore them in each persistent cycle.
+ - With `AFL_QEMU_PERSISTENT_GPR=1` QEMU will save the original value of
+ general purpose registers and restore them in each persistent cycle.
- Another modality to execute the persistent loop is to specify also the
`AFL_QEMU_PERSISTENT_RET=end addr` env variable. With this variable
@@ -615,7 +618,7 @@ of decimal.
## 9) Settings for libdislocator
-The library honors these environmental variables:
+The library honors these environment variables:
- `AFL_ALIGNED_ALLOC=1` will force the alignment of the allocation size to
`max_align_t` to be compliant with the C standard.
@@ -645,10 +648,6 @@ discovered tokens should be written.
Several variables are not directly interpreted by afl-fuzz, but are set to
optimal values if not already present in the environment:
- - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker
- to do all the work before the fork server kicks in. You can override this by
- setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless.
-
- By default, `ASAN_OPTIONS` are set to (among others):
```
@@ -685,4 +684,8 @@ optimal values if not already present in the environment:
symbolize=0
msan_track_origins=0
allocator_may_return_null=1
- ```
\ No newline at end of file
+ ```
+
+ - By default, `LD_BIND_NOW` is set to speed up fuzzing by forcing the linker
+ to do all the work before the fork server kicks in. You can override this by
+ setting `LD_BIND_LAZY` beforehand, but it is almost certainly pointless.
\ No newline at end of file
--
cgit 1.4.1
From 66ca8618ea3ae1506c96a38ef41b5f04387ab560 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Tue, 9 Nov 2021 20:35:12 +0100
Subject: Edit list of environment variables
---
docs/env_variables.md | 83 +++++++++++++++++++++++++--------------------------
1 file changed, 41 insertions(+), 42 deletions(-)
(limited to 'docs')
diff --git a/docs/env_variables.md b/docs/env_variables.md
index 5724b197..65cca0dc 100644
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@@ -177,7 +177,7 @@ For more information, see
This feature allows selective instrumentation of the source.
-Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a filenames and/or
+Setting `AFL_LLVM_ALLOWLIST` or `AFL_LLVM_DENYLIST` with a file name and/or
function will only instrument (or skip) those files that match the names listed
in the specified file.
@@ -191,32 +191,32 @@ allow afl-fuzz to find otherwise rather impossible paths. It is not restricted
to Intel CPUs. ;-)
- Setting `AFL_LLVM_LAF_TRANSFORM_COMPARES` will split string compare
- functions
-
- - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs
+ functions.
- Setting `AFL_LLVM_LAF_SPLIT_COMPARES` will split all floating point and 64,
- 32 and 16 bit integer CMP instructions
+ 32 and 16 bit integer CMP instructions.
- Setting `AFL_LLVM_LAF_SPLIT_FLOATS` will split floating points, needs
- AFL_LLVM_LAF_SPLIT_COMPARES to be set
+ `AFL_LLVM_LAF_SPLIT_COMPARES` to be set.
+
+ - Setting `AFL_LLVM_LAF_SPLIT_SWITCHES` will split all `switch` constructs.
- - Setting `AFL_LLVM_LAF_ALL` sets all of the above
+ - Setting `AFL_LLVM_LAF_ALL` sets all of the above.
For more information, see
[instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md).
#### LTO
-This is a different kind way of instrumentation: first it compiles all code in
-LTO (link time optimization) and then performs an edge inserting instrumentation
+This is a different way of instrumentation: first it compiles all code in LTO
+(link time optimization) and then performs an edge inserting instrumentation
which is 100% collision free (collisions are a big issue in AFL and AFL-like
instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++
instead of afl-clang-fast, but is only built if LLVM 11 or newer is used.
- - `AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (not
- recommended for afl-clang-fast, default for afl-clang-lto as there it is a
- different and better kind of instrumentation.)
+`AFL_LLVM_INSTRUMENT=CFG` will use Control Flow Graph instrumentation. (Not
+recommended for afl-clang-fast, default for afl-clang-lto as there it is a
+different and better kind of instrumentation.)
None of the following options are necessary to be used and are rather for manual
use (which only ever the author of this LTO implementation will use). These are
@@ -226,22 +226,22 @@ combined.
- `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
to which function. This helps to identify functions with variable bytes or
which functions were touched by an input.
+ - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
+ into the instrumentation is set in a global variable.
+ - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the
+ instrumentation. This defaults to 1.
- `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than
the default `0x10000`. A value of 0 or empty sets the map address to be
- dynamic (the original AFL way, which is slower)
- - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic
- - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the
- instrumentation. This defaults to 1
- - `AFL_LLVM_LTO_DONTWRITEID` prevents that the highest location ID written
- into the instrumentation is set in a global variable
+ dynamic (the original AFL way, which is slower).
+ - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic.
For more information, see
[instrumentation/README.lto.md](../instrumentation/README.lto.md).
#### NGRAM
-Setting `AFL_LLVM_NGRAM_SIZE` or `AFL_LLVM_INSTRUMENT=NGRAM-{value}` activates
-ngram prev_loc coverage, good values are 2, 4 or 8 (any value between 2 and 16
+Setting `AFL_LLVM_INSTRUMENT=NGRAM-{value}` or `AFL_LLVM_NGRAM_SIZE` activates
+ngram prev_loc coverage. Good values are 2, 4, or 8 (any value between 2 and 16
is valid). It is highly recommended to increase the `MAP_SIZE_POW2` definition
in config.h to at least 18 and maybe up to 20 for this as otherwise too many map
collisions occur.
@@ -258,7 +258,7 @@ For more information, see
discovery by a little bit.
- Setting `AFL_LLVM_SKIP_NEVERZERO=1` will not implement the skip zero test.
- If the target performs only few loops, then this will give a small
+ If the target performs only a few loops, then this will give a small
performance boost.
For more information, see
@@ -310,9 +310,9 @@ checks or alter some of the more exotic semantics of the tool:
in`). This is an important feature to set when resuming a fuzzing session.
- Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For
- example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an
- `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash
- had ocurred. This may be beneficial if you look for higher-level faulty
+ example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in a `-1`
+ return code (i.e. `exit(-1)` got called), will be treated as if a crash had
+ occurred. This may be beneficial if you look for higher-level faulty
conditions in which your target still exits gracefully.
- Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with
@@ -325,7 +325,7 @@ checks or alter some of the more exotic semantics of the tool:
XML or other highly flexible structured input. Please see
[custom_mutators.md](custom_mutators.md).
- - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule everytime
+ - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time
a cycle is finished.
- Setting `AFL_DEBUG_CHILD` will not suppress the child output. This lets you
@@ -341,7 +341,7 @@ checks or alter some of the more exotic semantics of the tool:
- `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behaviour which
does not allow crashes or timeout seeds in the initial -i corpus.
- - `AFL_EXIT_ON_TIME` Causes afl-fuzz to terminate if no new paths were found
+ - `AFL_EXIT_ON_TIME` causes afl-fuzz to terminate if no new paths were found
within a specified period of time (in seconds). May be convenient for some
types of automated jobs.
@@ -365,7 +365,7 @@ checks or alter some of the more exotic semantics of the tool:
to wait for the forkserver to spin up. The default is the `-t` value times
`FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the
default would wait for `1000` milliseconds. Setting a different time here is
- useful if the target has a very slow startup time, for example when doing
+ useful if the target has a very slow startup time, for example, when doing
full-system fuzzing or emulation, but you don't want the actual runs to wait
too long for timeouts.
@@ -394,8 +394,8 @@ checks or alter some of the more exotic semantics of the tool:
likely don't have to set it. By default, on timeout and on exit, `SIGKILL`
(`AFL_KILL_SIGNAL=9`) will be delivered to the child.
- - `AFL_MAP_SIZE` sets the size of the shared map that afl-fuzz, afl-showmap,
- afl-tmin and afl-analyze create to gather instrumentation data from the
+ - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz,
+ afl-showmap, and afl-tmin create to gather instrumentation data from the
target. This must be equal or larger than the size the target was compiled
with.
@@ -417,15 +417,15 @@ checks or alter some of the more exotic semantics of the tool:
- Setting `AFL_NO_AUTODICT` will not load an LTO generated auto dictionary
that is compiled into the target.
- - The CPU widget shown at the bottom of the screen is fairly simplistic and
- may complain of high load prematurely, especially on systems with low core
- counts. To avoid the alarming red color for very high cpu usages, you can
- set `AFL_NO_CPU_RED`.
-
- Setting `AFL_NO_COLOR` or `AFL_NO_COLOUR` will omit control sequences for
coloring console output when configured with USE_COLOR and not
ALWAYS_COLORED.
+ - The CPU widget shown at the bottom of the screen is fairly simplistic and
+ may complain of high load prematurely, especially on systems with low core
+ counts. To avoid the alarming red color for very high CPU usages, you can
+ set `AFL_NO_CPU_RED`.
+
- Setting `AFL_NO_FORKSRV` disables the forkserver optimization, reverting to
fork + execve() call for every tested input. This is useful mostly when
working with unruly libraries that create threads or do other crazy things
@@ -438,7 +438,7 @@ checks or alter some of the more exotic semantics of the tool:
- `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if
the snapshot lkm is loaded.
- - Setting `AFL_NO_UI` inhibits the UI altogether, and just periodically prints
+ - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints
some basic stats. This behavior is also automatically triggered when the
output from afl-fuzz is redirected to a file or to a pipe.
@@ -449,7 +449,7 @@ checks or alter some of the more exotic semantics of the tool:
[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)),
some targets keep inherent state due which a detected crash testcase does
not crash the target again when the testcase is given. To be able to still
- re-trigger these crashes you can use the `AFL_PERSISTENT_RECORD` variable
+ re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable
with a value of how many previous fuzz cases to keep prio a crash. If set to
e.g. 10, then the 9 previous inputs are written to out/default/crashes as
RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and
@@ -490,8 +490,8 @@ checks or alter some of the more exotic semantics of the tool:
`AFL_STATSD_TAGS_FLAVOR` that matches your StatsD server (see
`AFL_STATSD_TAGS_FLAVOR`).
- - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `librato`,
- `signalfx` or `influxdb` allows you to add tags to your fuzzing instances.
+ - Setting `AFL_STATSD_TAGS_FLAVOR` to one of `dogstatsd`, `influxdb`,
+ `librato`, or `signalfx` allows you to add tags to your fuzzing instances.
This is especially useful when running multiple instances (`-M/-S` for
example). Applied tags are `banner` and `afl_version`. `banner` corresponds
to the name of the fuzzer provided through `-M/-S`. `afl_version`
@@ -509,8 +509,8 @@ checks or alter some of the more exotic semantics of the tool:
TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if
your fuzzing finds a huge amount of paths for large inputs.
- - `AFL_TMPDIR` is used to write the `.cur_input` file to if exists, and in the
- normal output directory otherwise. You would use this to point to a
+ - `AFL_TMPDIR` is used to write the `.cur_input` file to if it exists, and in
+ the normal output directory otherwise. You would use this to point to a
ramdisk/tmpfs. This increases the speed by a small value but also reduces
the stress on SSDs.
@@ -597,8 +597,7 @@ The corpus minimization script offers very little customization:
afl-qemu-trace (the latter only in `-Q` mode).
- `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
- This can help when embedding `afl-cmin` or `afl-showmap` in other scripts
- scripting.
+ This can help when embedding `afl-cmin` or `afl-showmap` in other scripts.
## 7) Settings for afl-tmin
--
cgit 1.4.1
From b47344e8f7b92c2501262e132b8459f01e89147e Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 10 Nov 2021 11:33:49 +0100
Subject: doc
---
docs/fuzzing_expert.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'docs')
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
index 44ebade4..876c5fbb 100644
--- a/docs/fuzzing_expert.md
+++ b/docs/fuzzing_expert.md
@@ -87,8 +87,8 @@ The following options are available when you instrument with LTO mode (afl-clang
transform input data before comparison. Therefore this technique is called
`input to state` or `redqueen`.
If you want to use this technique, then you have to compile the target
- twice, once specifically with/for this mode, and pass this binary to afl-fuzz
- via the `-c` parameter.
+ twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`,
+ and pass this binary to afl-fuzz via the `-c` parameter.
Note that you can compile also just a cmplog binary and use that for both
however there will be a performance penality.
You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
--
cgit 1.4.1
From 533e979010ca338df6fc415d87668f8187752915 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 10 Nov 2021 12:49:57 +0100
Subject: update qemuafl, update changelog
---
docs/Changelog.md | 17 +++++++++++------
qemu_mode/QEMUAFL_VERSION | 2 +-
qemu_mode/qemuafl | 2 +-
3 files changed, 13 insertions(+), 8 deletions(-)
(limited to 'docs')
diff --git a/docs/Changelog.md b/docs/Changelog.md
index 2c72b5f2..6a9c895c 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -9,25 +9,31 @@ Want to stay in the loop on major new features? Join our mailing list by
sending a mail to .
### Version ++3.15a (dev)
+ - documentation restructuring, made possible by Google Season of Docs :)
- afl-fuzz:
+ - cmplog binaries will need to be recompiled for this version
+ (it is better!)
+ - fix a regression introduced in 3.10 that resulted in less
+ coverage being detected. thanks to Collin May for reporting!
- added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
incorrect LTO usage setups and enhanced the READMEs for better
information on how to deal with instrumenting libraries
- - fix a regression introduced in 3.10 that resulted in less
- coverage being detected. thanks to Collin May for reporting!
- fix -n dumb mode (nobody should use this)
- fix stability issue with LTO and cmplog
- better banner
- more effective cmplog mode
- more often update the UI when in input2stage mode
- - frida_mode: David Carlier added Android support :)
+ - frida_mode:
+ - better performance, bug fixes
+ - David Carlier added Android support :)
- afl-showmap, afl-tmin and afl-analyze:
- - honor persistent mode for more speed. thanks to dloffre-snl for
- reporting!
+ - honor persistent mode for more speed. thanks to dloffre-snl
+ for reporting!
- fix bug where targets are not killed on timeouts
- Prevent accidently killing non-afl/fuzz services when aborting
afl-showmap and other tools.
- afl-cc:
+ - new cmplog mode (incompatible with older afl++ versions)
- support llvm IR select instrumentation for default PCGUARD and LTO
- fix for shared linking on MacOS
- added AFL_USE_TSAN thread sanitizer support
@@ -45,7 +51,6 @@ sending a mail to .
- added uninstall target to makefile (todo: update new readme!)
- removed indirections in rust callbacks for unicornafl
-
### Version ++3.14c (release)
- afl-fuzz:
- fix -F when a '/' was part of the parameter
diff --git a/qemu_mode/QEMUAFL_VERSION b/qemu_mode/QEMUAFL_VERSION
index 5d6b5276..680c04d6 100644
--- a/qemu_mode/QEMUAFL_VERSION
+++ b/qemu_mode/QEMUAFL_VERSION
@@ -1 +1 @@
-eb765dd8a606c12c7d43bb2748461c7f13ab0367
+002e473939
diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl
index eb765dd8..002e4739 160000
--- a/qemu_mode/qemuafl
+++ b/qemu_mode/qemuafl
@@ -1 +1 @@
-Subproject commit eb765dd8a606c12c7d43bb2748461c7f13ab0367
+Subproject commit 002e473939a350854d56f67ce7b2e2d9706b8bca
--
cgit 1.4.1
From 268339a683aab00f8487eac1ca31ef5d6c6abc4b Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 16 Nov 2021 11:03:53 +0100
Subject: showmap -A -> -H, accurate help output
---
GNUmakefile | 2 +-
afl-cmin | 6 +++---
afl-cmin.bash | 4 ++--
coresight_mode/README.md | 1 -
docs/Changelog.md | 6 +++++-
src/afl-analyze.c | 7 ++++++-
src/afl-fuzz-bitmap.c | 6 ++----
src/afl-fuzz.c | 7 ++++++-
src/afl-showmap.c | 19 ++++++++++++-------
src/afl-tmin.c | 7 ++++++-
10 files changed, 43 insertions(+), 22 deletions(-)
(limited to 'docs')
diff --git a/GNUmakefile b/GNUmakefile
index ab57e7ad..673d2bf8 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -346,7 +346,7 @@ help:
@echo "HELP --- the following make targets exist:"
@echo "=========================================="
@echo "all: just the main afl++ binaries"
- @echo "binary-only: everything for binary-only fuzzing: coresight_mode, qemu_mode, unicorn_mode, libdislocator, libtokencap"
+ @echo "binary-only: everything for binary-only fuzzing: qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, libtokencap"
@echo "source-only: everything for source code fuzzing: gcc_plugin, libdislocator, libtokencap"
@echo "distrib: everything (for both binary-only and source code fuzzing)"
@echo "man: creates simple man pages from the help option of the programs"
diff --git a/afl-cmin b/afl-cmin
index e6f8c175..879aead2 100755
--- a/afl-cmin
+++ b/afl-cmin
@@ -396,7 +396,7 @@ BEGIN {
system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
} else {
system("cp \""in_dir"/"first_file"\" "stdin_file)
- system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" .
### Version ++3.15a (dev)
- documentation restructuring, made possible by Google Season of Docs :)
+ - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :)
+ thanks to RICSecLab submitting!
- afl-fuzz:
- cmplog binaries will need to be recompiled for this version
(it is better!)
- fix a regression introduced in 3.10 that resulted in less
coverage being detected. thanks to Collin May for reporting!
- - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on
+ - added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on
incorrect LTO usage setups and enhanced the READMEs for better
information on how to deal with instrumenting libraries
- fix -n dumb mode (nobody should use this)
@@ -30,6 +32,8 @@ sending a mail to .
- honor persistent mode for more speed. thanks to dloffre-snl
for reporting!
- fix bug where targets are not killed on timeouts
+ - moved hidden afl-showmap -A option to -H to be used for
+ coresight_mode
- Prevent accidently killing non-afl/fuzz services when aborting
afl-showmap and other tools.
- afl-cc:
diff --git a/src/afl-analyze.c b/src/afl-analyze.c
index bc562c15..ac5a324c 100644
--- a/src/afl-analyze.c
+++ b/src/afl-analyze.c
@@ -848,12 +848,17 @@ static void usage(u8 *argv0) {
" -f file - input file read by the tested program (stdin)\n"
" -t msec - timeout for each run (%u ms)\n"
" -m megs - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
" -A - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
" -O - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
- "mode)\n\n"
+ "mode)\n"
+#endif
+ "\n"
"Analysis settings:\n"
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index f7b59f25..a204e374 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -452,14 +452,12 @@ save_if_interesting(afl_state_t *afl, void *mem, u32 len, u8 fault) {
if (unlikely(len == 0)) { return 0; }
+ u8 fn[PATH_MAX];
u8 *queue_fn = "";
- u8 new_bits = '\0';
+ u8 new_bits = 0, keeping = 0, res, classified = 0;
s32 fd;
- u8 keeping = 0, res, classified = 0;
u64 cksum = 0;
- u8 fn[PATH_MAX];
-
/* Update path frequency. */
/* Generating a hash on every input is super expensive. Bad idea and should
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index dfd62db8..195366bd 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -113,12 +113,17 @@ static void usage(u8 *argv0, int more_help) {
"maximum.\n"
" -m megs - memory limit for child process (%u MB, 0 = no limit "
"[default])\n"
+#if defined(__linux__) && defined(__aarch64__)
" -A - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
" -O - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
- "mode)\n\n"
+ "mode)\n"
+#endif
+ "\n"
"Mutator settings:\n"
" -D - enable deterministic fuzzing (once per queue entry)\n"
diff --git a/src/afl-showmap.c b/src/afl-showmap.c
index 899baaa0..0ba265ab 100644
--- a/src/afl-showmap.c
+++ b/src/afl-showmap.c
@@ -844,13 +844,18 @@ static void usage(u8 *argv0) {
"Execution control settings:\n"
" -t msec - timeout for each run (none)\n"
" -m megs - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
+ " -A - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
" -O - use binary-only instrumentation (FRIDA mode)\n"
- " -P - use binary-only instrumentation (ARM CoreSight mode)\n"
+#if defined(__linux__)
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use Unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine mode)\n"
" (Not necessary, here for consistency with other afl-* "
- "tools)\n\n"
+ "tools)\n"
+#endif
+ "\n"
"Other settings:\n"
" -i dir - process all files below this directory, must be combined "
"with -o.\n"
@@ -920,7 +925,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = true; }
- while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOPQUWbcrsh")) > 0) {
+ while ((opt = getopt(argc, argv, "+i:o:f:m:t:A:eqCZOHQUWbcrsh")) > 0) {
switch (opt) {
@@ -1049,7 +1054,7 @@ int main(int argc, char **argv_orig, char **envp) {
quiet_mode = true;
break;
- case 'A':
+ case 'H':
/* Another afl-cmin specific feature. */
at_file = optarg;
break;
@@ -1065,13 +1070,13 @@ int main(int argc, char **argv_orig, char **envp) {
/* FIXME: We want to use -P for consistency, but it is already unsed for
* undocumenetd feature "Another afl-cmin specific feature." */
- case 'P': /* CoreSight mode */
+ case 'A': /* CoreSight mode */
#if !defined(__aarch64__) || !defined(__linux__)
- FATAL("-P option is not supported on this platform");
+ FATAL("-A option is not supported on this platform");
#endif
- if (fsrv->cs_mode) { FATAL("Multiple -P options not supported"); }
+ if (fsrv->cs_mode) { FATAL("Multiple -A options not supported"); }
fsrv->cs_mode = true;
break;
diff --git a/src/afl-tmin.c b/src/afl-tmin.c
index 22383a4e..89546c45 100644
--- a/src/afl-tmin.c
+++ b/src/afl-tmin.c
@@ -866,14 +866,19 @@ static void usage(u8 *argv0) {
" -f file - input file read by the tested program (stdin)\n"
" -t msec - timeout for each run (%u ms)\n"
" -m megs - memory limit for child process (%u MB)\n"
+#if defined(__linux__) && defined(__aarch64__)
" -A - use binary-only instrumentation (ARM CoreSight mode)\n"
+#endif
" -O - use binary-only instrumentation (FRIDA mode)\n"
+#if defined(__linux__)
" -Q - use binary-only instrumentation (QEMU mode)\n"
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
"mode)\n"
" (Not necessary, here for consistency with other afl-* "
- "tools)\n\n"
+ "tools)\n"
+#endif
+ "\n"
"Minimization settings:\n"
--
cgit 1.4.1
From b659be15494011184694a35ce02927f743fe0518 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Tue, 16 Nov 2021 13:54:31 +0100
Subject: add coresight to docs
---
docs/binaryonly_fuzzing.md | 10 +++-------
docs/features.md | 31 +++++++++++++++++--------------
2 files changed, 20 insertions(+), 21 deletions(-)
(limited to 'docs')
diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md
index de360543..2c0872cf 100644
--- a/docs/binaryonly_fuzzing.md
+++ b/docs/binaryonly_fuzzing.md
@@ -175,13 +175,9 @@
## CORESIGHT
Coresight is ARM's answer to Intel's PT.
- There is no implementation so far which handles coresight and getting
- it working on an ARM Linux is very difficult due to custom kernel building
- on embedded systems is difficult. And finding one that has coresight in
- the ARM chip is difficult too.
- My guess is that it is slower than Qemu, but faster than Intel PT.
-
- If anyone finds any coresight implementation for AFL please ping me: vh@thc.org
+ With afl++ v3.15 there is a coresight tracer implementation available in
+ `coresight_mode/` which is faster than QEMU, however can not run in parallel.
+ Currently only one process can be traced, it is WIP.
## PIN & DYNAMORIO
diff --git a/docs/features.md b/docs/features.md
index c0956703..f44e32ff 100644
--- a/docs/features.md
+++ b/docs/features.md
@@ -4,20 +4,20 @@
with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full *BSD,
Mac OS, Solaris and Android support and much, much, much more.
- | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | frida_mode | qemu_mode |unicorn_mode |
- | -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|
- | Threadsafe counters | | x(3) | | | | |
- | NeverZero | x86[_64]| x(1) | x | x | x | x |
- | Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x |
- | LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] |
- | CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | |
- | Selective Instrumentation| | x | x | x | x | |
- | Non-Colliding Coverage | | x(4) | | | (x)(5) | |
- | Ngram prev_loc Coverage | | x(6) | | | | |
- | Context Coverage | | x(6) | | | | |
- | Auto Dictionary | | x(7) | | | | |
- | Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | |
- | Shared Memory Testcases | | x | x | x86[_64]/arm64 | x | x |
+ | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | frida_mode(9) | qemu_mode(10) |unicorn_mode(10) |coresight_mode(11)|
+ | -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------------:|
+ | Threadsafe counters | | x(3) | | | | | |
+ | NeverZero | x86[_64]| x(1) | x | x | x | x | |
+ | Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | |
+ | LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | |
+ | CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | |
+ | Selective Instrumentation| | x | x | x | x | | |
+ | Non-Colliding Coverage | | x(4) | | | (x)(5) | | |
+ | Ngram prev_loc Coverage | | x(6) | | | | | |
+ | Context Coverage | | x(6) | | | | | |
+ | Auto Dictionary | | x(7) | | | | | |
+ | Snapshot LKM Support | | (x)(8) | (x)(8) | | (x)(5) | | |
+ | Shared Memory Testcases | | x | x | x86[_64]/arm64 | x | x | |
1. default for LLVM >= 9.0, env var for older version due an efficiency bug in previous llvm versions
2. GCC creates non-performant code, hence it is disabled in gcc_plugin
@@ -27,6 +27,9 @@
6. not compatible with LTO instrumentation and needs at least LLVM v4.1
7. automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM versions that write to a file to use with afl-fuzz' `-x`
8. the snapshot LKM is currently unmaintained due to too many kernel changes coming too fast :-(
+ 9. frida mode is supported on Linux and MacOS for Intel and ARM
+ 10. QEMU/Unicorn is only supported on Linux
+ 11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight extension
Among others, the following features and patches have been integrated:
--
cgit 1.4.1
From 132630d48d0f9fe50e9388f941433c85636587da Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 17 Nov 2021 09:09:03 +0100
Subject: nit
---
docs/technical_details.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/technical_details.md b/docs/technical_details.md
index b9d271d9..994ffe9f 100644
--- a/docs/technical_details.md
+++ b/docs/technical_details.md
@@ -1,7 +1,7 @@
# Technical "whitepaper" for afl-fuzz
-NOTE: this document is rather outdated!
+NOTE: this document is mostly outdated!
This document provides a quick overview of the guts of American Fuzzy Lop.
--
cgit 1.4.1
From 8a9f3bcca87ef7bcadec09e2504ae3a40d6d4314 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Wed, 17 Nov 2021 09:09:26 +0100
Subject: d2
---
docs/docs2.md | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 119 insertions(+)
create mode 100644 docs/docs2.md
(limited to 'docs')
diff --git a/docs/docs2.md b/docs/docs2.md
new file mode 100644
index 00000000..10912efd
--- /dev/null
+++ b/docs/docs2.md
@@ -0,0 +1,119 @@
+# Restructure AFL++'s documentation - Case Study
+
+## Problem statement
+
+AFL++ inherited it's documentation from the original Google AFL project.
+Since then it has been massively improved - feature and performance wise -
+and although the documenation has likewise been continued it has grown out
+of proportion.
+The documentation is done by non-natives to the English language, plus
+none of us has a writer background.
+
+We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord
+channels, web forums and as issues in our repository.
+Most of them could be answered if people would read through all the
+documentation.
+
+This only increases as AFL++ has been on the top of Google's fuzzbench
+statistics (which measures the performance of fuzzers) and has been
+integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix
+packaging repositories, e.g. Debian, FreeBSD, etc.
+
+AFL++ had 44 (!) documentation files with 13k total lines of content.
+This was way too much.
+
+## Proposal abstract
+
+AFL++'s documentatin needs a complete overhaul, both on a
+organisation/structural level as well as the content.
+
+Overall the following actions have to be performed:
+ * Create a better structure of documentation so it is easier to find the
+ information that is being looked for, combining and/or splitting up the
+ existing documents as needed.
+ * Rewrite some documentation to remove duplication. Several information is
+ present several times in the documentation. These should be removed to
+ where needed so that we have as little bloat as possible.
+ * The documents have been written and modified by a lot of different people,
+ most of them non-native English speaker. Hence an overall review where
+ parts should be rewritten has to be performed and then the rewrite done.
+ * Create a cheat-sheet for a very short best-setup build and run of AFL++
+ * Pictures explain more than 1000 words. We need at least 4 images that
+ explain the workflow with AFL++:
+ - the build workflow
+ - the fuzzing workflow
+ - the fuzzing campaign management workflow
+ - the overall workflow that is an overview of the above
+ - maybe more? where the technical writes seems it necessary for
+ understanding.
+
+Requirements:
+ * Documentation has to be in Markdown format
+ * Images have to be either in SVG or PNG format.
+ * All documentation should be (moved) in(to) docs/
+
+## Project description
+
+We created our proposal by discussing in the team what the issues are and
+what was needed to fix it.
+This resulted in the [project proposal](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/docs.md).
+
+We did not want to be selected by a writer but select a writer ourselves, so
+we combed through the list and reviewed every single one of them.
+We were not looking for coders writing technical documentation, but rather
+someone who is an experienced writer and has documented experience with
+structuring documentation.
+Few fit that profile and we sent out messages to 6 people.
+We finally decided on Jana because she had a strong background in technical
+documentation and structuring information.
+She had no technical experience in fuzzing whatsoever, but this was a plus -
+of course this made the whole process longer to explain details, but overall
+ensured that the documentation can be read by (mostly) everyone.
+
+The project was off to a good start, but then Jana got pregnant with serious
+side effects that made working impossible for her for a longer time, hence
+the schedule was thrown back.
+She offered to rescind the payment and we select a new writer, but we saw
+little opportunity in that, as that would mean a new selection of a writer,
+someone else with a different vision on how the result should look like so
+basically a full restart of the project and a large impact on our own time.
+So we agreed on - after discussion with the Google GSoD team - that she
+continues the project after the GSoD completion deadline as best as she can.
+
+Originally the project should have been ended begin of October, but now - at
+mid of November, we are at about 65% completion, with a completion hopefully
+in January or February next year.
+The most important parts of the documentation have been restructured and
+rewritten (the user how-to parts) with some smaller todos left, the in-depth
+documentation on the inner workings as well as the workflow diagrams are still
+to be done.
+
+## Metrics
+
+We merged most of the changes in our development branch and are getting
+close to a state where the user documentation part is completed and we
+can create a new release. Only then the new documentatin is actually visible
+to users. Therefore no metrics could be collected so far.
+
+The documentation was reviewed by a few test users so far however who gave
+it a thumbs up.
+
+## Summary
+
+The GSoD project itself is great. It helps to get the documentation back in
+line.
+It was and is a larger time investment from our side, but we expected that.
+When the project is done, the documentation will be more accessible by users
+and also need less maintenance by us.
+There is still follow-up work to be done by us afterwards (web site for the
+docs, etc.).
+
+Not sure what we would do differently next time. I think we prepared best as
+possible and reacted best as possible to the unexpected.
+
+Recommendations for other organizations who would like to participate in GSoD:
+ - expect the process to take a larger part of your time. the writer needs
+ your full support.
+ - have someone dedicated from the dev/org side to support, educate and
+ supervice the writer
+ - set clear goals and expectations
--
cgit 1.4.1
From 5ec859cece70ab1b5cd9e0356c4cc3e260d2cbe0 Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sat, 20 Nov 2021 15:48:49 +0100
Subject: Clean up docs folder
---
README.md | 98 ++++----
docs/best_practices.md | 4 +-
docs/branches.md | 11 -
docs/fuzzing_expert.md | 630 ----------------------------------------------
docs/fuzzing_in_depth.md | 630 ++++++++++++++++++++++++++++++++++++++++++++++
docs/known_limitations.md | 36 ---
docs/limitations.md | 36 +++
docs/sister_projects.md | 319 -----------------------
docs/third_party_tools.md | 33 +++
docs/tools.md | 33 ---
10 files changed, 756 insertions(+), 1074 deletions(-)
delete mode 100644 docs/branches.md
delete mode 100644 docs/fuzzing_expert.md
create mode 100644 docs/fuzzing_in_depth.md
delete mode 100644 docs/known_limitations.md
create mode 100644 docs/limitations.md
delete mode 100644 docs/sister_projects.md
create mode 100644 docs/third_party_tools.md
delete mode 100644 docs/tools.md
(limited to 'docs')
diff --git a/README.md b/README.md
index 575a6a1a..b2714787 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Release version: [3.14c](https://github.com/AFLplusplus/AFLplusplus/releases)
GitHub version: 3.15a
-Repository:
+Repository:
[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
AFL++ is maintained by:
@@ -18,33 +18,33 @@ AFL++ is maintained by:
Originally developed by Michał "lcamtuf" Zalewski.
-AFL++ is a superior fork to Google's AFL - more speed, more and better
+AFL++ is a superior fork to Google's AFL - more speed, more and better
mutations, more and better instrumentation, custom module support, etc.
-You are free to copy, modify, and distribute AFL++ with attribution under the
+You are free to copy, modify, and distribute AFL++ with attribution under the
terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.
## Getting started
Here is some information to get you started:
-* For releases, please see the
- [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab and
- [branches](docs/branches.md). Also take a look at the list of
+* For releases, please see the
+ [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and
+ [branches](#branches). Also take a look at the list of
[important changes in AFL++](docs/important_changes.md).
-* If you want to use AFL++ for your academic work, check the
+* If you want to use AFL++ for your academic work, check the
[papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
-* For comparisons, use the fuzzbench `aflplusplus` setup, or use
- `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
- default configuration on Google's
+* For comparisons, use the fuzzbench `aflplusplus` setup, or use
+ `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
+ default configuration on Google's
[fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
-* To get you started with tutorials, go to
+* To get you started with tutorials, go to
[docs/tutorials.md](docs/tutorials.md).
## Building and installing AFL++
-To have AFL++ easily available with everything compiled, pull the image
+To have AFL++ easily available with everything compiled, pull the image
directly from the Docker Hub:
```shell
@@ -52,39 +52,39 @@ docker pull aflplusplus/aflplusplus
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
```
-This image is automatically generated when a push to the stable repo happens
-(see [docs/branches.md](docs/branches.md)). You will find your target source
+This image is automatically generated when a push to the stable repo happens
+(see [branches](#branches)). You will find your target source
code in `/src` in the container.
To build AFL++ yourself, continue at [docs/INSTALL.md](docs/INSTALL.md).
## Quick start: Fuzzing with AFL++
-*NOTE: Before you start, please read about the [common sense risks of
+*NOTE: Before you start, please read about the [common sense risks of
fuzzing](docs/common_sense_risks.md).*
-This is a quick start for fuzzing targets with the source code available. To
+This is a quick start for fuzzing targets with the source code available. To
read about the process in detail, see
-[docs/fuzzing_expert.md](docs/fuzzing_expert.md).
+[docs/fuzzing_in_depth.md](docs/fuzzing_in_depth.md).
To learn about fuzzing other targets, see:
-* Binary-only targets:
+* Binary-only targets:
[docs/fuzzing_binary-only_targets.md](docs/fuzzing_binary-only_targets.md)
-* Network services:
+* Network services:
[docs/best_practices.md#fuzzing-a-network-service](docs/best_practices.md#fuzzing-a-network-service)
-* GUI programs:
+* GUI programs:
[docs/best_practices.md#fuzzing-a-gui-program](docs/best_practices.md#fuzzing-a-gui-program)
Step-by-step quick start:
-1. Compile the program or library to be fuzzed using `afl-cc`. A common way to
+1. Compile the program or library to be fuzzed using `afl-cc`. A common way to
do this would be:
CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared
make clean all
-2. Get a small but valid input file that makes sense to the program. When
- fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
+2. Get a small but valid input file that makes sense to the program. When
+ fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
[dictionaries/README.md](dictionaries/README.md), too.
3. If the program reads from stdin, run `afl-fuzz` like so:
@@ -96,51 +96,63 @@ Step-by-step quick start:
To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz.
- If the program takes input from a file, you can put `@@` in the program's
+ If the program takes input from a file, you can put `@@` in the program's
command line; AFL will put an auto-generated file name in there for you.
-4. Investigate anything shown in red in the fuzzer UI by promptly consulting
+4. Investigate anything shown in red in the fuzzer UI by promptly consulting
[docs/status_screen.md](docs/status_screen.md).
-5. You will find found crashes and hangs in the subdirectories `crashes/` and
- `hangs/` in the `-o output_dir` directory. You can replay the crashes by
- feeding them to the target, e.g.: `cat output_dir/crashes/id:000000,* |
- /path/to/tested/program [...program's cmdline...]` You can generate cores or
+5. You will find found crashes and hangs in the subdirectories `crashes/` and
+ `hangs/` in the `-o output_dir` directory. You can replay the crashes by
+ feeding them to the target, e.g.: `cat output_dir/crashes/id:000000,* |
+ /path/to/tested/program [...program's cmdline...]` You can generate cores or
use gdb directly to follow up the crashes.
## Contact
Questions? Concerns? Bug reports?
-* The contributors can be reached via
+* The contributors can be reached via
[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
-* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or
- important question missing, submit it via
+* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or
+ important question missing, submit it via
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
-* There is a mailing list for the AFL/AFL++ project
- ([browse archive](https://groups.google.com/group/afl-users)). To compare
- notes with other users or to get notified about major new features, send an
+* There is a mailing list for the AFL/AFL++ project
+ ([browse archive](https://groups.google.com/group/afl-users)). To compare
+ notes with other users or to get notified about major new features, send an
email to .
* Or join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
+## Branches
+
+The following branches exist:
+
+* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest release
+* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability
+* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
+* (any other): experimental branches to work on specific features or testing new functionality or changes.
+
+For releases, please see the [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases).
+Also take a look at the list of [important changes in AFL++](docs/important_changes.md).
+
## Help wanted
-We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it
-even better. However, we already work on so many things that we do not have the
+We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it
+even better. However, we already work on so many things that we do not have the
time for all the big ideas.
-This can be your way to support and contribute to AFL++ - extend it to do
+This can be your way to support and contribute to AFL++ - extend it to do
something cool.
-For everyone who wants to contribute (and send pull requests), please read our
+For everyone who wants to contribute (and send pull requests), please read our
[contributing guidelines](CONTRIBUTING.md) before your submit.
## Special thanks
-Many of the improvements to the original AFL and AFL++ wouldn't be possible
+Many of the improvements to the original AFL and AFL++ wouldn't be possible
without feedback, bug reports, or patches from our contributors.
-Thank you! (For people sending pull requests - please add yourself to this list
+Thank you! (For people sending pull requests - please add yourself to this list
:-)
@@ -200,8 +212,8 @@ Thank you! (For people sending pull requests - please add yourself to this list
## Cite
-If you use AFL++ in scientific work, consider citing
-[our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi)
+If you use AFL++ in scientific work, consider citing
+[our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi)
presented at WOOT'20:
Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.
diff --git a/docs/best_practices.md b/docs/best_practices.md
index 5d07dd14..7016f08d 100644
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@@ -48,7 +48,7 @@ to emulate the network. This is also much faster than the real network would be.
See [utils/socket_fuzzing/](../utils/socket_fuzzing/).
There is an outdated AFL++ branch that implements networking if you are
-desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) -
+desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) -
however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet))
which allows you to define network state with different type of data packets.
@@ -62,7 +62,7 @@ which allows you to define network state with different type of data packets.
4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md).
5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure).
6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem.
-7. Use your cores! [fuzzing_expert.md:b) Using multiple cores](fuzzing_expert.md#b-using-multiple-cores).
+7. Use your cores ([fuzzing_in_depth.md:b) Using multiple cores](fuzzing_in_depth.md#b-using-multiple-cores))!
### Improving stability
diff --git a/docs/branches.md b/docs/branches.md
deleted file mode 100644
index ae147b08..00000000
--- a/docs/branches.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Branches
-
-The following branches exist:
-
-* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest release
-* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability
-* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
-* (any other): experimental branches to work on specific features or testing new functionality or changes.
-
-For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab.
-Also take a look at the list of [important changes in AFL++](important_changes.md).
\ No newline at end of file
diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md
deleted file mode 100644
index 876c5fbb..00000000
--- a/docs/fuzzing_expert.md
+++ /dev/null
@@ -1,630 +0,0 @@
-# Fuzzing with AFL++
-
-The following describes how to fuzz with a target if source code is available.
-If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps)
-
-Fuzzing source code is a three-step process.
-
-1. Compile the target with a special compiler that prepares the target to be
- fuzzed efficiently. This step is called "instrumenting a target".
-2. Prepare the fuzzing by selecting and optimizing the input corpus for the
- target.
-3. Perform the fuzzing of the target by randomly mutating input and assessing
- if a generated input was processed in a new path in the target binary.
-
-### 1. Instrumenting that target
-
-#### a) Selecting the best AFL++ compiler for instrumenting the target
-
-AFL++ comes with a central compiler `afl-cc` that incorporates various different
-kinds of compiler targets and and instrumentation options.
-The following evaluation flow will help you to select the best possible.
-
-It is highly recommended to have the newest llvm version possible installed,
-anything below 9 is not recommended.
-
-```
-+--------------------------------+
-| clang/clang++ 11+ is available | --> use LTO mode (afl-clang-lto/afl-clang-lto++)
-+--------------------------------+ see [instrumentation/README.lto.md](instrumentation/README.lto.md)
- |
- | if not, or if the target fails with LTO afl-clang-lto/++
- |
- v
-+---------------------------------+
-| clang/clang++ 3.8+ is available | --> use LLVM mode (afl-clang-fast/afl-clang-fast++)
-+---------------------------------+ see [instrumentation/README.llvm.md](instrumentation/README.llvm.md)
- |
- | if not, or if the target fails with LLVM afl-clang-fast/++
- |
- v
- +--------------------------------+
- | gcc 5+ is available | -> use GCC_PLUGIN mode (afl-gcc-fast/afl-g++-fast)
- +--------------------------------+ see [instrumentation/README.gcc_plugin.md](instrumentation/README.gcc_plugin.md) and
- [instrumentation/README.instrument_list.md](instrumentation/README.instrument_list.md)
- |
- | if not, or if you do not have a gcc with plugin support
- |
- v
- use GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang)
-```
-
-Clickable README links for the chosen compiler:
-
- * [LTO mode - afl-clang-lto](../instrumentation/README.lto.md)
- * [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md)
- * [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md)
- * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features
-
-You can select the mode for the afl-cc compiler by:
- 1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
- afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
- afl-gcc-fast, afl-g++-fast (recommended!)
- 2. using the environment variable AFL_CC_COMPILER with MODE
- 3. passing --afl-MODE command line options to the compiler via CFLAGS/CXXFLAGS/CPPFLAGS
-
-MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN
-(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++).
-
-Because no AFL specific command-line options are accepted (beside the
---afl-MODE command), the compile-time tools make fairly broad use of environment
-variables, which can be listed with `afl-cc -hh` or by reading [env_variables.md](env_variables.md).
-
-#### b) Selecting instrumentation options
-
-The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto):
-
- * Splitting integer, string, float and switch comparisons so AFL++ can easier
- solve these. This is an important option if you do not have a very good
- and large input corpus. This technique is called laf-intel or COMPCOV.
- To use this set the following environment variable before compiling the
- target: `export AFL_LLVM_LAF_ALL=1`
- You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
- * A different technique (and usually a better one than laf-intel) is to
- instrument the target so that any compare values in the target are sent to
- AFL++ which then tries to put these values into the fuzzing data at different
- locations. This technique is very fast and good - if the target does not
- transform input data before comparison. Therefore this technique is called
- `input to state` or `redqueen`.
- If you want to use this technique, then you have to compile the target
- twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`,
- and pass this binary to afl-fuzz via the `-c` parameter.
- Note that you can compile also just a cmplog binary and use that for both
- however there will be a performance penality.
- You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
-
-If you use LTO, LLVM or GCC_PLUGIN mode (afl-clang-fast/afl-clang-lto/afl-gcc-fast)
-you have the option to selectively only instrument parts of the target that you
-are interested in:
-
- * To instrument only those parts of the target that you are interested in
- create a file with all the filenames of the source code that should be
- instrumented.
- For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than
- DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one
- filename or function per line (no directory information necessary for
- filenames9, and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or**
- `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per
- default to instrument unless noted (DENYLIST) or not perform instrumentation
- unless requested (ALLOWLIST).
- **NOTE:** During optimization functions might be inlined and then would not match!
- See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
-
-There are many more options and modes available however these are most of the
-time less effective. See:
- * [instrumentation/README.ctx.md](../instrumentation/README.ctx.md)
- * [instrumentation/README.ngram.md](../instrumentation/README.ngram.md)
-
-AFL++ performs "never zero" counting in its bitmap. You can read more about this
-here:
- * [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md)
-
-#### c) Sanitizers
-
-It is possible to use sanitizers when instrumenting targets for fuzzing,
-which allows you to find bugs that would not necessarily result in a crash.
-
-Note that sanitizers have a huge impact on CPU (= less executions per second)
-and RAM usage. Also you should only run one afl-fuzz instance per sanitizer type.
-This is enough because a use-after-free bug will be picked up, e.g. by
-ASAN (address sanitizer) anyway when syncing to other fuzzing instances,
-so not all fuzzing instances need to be instrumented with ASAN.
-
-The following sanitizers have built-in support in AFL++:
- * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
- use-after-free, NULL pointer dereference, buffer overruns, etc.
- Enabled with `export AFL_USE_ASAN=1` before compiling.
- * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg.
- a local variable that is defined and read before it is even set.
- Enabled with `export AFL_USE_MSAN=1` before compiling.
- * UBSAN = Undefined Behaviour SANitizer, finds instances where - by the
- C and C++ standards - undefined behaviour happens, e.g. adding two
- signed integers together where the result is larger than a signed integer
- can hold.
- Enabled with `export AFL_USE_UBSAN=1` before compiling.
- * CFISAN = Control Flow Integrity SANitizer, finds instances where the
- control flow is found to be illegal. Originally this was rather to
- prevent return oriented programming exploit chains from functioning,
- in fuzzing this is mostly reduced to detecting type confusion
- vulnerabilities - which is however one of the most important and dangerous
- C++ memory corruption classes!
- Enabled with `export AFL_USE_CFISAN=1` before compiling.
- * TSAN = Thread SANitizer, finds thread race conditions.
- Enabled with `export AFL_USE_TSAN=1` before compiling.
- * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
- a security issue, but for developers this can be very valuable.
- Note that unlike the other sanitizers above this needs
- `__AFL_LEAK_CHECK();` added to all areas of the target source code where you
- find a leak check necessary!
- Enabled with `export AFL_USE_LSAN=1` before compiling.
-
-It is possible to further modify the behaviour of the sanitizers at run-time
-by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters
-can be looked up in the sanitizer documentation of llvm/clang.
-afl-fuzz however requires some specific parameters important for fuzzing to be
-set. If you want to set your own, it might bail and report what it is missing.
-
-Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and
-others often cannot work together because of target weirdness, e.g. ASAN and
-CFISAN. You might need to experiment which sanitizers you can combine in a
-target (which means more instances can be run without a sanitized target,
-which is more effective).
-
-#### d) Modify the target
-
-If the target has features that make fuzzing more difficult, e.g.
-checksums, HMAC, etc. then modify the source code so that checks for these
-values are removed.
-This can even be done safely for source code used in operational products
-by eliminating these checks within these AFL specific blocks:
-
-```
-#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- // say that the checksum or HMAC was fine - or whatever is required
- // to eliminate the need for the fuzzer to guess the right checksum
- return 0;
-#endif
-```
-
-All AFL++ compilers will set this preprocessor definition automatically.
-
-#### e) Instrument the target
-
-In this step the target source code is compiled so that it can be fuzzed.
-
-Basically you have to tell the target build system that the selected AFL++
-compiler is used. Also - if possible - you should always configure the
-build system such that the target is compiled statically and not dynamically.
-How to do this is described below.
-
-The #1 rule when instrumenting a target is: avoid instrumenting shared
-libraries at all cost. You would need to set LD_LIBRARY_PATH to point to
-these, you could accidently type "make install" and install them system wide -
-so don't. Really don't.
-**Always compile libraries you want to have instrumented as static and link
-these to the target program!**
-
-Then build the target. (Usually with `make`)
-
-**NOTES**
-
-1. sometimes configure and build systems are fickle and do not like
- stderr output (and think this means a test failure) - which is something
- AFL++ likes to do to show statistics. It is recommended to disable AFL++
- instrumentation reporting via `export AFL_QUIET=1`.
-
-2. sometimes configure and build systems error on warnings - these should be
- disabled (e.g. `--disable-werror` for some configure scripts).
-
-3. in case the configure/build system complains about AFL++'s compiler and
- aborts then set `export AFL_NOOPT=1` which will then just behave like the
- real compiler. This option has to be unset again before building the target!
-
-##### configure
-
-For `configure` build systems this is usually done by:
-`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared`
-
-Note that if you are using the (better) afl-clang-lto compiler you also have to
-set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
-described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
-
-##### cmake
-
-For `cmake` build systems this is usually done by:
-`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..`
-
-Note that if you are using the (better) afl-clang-lto compiler you also have to
-set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
-described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
-
-##### meson
-
-For meson you have to set the AFL++ compiler with the very first command!
-`CC=afl-cc CXX=afl-c++ meson`
-
-##### other build systems or if configure/cmake didn't work
-
-Sometimes cmake and configure do not pick up the AFL++ compiler, or the
-ranlib/ar that is needed - because this was just not foreseen by the developer
-of the target. Or they have non-standard options. Figure out if there is a
-non-standard way to set this, otherwise set up the build normally and edit the
-generated build environment afterwards manually to point it to the right compiler
-(and/or ranlib and ar).
-
-#### f) Better instrumentation
-
-If you just fuzz a target program as-is you are wasting a great opportunity for
-much more fuzzing speed.
-
-This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast.
-
-It is the so-called `persistent mode`, which is much, much faster but
-requires that you code a source file that is specifically calling the target
-functions that you want to fuzz, plus a few specific AFL++ functions around
-it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details.
-
-Basically if you do not fuzz a target in persistent mode then you are just
-doing it for a hobby and not professionally :-).
-
-#### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput()
-
-libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard
-for fuzzing, and they can be used with AFL++ (and honggfuzz) as well!
-Compiling them is as simple as:
-```
-afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a
-```
-You can even use advanced libfuzzer features like `FuzzedDataProvider`,
-`LLVMFuzzerMutate()` etc. and they will work!
-
-The generated binary is fuzzed with afl-fuzz like any other fuzz target.
-
-Bonus: the target is already optimized for fuzzing due to persistent mode and
-shared-memory testcases and hence gives you the fastest speed possible.
-
-For more information see [utils/aflpp_driver/README.md](../utils/aflpp_driver/README.md)
-
-### 2. Preparing the fuzzing campaign
-
-As you fuzz the target with mutated input, having as diverse inputs for the
-target as possible improves the efficiency a lot.
-
-#### a) Collect inputs
-
-Try to gather valid inputs for the target from wherever you can. E.g. if it is
-the PNG picture format try to find as many png files as possible, e.g. from
-reported bugs, test suites, random downloads from the internet, unit test
-case data - from all kind of PNG software.
-
-If the input format is not known, you can also modify a target program to write
-normal data it receives and processes to a file and use these.
-
-#### b) Making the input corpus unique
-
-Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
-produce a new path in the target.
-
-Put all files from step a) into one directory, e.g. INPUTS.
-
-If the target program is to be called by fuzzing as `bin/target -d INPUTFILE`
-the run afl-cmin like this:
-`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@`
-Note that the INPUTFILE argument that the target program would read from has to be set as `@@`.
-
-If the target reads from stdin instead, just omit the `@@` as this is the
-default.
-
-This step is highly recommended!
-
-#### c) Minimizing all corpus files
-
-The shorter the input files that still traverse the same path
-within the target, the better the fuzzing will be. This minimization
-is done with `afl-tmin` however it is a long process as this has to
-be done for every file:
-
-```
-mkdir input
-cd INPUTS_UNIQUE
-for i in *; do
- afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@
-done
-```
-
-This step can also be parallelized, e.g. with `parallel`.
-Note that this step is rather optional though.
-
-#### Done!
-
-The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/
-if you minimized the corpus in step c) - is the resulting input corpus directory
-to be used in fuzzing! :-)
-
-### 3. Fuzzing the target
-
-In this final step we fuzz the target.
-There are not that many important options to run the target - unless you want
-to use many CPU cores/threads for the fuzzing, which will make the fuzzing much
-more useful.
-
-If you just use one CPU for fuzzing, then you are fuzzing just for fun and not
-seriously :-)
-
-#### a) Running afl-fuzz
-
-Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on
-the host if you execute afl-fuzz in a docker container). This reconfigures the
-system for optimal speed - which afl-fuzz checks and bails otherwise.
-Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot
-run afl-system-config with root privileges on the host for whatever reason.
-
-Note there is also `sudo afl-persistent-config` which sets additional permanent
-boot options for a much better fuzzing performance.
-
-Note that both scripts improve your fuzzing performance but also decrease your
-system protection against attacks! So set strong firewall rules and only
-expose SSH as a network service if you use these (which is highly recommended).
-
-If you have an input corpus from step 2 then specify this directory with the `-i`
-option. Otherwise create a new directory and create a file with any content
-as test data in there.
-
-If you do not want anything special, the defaults are already usually best,
-hence all you need is to specify the seed input directory with the result of
-step [2a. Collect inputs](#a-collect-inputs):
-`afl-fuzz -i input -o output -- bin/target -d @@`
-Note that the directory specified with -o will be created if it does not exist.
-
-It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off,
-or afl-fuzz is not aborted if you are running it in a remote ssh session where
-the connection fails in between.
-Only do that though once you have verified that your fuzzing setup works!
-Simply run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...`
-and it will start away in a screen session. To enter this session simply type
-`screen -r afl-main`. You see - it makes sense to name the screen session
-same as the afl-fuzz -M/-S naming :-)
-For more information on screen or tmux please check their documentation.
-
-If you need to stop and re-start the fuzzing, use the same command line options
-(or even change them by selecting a different power schedule or another
-mutation mode!) and switch the input directory with a dash (`-`):
-`afl-fuzz -i - -o output -- bin/target -d @@`
-
-Memory limits are not enforced by afl-fuzz by default and the system may run
-out of memory. You can decrease the memory with the `-m` option, the value is
-in MB. If this is too small for the target, you can usually see this by
-afl-fuzz bailing with the message that it could not connect to the forkserver.
-
-Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if
-something is already included for your data format, and tell afl-fuzz to load
-that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto
-you have an autodictionary generation for which you need to do nothing except
-to use afl-clang-lto as the compiler. You also have the option to generate
-a dictionary yourself, see [utils/libtokencap/README.md](../utils/libtokencap/README.md).
-
-afl-fuzz has a variety of options that help to workaround target quirks like
-specific locations for the input file (`-f`), performing deterministic
-fuzzing (`-D`) and many more. Check out `afl-fuzz -h`.
-
-We highly recommend that you set a memory limit for running the target with `-m`
-which defines the maximum memory in MB. This prevents a potential
-out-of-memory problem for your system plus helps you detect missing `malloc()`
-failure handling in the target.
-Play around with various -m values until you find one that safely works for all
-your input seeds (if you have good ones and then double or quadrouple that.
-
-By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press Control-C
-or send a signal SIGINT. You can limit the number of executions or approximate runtime
-in seconds with options also.
-
-When you start afl-fuzz you will see a user interface that shows what the status
-is:
-
-
-All labels are explained in [status_screen.md](status_screen.md).
-
-#### b) Using multiple cores
-
-If you want to seriously fuzz then use as many cores/threads as possible to
-fuzz your target.
-
-On the same machine - due to the design of how AFL++ works - there is a maximum
-number of CPU cores/threads that are useful, use more and the overall performance
-degrades instead. This value depends on the target, and the limit is between 32
-and 64 cores per machine.
-
-If you have the RAM, it is highly recommended run the instances with a caching
-of the testcases. Depending on the average testcase size (and those found
-during fuzzing) and their number, a value between 50-500MB is recommended.
-You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`.
-
-There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many secondary
-fuzzers (eg `-S variant1`) as you have cores that you use.
-Every -M/-S entry needs a unique name (that can be whatever), however the same
--o output directory location has to be used for all instances.
-
-For every secondary fuzzer there should be a variation, e.g.:
- * one should fuzz the target that was compiled differently: with sanitizers
- activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ;
- export AFL_USE_CFISAN=1`)
- * one or two should fuzz the target with CMPLOG/redqueen (see above), at
- least one cmplog instance should follow transformations (`-l AT`)
- * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV
- (see above). Important note: If you run more than one laf-intel/COMPCOV
- fuzzer and you want them to share their intermediate results, the main
- fuzzer (`-M`) must be one of the them! (Although this is not really
- recommended.)
-
-All other secondaries should be used like this:
- * A quarter to a third with the MOpt mutator enabled: `-L 0`
- * run with a different power schedule, recommended are:
- `fast (default), explore, coe, lin, quad, exploit and rare`
- which you can set with e.g. `-p explore`
- * a few instances should use the old queue cycling with `-Z`
-
-Also it is recommended to set `export AFL_IMPORT_FIRST=1` to load testcases
-from other fuzzers in the campaign first.
-
-If you have a large corpus, a corpus from a previous run or are fuzzing in
-a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
-
-You can also use different fuzzers.
-If you are using AFL spinoffs or AFL conforming fuzzers, then just use the
-same -o directory and give it a unique `-S` name.
-Examples are:
- * [Fuzzolic](https://github.com/season-lab/fuzzolic)
- * [symcc](https://github.com/eurecom-s3/symcc/)
- * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/)
- * [AFLsmart](https://github.com/aflsmart/aflsmart)
- * [FairFuzz](https://github.com/carolemieux/afl-rb)
- * [Neuzz](https://github.com/Dongdongshe/neuzz)
- * [Angora](https://github.com/AngoraFuzzer/Angora)
-
-A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL)
-
-However you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc.
-Just show the main fuzzer (-M) with the `-F` option where the queue/work
-directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`.
-Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly
-recommended!
-
-#### c) Using multiple machines for fuzzing
-
-Maybe you have more than one machine you want to fuzz the same target on.
-Simply start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...)
-orchestra as you like, just ensure that your have one and only one `-M`
-instance per server, and that its name is unique, hence the recommendation
-for `-M main-$HOSTNAME`.
-
-Now there are three strategies on how you can sync between the servers:
- * never: sounds weird, but this makes every server an island and has the
- chance the each follow different paths into the target. You can make
- this even more interesting by even giving different seeds to each server.
- * regularly (~4h): this ensures that all fuzzing campaigns on the servers
- "see" the same thing. It is like fuzzing on a huge server.
- * in intervals of 1/10th of the overall expected runtime of the fuzzing you
- sync. This tries a bit to combine both. have some individuality of the
- paths each campaign on a server explores, on the other hand if one
- gets stuck where another found progress this is handed over making it
- unstuck.
-
-The syncing process itself is very simple.
-As the `-M main-$HOSTNAME` instance syncs to all `-S` secondaries as well
-as to other fuzzers, you have to copy only this directory to the other
-machines.
-
-Lets say all servers have the `-o out` directory in /target/foo/out, and
-you created a file `servers.txt` which contains the hostnames of all
-participating servers, plus you have an ssh key deployed to all of them,
-then run:
-```bash
-for FROM in `cat servers.txt`; do
- for TO in `cat servers.txt`; do
- rsync -rlpogtz --rsh=ssh $FROM:/target/foo/out/main-$FROM $TO:target/foo/out/
- done
-done
-```
-You can run this manually, per cron job - as you need it.
-There is a more complex and configurable script in `utils/distributed_fuzzing`.
-
-#### d) The status of the fuzz campaign
-
-AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing
-campaign.
-
-Just supply the directory that afl-fuzz is given with the -o option and
-you will see a detailed status of every fuzzer in that campaign plus
-a summary.
-
-To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/`
-
-If you have multiple servers then use the command after a sync, or you have
-to execute this script per server.
-
-Another tool to inspect the current state and history of a specific instance
-is afl-plot, which generates an index.html file and a graphs that show how
-the fuzzing instance is performing.
-The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot`
-
-#### e) Stopping fuzzing, restarting fuzzing, adding new seeds
-
-To stop an afl-fuzz run, simply press Control-C.
-
-To restart an afl-fuzz run, just reuse the same command line but replace the
-`-i directory` with `-i -` or set `AFL_AUTORESUME=1`.
-
-If you want to add new seeds to a fuzzing campaign you can run a temporary
-fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new
-seeds are in `newseeds/` directory:
-```
-AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- ./target
-```
-
-#### f) Checking the coverage of the fuzzing
-
-The `paths found` value is a bad indicator for checking how good the coverage is.
-
-A better indicator - if you use default llvm instrumentation with at least
-version 9 - is to use `afl-showmap` with the collect coverage option `-C` on
-the output directory:
-```
-$ afl-showmap -C -i out -o /dev/null -- ./target -params @@
-...
-[*] Using SHARED MEMORY FUZZING feature.
-[*] Target map size: 9960
-[+] Processed 7849 input files.
-[+] Captured 4331 tuples (highest value 255, total values 67130596) in '/dev/nul
-l'.
-[+] A coverage of 4331 edges were achieved out of 9960 existing (43.48%) with 7849 input files.
-```
-It is even better to check out the exact lines of code that have been reached -
-and which have not been found so far.
-
-An "easy" helper script for this is [https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov),
-just follow the README of that separate project.
-
-If you see that an important area or a feature has not been covered so far then
-try to find an input that is able to reach that and start a new secondary in
-that fuzzing campaign with that seed as input, let it run for a few minutes,
-then terminate it. The main node will pick it up and make it available to the
-other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
-`export AFL_TRY_AFFINITY=1` if you have no free core.
-
-Note that in nearly all cases you can never reach full coverage. A lot of
-functionality is usually dependent on exclusive options that would need individual
-fuzzing campaigns each with one of these options set. E.g. if you fuzz a library to
-convert image formats and your target is the png to tiff API then you will not
-touch any of the other library APIs and features.
-
-#### g) How long to fuzz a target?
-
-This is a difficult question.
-Basically if no new path is found for a long time (e.g. for a day or a week)
-then you can expect that your fuzzing won't be fruitful anymore.
-However often this just means that you should switch out secondaries for
-others, e.g. custom mutator modules, sync to very different fuzzers, etc.
-
-Keep the queue/ directory (for future fuzzings of the same or similar targets)
-and use them to seed other good fuzzers like libfuzzer with the -entropic
-switch or honggfuzz.
-
-#### h) Improve the speed!
-
- * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase)
- * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md)
- * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config`
- * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
- * Use your cores! [b) Using multiple cores](#b-using-multiple-cores)
- * Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot
-
-### The End
-
-Check out the [FAQ](FAQ.md) if it maybe answers your question (that
-you might not even have known you had ;-) ).
-
-This is basically all you need to know to professionally run fuzzing campaigns.
-If you want to know more, the tons of texts in [docs/](./) will have you covered.
-
-Note that there are also a lot of tools out there that help fuzzing with AFL++
-(some might be deprecated or unsupported), see [tools.md](tools.md).
\ No newline at end of file
diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md
new file mode 100644
index 00000000..5306cbef
--- /dev/null
+++ b/docs/fuzzing_in_depth.md
@@ -0,0 +1,630 @@
+# Fuzzing with AFL++
+
+The following describes how to fuzz with a target if source code is available.
+If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps)
+
+Fuzzing source code is a three-step process.
+
+1. Compile the target with a special compiler that prepares the target to be
+ fuzzed efficiently. This step is called "instrumenting a target".
+2. Prepare the fuzzing by selecting and optimizing the input corpus for the
+ target.
+3. Perform the fuzzing of the target by randomly mutating input and assessing
+ if a generated input was processed in a new path in the target binary.
+
+### 1. Instrumenting that target
+
+#### a) Selecting the best AFL++ compiler for instrumenting the target
+
+AFL++ comes with a central compiler `afl-cc` that incorporates various different
+kinds of compiler targets and and instrumentation options.
+The following evaluation flow will help you to select the best possible.
+
+It is highly recommended to have the newest llvm version possible installed,
+anything below 9 is not recommended.
+
+```
++--------------------------------+
+| clang/clang++ 11+ is available | --> use LTO mode (afl-clang-lto/afl-clang-lto++)
++--------------------------------+ see [instrumentation/README.lto.md](instrumentation/README.lto.md)
+ |
+ | if not, or if the target fails with LTO afl-clang-lto/++
+ |
+ v
++---------------------------------+
+| clang/clang++ 3.8+ is available | --> use LLVM mode (afl-clang-fast/afl-clang-fast++)
++---------------------------------+ see [instrumentation/README.llvm.md](instrumentation/README.llvm.md)
+ |
+ | if not, or if the target fails with LLVM afl-clang-fast/++
+ |
+ v
+ +--------------------------------+
+ | gcc 5+ is available | -> use GCC_PLUGIN mode (afl-gcc-fast/afl-g++-fast)
+ +--------------------------------+ see [instrumentation/README.gcc_plugin.md](instrumentation/README.gcc_plugin.md) and
+ [instrumentation/README.instrument_list.md](instrumentation/README.instrument_list.md)
+ |
+ | if not, or if you do not have a gcc with plugin support
+ |
+ v
+ use GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang)
+```
+
+Clickable README links for the chosen compiler:
+
+ * [LTO mode - afl-clang-lto](../instrumentation/README.lto.md)
+ * [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md)
+ * [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md)
+ * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features
+
+You can select the mode for the afl-cc compiler by:
+ 1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
+ afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
+ afl-gcc-fast, afl-g++-fast (recommended!)
+ 2. using the environment variable AFL_CC_COMPILER with MODE
+ 3. passing --afl-MODE command line options to the compiler via CFLAGS/CXXFLAGS/CPPFLAGS
+
+MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN
+(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++).
+
+Because no AFL specific command-line options are accepted (beside the
+--afl-MODE command), the compile-time tools make fairly broad use of environment
+variables, which can be listed with `afl-cc -hh` or by reading [env_variables.md](env_variables.md).
+
+#### b) Selecting instrumentation options
+
+The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto):
+
+ * Splitting integer, string, float and switch comparisons so AFL++ can easier
+ solve these. This is an important option if you do not have a very good
+ and large input corpus. This technique is called laf-intel or COMPCOV.
+ To use this set the following environment variable before compiling the
+ target: `export AFL_LLVM_LAF_ALL=1`
+ You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
+ * A different technique (and usually a better one than laf-intel) is to
+ instrument the target so that any compare values in the target are sent to
+ AFL++ which then tries to put these values into the fuzzing data at different
+ locations. This technique is very fast and good - if the target does not
+ transform input data before comparison. Therefore this technique is called
+ `input to state` or `redqueen`.
+ If you want to use this technique, then you have to compile the target
+ twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`,
+ and pass this binary to afl-fuzz via the `-c` parameter.
+ Note that you can compile also just a cmplog binary and use that for both
+ however there will be a performance penality.
+ You can read more about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
+
+If you use LTO, LLVM or GCC_PLUGIN mode (afl-clang-fast/afl-clang-lto/afl-gcc-fast)
+you have the option to selectively only instrument parts of the target that you
+are interested in:
+
+ * To instrument only those parts of the target that you are interested in
+ create a file with all the filenames of the source code that should be
+ instrumented.
+ For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than
+ DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one
+ filename or function per line (no directory information necessary for
+ filenames9, and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or**
+ `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per
+ default to instrument unless noted (DENYLIST) or not perform instrumentation
+ unless requested (ALLOWLIST).
+ **NOTE:** During optimization functions might be inlined and then would not match!
+ See [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
+
+There are many more options and modes available however these are most of the
+time less effective. See:
+ * [instrumentation/README.ctx.md](../instrumentation/README.ctx.md)
+ * [instrumentation/README.ngram.md](../instrumentation/README.ngram.md)
+
+AFL++ performs "never zero" counting in its bitmap. You can read more about this
+here:
+ * [instrumentation/README.neverzero.md](../instrumentation/README.neverzero.md)
+
+#### c) Sanitizers
+
+It is possible to use sanitizers when instrumenting targets for fuzzing,
+which allows you to find bugs that would not necessarily result in a crash.
+
+Note that sanitizers have a huge impact on CPU (= less executions per second)
+and RAM usage. Also you should only run one afl-fuzz instance per sanitizer type.
+This is enough because a use-after-free bug will be picked up, e.g. by
+ASAN (address sanitizer) anyway when syncing to other fuzzing instances,
+so not all fuzzing instances need to be instrumented with ASAN.
+
+The following sanitizers have built-in support in AFL++:
+ * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
+ use-after-free, NULL pointer dereference, buffer overruns, etc.
+ Enabled with `export AFL_USE_ASAN=1` before compiling.
+ * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg.
+ a local variable that is defined and read before it is even set.
+ Enabled with `export AFL_USE_MSAN=1` before compiling.
+ * UBSAN = Undefined Behaviour SANitizer, finds instances where - by the
+ C and C++ standards - undefined behaviour happens, e.g. adding two
+ signed integers together where the result is larger than a signed integer
+ can hold.
+ Enabled with `export AFL_USE_UBSAN=1` before compiling.
+ * CFISAN = Control Flow Integrity SANitizer, finds instances where the
+ control flow is found to be illegal. Originally this was rather to
+ prevent return oriented programming exploit chains from functioning,
+ in fuzzing this is mostly reduced to detecting type confusion
+ vulnerabilities - which is however one of the most important and dangerous
+ C++ memory corruption classes!
+ Enabled with `export AFL_USE_CFISAN=1` before compiling.
+ * TSAN = Thread SANitizer, finds thread race conditions.
+ Enabled with `export AFL_USE_TSAN=1` before compiling.
+ * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
+ a security issue, but for developers this can be very valuable.
+ Note that unlike the other sanitizers above this needs
+ `__AFL_LEAK_CHECK();` added to all areas of the target source code where you
+ find a leak check necessary!
+ Enabled with `export AFL_USE_LSAN=1` before compiling.
+
+It is possible to further modify the behaviour of the sanitizers at run-time
+by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters
+can be looked up in the sanitizer documentation of llvm/clang.
+afl-fuzz however requires some specific parameters important for fuzzing to be
+set. If you want to set your own, it might bail and report what it is missing.
+
+Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and
+others often cannot work together because of target weirdness, e.g. ASAN and
+CFISAN. You might need to experiment which sanitizers you can combine in a
+target (which means more instances can be run without a sanitized target,
+which is more effective).
+
+#### d) Modify the target
+
+If the target has features that make fuzzing more difficult, e.g.
+checksums, HMAC, etc. then modify the source code so that checks for these
+values are removed.
+This can even be done safely for source code used in operational products
+by eliminating these checks within these AFL specific blocks:
+
+```
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ // say that the checksum or HMAC was fine - or whatever is required
+ // to eliminate the need for the fuzzer to guess the right checksum
+ return 0;
+#endif
+```
+
+All AFL++ compilers will set this preprocessor definition automatically.
+
+#### e) Instrument the target
+
+In this step the target source code is compiled so that it can be fuzzed.
+
+Basically you have to tell the target build system that the selected AFL++
+compiler is used. Also - if possible - you should always configure the
+build system such that the target is compiled statically and not dynamically.
+How to do this is described below.
+
+The #1 rule when instrumenting a target is: avoid instrumenting shared
+libraries at all cost. You would need to set LD_LIBRARY_PATH to point to
+these, you could accidently type "make install" and install them system wide -
+so don't. Really don't.
+**Always compile libraries you want to have instrumented as static and link
+these to the target program!**
+
+Then build the target. (Usually with `make`)
+
+**NOTES**
+
+1. sometimes configure and build systems are fickle and do not like
+ stderr output (and think this means a test failure) - which is something
+ AFL++ likes to do to show statistics. It is recommended to disable AFL++
+ instrumentation reporting via `export AFL_QUIET=1`.
+
+2. sometimes configure and build systems error on warnings - these should be
+ disabled (e.g. `--disable-werror` for some configure scripts).
+
+3. in case the configure/build system complains about AFL++'s compiler and
+ aborts then set `export AFL_NOOPT=1` which will then just behave like the
+ real compiler. This option has to be unset again before building the target!
+
+##### configure
+
+For `configure` build systems this is usually done by:
+`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared`
+
+Note that if you are using the (better) afl-clang-lto compiler you also have to
+set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
+described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
+
+##### cmake
+
+For `cmake` build systems this is usually done by:
+`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..`
+
+Note that if you are using the (better) afl-clang-lto compiler you also have to
+set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
+described in [instrumentation/README.lto.md](../instrumentation/README.lto.md).
+
+##### meson
+
+For meson you have to set the AFL++ compiler with the very first command!
+`CC=afl-cc CXX=afl-c++ meson`
+
+##### other build systems or if configure/cmake didn't work
+
+Sometimes cmake and configure do not pick up the AFL++ compiler, or the
+ranlib/ar that is needed - because this was just not foreseen by the developer
+of the target. Or they have non-standard options. Figure out if there is a
+non-standard way to set this, otherwise set up the build normally and edit the
+generated build environment afterwards manually to point it to the right compiler
+(and/or ranlib and ar).
+
+#### f) Better instrumentation
+
+If you just fuzz a target program as-is you are wasting a great opportunity for
+much more fuzzing speed.
+
+This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast.
+
+It is the so-called `persistent mode`, which is much, much faster but
+requires that you code a source file that is specifically calling the target
+functions that you want to fuzz, plus a few specific AFL++ functions around
+it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details.
+
+Basically if you do not fuzz a target in persistent mode then you are just
+doing it for a hobby and not professionally :-).
+
+#### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput()
+
+libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard
+for fuzzing, and they can be used with AFL++ (and honggfuzz) as well!
+Compiling them is as simple as:
+```
+afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a
+```
+You can even use advanced libfuzzer features like `FuzzedDataProvider`,
+`LLVMFuzzerMutate()` etc. and they will work!
+
+The generated binary is fuzzed with afl-fuzz like any other fuzz target.
+
+Bonus: the target is already optimized for fuzzing due to persistent mode and
+shared-memory testcases and hence gives you the fastest speed possible.
+
+For more information see [utils/aflpp_driver/README.md](../utils/aflpp_driver/README.md)
+
+### 2. Preparing the fuzzing campaign
+
+As you fuzz the target with mutated input, having as diverse inputs for the
+target as possible improves the efficiency a lot.
+
+#### a) Collect inputs
+
+Try to gather valid inputs for the target from wherever you can. E.g. if it is
+the PNG picture format try to find as many png files as possible, e.g. from
+reported bugs, test suites, random downloads from the internet, unit test
+case data - from all kind of PNG software.
+
+If the input format is not known, you can also modify a target program to write
+normal data it receives and processes to a file and use these.
+
+#### b) Making the input corpus unique
+
+Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
+produce a new path in the target.
+
+Put all files from step a) into one directory, e.g. INPUTS.
+
+If the target program is to be called by fuzzing as `bin/target -d INPUTFILE`
+the run afl-cmin like this:
+`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@`
+Note that the INPUTFILE argument that the target program would read from has to be set as `@@`.
+
+If the target reads from stdin instead, just omit the `@@` as this is the
+default.
+
+This step is highly recommended!
+
+#### c) Minimizing all corpus files
+
+The shorter the input files that still traverse the same path
+within the target, the better the fuzzing will be. This minimization
+is done with `afl-tmin` however it is a long process as this has to
+be done for every file:
+
+```
+mkdir input
+cd INPUTS_UNIQUE
+for i in *; do
+ afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@
+done
+```
+
+This step can also be parallelized, e.g. with `parallel`.
+Note that this step is rather optional though.
+
+#### Done!
+
+The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/
+if you minimized the corpus in step c) - is the resulting input corpus directory
+to be used in fuzzing! :-)
+
+### 3. Fuzzing the target
+
+In this final step we fuzz the target.
+There are not that many important options to run the target - unless you want
+to use many CPU cores/threads for the fuzzing, which will make the fuzzing much
+more useful.
+
+If you just use one CPU for fuzzing, then you are fuzzing just for fun and not
+seriously :-)
+
+#### a) Running afl-fuzz
+
+Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on
+the host if you execute afl-fuzz in a docker container). This reconfigures the
+system for optimal speed - which afl-fuzz checks and bails otherwise.
+Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot
+run afl-system-config with root privileges on the host for whatever reason.
+
+Note there is also `sudo afl-persistent-config` which sets additional permanent
+boot options for a much better fuzzing performance.
+
+Note that both scripts improve your fuzzing performance but also decrease your
+system protection against attacks! So set strong firewall rules and only
+expose SSH as a network service if you use these (which is highly recommended).
+
+If you have an input corpus from step 2 then specify this directory with the `-i`
+option. Otherwise create a new directory and create a file with any content
+as test data in there.
+
+If you do not want anything special, the defaults are already usually best,
+hence all you need is to specify the seed input directory with the result of
+step [2a. Collect inputs](#a-collect-inputs):
+`afl-fuzz -i input -o output -- bin/target -d @@`
+Note that the directory specified with -o will be created if it does not exist.
+
+It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off,
+or afl-fuzz is not aborted if you are running it in a remote ssh session where
+the connection fails in between.
+Only do that though once you have verified that your fuzzing setup works!
+Simply run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...`
+and it will start away in a screen session. To enter this session simply type
+`screen -r afl-main`. You see - it makes sense to name the screen session
+same as the afl-fuzz -M/-S naming :-)
+For more information on screen or tmux please check their documentation.
+
+If you need to stop and re-start the fuzzing, use the same command line options
+(or even change them by selecting a different power schedule or another
+mutation mode!) and switch the input directory with a dash (`-`):
+`afl-fuzz -i - -o output -- bin/target -d @@`
+
+Memory limits are not enforced by afl-fuzz by default and the system may run
+out of memory. You can decrease the memory with the `-m` option, the value is
+in MB. If this is too small for the target, you can usually see this by
+afl-fuzz bailing with the message that it could not connect to the forkserver.
+
+Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if
+something is already included for your data format, and tell afl-fuzz to load
+that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto
+you have an autodictionary generation for which you need to do nothing except
+to use afl-clang-lto as the compiler. You also have the option to generate
+a dictionary yourself, see [utils/libtokencap/README.md](../utils/libtokencap/README.md).
+
+afl-fuzz has a variety of options that help to workaround target quirks like
+specific locations for the input file (`-f`), performing deterministic
+fuzzing (`-D`) and many more. Check out `afl-fuzz -h`.
+
+We highly recommend that you set a memory limit for running the target with `-m`
+which defines the maximum memory in MB. This prevents a potential
+out-of-memory problem for your system plus helps you detect missing `malloc()`
+failure handling in the target.
+Play around with various -m values until you find one that safely works for all
+your input seeds (if you have good ones and then double or quadrouple that.
+
+By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press Control-C
+or send a signal SIGINT. You can limit the number of executions or approximate runtime
+in seconds with options also.
+
+When you start afl-fuzz you will see a user interface that shows what the status
+is:
+
+
+All labels are explained in [status_screen.md](status_screen.md).
+
+#### b) Using multiple cores
+
+If you want to seriously fuzz then use as many cores/threads as possible to
+fuzz your target.
+
+On the same machine - due to the design of how AFL++ works - there is a maximum
+number of CPU cores/threads that are useful, use more and the overall performance
+degrades instead. This value depends on the target, and the limit is between 32
+and 64 cores per machine.
+
+If you have the RAM, it is highly recommended run the instances with a caching
+of the testcases. Depending on the average testcase size (and those found
+during fuzzing) and their number, a value between 50-500MB is recommended.
+You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`.
+
+There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many secondary
+fuzzers (eg `-S variant1`) as you have cores that you use.
+Every -M/-S entry needs a unique name (that can be whatever), however the same
+-o output directory location has to be used for all instances.
+
+For every secondary fuzzer there should be a variation, e.g.:
+ * one should fuzz the target that was compiled differently: with sanitizers
+ activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ;
+ export AFL_USE_CFISAN=1`)
+ * one or two should fuzz the target with CMPLOG/redqueen (see above), at
+ least one cmplog instance should follow transformations (`-l AT`)
+ * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV
+ (see above). Important note: If you run more than one laf-intel/COMPCOV
+ fuzzer and you want them to share their intermediate results, the main
+ fuzzer (`-M`) must be one of the them! (Although this is not really
+ recommended.)
+
+All other secondaries should be used like this:
+ * A quarter to a third with the MOpt mutator enabled: `-L 0`
+ * run with a different power schedule, recommended are:
+ `fast (default), explore, coe, lin, quad, exploit and rare`
+ which you can set with e.g. `-p explore`
+ * a few instances should use the old queue cycling with `-Z`
+
+Also it is recommended to set `export AFL_IMPORT_FIRST=1` to load testcases
+from other fuzzers in the campaign first.
+
+If you have a large corpus, a corpus from a previous run or are fuzzing in
+a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
+
+You can also use different fuzzers.
+If you are using AFL spinoffs or AFL conforming fuzzers, then just use the
+same -o directory and give it a unique `-S` name.
+Examples are:
+ * [Fuzzolic](https://github.com/season-lab/fuzzolic)
+ * [symcc](https://github.com/eurecom-s3/symcc/)
+ * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/)
+ * [AFLsmart](https://github.com/aflsmart/aflsmart)
+ * [FairFuzz](https://github.com/carolemieux/afl-rb)
+ * [Neuzz](https://github.com/Dongdongshe/neuzz)
+ * [Angora](https://github.com/AngoraFuzzer/Angora)
+
+A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL)
+
+However you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc.
+Just show the main fuzzer (-M) with the `-F` option where the queue/work
+directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`.
+Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly
+recommended!
+
+#### c) Using multiple machines for fuzzing
+
+Maybe you have more than one machine you want to fuzz the same target on.
+Simply start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...)
+orchestra as you like, just ensure that your have one and only one `-M`
+instance per server, and that its name is unique, hence the recommendation
+for `-M main-$HOSTNAME`.
+
+Now there are three strategies on how you can sync between the servers:
+ * never: sounds weird, but this makes every server an island and has the
+ chance the each follow different paths into the target. You can make
+ this even more interesting by even giving different seeds to each server.
+ * regularly (~4h): this ensures that all fuzzing campaigns on the servers
+ "see" the same thing. It is like fuzzing on a huge server.
+ * in intervals of 1/10th of the overall expected runtime of the fuzzing you
+ sync. This tries a bit to combine both. have some individuality of the
+ paths each campaign on a server explores, on the other hand if one
+ gets stuck where another found progress this is handed over making it
+ unstuck.
+
+The syncing process itself is very simple.
+As the `-M main-$HOSTNAME` instance syncs to all `-S` secondaries as well
+as to other fuzzers, you have to copy only this directory to the other
+machines.
+
+Lets say all servers have the `-o out` directory in /target/foo/out, and
+you created a file `servers.txt` which contains the hostnames of all
+participating servers, plus you have an ssh key deployed to all of them,
+then run:
+```bash
+for FROM in `cat servers.txt`; do
+ for TO in `cat servers.txt`; do
+ rsync -rlpogtz --rsh=ssh $FROM:/target/foo/out/main-$FROM $TO:target/foo/out/
+ done
+done
+```
+You can run this manually, per cron job - as you need it.
+There is a more complex and configurable script in `utils/distributed_fuzzing`.
+
+#### d) The status of the fuzz campaign
+
+AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing
+campaign.
+
+Just supply the directory that afl-fuzz is given with the -o option and
+you will see a detailed status of every fuzzer in that campaign plus
+a summary.
+
+To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/`
+
+If you have multiple servers then use the command after a sync, or you have
+to execute this script per server.
+
+Another tool to inspect the current state and history of a specific instance
+is afl-plot, which generates an index.html file and a graphs that show how
+the fuzzing instance is performing.
+The syntax is `afl-plot instance_dir web_dir`, e.g. `afl-plot out/default /srv/www/htdocs/plot`
+
+#### e) Stopping fuzzing, restarting fuzzing, adding new seeds
+
+To stop an afl-fuzz run, simply press Control-C.
+
+To restart an afl-fuzz run, just reuse the same command line but replace the
+`-i directory` with `-i -` or set `AFL_AUTORESUME=1`.
+
+If you want to add new seeds to a fuzzing campaign you can run a temporary
+fuzzing instance, e.g. when your main fuzzer is using `-o out` and the new
+seeds are in `newseeds/` directory:
+```
+AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- ./target
+```
+
+#### f) Checking the coverage of the fuzzing
+
+The `paths found` value is a bad indicator for checking how good the coverage is.
+
+A better indicator - if you use default llvm instrumentation with at least
+version 9 - is to use `afl-showmap` with the collect coverage option `-C` on
+the output directory:
+```
+$ afl-showmap -C -i out -o /dev/null -- ./target -params @@
+...
+[*] Using SHARED MEMORY FUZZING feature.
+[*] Target map size: 9960
+[+] Processed 7849 input files.
+[+] Captured 4331 tuples (highest value 255, total values 67130596) in '/dev/nul
+l'.
+[+] A coverage of 4331 edges were achieved out of 9960 existing (43.48%) with 7849 input files.
+```
+It is even better to check out the exact lines of code that have been reached -
+and which have not been found so far.
+
+An "easy" helper script for this is [https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov),
+just follow the README of that separate project.
+
+If you see that an important area or a feature has not been covered so far then
+try to find an input that is able to reach that and start a new secondary in
+that fuzzing campaign with that seed as input, let it run for a few minutes,
+then terminate it. The main node will pick it up and make it available to the
+other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
+`export AFL_TRY_AFFINITY=1` if you have no free core.
+
+Note that in nearly all cases you can never reach full coverage. A lot of
+functionality is usually dependent on exclusive options that would need individual
+fuzzing campaigns each with one of these options set. E.g. if you fuzz a library to
+convert image formats and your target is the png to tiff API then you will not
+touch any of the other library APIs and features.
+
+#### g) How long to fuzz a target?
+
+This is a difficult question.
+Basically if no new path is found for a long time (e.g. for a day or a week)
+then you can expect that your fuzzing won't be fruitful anymore.
+However often this just means that you should switch out secondaries for
+others, e.g. custom mutator modules, sync to very different fuzzers, etc.
+
+Keep the queue/ directory (for future fuzzings of the same or similar targets)
+and use them to seed other good fuzzers like libfuzzer with the -entropic
+switch or honggfuzz.
+
+#### h) Improve the speed!
+
+ * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase)
+ * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [env_variables.md](env_variables.md)
+ * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can also just run `sudo afl-persistent-config`
+ * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
+ * Use your cores! [b) Using multiple cores](#b-using-multiple-cores)
+ * Run `sudo afl-system-config` before starting the first afl-fuzz instance after a reboot
+
+### The End
+
+Check out the [FAQ](FAQ.md) if it maybe answers your question (that
+you might not even have known you had ;-) ).
+
+This is basically all you need to know to professionally run fuzzing campaigns.
+If you want to know more, the tons of texts in [docs/](./) will have you covered.
+
+Note that there are also a lot of tools out there that help fuzzing with AFL++
+(some might be deprecated or unsupported), see [third_party_tools.md](third_party_tools.md).
\ No newline at end of file
diff --git a/docs/known_limitations.md b/docs/known_limitations.md
deleted file mode 100644
index a68c0a85..00000000
--- a/docs/known_limitations.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Known limitations & areas for improvement
-
-Here are some of the most important caveats for AFL:
-
- - AFL++ detects faults by checking for the first spawned process dying due to
- a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
- these signals may need to have the relevant code commented out. In the same
- vein, faults in child processes spawned by the fuzzed target may evade
- detection unless you manually add some code to catch that.
-
- - As with any other brute-force tool, the fuzzer offers limited coverage if
- encryption, checksums, cryptographic signatures, or compression are used to
- wholly wrap the actual data format to be tested.
-
- To work around this, you can comment out the relevant checks (see
- utils/libpng_no_checksum/ for inspiration); if this is not possible,
- you can also write a postprocessor, one of the hooks of custom mutators.
- See [custom_mutators.md](custom_mutators.md) on how to use
- `AFL_CUSTOM_MUTATOR_LIBRARY`
-
- - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
- isn't due to any specific fault of afl-fuzz.
-
- - There is no direct support for fuzzing network services, background
- daemons, or interactive apps that require UI interaction to work. You may
- need to make simple code changes to make them behave in a more traditional
- way. Preeny may offer a relatively simple option, too - see:
- [https://github.com/zardus/preeny](https://github.com/zardus/preeny)
-
- Some useful tips for modifying network-based services can be also found at:
- [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
-
- - Occasionally, sentient machines rise against their creators. If this
- happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/).
-
-Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/limitations.md b/docs/limitations.md
new file mode 100644
index 00000000..a68c0a85
--- /dev/null
+++ b/docs/limitations.md
@@ -0,0 +1,36 @@
+# Known limitations & areas for improvement
+
+Here are some of the most important caveats for AFL:
+
+ - AFL++ detects faults by checking for the first spawned process dying due to
+ a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
+ these signals may need to have the relevant code commented out. In the same
+ vein, faults in child processes spawned by the fuzzed target may evade
+ detection unless you manually add some code to catch that.
+
+ - As with any other brute-force tool, the fuzzer offers limited coverage if
+ encryption, checksums, cryptographic signatures, or compression are used to
+ wholly wrap the actual data format to be tested.
+
+ To work around this, you can comment out the relevant checks (see
+ utils/libpng_no_checksum/ for inspiration); if this is not possible,
+ you can also write a postprocessor, one of the hooks of custom mutators.
+ See [custom_mutators.md](custom_mutators.md) on how to use
+ `AFL_CUSTOM_MUTATOR_LIBRARY`
+
+ - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
+ isn't due to any specific fault of afl-fuzz.
+
+ - There is no direct support for fuzzing network services, background
+ daemons, or interactive apps that require UI interaction to work. You may
+ need to make simple code changes to make them behave in a more traditional
+ way. Preeny may offer a relatively simple option, too - see:
+ [https://github.com/zardus/preeny](https://github.com/zardus/preeny)
+
+ Some useful tips for modifying network-based services can be also found at:
+ [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
+
+ - Occasionally, sentient machines rise against their creators. If this
+ happens to you, please consult [https://lcamtuf.coredump.cx/prep/](https://lcamtuf.coredump.cx/prep/).
+
+Beyond this, see [INSTALL.md](INSTALL.md) for platform-specific tips.
diff --git a/docs/sister_projects.md b/docs/sister_projects.md
deleted file mode 100644
index 613bc778..00000000
--- a/docs/sister_projects.md
+++ /dev/null
@@ -1,319 +0,0 @@
-# Sister projects
-
-This doc lists some of the projects that are inspired by, derived from,
-designed for, or meant to integrate with AFL. See README.md for the general
-instruction manual.
-
-!!!
-!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
-!!!
-
-## Support for other languages / environments:
-
-### Python AFL (Jakub Wilk)
-
-Allows fuzz-testing of Python programs. Uses custom instrumentation and its
-own forkserver.
-
-https://jwilk.net/software/python-afl
-
-### Go-fuzz (Dmitry Vyukov)
-
-AFL-inspired guided fuzzing approach for Go targets:
-
-https://github.com/dvyukov/go-fuzz
-
-### afl.rs (Keegan McAllister)
-
-Allows Rust features to be easily fuzzed with AFL (using the LLVM mode).
-
-https://github.com/kmcallister/afl.rs
-
-### OCaml support (KC Sivaramakrishnan)
-
-Adds AFL-compatible instrumentation to OCaml programs.
-
-https://github.com/ocamllabs/opam-repo-dev/pull/23
-https://canopy.mirage.io/Posts/Fuzzing
-
-### AFL for GCJ Java and other GCC frontends (-)
-
-GCC Java programs are actually supported out of the box - simply rename
-afl-gcc to afl-gcj. Unfortunately, by default, unhandled exceptions in GCJ do
-not result in abort() being called, so you will need to manually add a
-top-level exception handler that exits with SIGABRT or something equivalent.
-
-Other GCC-supported languages should be fairly easy to get working, but may
-face similar problems. See https://gcc.gnu.org/frontends.html for a list of
-options.
-
-## AFL-style in-process fuzzer for LLVM (Kostya Serebryany)
-
-Provides an evolutionary instrumentation-guided fuzzing harness that allows
-some programs to be fuzzed without the fork / execve overhead. (Similar
-functionality is now available as the "persistent" feature described in
-[the llvm_mode readme](../instrumentation/README.llvm.md))
-
-https://llvm.org/docs/LibFuzzer.html
-
-## TriforceAFL (Tim Newsham and Jesse Hertz)
-
-Leverages QEMU full system emulation mode to allow AFL to target operating
-systems and other alien worlds:
-
-https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/
-
-## WinAFL (Ivan Fratric)
-
-As the name implies, allows you to fuzz Windows binaries (using DynamoRio).
-
-https://github.com/ivanfratric/winafl
-
-Another Windows alternative may be:
-
-https://github.com/carlosgprado/BrundleFuzz/
-
-## Network fuzzing
-
-### Preeny (Yan Shoshitaishvili)
-
-Provides a fairly simple way to convince dynamically linked network-centric
-programs to read from a file or not fork. Not AFL-specific, but described as
-useful by many users. Some assembly required.
-
-https://github.com/zardus/preeny
-
-## Distributed fuzzing and related automation
-
-### roving (Richo Healey)
-
-A client-server architecture for effortlessly orchestrating AFL runs across
-a fleet of machines. You don't want to use this on systems that face the
-Internet or live in other untrusted environments.
-
-https://github.com/richo/roving
-
-### Distfuzz-AFL (Martijn Bogaard)
-
-Simplifies the management of afl-fuzz instances on remote machines. The
-author notes that the current implementation isn't secure and should not
-be exposed on the Internet.
-
-https://github.com/MartijnB/disfuzz-afl
-
-### AFLDFF (quantumvm)
-
-A nice GUI for managing AFL jobs.
-
-https://github.com/quantumvm/AFLDFF
-
-### afl-launch (Ben Nagy)
-
-Batch AFL launcher utility with a simple CLI.
-
-https://github.com/bnagy/afl-launch
-
-### AFL Utils (rc0r)
-
-Simplifies the triage of discovered crashes, start parallel instances, etc.
-
-https://github.com/rc0r/afl-utils
-
-### AFL crash analyzer (floyd)
-
-Another crash triage tool:
-
-https://github.com/floyd-fuh/afl-crash-analyzer
-
-### afl-extras (fekir)
-
-Collect data, parallel afl-tmin, startup scripts.
-
-https://github.com/fekir/afl-extras
-
-### afl-fuzzing-scripts (Tobias Ospelt)
-
-Simplifies starting up multiple parallel AFL jobs.
-
-https://github.com/floyd-fuh/afl-fuzzing-scripts/
-
-### afl-sid (Jacek Wielemborek)
-
-Allows users to more conveniently build and deploy AFL via Docker.
-
-https://github.com/d33tah/afl-sid
-
-Another Docker-related project:
-
-https://github.com/ozzyjohnson/docker-afl
-
-### afl-monitor (Paul S. Ziegler)
-
-Provides more detailed and versatile statistics about your running AFL jobs.
-
-https://github.com/reflare/afl-monitor
-
-### FEXM (Security in Telecommunications)
-
-Fully automated fuzzing framework, based on AFL
-
-https://github.com/fgsect/fexm
-
-## Crash triage, coverage analysis, and other companion tools:
-
-### afl-crash-analyzer (Tobias Ospelt)
-
-Makes it easier to navigate and annotate crashing test cases.
-
-https://github.com/floyd-fuh/afl-crash-analyzer/
-
-### Crashwalk (Ben Nagy)
-
-AFL-aware tool to annotate and sort through crashing test cases.
-
-https://github.com/bnagy/crashwalk
-
-### afl-cov (Michael Rash)
-
-Produces human-readable coverage data based on the output queue of afl-fuzz.
-
-https://github.com/mrash/afl-cov
-
-### afl-sancov (Bhargava Shastry)
-
-Similar to afl-cov, but uses clang sanitizer instrumentation.
-
-https://github.com/bshastry/afl-sancov
-
-### RecidiVM (Jakub Wilk)
-
-Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
-
-https://jwilk.net/software/recidivm
-
-### aflize (Jacek Wielemborek)
-
-Automatically build AFL-enabled versions of Debian packages.
-
-https://github.com/d33tah/aflize
-
-### afl-ddmin-mod (Markus Teufelberger)
-
-A variant of afl-tmin that uses a more sophisticated (but slower)
-minimization algorithm.
-
-https://github.com/MarkusTeufelberger/afl-ddmin-mod
-
-### afl-kit (Kuang-che Wu)
-
-Replacements for afl-cmin and afl-tmin with additional features, such
-as the ability to filter crashes based on stderr patterns.
-
-https://github.com/kcwu/afl-kit
-
-## Narrow-purpose or experimental:
-
-### Cygwin support (Ali Rizvi-Santiago)
-
-Pretty self-explanatory. As per the author, this "mostly" ports AFL to
-Windows. Field reports welcome!
-
-https://github.com/arizvisa/afl-cygwin
-
-### Pause and resume scripts (Ben Nagy)
-
-Simple automation to suspend and resume groups of fuzzing jobs.
-
-https://github.com/bnagy/afl-trivia
-
-### Static binary-only instrumentation (Aleksandar Nikolich)
-
-Allows black-box binaries to be instrumented statically (i.e., by modifying
-the binary ahead of the time, rather than translating it on the run). Author
-reports better performance compared to QEMU, but occasional translation
-errors with stripped binaries.
-
-https://github.com/vanhauser-thc/afl-dyninst
-
-### AFL PIN (Parker Thompson)
-
-Early-stage Intel PIN instrumentation support (from before we settled on
-faster-running QEMU).
-
-https://github.com/mothran/aflpin
-
-### AFL-style instrumentation in llvm (Kostya Serebryany)
-
-Allows AFL-equivalent instrumentation to be injected at compiler level.
-This is currently not supported by AFL as-is, but may be useful in other
-projects.
-
-https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters
-
-### AFL JS (Han Choongwoo)
-
-One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
-superseded by LLVM deferred forkserver init - see README.llvm.md).
-
-https://github.com/tunz/afl-fuzz-js
-
-### AFL harness for fwknop (Michael Rash)
-
-An example of a fairly involved integration with AFL.
-
-https://github.com/mrash/fwknop/tree/master/test/afl
-
-### Building harnesses for DNS servers (Jonathan Foote, Ron Bowes)
-
-Two articles outlining the general principles and showing some example code.
-
-https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop
-https://goo.gl/j9EgFf
-
-### Fuzzer shell for SQLite (Richard Hipp)
-
-A simple SQL shell designed specifically for fuzzing the underlying library.
-
-https://www.sqlite.org/src/artifact/9e7e273da2030371
-
-### Support for Python mutation modules (Christian Holler)
-
-now integrated in AFL++, originally from here
-https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt
-
-### Support for selective instrumentation (Christian Holler)
-
-now integrated in AFL++, originally from here
-https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt
-
-### Syzkaller (Dmitry Vyukov)
-
-A similar guided approach as applied to fuzzing syscalls:
-
-https://github.com/google/syzkaller/wiki/Found-Bugs
-https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
-https://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
-
-
-### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications)
-
-https://github.com/fgsect/unicorefuzz
-
-### Android support (ele7enxxh)
-
-Based on a somewhat dated version of AFL:
-
-https://github.com/ele7enxxh/android-afl
-
-### CGI wrapper (floyd)
-
-Facilitates the testing of CGI scripts.
-
-https://github.com/floyd-fuh/afl-cgi-wrapper
-
-### Fuzzing difficulty estimation (Marcel Boehme)
-
-A fork of AFL that tries to quantify the likelihood of finding additional
-paths or crashes at any point in a fuzzing job.
-
-https://github.com/mboehme/pythia
diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md
new file mode 100644
index 00000000..ba96d0ce
--- /dev/null
+++ b/docs/third_party_tools.md
@@ -0,0 +1,33 @@
+# Tools that help fuzzing with AFL++
+
+Speeding up fuzzing:
+ * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory testcase feature :-) - recommended.
+
+Minimization of test cases:
+ * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores.
+ * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm.
+ * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization.
+
+Distributed execution:
+ * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL.
+ * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing framework.
+ * [afl-launch](https://github.com/bnagy/afl-launch) - a tool for the execution of many AFL instances.
+ * [afl-mothership](https://github.com/afl-mothership/afl-mothership) - management and execution of many synchronized AFL fuzzers on AWS cloud.
+ * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS.
+
+Deployment, management, monitoring, reporting
+ * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases.
+ * [afl-other-arch](https://github.com/shellphish/afl-other-arch) - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL.
+ * [afl-trivia](https://github.com/bnagy/afl-trivia) - a few small scripts to simplify the management of AFL.
+ * [afl-monitor](https://github.com/reflare/afl-monitor) - a script for monitoring AFL.
+ * [afl-manager](https://github.com/zx1340/afl-manager) - a web server on Python for managing multi-afl.
+ * [afl-remote](https://github.com/block8437/afl-remote) - a web server for the remote management of AFL instances.
+ * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to parallelize afl-tmin, startup, and data collection.
+
+Crash processing
+ * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL.
+ * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of scripts for the analysis of results.
+ * [atriage](https://github.com/Ayrx/atriage) - a simple triage tool.
+ * [afl-kit](https://github.com/kcwu/afl-kit) - afl-cmin on Python.
+ * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL.
+ * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data.
\ No newline at end of file
diff --git a/docs/tools.md b/docs/tools.md
deleted file mode 100644
index ba96d0ce..00000000
--- a/docs/tools.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# Tools that help fuzzing with AFL++
-
-Speeding up fuzzing:
- * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory testcase feature :-) - recommended.
-
-Minimization of test cases:
- * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores.
- * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm.
- * [halfempty](https://github.com/googleprojectzero/halfempty) - is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization.
-
-Distributed execution:
- * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL.
- * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing framework.
- * [afl-launch](https://github.com/bnagy/afl-launch) - a tool for the execution of many AFL instances.
- * [afl-mothership](https://github.com/afl-mothership/afl-mothership) - management and execution of many synchronized AFL fuzzers on AWS cloud.
- * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS.
-
-Deployment, management, monitoring, reporting
- * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases.
- * [afl-other-arch](https://github.com/shellphish/afl-other-arch) - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL.
- * [afl-trivia](https://github.com/bnagy/afl-trivia) - a few small scripts to simplify the management of AFL.
- * [afl-monitor](https://github.com/reflare/afl-monitor) - a script for monitoring AFL.
- * [afl-manager](https://github.com/zx1340/afl-manager) - a web server on Python for managing multi-afl.
- * [afl-remote](https://github.com/block8437/afl-remote) - a web server for the remote management of AFL instances.
- * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to parallelize afl-tmin, startup, and data collection.
-
-Crash processing
- * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL.
- * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of scripts for the analysis of results.
- * [atriage](https://github.com/Ayrx/atriage) - a simple triage tool.
- * [afl-kit](https://github.com/kcwu/afl-kit) - afl-cmin on Python.
- * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL.
- * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data.
\ No newline at end of file
--
cgit 1.4.1
From 36514a2e4facfc9b9c1184259cb99a1c0d0ec2df Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 21 Nov 2021 15:42:46 +0100
Subject: Merge "binaryonly_fuzzing.md" into "fuzzing_binary-only_targets.md"
---
docs/binaryonly_fuzzing.md | 225 ----------------------------
docs/fuzzing_binary-only_targets.md | 289 ++++++++++++++++++++++++++++++------
2 files changed, 244 insertions(+), 270 deletions(-)
delete mode 100644 docs/binaryonly_fuzzing.md
(limited to 'docs')
diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md
deleted file mode 100644
index 2c0872cf..00000000
--- a/docs/binaryonly_fuzzing.md
+++ /dev/null
@@ -1,225 +0,0 @@
-# Fuzzing binary-only programs with AFL++
-
- AFL++, libfuzzer and others are great if you have the source code, and
- it allows for very fast and coverage guided fuzzing.
-
- However, if there is only the binary program and no source code available,
- then standard `afl-fuzz -n` (non-instrumented mode) is not effective.
-
- The following is a description of how these binaries can be fuzzed with AFL++.
-
-
-## TL;DR:
-
- qemu_mode in persistent mode is the fastest - if the stability is
- high enough. Otherwise try retrowrite, afl-dyninst and if these
- fail too then try standard qemu_mode with AFL_ENTRYPOINT to where you need it.
-
- If your target is a library use utils/afl_frida/.
-
- If your target is non-linux then use unicorn_mode/.
-
-
-## QEMU
-
- Qemu is the "native" solution to the program.
- It is available in the ./qemu_mode/ directory and once compiled it can
- be accessed by the afl-fuzz -Q command line option.
- It is the easiest to use alternative and even works for cross-platform binaries.
-
- The speed decrease is at about 50%.
- However various options exist to increase the speed:
- - using AFL_ENTRYPOINT to move the forkserver entry to a later basic block in
- the binary (+5-10% speed)
- - using persistent mode [qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md)
- this will result in 150-300% overall speed increase - so 3-8x the original
- qemu_mode speed!
- - using AFL_CODE_START/AFL_CODE_END to only instrument specific parts
-
- Note that there is also honggfuzz: [https://github.com/google/honggfuzz](https://github.com/google/honggfuzz)
- which now has a qemu_mode, but its performance is just 1.5% ...
-
- As it is included in AFL++ this needs no URL.
-
- If you like to code a customized fuzzer without much work, we highly
- recommend to check out our sister project libafl which will support QEMU
- too:
- [https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL)
-
-
-## AFL FRIDA
-
- In frida_mode you can fuzz binary-only targets easily like with QEMU,
- with the advantage that frida_mode also works on MacOS (both intel and M1).
-
- If you want to fuzz a binary-only library then you can fuzz it with
- frida-gum via utils/afl_frida/, you will have to write a harness to
- call the target function in the library, use afl-frida.c as a template.
-
- Both come with AFL++ so this needs no URL.
-
- You can also perform remote fuzzing with frida, e.g. if you want to fuzz
- on iPhone or Android devices, for this you can use
- [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/)
- as an intermediate that uses AFL++ for fuzzing.
-
- If you like to code a customized fuzzer without much work, we highly
- recommend to check out our sister project libafl which supports Frida too:
- [https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL)
- Working examples already exist :-)
-
-
-## WINE+QEMU
-
- Wine mode can run Win32 PE binaries with the QEMU instrumentation.
- It needs Wine, python3 and the pefile python package installed.
-
- As it is included in AFL++ this needs no URL.
-
-
-## UNICORN
-
- Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar.
- In contrast to QEMU, Unicorn does not offer a full system or even userland
- emulation. Runtime environment and/or loaders have to be written from scratch,
- if needed. On top, block chaining has been removed. This means the speed boost
- introduced in the patched QEMU Mode of AFL++ cannot simply be ported over to
- Unicorn. For further information, check out [unicorn_mode/README.md](../unicorn_mode/README.md).
-
- As it is included in AFL++ this needs no URL.
-
-
-## AFL UNTRACER
-
- If you want to fuzz a binary-only shared library then you can fuzz it with
- utils/afl_untracer/, use afl-untracer.c as a template.
- It is slower than AFL FRIDA (see above).
-
-
-## ZAFL
- ZAFL is a static rewriting platform supporting x86-64 C/C++, stripped/unstripped,
- and PIE/non-PIE binaries. Beyond conventional instrumentation, ZAFL's API enables
- transformation passes (e.g., laf-Intel, context sensitivity, InsTrim, etc.).
-
- Its baseline instrumentation speed typically averages 90-95% of afl-clang-fast's.
-
- [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl)
-
-
-## DYNINST
-
- Dyninst is a binary instrumentation framework similar to Pintool and
- Dynamorio (see far below). However whereas Pintool and Dynamorio work at
- runtime, dyninst instruments the target at load time, and then let it run -
- or save the binary with the changes.
- This is great for some things, e.g. fuzzing, and not so effective for others,
- e.g. malware analysis.
-
- So what we can do with dyninst is taking every basic block, and put afl's
- instrumention code in there - and then save the binary.
- Afterwards we can just fuzz the newly saved target binary with afl-fuzz.
- Sounds great? It is. The issue though - it is a non-trivial problem to
- insert instructions, which change addresses in the process space, so that
- everything is still working afterwards. Hence more often than not binaries
- crash when they are run.
-
- The speed decrease is about 15-35%, depending on the optimization options
- used with afl-dyninst.
-
- [https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst)
-
-
-## RETROWRITE
-
- If you have an x86/x86_64 binary that still has its symbols, is compiled
- with position independant code (PIC/PIE) and does not use most of the C++
- features then the retrowrite solution might be for you.
- It decompiles to ASM files which can then be instrumented with afl-gcc.
-
- It is at about 80-85% performance.
-
- [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite)
-
-
-## MCSEMA
-
- Theoretically you can also decompile to llvm IR with mcsema, and then
- use llvm_mode to instrument the binary.
- Good luck with that.
-
- [https://github.com/lifting-bits/mcsema](https://github.com/lifting-bits/mcsema)
-
-
-## INTEL-PT
-
- If you have a newer Intel CPU, you can make use of Intels processor trace.
- The big issue with Intel's PT is the small buffer size and the complex
- encoding of the debug information collected through PT.
- This makes the decoding very CPU intensive and hence slow.
- As a result, the overall speed decrease is about 70-90% (depending on
- the implementation and other factors).
-
- There are two AFL intel-pt implementations:
-
- 1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt)
- => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
-
- 2. [https://github.com/hunter-ht-2018/ptfuzzer](https://github.com/hunter-ht-2018/ptfuzzer)
- => this needs a 4.14 or 4.15 kernel. the "nopti" kernel boot option must
- be used. This one is faster than the other.
-
- Note that there is also honggfuzz: https://github.com/google/honggfuzz
- But its IPT performance is just 6%!
-
-
-## CORESIGHT
-
- Coresight is ARM's answer to Intel's PT.
- With afl++ v3.15 there is a coresight tracer implementation available in
- `coresight_mode/` which is faster than QEMU, however can not run in parallel.
- Currently only one process can be traced, it is WIP.
-
-
-## PIN & DYNAMORIO
-
- Pintool and Dynamorio are dynamic instrumentation engines, and they can be
- used for getting basic block information at runtime.
- Pintool is only available for Intel x32/x64 on Linux, Mac OS and Windows,
- whereas Dynamorio is additionally available for ARM and AARCH64.
- Dynamorio is also 10x faster than Pintool.
-
- The big issue with Dynamorio (and therefore Pintool too) is speed.
- Dynamorio has a speed decrease of 98-99%
- Pintool has a speed decrease of 99.5%
-
- Hence Dynamorio is the option to go for if everything else fails, and Pintool
- only if Dynamorio fails too.
-
- Dynamorio solutions:
- * [https://github.com/vanhauser-thc/afl-dynamorio](https://github.com/vanhauser-thc/afl-dynamorio)
- * [https://github.com/mxmssh/drAFL](https://github.com/mxmssh/drAFL)
- * [https://github.com/googleprojectzero/winafl/](https://github.com/googleprojectzero/winafl/) <= very good but windows only
-
- Pintool solutions:
- * [https://github.com/vanhauser-thc/afl-pin](https://github.com/vanhauser-thc/afl-pin)
- * [https://github.com/mothran/aflpin](https://github.com/mothran/aflpin)
- * [https://github.com/spinpx/afl_pin_mode](https://github.com/spinpx/afl_pin_mode) <= only old Pintool version supported
-
-
-## Non-AFL solutions
-
- There are many binary-only fuzzing frameworks.
- Some are great for CTFs but don't work with large binaries, others are very
- slow but have good path discovery, some are very hard to set-up ...
-
- * QSYM: [https://github.com/sslab-gatech/qsym](https://github.com/sslab-gatech/qsym)
- * Manticore: [https://github.com/trailofbits/manticore](https://github.com/trailofbits/manticore)
- * S2E: [https://github.com/S2E](https://github.com/S2E)
- * Tinyinst: [https://github.com/googleprojectzero/TinyInst](https://github.com/googleprojectzero/TinyInst) (Mac/Windows only)
- * Jackalope: [https://github.com/googleprojectzero/Jackalope](https://github.com/googleprojectzero/Jackalope)
- * ... please send me any missing that are good
-
-
-## Closing words
-
- That's it! News, corrections, updates? Send an email to vh@thc.org
diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md
index ea262f6e..0b39042f 100644
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@@ -1,83 +1,282 @@
# Fuzzing binary-only targets
-When source code is *NOT* available, AFL++ offers various support for fast,
-on-the-fly instrumentation of black-box binaries.
+AFL++, libfuzzer, and other fuzzers are great if you have the source code of the
+target. This allows for very fast and coverage guided fuzzing.
-If you do not have to use Unicorn the following setup is recommended to use
-qemu_mode:
- * run 1 afl-fuzz -Q instance with CMPLOG (`-c 0` + `AFL_COMPCOV_LEVEL=2`)
- * run 1 afl-fuzz -Q instance with QASAN (`AFL_USE_QASAN=1`)
- * run 1 afl-fuzz -Q instance with LAF (`AFL_PRELOAD=libcmpcov.so` + `AFL_COMPCOV_LEVEL=2`)
-Alternatively you can use frida_mode, just switch `-Q` with `-O` and remove the
-LAF instance.
+However, if there is only the binary program and no source code available, then
+standard `afl-fuzz -n` (non-instrumented mode) is not effective.
-Then run as many instances as you have cores left with either -Q mode or - better -
-use a binary rewriter like afl-dyninst, retrowrite, zafl, etc.
+For fast, on-the-fly instrumentation of black-box binaries, AFL++ still offers
+various support. The following is a description of how these binaries can be
+fuzzed with AFL++.
-For Qemu and Frida mode, check out the persistent mode, it gives a huge speed
-improvement if it is possible to use.
+## TL;DR:
+
+Qemu_mode in persistent mode is the fastest - if the stability is high enough.
+Otherwise, try RetroWrite, Dyninst, and if these fail, too, then try standard
+qemu_mode with AFL_ENTRYPOINT to where you need it.
+
+If your target is a library, then use frida_mode.
+
+If your target is non-linux, then use unicorn_mode.
-### QEMU
+## Fuzzing binary-only targets with AFL++
+### Qemu_mode
-For linux programs and its libraries this is accomplished with a version of
-QEMU running in the lesser-known "user space emulation" mode.
-QEMU is a project separate from AFL, but you can conveniently build the
-feature by doing:
+Qemu_mode is the "native" solution to the program. It is available in the
+./qemu_mode/ directory and, once compiled, it can be accessed by the afl-fuzz -Q
+command line option. It is the easiest to use alternative and even works for
+cross-platform binaries.
+
+For linux programs and its libraries, this is accomplished with a version of
+QEMU running in the lesser-known "user space emulation" mode. QEMU is a project
+separate from AFL++, but you can conveniently build the feature by doing:
```shell
cd qemu_mode
./build_qemu_support.sh
```
-For additional instructions and caveats, see [qemu_mode/README.md](../qemu_mode/README.md).
-If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md).
-The mode is approximately 2-5x slower than compile-time instrumentation, and is
-less conducive to parallelization.
+The following setup to use qemu_mode is recommended:
+* run 1 afl-fuzz -Q instance with CMPLOG (`-c 0` + `AFL_COMPCOV_LEVEL=2`)
+* run 1 afl-fuzz -Q instance with QASAN (`AFL_USE_QASAN=1`)
+* run 1 afl-fuzz -Q instance with LAF (`AFL_PRELOAD=libcmpcov.so` +
+ `AFL_COMPCOV_LEVEL=2`), alternatively you can use frida_mode, just switch `-Q`
+ with `-O` and remove the LAF instance
+
+Then run as many instances as you have cores left with either -Q mode or - even
+better - use a binary rewriter like Dyninst, RetroWrite, ZAFL, etc.
+
+If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for your
+binary, then you can use afl-fuzz normally and it will have twice the speed
+compared to qemu_mode (but slower than qemu persistent mode). Note that several
+other binary rewriters exist, all with their advantages and caveats.
+
+The speed decrease of qemu_mode is at about 50%. However, various options exist
+to increase the speed:
+- using AFL_ENTRYPOINT to move the forkserver entry to a later basic block in
+ the binary (+5-10% speed)
+- using persistent mode
+ [qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md) this will
+ result in a 150-300% overall speed increase - so 3-8x the original qemu_mode
+ speed!
+- using AFL_CODE_START/AFL_CODE_END to only instrument specific parts
+
+For additional instructions and caveats, see
+[qemu_mode/README.md](../qemu_mode/README.md). If possible, you should use the
+persistent mode, see
+[qemu_mode/README.persistent.md](../qemu_mode/README.persistent.md). The mode is
+approximately 2-5x slower than compile-time instrumentation, and is less
+conducive to parallelization.
+
+Note that there is also honggfuzz:
+[https://github.com/google/honggfuzz](https://github.com/google/honggfuzz) which
+now has a qemu_mode, but its performance is just 1.5% ...
+
+If you like to code a customized fuzzer without much work, we highly recommend
+to check out our sister project libafl which will support QEMU, too:
+[https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL)
+
+### WINE+QEMU
+
+Wine mode can run Win32 PE binaries with the QEMU instrumentation. It needs
+Wine, python3, and the pefile python package installed.
+
+It is included in AFL++.
-If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
-your binary, then you can use afl-fuzz normally and it will have twice
-the speed compared to qemu_mode (but slower than qemu persistent mode).
-Note that several other binary rewriters exist, all with their advantages and
-caveats.
+### Frida_mode
-### Frida
+In frida_mode, you can fuzz binary-only targets as easily as with QEMU.
+Frida_mode is sometimes faster and sometimes slower than Qemu_mode. It is also
+newer, lacks COMPCOV, and has the advantage that it works on MacOS (both intel
+and M1).
-Frida mode is sometimes faster and sometimes slower than Qemu mode.
-It is also newer, lacks COMPCOV, but supports MacOS.
+To build frida_mode:
```shell
cd frida_mode
make
```
-For additional instructions and caveats, see [frida_mode/README.md](../frida_mode/README.md).
-If possible you should use the persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md).
-The mode is approximately 2-5x slower than compile-time instrumentation, and is
-less conducive to parallelization.
+For additional instructions and caveats, see
+[frida_mode/README.md](../frida_mode/README.md). If possible, you should use the
+persistent mode, see [qemu_frida/README.md](../qemu_frida/README.md). The mode
+is approximately 2-5x slower than compile-time instrumentation, and is less
+conducive to parallelization. But for binary-only fuzzing, it gives a huge speed
+improvement if it is possible to use.
+
+If you want to fuzz a binary-only library, then you can fuzz it with frida-gum
+via frida_mode/. You will have to write a harness to call the target function in
+the library, use afl-frida.c as a template.
+
+You can also perform remote fuzzing with frida, e.g. if you want to fuzz on
+iPhone or Android devices, for this you can use
+[https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) as
+an intermediate that uses AFL++ for fuzzing.
+
+If you like to code a customized fuzzer without much work, we highly recommend
+to check out our sister project libafl which supports Frida, too:
+[https://github.com/AFLplusplus/LibAFL](https://github.com/AFLplusplus/LibAFL).
+Working examples already exist :-)
### Unicorn
-For non-Linux binaries you can use AFL++'s unicorn mode which can emulate
+Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar. In
+contrast to QEMU, Unicorn does not offer a full system or even userland
+emulation. Runtime environment and/or loaders have to be written from scratch,
+if needed. On top, block chaining has been removed. This means the speed boost
+introduced in the patched QEMU Mode of AFL++ cannot simply be ported over to
+Unicorn.
+
+For non-Linux binaries, you can use AFL++'s unicorn_mode which can emulate
anything you want - for the price of speed and user written scripts.
-See [unicorn_mode/README.md](../unicorn_mode/README.md).
-It can be easily built by:
+To build unicorn_mode:
+
```shell
cd unicorn_mode
./build_unicorn_support.sh
```
+For further information, check out
+[unicorn_mode/README.md](../unicorn_mode/README.md).
+
### Shared libraries
-If the goal is to fuzz a dynamic library then there are two options available.
-For both you need to write a small harness that loads and calls the library.
-Then you fuzz this with either frida_mode or qemu_mode, and either use
+If the goal is to fuzz a dynamic library, then there are two options available.
+For both, you need to write a small harness that loads and calls the library.
+Then you fuzz this with either frida_mode or qemu_mode and either use
`AFL_INST_LIBS=1` or `AFL_QEMU/FRIDA_INST_RANGES`.
-Another, less precise and slower option is using ptrace with debugger interrupt
-instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
+Another, less precise and slower option is to fuzz it with utils/afl_untracer/
+and use afl-untracer.c as a template. It is slower than frida_mode.
+
+For more information, see
+[utils/afl_untracer/README.md](../utils/afl_untracer/README.md).
+
+## Binary rewriters
+
+### Coresight
+
+Coresight is ARM's answer to Intel's PT. With AFL++ v3.15, there is a coresight
+tracer implementation available in `coresight_mode/` which is faster than QEMU,
+however, cannot run in parallel. Currently, only one process can be traced, it
+is WIP.
+
+### Dyninst
+
+Dyninst is a binary instrumentation framework similar to Pintool and DynamoRIO.
+However, whereas Pintool and DynamoRIO work at runtime, Dyninst instruments the
+target at load time and then let it run - or save the binary with the changes.
+This is great for some things, e.g. fuzzing, and not so effective for others,
+e.g. malware analysis.
+
+So, what we can do with Dyninst is taking every basic block and put AFL++'s
+instrumentation code in there - and then save the binary. Afterwards, we can
+just fuzz the newly saved target binary with afl-fuzz. Sounds great? It is. The
+issue though - it is a non-trivial problem to insert instructions, which change
+addresses in the process space, so that everything is still working afterwards.
+Hence, more often than not binaries crash when they are run.
+
+The speed decrease is about 15-35%, depending on the optimization options used
+with afl-dyninst.
+
+[https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst)
+
+### Intel PT
+
+If you have a newer Intel CPU, you can make use of Intel's processor trace. The
+big issue with Intel's PT is the small buffer size and the complex encoding of
+the debug information collected through PT. This makes the decoding very CPU
+intensive and hence slow. As a result, the overall speed decrease is about
+70-90% (depending on the implementation and other factors).
+
+There are two AFL intel-pt implementations:
+
+1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt)
+ => This needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
+
+2. [https://github.com/hunter-ht-2018/ptfuzzer](https://github.com/hunter-ht-2018/ptfuzzer)
+ => This needs a 4.14 or 4.15 kernel. The "nopti" kernel boot option must be
+ used. This one is faster than the other.
+
+Note that there is also honggfuzz:
+[https://github.com/google/honggfuzz](https://github.com/google/honggfuzz). But
+its IPT performance is just 6%!
+
+### Mcsema
+
+Theoretically, you can also decompile to llvm IR with mcsema, and then use
+llvm_mode to instrument the binary. Good luck with that.
+
+[https://github.com/lifting-bits/mcsema](https://github.com/lifting-bits/mcsema)
+
+### Pintool & DynamoRIO
+
+Pintool and DynamoRIO are dynamic instrumentation engines. They can be used for
+getting basic block information at runtime. Pintool is only available for Intel
+x32/x64 on Linux, Mac OS, and Windows, whereas DynamoRIO is additionally
+available for ARM and AARCH64. DynamoRIO is also 10x faster than Pintool.
+
+The big issue with DynamoRIO (and therefore Pintool, too) is speed. DynamoRIO
+has a speed decrease of 98-99%, Pintool has a speed decrease of 99.5%.
+
+Hence, DynamoRIO is the option to go for if everything else fails and Pintool
+only if DynamoRIO fails, too.
+
+DynamoRIO solutions:
+* [https://github.com/vanhauser-thc/afl-dynamorio](https://github.com/vanhauser-thc/afl-dynamorio)
+* [https://github.com/mxmssh/drAFL](https://github.com/mxmssh/drAFL)
+* [https://github.com/googleprojectzero/winafl/](https://github.com/googleprojectzero/winafl/)
+ <= very good but windows only
+
+Pintool solutions:
+* [https://github.com/vanhauser-thc/afl-pin](https://github.com/vanhauser-thc/afl-pin)
+* [https://github.com/mothran/aflpin](https://github.com/mothran/aflpin)
+* [https://github.com/spinpx/afl_pin_mode](https://github.com/spinpx/afl_pin_mode)
+ <= only old Pintool version supported
+
+### RetroWrite
+
+If you have an x86/x86_64 binary that still has its symbols, is compiled with
+position independent code (PIC/PIE), and does not use most of the C++ features,
+then the RetroWrite solution might be for you. It decompiles to ASM files which
+can then be instrumented with afl-gcc.
+
+It is at about 80-85% performance.
+
+[https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite)
+
+### ZAFL
+ZAFL is a static rewriting platform supporting x86-64 C/C++,
+stripped/unstripped, and PIE/non-PIE binaries. Beyond conventional
+instrumentation, ZAFL's API enables transformation passes (e.g., laf-Intel,
+context sensitivity, InsTrim, etc.).
+
+Its baseline instrumentation speed typically averages 90-95% of
+afl-clang-fast's.
+
+[https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl)
+
+## Non-AFL++ solutions
+
+There are many binary-only fuzzing frameworks. Some are great for CTFs but don't
+work with large binaries, others are very slow but have good path discovery,
+some are very hard to set-up...
+
+
+* Jackalope:
+ [https://github.com/googleprojectzero/Jackalope](https://github.com/googleprojectzero/Jackalope)
+* Manticore:
+ [https://github.com/trailofbits/manticore](https://github.com/trailofbits/manticore)
+* QSYM:
+ [https://github.com/sslab-gatech/qsym](https://github.com/sslab-gatech/qsym)
+* S2E: [https://github.com/S2E](https://github.com/S2E)
+* TinyInst:
+ [https://github.com/googleprojectzero/TinyInst](https://github.com/googleprojectzero/TinyInst)
+ (Mac/Windows only)
+* ... please send me any missing that are good
-### More
+## Closing words
-A more comprehensive description of these and other options can be found in
-[binaryonly_fuzzing.md](binaryonly_fuzzing.md).
\ No newline at end of file
+That's it! News, corrections, updates? Send an email to vh@thc.org.
\ No newline at end of file
--
cgit 1.4.1
From 492dbe9fb294dec27e5c2bc7297b36526bb8e61f Mon Sep 17 00:00:00 2001
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 21 Nov 2021 18:00:01 +0100
Subject: Clean up docs folder
---
README.md | 5 +-
docs/FAQ.md | 5 +-
docs/best_practices.md | 18 +++--
docs/parallel_fuzzing.md | 182 +++++++++++++++++++++++------------------------
qemu_mode/README.md | 5 +-
5 files changed, 109 insertions(+), 106 deletions(-)
(limited to 'docs')
diff --git a/README.md b/README.md
index b2714787..fcb6b3c9 100644
--- a/README.md
+++ b/README.md
@@ -132,9 +132,6 @@ The following branches exist:
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!*
* (any other): experimental branches to work on specific features or testing new functionality or changes.
-For releases, please see the [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases).
-Also take a look at the list of [important changes in AFL++](docs/important_changes.md).
-
## Help wanted
We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it
@@ -233,4 +230,4 @@ presented at WOOT'20:
}
```
-
+
\ No newline at end of file
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 68ca3bad..34ed4cf5 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -83,7 +83,8 @@ If you find an interesting or important question missing, submit it via
However, if there is only the binary program and no source code available, then the standard non-instrumented mode is not effective.
- To learn how these binaries can be fuzzed, read [binaryonly_fuzzing.md](binaryonly_fuzzing.md).
+ To learn how these binaries can be fuzzed, read
+ [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md).
+