From 9063002af22e916701588248eca2fd2669e4d0df Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 9 Dec 2021 13:22:10 +0100 Subject: rename path --- docs/Changelog.md | 2 +- docs/afl-fuzz_approach.md | 26 +++++++++++++------------- docs/fuzzing_in_depth.md | 8 ++++---- docs/resources/grafana-afl++.json | 12 ++++++------ docs/rpc_statsd.md | 16 ++++++++-------- 5 files changed, 32 insertions(+), 32 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 34b9affb..99768d1d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -1566,7 +1566,7 @@ sending a mail to . - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted by G.M. Lime. - - Added last path / crash / hang times to fuzzer_stats, suggested by + - Added last find / crash / hang times to fuzzer_stats, suggested by Richard Hipp. - Fixed a typo, thanks to Jakub Wilk. diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 2da61cc4..058fe352 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md @@ -85,7 +85,7 @@ for parallel fuzzing. Second to last is the power schedule mode being run ``` +----------------------------------------------------+ | run time : 0 days, 8 hrs, 32 min, 43 sec | - | last new path : 0 days, 0 hrs, 6 min, 40 sec | + | last new find : 0 days, 0 hrs, 6 min, 40 sec | | last uniq crash : none seen yet | | last uniq hang : 0 days, 1 hrs, 24 min, 32 sec | +----------------------------------------------------+ 
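Review bot: the docs/Changelog.md hunk at @@ -1566 rewrites a release note from an old version ("Added last path / crash / hang times to fuzzer_stats" becomes "last find"); that entry records what shipped at the time, when the field really was `last_path`, so it should stay as written and the rename belongs in the current version's changelog section instead. Old changelog entries are the only place a user of that version can look up the names they actually have.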
@@ -485,20 +485,20 @@ directory. This includes: - `cycles_wo_finds` - number of cycles without any new paths found - `execs_done` - number of execve() calls attempted - `execs_per_sec` - overall number of execs per second -- `paths_total` - total number of entries in the queue -- `paths_favored` - number of queue entries that are favored -- `paths_found` - number of entries discovered through local fuzzing -- `paths_imported` - number of entries imported from other instances +- `corpus_count` - total number of entries in the queue +- `corpus_favored` - number of queue entries that are favored +- `corpus_found` - number of entries discovered through local fuzzing +- `corpus_imported` - number of entries imported from other instances - `max_depth` - number of levels in the generated data set -- `cur_path` - currently processed entry number +- `cur_item` - currently processed entry number - `pending_favs` - number of favored entries still waiting to be fuzzed - `pending_total` - number of all entries waiting to be fuzzed -- `variable_paths` - number of test cases showing variable behavior +- `corpus_variable` - number of test cases showing variable behavior - `stability` - percentage of bitmap bytes that behave consistently - `bitmap_cvg` - percentage of edge coverage found in the map so far -- `unique_crashes` - number of unique crashes recorded -- `unique_hangs` - number of unique hangs encountered -- `last_path` - seconds since the last path was found +- `saved_crashes` - number of unique crashes recorded +- `saved_hangs` - number of unique hangs encountered +- `last_find` - seconds since the last find was found - `last_crash` - seconds since the last crash was found - `last_hang` - seconds since the last hang was found - `execs_since_crash` - execs since the last crash was found 
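Review bot: the description on the renamed `last_find` line reads "seconds since the last find was found", which is circular; suggest "seconds since the last new corpus item was found". In the same hunk the unchanged context line for `cycles_wo_finds` still says "number of cycles without any new paths found"; since the purpose of this commit is to retire "path" in favour of "item"/"corpus", the lines that keep the old vocabulary should be updated in the same pass, otherwise the addendum documents one concept under two names.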
@@ -531,9 +531,9 @@ last crash > X, etc.). The selected metrics are a subset of all the metrics found in the status and in the plot file. The list is the following: `cycle_done`, `cycles_wo_finds`, -`execs_done`,`execs_per_sec`, `paths_total`, `paths_favored`, `paths_found`, -`paths_imported`, `max_depth`, `cur_path`, `pending_favs`, `pending_total`, -`variable_paths`, `unique_crashes`, `unique_hangs`, `total_crashes`, +`execs_done`,`execs_per_sec`, `corpus_count`, `corpus_favored`, `corpus_found`, +`corpus_imported`, `max_depth`, `cur_item`, `pending_favs`, `pending_total`, +`corpus_variable`, `saved_crashes`, `saved_hangs`, `total_crashes`, `slowest_exec_ms`, `edges_found`, `var_byte_count`, `havoc_expansion`. Their definitions can be found in the addendum above. diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index aaceb600..160258e0 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -11,7 +11,7 @@ Fuzzing source code is a three-step process: 2. Prepare the fuzzing by selecting and optimizing the input corpus for the target. 3. Perform the fuzzing of the target by randomly mutating input and assessing if - a generated input was processed in a new path in the target binary. + that input was processed on a new path in the target binary. ## 0. Common sense risks @@ -354,7 +354,7 @@ You can find many good examples of starting files in the ### b) Making the input corpus unique Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not -produce a new path in the target. +produce a new path/coverage in the target. Put all files from step a) into one directory, e.g., INPUTS. 
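Review bot: the @@ -531 list has `execs_done`,`execs_per_sec` with no space after the comma on a line this hunk already rewrites; fix it while renaming. In the afl-cmin hunk at @@ -354, "do not produce a new path/coverage in the target" hedges between two terms with a slash; the hunk's own wording already makes coverage the criterion, so "do not add new coverage in the target" says it precisely and matches the renamed vocabulary.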
@@ -633,7 +633,7 @@ AFL_BENCH_JUST_ONE=1 AFL_FAST_CAL=1 afl-fuzz -i newseeds -o out -S newseeds -- . ### g) Checking the coverage of the fuzzing -The `paths found` value is a bad indicator for checking how good the coverage +The `corpus count` value is a bad indicator for checking how good the coverage is. A better indicator - if you use default llvm instrumentation with at least @@ -822,7 +822,7 @@ as these are much shorter runnings. will impact the speed by ~15% though. * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the saturated corpus needs to be loaded. - * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the + * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the initial corpus as this very likely has been done for them already. * Keep the generated corpus, use afl-cmin and reuse it every time! diff --git a/docs/resources/grafana-afl++.json b/docs/resources/grafana-afl++.json index 96e824de..7afe89b1 100644 --- a/docs/resources/grafana-afl++.json +++ b/docs/resources/grafana-afl++.json @@ -926,7 +926,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"cur_path\"}", + "expr": "fuzzing{type=\"cur_item\"}", "interval": "", "legendFormat": "", "refId": "A" @@ -936,7 +936,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "Curent path", + "title": "Current fuzz item", "tooltip": { "shared": true, "sort": 0, @@ -1116,7 +1116,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"paths_favored\"}", + "expr": "fuzzing{type=\"corpus_favored\"}", "interval": "", "legendFormat": "", "refId": "A" @@ -1135,7 +1135,7 @@ } ], "timeShift": null, - "title": "Path Favored", + "title": "Corpus Favored", "tooltip": { "shared": true, "sort": 0, @@ -1428,7 +1428,7 @@ "steppedLine": false, "targets": [ { - "expr": "fuzzing{type=\"paths_imported\"}", + "expr": "fuzzing{type=\"corpus_imported\"}", "interval": "", "legendFormat": "", "refId": "A" 
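Review bot: the docs/resources/grafana-afl++.json hunks switch the PromQL selectors from `fuzzing{type="cur_path"}`, `fuzzing{type="paths_favored"}` and `fuzzing{type="paths_imported"}` to the new names, so an existing Prometheus/StatsD pipeline that has stored series under the old labels, or an afl-fuzz build that still emits them, leaves these panels silently empty after the upgrade rather than failing visibly. Either emit both label values for a transition period, or pair the dashboard edit with an explicit migration note that dashboards and scripts reading fuzzer_stats or StatsD metrics must be updated.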
@@ -1447,7 +1447,7 @@ } ], "timeShift": null, - "title": "Path Imported", + "title": "Corpus Imported", "tooltip": { "shared": true, "sort": 0, diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index 003b9c79..d8f0fb67 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -26,7 +26,7 @@ StatsD allows you to receive and aggregate metrics from a wide range of applications and retransmit them to a backend of your choice. From AFL++, StatsD can receive the following metrics: -- cur_path +- cur_item - cycle_done - cycles_wo_finds - edges_found @@ -34,18 +34,18 @@ From AFL++, StatsD can receive the following metrics: - execs_per_sec - havoc_expansion - max_depth -- paths_favored -- paths_found -- paths_imported -- paths_total +- corpus_favored +- corpus_found +- corpus_imported +- corpus_count - pending_favs - pending_total - slowest_exec_ms - total_crashes -- unique_crashes -- unique_hangs +- saved_crashes +- saved_hangs - var_byte_count -- variable_paths +- corpus_variable Depending on your StatsD server, you will be able to monitor, trigger alerts, or perform actions based on these metrics (for example: alert on slow exec/s for a -- cgit 1.4.1 From db360332c4cf92c3b90d8dfab9292763e677aebf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 9 Dec 2021 14:33:56 +0100 Subject: make llvm 14-dev working. again. --- GNUmakefile.llvm | 4 +-- docs/Changelog.md | 2 +- instrumentation/SanitizerCoverageLTO.so.cc | 19 +++++----- instrumentation/SanitizerCoveragePCGUARD.so.cc | 23 ++++++------ instrumentation/afl-llvm-pass.so.cc | 44 ++++++++++++++++++----- instrumentation/cmplog-instructions-pass.cc | 6 +++- instrumentation/cmplog-routines-pass.cc | 48 +++++++++++++++++++++----- instrumentation/cmplog-switches-pass.cc | 6 +++- instrumentation/compare-transform-pass.so.cc | 12 +++++-- qemu_mode/qemuafl | 2 +- test/test-llvm-lto.sh | 2 +- 11 files changed, 123 insertions(+), 45 deletions(-) (limited to 'docs') 
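Review bot: in the docs/rpc_statsd.md hunk at @@ -34 the metric list was alphabetical before the rename (`max_depth`, `paths_favored`, `paths_found`, ...), but the in-place substitution leaves `corpus_favored`, `corpus_found`, `corpus_imported`, `corpus_count` sitting between `max_depth` and `pending_favs`, and `saved_crashes`/`saved_hangs` between `total_crashes` and `var_byte_count`; `cur_item` at @@ -26 is likewise no longer first. Re-sort the list (the `corpus_*` entries ahead of `cur_item`, `saved_*` between `pending_total` and `slowest_exec_ms`) so readers can still scan it.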
diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 1e2c411d..f1de28a4 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -390,11 +390,11 @@ instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrument ifeq "$(LLVM_MIN_4_0_1)" "0" $(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER)) endif - $(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o + $(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps ifeq "$(LLVM_10_OK)" "1" - -$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o + -$(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o endif ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o diff --git a/docs/Changelog.md b/docs/Changelog.md index 34b9affb..9c3f7a98 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -47,7 +47,7 @@ sending a mail to . - fix for shared linking on MacOS - fixed a potential crash in targets for LAF string handling - added AFL_USE_TSAN thread sanitizer support - - llvm and LTO mode modified to work with new llvm 14-dev (again) + - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD - added the very good grammar mutator "GramaTron" to the custom_mutators diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 8d7f0c80..aa1826cd 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -1123,7 +1123,7 @@ bool ModuleSanitizerCoverage::instrumentModule( M, PointerType::get(Int8Tyi, 0), false, GlobalValue::ExternalLinkage, 0, "__afl_dictionary"); - Value *AFLDictOff = IRB.CreateGEP(AFLInternalDictionary, Zero); + Value *AFLDictOff = IRB.CreateGEP(Int8Ty, AFLInternalDictionary, Zero); Value *AFLDictPtr = IRB.CreatePointerCast(AFLDictOff, PointerType::get(Int8Tyi, 0)); StoreInst *StoreDict = IRB.CreateStore(AFLDictPtr, AFLDictionary); @@ -1388,7 +1388,8 @@ void ModuleSanitizerCoverage::instrumentFunction( local_selects++; uint32_t vector_cur = 0; /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = + IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); while (1) { @@ -1399,12 +1400,12 @@ void ModuleSanitizerCoverage::instrumentFunction( /* Load counter for CurLoc */ if (!vector_cnt) { - MapPtrIdx = IRB.CreateGEP(MapPtr, result); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, result); } else { auto element = IRB.CreateExtractElement(result, vector_cur++); - MapPtrIdx = IRB.CreateGEP(MapPtr, element); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, element); } @@ -1418,7 +1419,7 @@ void ModuleSanitizerCoverage::instrumentFunction( } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1672,13 +1673,13 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, if (map_addr) { - MapPtrIdx = IRB.CreateGEP(MapPtrFixed, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtrFixed, CurLoc); } else { - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); - MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); } 
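Review bot: at @@ -1123 the dictionary global is declared with element type `Int8Tyi` (`PointerType::get(Int8Tyi, 0)`) but the new GEP passes `Int8Ty` as the source element type (`IRB.CreateGEP(Int8Ty, AFLInternalDictionary, Zero)`); if these are not the same `Type *` the GEP is mistyped, and if they are, one of the two names is redundant, so use the same type object in both places. Across the other hunks in this file `PointerType::get(Int8Ty, 0)` is rebuilt at every load of `AFLMapPtr`; hoisting it into one `Int8PtrTy` local next to `Int8Ty` keeps the load lines short and makes the next signature change a one-line edit.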
@@ -1693,7 +1694,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); Value *Incr = IRB.CreateAdd(Counter, One); diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index d5746cc7..7b1d1d40 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -937,7 +937,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, ConstantInt::get(IntptrTy, (++special + AllBlocks.size()) * 4)), Int32PtrTy); - LoadInst *Idx = IRB.CreateLoad(GuardPtr); + LoadInst *Idx = IRB.CreateLoad(IRB.getInt32Ty(), GuardPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Idx); callInst->setOperand(1, Idx); @@ -1059,7 +1059,8 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = + IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* @@ -1078,17 +1079,17 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, /* Load counter for CurLoc */ if (!vector_cnt) { - CurLoc = IRB.CreateLoad(result); + CurLoc = IRB.CreateLoad(IRB.getInt32Ty(), result); ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); - MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); } else { auto element = IRB.CreateExtractElement(result, vector_cur++); auto elementptr = IRB.CreateIntToPtr(element, Int32PtrTy); - auto elementld = IRB.CreateLoad(elementptr); + auto elementld = IRB.CreateLoad(IRB.getInt32Ty(), elementptr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(elementld); - MapPtrIdx = IRB.CreateGEP(MapPtr, elementld); + MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, elementld); } 
@@ -1102,7 +1103,7 @@ bool ModuleSanitizerCoverage::InjectCoverage(Function & F, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ @@ -1347,17 +1348,17 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, ConstantInt::get(IntptrTy, Idx * 4)), Int32PtrTy); - LoadInst *CurLoc = IRB.CreateLoad(GuardPtr); + LoadInst *CurLoc = IRB.CreateLoad(IRB.getInt32Ty(), GuardPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(CurLoc); /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad(PointerType::get(Int8Ty, 0), AFLMapPtr); ModuleSanitizerCoverage::SetNoSanitizeMetadata(MapPtr); /* Load counter for CurLoc */ - Value *MapPtrIdx = IRB.CreateGEP(MapPtr, CurLoc); + Value *MapPtrIdx = IRB.CreateGEP(Int8Ty, MapPtr, CurLoc); if (use_threadsafe_counters) { @@ -1369,7 +1370,7 @@ void ModuleSanitizerCoverage::InjectCoverageAtBlock(Function &F, BasicBlock &BB, } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad(IRB.getInt8Ty(), MapPtrIdx); ModuleSanitizerCoverage::SetNoSanitizeMetadata(Counter); /* Update bitmap */ diff --git a/instrumentation/afl-llvm-pass.so.cc b/instrumentation/afl-llvm-pass.so.cc index 8e22fde8..640aa4dd 100644 --- a/instrumentation/afl-llvm-pass.so.cc +++ b/instrumentation/afl-llvm-pass.so.cc @@ -454,7 +454,11 @@ bool AFLCoverage::runOnModule(Module &M) { #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ctx_k) { - PrevCaller = IRB.CreateLoad(AFLPrevCaller); + PrevCaller = IRB.CreateLoad( + #if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), + #endif + AFLPrevCaller); PrevCaller->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); PrevCtx = 
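Review bot: the `#if LLVM_VERSION_MAJOR >= 14` / `#endif` pair introduced at @@ -454 of afl-llvm-pass.so.cc is indented with spaces inside the argument list of `IRB.CreateLoad(`, while the equivalent guards later in the same file sit at column 0; pick one style, and preferably avoid preprocessor conditionals inside a call altogether, since clang-format cannot handle them and every reader has to splice the two versions in their head. More importantly, SanitizerCoveragePCGUARD.so.cc and SanitizerCoverageLTO.so.cc in this same commit call the typed `CreateLoad(Type *, Value *)` and `CreateGEP(Type *, Value *, Value *)` overloads unconditionally, whereas afl-llvm-pass.so.cc guards them for LLVM 14 and later; either the unguarded calls break the older LLVM versions the makefile still builds these passes for, or the guards in afl-llvm-pass.so.cc are unnecessary. Settle that once and apply the same answer everywhere.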
@@ -467,7 +471,11 @@ bool AFLCoverage::runOnModule(Module &M) { // load the context ID of the previous function and write to to a // local variable on the stack - LoadInst *PrevCtxLoad = IRB.CreateLoad(AFLContext); + LoadInst *PrevCtxLoad = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), +#endif + AFLContext); PrevCtxLoad->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); PrevCtx = PrevCtxLoad; @@ -620,7 +628,11 @@ bool AFLCoverage::runOnModule(Module &M) { /* Load prev_loc */ - LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc); + LoadInst *PrevLoc = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt32Ty(), +#endif + AFLPrevLoc); PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *PrevLocTrans; @@ -644,20 +656,28 @@ bool AFLCoverage::runOnModule(Module &M) { /* Load SHM pointer */ - LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr); + LoadInst *MapPtr = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLMapPtr); MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *MapPtrIdx; #ifdef AFL_HAVE_VECTOR_INTRINSICS if (ngram_size) MapPtrIdx = IRB.CreateGEP( - MapPtr, + Int8Ty, MapPtr, IRB.CreateZExt( IRB.CreateXor(PrevLocTrans, IRB.CreateZExt(CurLoc, Int32Ty)), Int32Ty)); else #endif - MapPtrIdx = IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc)); + MapPtrIdx = IRB.CreateGEP( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + MapPtr, IRB.CreateXor(PrevLocTrans, CurLoc)); /* Update bitmap */ @@ -676,7 +696,11 @@ bool AFLCoverage::runOnModule(Module &M) { } else { - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + IRB.getInt8Ty(), +#endif + MapPtrIdx); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); Value *Incr = IRB.CreateAdd(Counter, One); 
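Review bot: in the @@ -644 hunk the ngram branch under `#ifdef AFL_HAVE_VECTOR_INTRINSICS` now calls `IRB.CreateGEP(Int8Ty, MapPtr, ...)` with no LLVM version guard, while the `else` branch a few lines below wraps the same `Int8Ty,` argument in `#if LLVM_VERSION_MAJOR >= 14`; if the guard is needed, a pre-14 build with vector intrinsics enabled takes the unguarded path, and if it is not needed, the guarded branch is noise. Make the two branches match. The loads of `AFLContext`, `AFLPrevLoc`, `AFLMapPtr` and `MapPtrIdx` in these hunks each repeat the same guarded `CreateLoad(` shape; a helper taking the element type would remove four copies of the `#if`.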
@@ -813,7 +837,11 @@ bool AFLCoverage::runOnModule(Module &M) { IRBuilder<> IRB(&(*it0)); // load the old counter value atomically - LoadInst *Counter = IRB.CreateLoad(MapPtrIdx); + LoadInst *Counter = IRB.CreateLoad( + #if LLVM_VERSION_MAJOR >= 14 + IRB.getInt8Ty(), + #endif + MapPtrIdx); Counter->setAlignment(llvm::Align()); Counter->setAtomic(llvm::AtomicOrdering::Monotonic); Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); diff --git a/instrumentation/cmplog-instructions-pass.cc b/instrumentation/cmplog-instructions-pass.cc index 07f80b2c..054caee2 100644 --- a/instrumentation/cmplog-instructions-pass.cc +++ b/instrumentation/cmplog-instructions-pass.cc @@ -264,7 +264,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IRBuilder<> IRB2(selectcmpInst->getParent()); IRB2.SetInsertPoint(selectcmpInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = diff --git a/instrumentation/cmplog-routines-pass.cc b/instrumentation/cmplog-routines-pass.cc index 0565875e..82c2fa4d 100644 --- a/instrumentation/cmplog-routines-pass.cc +++ b/instrumentation/cmplog-routines-pass.cc @@ -448,7 +448,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
@@ -475,7 +479,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -506,7 +514,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -533,7 +545,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
@@ -564,7 +580,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -590,7 +610,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); @@ -616,7 +640,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); 
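Review bot: the five-line block
`LoadInst *CmpPtr = IRB2.CreateLoad(` / `PointerType::get(Int8Ty, 0),` / `AFLCmplogPtr);`
with its `#if LLVM_VERSION_MAJOR >= 14` guard is now repeated verbatim in every hook of cmplog-routines-pass.cc (eight hunks in this file) and once more each in cmplog-instructions-pass.cc and cmplog-switches-pass.cc. A small static helper that takes the `IRBuilder<>` and returns the load, or at least one `Int8PtrTy` local per pass, would make the next opaque-pointer adjustment a single edit instead of ten identical ones and stop the copies drifting apart.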
@@ -642,7 +670,11 @@ bool CmpLogRoutines::hookRtns(Module &M) { IRBuilder<> IRB2(callInst->getParent()); IRB2.SetInsertPoint(callInst); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, callInst, false); diff --git a/instrumentation/cmplog-switches-pass.cc b/instrumentation/cmplog-switches-pass.cc index bcd5f8bd..4f6f2eca 100644 --- a/instrumentation/cmplog-switches-pass.cc +++ b/instrumentation/cmplog-switches-pass.cc @@ -246,7 +246,11 @@ bool CmpLogInstructions::hookInstrs(Module &M) { IRBuilder<> IRB2(SI->getParent()); IRB2.SetInsertPoint(SI); - LoadInst *CmpPtr = IRB2.CreateLoad(AFLCmplogPtr); + LoadInst *CmpPtr = IRB2.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + PointerType::get(Int8Ty, 0), +#endif + AFLCmplogPtr); CmpPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None)); auto is_not_null = IRB2.CreateICmpNE(CmpPtr, Null); auto ThenTerm = SplitBlockAndInsertIfThen(is_not_null, SI, false); diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index ef3bd66b..2ced37c5 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc 
@@ -529,8 +529,16 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, IRBuilder<> cur_cmp_IRB(&*(cur_cmp_bb->getFirstInsertionPt())); Value *v = ConstantInt::get(Int64Ty, i); - Value *ele = cur_cmp_IRB.CreateInBoundsGEP(VarStr, v, "empty"); - Value *load = cur_cmp_IRB.CreateLoad(ele); + Value *ele = cur_cmp_IRB.CreateInBoundsGEP( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + VarStr, v, "empty"); + Value *load = cur_cmp_IRB.CreateLoad( +#if LLVM_VERSION_MAJOR >= 14 + Int8Ty, +#endif + ele); if (isCaseInsensitive) { diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 002e4739..8809a2b2 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 002e473939a350854d56f67ce7b2e2d9706b8bca +Subproject commit 8809a2b2ebf089d3427dd8f6a0044bcc2e13b389 diff --git a/test/test-llvm-lto.sh b/test/test-llvm-lto.sh index 3e762acf..9ff2ec10 100755 --- a/test/test-llvm-lto.sh +++ b/test/test-llvm-lto.sh @@ -3,7 +3,7 @@ . ./test-pre.sh $ECHO "$BLUE[*] Testing: LTO llvm_mode" -test -e ../afl-clang-lto -a -e ../afl-llvm-lto-instrumentation.so && { +test -e ../afl-clang-lto -a -e ../SanitizerCoverageLTO.so && { # on FreeBSD need to set AFL_CC test `uname -s` = 'FreeBSD' && { if type clang >/dev/null; then -- cgit 1.4.1 From def386ae43ad070c11112e957c09f822f72c655d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 9 Dec 2021 14:35:31 +0100 Subject: typo --- docs/fuzzing_in_depth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 160258e0..e1599c39 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -570,7 +570,7 @@ its name is unique, hence the recommendation for `-M main-$HOSTNAME`. Now there are three strategies on how you can sync between the servers: * never: sounds weird, but this makes every server an island and has the chance - the each follow different paths into the target. You can make this even more + that each follow different paths into the target. You can make this even more interesting by even giving different seeds to each server. * regularly (~4h): this ensures that all fuzzing campaigns on the servers "see" the same thing. It is like fuzzing on a huge server. -- cgit 1.4.1 From 74aa826b60601eb59038bf61298b07eb20944caa Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 11 Dec 2021 11:03:36 +0100 Subject: changelog --- docs/Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 9e7b85a7..e9b62dc0 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,6 +10,10 @@ sending a mail to . ### Version ++3.15a (dev) - documentation restructuring, made possible by Google Season of Docs + - we renamed several UI and fuzzer_stat entries to be more precise, + e.g. "unique crashes" -> "saved crashes", "total paths" -> + "corpus count", "current path" -> "current item". + This might need changing custom scripting! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you -- cgit 1.4.1 From 4544a90b6ee25be552a7bf82fd6d5c18e6bbd05e Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 11 Dec 2021 18:25:28 +0100 Subject: Edit FAQ --- docs/FAQ.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 7869ee61..52b2d8dc 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -33,6 +33,19 @@ If you find an interesting or important question missing, submit it via Report](https://www.fuzzbench.com/reports/2020-08-03/index.html).

+
+ Is AFL++ a whitebox, graybox, or blackbox fuzzer?

+ + The definition of the terms whitebox, graybox, and blackbox fuzzing varies + from one source to another. For example, "graybox fuzzing" could mean + binary-only or source code fuzzing, or something completely different. + Therefore, we try to avoid them. + + [The Fuzzing Book](https://www.fuzzingbook.org/html/GreyboxFuzzer.html#AFL:-An-Effective-Greybox-Fuzzer) + describes the original AFL to be a graybox fuzzer. In that sense, AFL++ is + also a graybox fuzzer. +

+
Where can I find tutorials?
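Review bot: the new answer first says the project avoids the whitebox/graybox/blackbox labels because their definitions vary, then settles on "AFL++ is also a graybox fuzzer" anyway; it would serve readers better to state the defining property directly (coverage-guided, driven by instrumentation feedback from the target, whether compiled in or binary-only) and then note that this is what The Fuzzing Book calls graybox, so the definition does not depend on which source the reader consults.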

@@ -126,6 +139,16 @@ If you find an interesting or important question missing, submit it via ## Performance +

+ What makes a good performance?

+ + Good performance generally means "making the fuzzing results better". This can + be influenced by various factors, for example, speed (finding lots of paths + quickly) or thoroughness (working with decreased speed, but finding better + mutations). + +

+
How can I improve the fuzzing speed?
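Review bot: "Good performance generally means 'making the fuzzing results better'" defines the term with itself; the entry should name the two measurable quantities it then alludes to, execution speed (execs per second) and how quickly new coverage is found, and say that the trade-off between them is what the following "How can I improve the fuzzing speed?" entry addresses. The new text also says "finding lots of paths quickly" while the rename commit earlier in this series retires "paths" in favour of corpus items and finds across the UI and docs; use the new vocabulary here so the FAQ does not reintroduce the old one.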

@@ -146,8 +169,8 @@ If you find an interesting or important question missing, submit it via the edge coverage result will be different across runs. Those edges that change are then flagged "unstable". - The more "unstable" edges, the more difficult for AFL++ to identify valid new - paths. + The more "unstable" edges there are, the harder it is for AFL++ to identify + valid new paths. A value above 90% is usually fine and a value above 80% is also still ok, and even a value above 20% can still result in successful finds of bugs. However, -- cgit 1.4.1 From 4ce1ec3219a891f9d41b59155c51ae5c089f4113 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 11 Dec 2021 18:27:38 +0100 Subject: Remove blank line --- docs/FAQ.md | 1 - 1 file changed, 1 deletion(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 52b2d8dc..f1cffe00 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -146,7 +146,6 @@ If you find an interesting or important question missing, submit it via be influenced by various factors, for example, speed (finding lots of paths quickly) or thoroughness (working with decreased speed, but finding better mutations). -
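Review bot: the follow-up commit "Remove blank line" only deletes a blank line that the immediately preceding "Edit FAQ" commit introduced at the end of the "What makes a good performance?" entry; squash it into that commit so the log does not carry a one-line fix-up for its own neighbour. The rewording at @@ -146 ("The more "unstable" edges there are, the harder it is for AFL++ to identify valid new paths.") reads well, though "paths" here is the same vocabulary the earlier rename commit is phasing out.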

-- cgit 1.4.1 From 77ce31c8ba1f90d8895ba16a2bb509db88071a10 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sat, 11 Dec 2021 19:13:22 +0100 Subject: Add docs content overview --- dictionaries/README.md | 2 +- docs/README.md | 41 ++++++++++++++++++++++ docs/afl-fuzz_approach.md | 2 +- docs/resources/fuzzing_process_overview.drawio.svg | 4 +++ instrumentation/README.gcc_plugin.md | 5 +-- instrumentation/README.llvm.md | 2 +- qemu_mode/README.md | 2 +- testcases/README.md | 2 +- utils/libdislocator/README.md | 2 +- utils/libtokencap/README.md | 2 +- 10 files changed, 55 insertions(+), 9 deletions(-) create mode 100644 docs/README.md create mode 100644 docs/resources/fuzzing_process_overview.drawio.svg (limited to 'docs') diff --git a/dictionaries/README.md b/dictionaries/README.md index 0b3b4d90..ab0a6798 100644 --- a/dictionaries/README.md +++ b/dictionaries/README.md @@ -1,6 +1,6 @@ # AFL++ dictionaries -(See [../README.md](../README.md) for the general instruction manual.) +For the general instruction manual, see [docs/README.md](../docs/README.md). This subdirectory contains a set of dictionaries that can be used in conjunction with the -x option to allow the fuzzer to effortlessly explore the grammar of diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..22f86de1 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,41 @@ +# AFL++ documentation + +This is the overview of the AFL++ docs content. + +For general information on AFL++, see the +[README.md of the repository](../README.md). + +Also take a look at our [FAQ.md](FAQ.md) and +[best_practices.md](best_practices.md). + +## Fuzzing targets with the source code available + +You can find a quickstart for fuzzing targets with the source code available in +the [README.md of the repository](../README.md#quick-start-fuzzing-with-afl). + +For in-depth information on the steps of the fuzzing process, see +[fuzzing_in_depth.md](fuzzing_in_depth.md) or click on the following +image to select a step. + +![Fuzzing process overview](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/fuzzing_process_overview.drawio.svg "Fuzzing process overview") + +For further information on instrumentation, see the +[READMEs in the instrumentation/ folder](../instrumentation/). + +## Fuzzing other targets + +To learn about fuzzing other targets, see: + +* Binary-only: [fuzzing_binary-only_targets.md](fuzzing_binary-only_targets.md) +* GUI programs: + [best_practices.md#fuzzing-a-gui-program](best_practices.md#fuzzing-a-gui-program) +* Libraries: [frida_mode/README.md](../frida_mode/README.md) +* Network services: + [best_practices.md#fuzzing-a-network-service](best_practices.md#fuzzing-a-network-service) +* Non-linux: [unicorn_mode/README.md](../unicorn_mode/README.md) + +## Additional information + +* Tools that help fuzzing with AFL++: + [third_party_tools.md](third_party_tools.md) +* Tutorials: [tutorials.md](tutorials.md) \ No newline at end of file diff --git a/docs/afl-fuzz_approach.md b/docs/afl-fuzz_approach.md index 058fe352..6af39769 100644 --- a/docs/afl-fuzz_approach.md +++ b/docs/afl-fuzz_approach.md 
@@ -40,7 +40,7 @@ superior to blind fuzzing or coverage-only tools. This section provides an overview of the status screen - plus tips for troubleshooting any warnings and red text shown in the UI. -For the general instruction manual, see [README.md](../README.md). +For the general instruction manual, see [README.md](README.md). ### A note about colors diff --git a/docs/resources/fuzzing_process_overview.drawio.svg b/docs/resources/fuzzing_process_overview.drawio.svg new file mode 100644 index 00000000..c46bfbbc --- /dev/null +++ b/docs/resources/fuzzing_process_overview.drawio.svg @@ -0,0 +1,4 @@ + + + +
[SVG text content of fuzzing_process_overview.drawio.svg (labels only): Prepare campaign; Required task; Optional task; Check coverage; Monitor status; Triage crashes; Use multiple cores; Use multiple machines; Run afl-fuzz; Make input corpus unique; Minimize corpus file; Collect inputs; Select compiler; Select options; Select sanitizer; Compile target source code; Write and compile harness; Modify target; Instrument target; Fuzz target; Manage campaign; fallback text: Viewer does not support full SVG 1.1]
\ No newline at end of file diff --git a/instrumentation/README.gcc_plugin.md b/instrumentation/README.gcc_plugin.md index ef38662b..ed39af9d 100644 --- a/instrumentation/README.gcc_plugin.md +++ b/instrumentation/README.gcc_plugin.md @@ -1,7 +1,8 @@ # GCC-based instrumentation for afl-fuzz -For the general instruction manual, see [../README.md](../README.md). For the -LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). + +For the LLVM-based instrumentation, see [README.llvm.md](README.llvm.md). This document describes how to build and use `afl-gcc-fast` and `afl-g++-fast`, which instrument the target with the help of gcc plugins. diff --git a/instrumentation/README.llvm.md b/instrumentation/README.llvm.md index d220e52c..7855a987 100644 --- a/instrumentation/README.llvm.md +++ b/instrumentation/README.llvm.md @@ -1,6 +1,6 @@ # Fast LLVM-based instrumentation for afl-fuzz -For the general instruction manual, see [../README.md](../README.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). For the GCC-based instrumentation, see [README.gcc_plugin.md](README.gcc_plugin.md). diff --git a/qemu_mode/README.md b/qemu_mode/README.md index 8e04cbf9..a045ef4f 100644 --- a/qemu_mode/README.md +++ b/qemu_mode/README.md @@ -1,6 +1,6 @@ # High-performance binary-only instrumentation for afl-fuzz -For the general instruction manual, see [README.md](../README.md). +For the general instruction manual, see [docs/README.md](../docs/README.md). ## 1) Introduction diff --git a/testcases/README.md b/testcases/README.md index a2f74d68..119fd272 100644 --- a/testcases/README.md +++ b/testcases/README.md 
@@ -1,6 +1,6 @@ # AFL++ starting test cases - (See [../README.md](../README.md) for the general instruction manual.) +For the general instruction manual, see [docs/README.md](../docs/README.md). The archives/, images/, multimedia/, and others/ subdirectories contain small, standalone files that can be used to seed afl-fuzz when testing parsers for a diff --git a/utils/libdislocator/README.md b/utils/libdislocator/README.md index 7150c205..116a22ba 100644 --- a/utils/libdislocator/README.md +++ b/utils/libdislocator/README.md @@ -1,6 +1,6 @@ # libdislocator, an abusive allocator - (See ../../README.md for the general instruction manual.) +For the general instruction manual, see [docs/README.md](../../docs/README.md). This is a companion library that can be used as a drop-in replacement for the libc allocator in the fuzzed binaries. It improves the odds of bumping into diff --git a/utils/libtokencap/README.md b/utils/libtokencap/README.md index 343fcce0..4e7ed1d1 100644 --- a/utils/libtokencap/README.md +++ b/utils/libtokencap/README.md @@ -5,7 +5,7 @@ The afl-clang-fast AFL_LLVM_DICT2FILE feature is much better, afl-clang-lto has that feature automatically integrated. - (See ../../README.md for the general instruction manual.) +For the general instruction manual, see [docs/README.md](../../docs/README.md). This companion library allows you to instrument `strcmp()`, `memcmp()`, and related functions to automatically extract syntax tokens passed to any of -- cgit 1.4.1 From 9d7dd5a69f43f9fa8915afb37018f4df8e8db79c Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 17:59:14 +0100 Subject: Fix formatting and references --- docs/fuzzing_in_depth.md | 225 ++++++++++++++++++++++----------------- instrumentation/README.cmplog.md | 9 +- 2 files changed, 129 insertions(+), 105 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index e1599c39..cf44feec 100644 
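Review bot: The overview image in the new docs/README.md hunk of 77ce31c8 is loaded from `https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/fuzzing_process_overview.drawio.svg` although this same commit adds the file next to the README; the relative path `resources/fuzzing_process_overview.drawio.svg` would render in forks, other branches and offline clones, while the absolute URL always shows the `dev` copy. The sentence "click on the following image to select a step" also promises something a Markdown image cannot deliver (it is not an image map, and links inside an SVG displayed through an image tag are not followed), so either drop that sentence or list the steps as text links. Two smaller points: "Libraries: frida_mode/README.md" is surprising, as frida_mode is a binary-only mode, whereas fuzzing a library with source is what section g) "libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput()" in fuzzing_in_depth.md covers; and the file is committed without a trailing newline.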
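Review bot: The fuzzing_process_overview.drawio.svg hunk in 77ce31c8 is a draw.io export that keeps its labels in HTML foreignObject elements with per-label plain-text fallbacks and a global "Viewer does not support full SVG 1.1" banner, which is why most label text appears twice when the file is read as text; viewers without foreignObject support display only the banner. Exporting with plain SVG text labels, or at least checking the file in a plain image viewer rather than only in a browser, avoids that failure mode.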
--- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md 
@@ -95,38 +95,43 @@ Clickable README links for the chosen compiler: * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features -You can select the mode for the afl-cc compiler by: -1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, +You can select the mode for the afl-cc compiler by one of the following methods: + +* Using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++, - afl-gcc-fast, afl-g++-fast (recommended!) -2. using the environment variable AFL_CC_COMPILER with MODE -3. passing --afl-MODE command line options to the compiler via - CFLAGS/CXXFLAGS/CPPFLAGS + afl-gcc-fast, afl-g++-fast (recommended!). +* Using the environment variable `AFL_CC_COMPILER` with `MODE`. +* Passing --afl-MODE command line options to the compiler via + `CFLAGS`/`CXXFLAGS`/`CPPFLAGS`. + +`MODE` can be one of the following: -MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN -(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). +* LTO (afl-clang-lto*) +* LLVM (afl-clang-fast*) +* GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++) +* CLANG(afl-clang/afl-clang++) Because no AFL++ specific command-line options are accepted (beside the --afl-MODE command), the compile-time tools make fairly broad use of environment -variables, which can be listed with `afl-cc -hh` or by reading +variables, which can be listed with `afl-cc -hh` or looked up in [env_variables.md](env_variables.md). ### b) Selecting instrumentation options -The following options are available when you instrument with LTO mode -(afl-clang-fast/afl-clang-lto): +If you instrument with LTO mode (afl-clang-fast/afl-clang-lto), the following +options are available: -* Splitting integer, string, float and switch comparisons so AFL++ can easier +* Splitting integer, string, float, and switch comparisons so AFL++ can easier solve these. 
This is an important option if you do not have a very good and - large input corpus. This technique is called laf-intel or COMPCOV. To use this - set the following environment variable before compiling the target: `export - AFL_LLVM_LAF_ALL=1` You can read more about this in + large input corpus. This technique is called laf-intel or COMPCOV. To use + this, set the following environment variable before compiling the target: + `export AFL_LLVM_LAF_ALL=1`. You can read more about this in [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md). * A different technique (and usually a better one than laf-intel) is to instrument the target so that any compare values in the target are sent to AFL++ which then tries to put these values into the fuzzing data at different locations. This technique is very fast and good - if the target does not - transform input data before comparison. Therefore this technique is called + transform input data before comparison. Therefore, this technique is called `input to state` or `redqueen`. If you want to use this technique, then you have to compile the target twice, once specifically with/for this mode by setting `AFL_LLVM_CMPLOG=1`, and pass this binary to afl-fuzz via the `-c` 
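Review bot: In the -95,38 hunk, the new lead-in "If you instrument with LTO mode (afl-clang-fast/afl-clang-lto)" contradicts the MODE list a few lines above it, where afl-clang-fast* is LLVM mode and only afl-clang-lto* is LTO; "If you instrument with LLVM or LTO mode (afl-clang-fast/afl-clang-lto)" would match. In that list GCC_PLUGIN and GCC share one bullet while CLANG gets its own, and "CLANG(afl-clang/afl-clang++)" lacks the space the other entries have; one bullet per mode reads better. "so AFL++ can easier solve these" is carried over from the old line and should be "so AFL++ can solve these more easily".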
@@ -135,24 +140,25 @@ The following options are available when you instrument with LTO mode about this in [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md). -If you use LTO, LLVM or GCC_PLUGIN mode -(afl-clang-fast/afl-clang-lto/afl-gcc-fast) you have the option to selectively +If you use LTO, LLVM, or GCC_PLUGIN mode +(afl-clang-fast/afl-clang-lto/afl-gcc-fast), you have the option to selectively only instrument parts of the target that you are interested in: -* To instrument only those parts of the target that you are interested in create - a file with all the filenames of the source code that should be instrumented. - For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than - DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one filename or - function per line (no directory information necessary for filenames9, and - either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** `export - AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default to - instrument unless noted (DENYLIST) or not perform instrumentation unless +* To instrument only those parts of the target that you are interested in, + create a file with all the filenames of the source code that should be + instrumented. For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode + other than DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one + filename or function per line (no directory information necessary for + filenames), and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or** + `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per default + to instrument unless noted (DENYLIST) or not perform instrumentation unless requested (ALLOWLIST). **NOTE:** During optimization functions might be inlined and then would not match! 
See - [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) + [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md). There are many more options and modes available, however, these are most of the time less effective. See: + * [instrumentation/README.llvm.md#6) AFL++ Context Sensitive Branch Coverage](../instrumentation/README.llvm.md#6-afl-context-sensitive-branch-coverage) * [instrumentation/README.llvm.md#7) AFL++ N-Gram Branch Coverage](../instrumentation/README.llvm.md#7-afl-n-gram-branch-coverage) @@ -166,12 +172,13 @@ It is possible to use sanitizers when instrumenting targets for fuzzing, which allows you to find bugs that would not necessarily result in a crash. Note that sanitizers have a huge impact on CPU (= less executions per second) -and RAM usage. Also you should only run one afl-fuzz instance per sanitizer +and RAM usage. Also, you should only run one afl-fuzz instance per sanitizer type. This is enough because a use-after-free bug will be picked up, e.g., by ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not all fuzzing instances need to be instrumented with ASAN. The following sanitizers have built-in support in AFL++: + * ASAN = Address SANitizer, finds memory corruption vulnerabilities like use-after-free, NULL pointer dereference, buffer overruns, etc. Enabled with `export AFL_USE_ASAN=1` before compiling. 
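Review bot: The -135,24 hunk fixes the "filenames9" typo, but the reflowed condition "For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than DEFAULT/PCGUARD is used or you have llvm > 10.0.0 -" still leaves unclear whether the llvm version alone is enough for afl-clang-fast in PCGUARD mode; stating the two afl-clang-fast cases separately ("afl-clang-fast with llvm > 10.0.0" and "afl-clang-fast in any mode other than DEFAULT/PCGUARD") removes the ambiguity. "depending on if you want per default to instrument" should read "depending on whether you want to instrument by default".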
@@ -184,7 +191,7 @@ The following sanitizers have built-in support in AFL++: with `export AFL_USE_UBSAN=1` before compiling. * CFISAN = Control Flow Integrity SANitizer, finds instances where the control flow is found to be illegal. Originally this was rather to prevent return - oriented programming exploit chains from functioning, in fuzzing this is + oriented programming exploit chains from functioning. In fuzzing, this is mostly reduced to detecting type confusion vulnerabilities - which is, however, one of the most important and dangerous C++ memory corruption classes! Enabled with `export AFL_USE_CFISAN=1` before compiling. 
@@ -227,20 +234,20 @@ All AFL++ compilers will set this preprocessor definition automatically. ### e) Instrumenting the target -In this step the target source code is compiled so that it can be fuzzed. +In this step, the target source code is compiled so that it can be fuzzed. -Basically you have to tell the target build system that the selected AFL++ +Basically, you have to tell the target build system that the selected AFL++ compiler is used. Also - if possible - you should always configure the build -system such that the target is compiled statically and not dynamically. How to -do this is described below. +system in such way that the target is compiled statically and not dynamically. +How to do this is described below. The #1 rule when instrumenting a target is: avoid instrumenting shared libraries -at all cost. You would need to set LD_LIBRARY_PATH to point to these, you could -accidentally type "make install" and install them system wide - so don't. Really -don't. **Always compile libraries you want to have instrumented as static and -link these to the target program!** +at all cost. You would need to set `LD_LIBRARY_PATH` to point to these, you +could accidentally type "make install" and install them system wide - so don't. +Really don't. **Always compile libraries you want to have instrumented as static +and link these to the target program!** -Then build the target. (Usually with `make`) +Then build the target. (Usually with `make`.) **NOTES** 
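Review bot: In the -227,20 hunk, "configure the build system in such way that" drops the article; "in such a way that", or the original "so that", is correct. Wrapping `LD_LIBRARY_PATH` in backticks is good; "make install" in the same sentence should get the same treatment for consistency.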
@@ -258,19 +265,23 @@ Then build the target. (Usually with `make`) #### configure -For `configure` build systems this is usually done by: +For `configure` build systems, this is usually done by: -`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared` +``` +CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared +``` -Note that if you are using the (better) afl-clang-lto compiler you also have to +Note that if you are using the (better) afl-clang-lto compiler, you also have to set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). #### cmake -For `cmake` build systems this is usually done by: +For `cmake` build systems, this is usually done by: -`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..` +``` +mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .. +``` Note that if you are using the (better) afl-clang-lto compiler you also have to set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is 
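Review bot: In the -258,19 hunk, the new CMake snippet `mkdir build; cd build; cmake ...` chains with `;`, so if `mkdir` or `cd` fails the cmake call still runs, in whatever directory you are in and with the wrong source path; `mkdir build && cd build && cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..` stops at the first failure. The AR/RANLIB note for afl-clang-lto is duplicated verbatim under configure and CMake, and only the first copy received the new comma ("compiler, you also"); either fix both or replace the second with a reference to the first. Tagging the new fences with `sh` would enable highlighting, though the file otherwise uses untagged fences.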
@@ -278,21 +289,24 @@ described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). #### meson -For meson you have to set the AFL++ compiler with the very first command! -`CC=afl-cc CXX=afl-c++ meson` +For meson, you have to set the AFL++ compiler with the very first command! -#### other build systems or if configure/cmake didn't work +``` +CC=afl-cc CXX=afl-c++ meson +``` + +#### Other build systems or if configure/cmake didn't work -Sometimes cmake and configure do not pick up the AFL++ compiler, or the -ranlib/ar that is needed - because this was just not foreseen by the developer -of the target. Or they have non-standard options. Figure out if there is a -non-standard way to set this, otherwise set up the build normally and edit the -generated build environment afterwards manually to point it to the right -compiler (and/or ranlib and ar). +Sometimes cmake and configure do not pick up the AFL++ compiler or the ranlib/ar +that is needed - because this was just not foreseen by the developer of the +target. Or they have non-standard options. Figure out if there is a non-standard +way to set this, otherwise set up the build normally and edit the generated +build environment afterwards manually to point it to the right compiler (and/or +ranlib and ar). ### f) Better instrumentation -If you just fuzz a target program as-is you are wasting a great opportunity for +If you just fuzz a target program as-is, you are wasting a great opportunity for much more fuzzing speed. This variant requires the usage of afl-clang-lto, afl-clang-fast or 
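Review bot: In the -278,21 hunk, the heading becomes "Other build systems or if configure/cmake didn't work" with a capital letter while its sibling headings "configure", "cmake" and "meson" stay lowercase; pick one convention for all four (the later 52cae6d1 in this series capitalizes CMake and Meson, so capitalizing here matches where the docs are heading). "Figure out if there is a non-standard way to set this, otherwise set up the build normally" needs a semicolon before "otherwise" or a new sentence starting "If not, ...".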
@@ -304,7 +318,7 @@ that you want to fuzz, plus a few specific AFL++ functions around it. See [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) for details. -Basically if you do not fuzz a target in persistent mode, then you are just +Basically, if you do not fuzz a target in persistent mode, then you are just doing it for a hobby and not professionally :-). ### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() @@ -354,20 +368,24 @@ You can find many good examples of starting files in the ### b) Making the input corpus unique Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not -produce a new path/coverage in the target. +produce a new path/coverage in the target: -Put all files from step a) into one directory, e.g., INPUTS. +1. Put all files from [step a](#a-collecting-inputs) into one directory, e.g., INPUTS. +2. Run afl-cmin: + * If the target program is to be called by fuzzing as `bin/target -d + INPUTFILE`, set the INPUTFILE argument that the target program would read + from as `@@`: -If the target program is to be called by fuzzing as `bin/target -d INPUTFILE` -the run afl-cmin like this: + ``` + afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@ + ``` -`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@` + * If the target reads from stdin instead, just omit the `@@` as this is the + default: -Note that the INPUTFILE argument that the target program would read from has to -be set as `@@`. - -If the target reads from stdin instead, just omit the `@@` as this is the -default. + ``` + afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d + ``` This step is highly recommended! 
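Review bot: In the -354,20 hunk, the stdin variant keeps `-d` in `afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d`, although the paragraph above introduces `-d INPUTFILE` as the option that takes the input file; if `-d` is an unrelated flag, say so, otherwise drop it from the stdin example so readers do not copy a file option without a file. Step 2 now nests bullets and fenced blocks inside a numbered item; verify in the rendered Markdown that the fences are indented far enough to stay inside their bullet, otherwise they render as siblings of the list.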
@@ -385,14 +403,16 @@ for i in *; do done ``` -This step can also be parallelized, e.g., with `parallel`. Note that this step -is rather optional though. +This step can also be parallelized, e.g., with `parallel`. + +Note that this step is rather optional though. ### Done! -The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/ -if you minimized the corpus in step c) - is the resulting input corpus directory -to be used in fuzzing! :-) +The INPUTS_UNIQUE/ directory from [step b](#b-making-the-input-corpus-unique) - +or even better the directory input/ if you minimized the corpus in +[step c](#c-minimizing-all-corpus-files) - is the resulting input corpus +directory to be used in fuzzing! :-) ## 3. Fuzzing the target 
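Review bot: In the -385,14 hunk, "Note that this step is rather optional though." hedges twice ("rather", "though"); "This step is optional." says the same, and since the Done! section right below tells readers to prefer the minimized input/ directory, one sentence on why minimizing pays off would keep the two passages from reading as contradictory.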
@@ -405,28 +425,31 @@ seriously :-) ### a) Running afl-fuzz -Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on -the host if you execute afl-fuzz in a docker container). This reconfigures the +Before you do even a test run of afl-fuzz, execute `sudo afl-system-config` (on +the host if you execute afl-fuzz in a Docker container). This reconfigures the system for optimal speed - which afl-fuzz checks and bails otherwise. Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot run afl-system-config with root privileges on the host for whatever reason. -Note there is also `sudo afl-persistent-config` which sets additional permanent -boot options for a much better fuzzing performance. +Note: -Note that both scripts improve your fuzzing performance but also decrease your -system protection against attacks! So set strong firewall rules and only expose -SSH as a network service if you use these (which is highly recommended). +* There is also `sudo afl-persistent-config` which sets additional permanent + boot options for a much better fuzzing performance. +* Both scripts improve your fuzzing performance but also decrease your system + protection against attacks! So set strong firewall rules and only expose SSH + as a network service if you use these (which is highly recommended). -If you have an input corpus from step 2, then specify this directory with the -`-i` option. Otherwise, create a new directory and create a file with any -content as test data in there. +If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign), +then specify this directory with the `-i` option. Otherwise, create a new +directory and create a file with any content as test data in there. 
If you do not want anything special, the defaults are already usually best, hence all you need is to specify the seed input directory with the result of -step [2a) Collect inputs](#a-collect-inputs): +step [2a) Collecting inputs](#a-collecting-inputs): -`afl-fuzz -i input -o output -- bin/target -d @@` +``` +afl-fuzz -i input -o output -- bin/target -d @@ +``` Note that the directory specified with `-o` will be created if it does not exist. @@ -444,7 +467,9 @@ If you need to stop and re-start the fuzzing, use the same command line options (or even change them by selecting a different power schedule or another mutation mode!) and switch the input directory with a dash (`-`): -`afl-fuzz -i - -o output -- bin/target -d @@` +``` +afl-fuzz -i - -o output -- bin/target -d @@ +``` Adding a dictionary is helpful. See the directory [dictionaries/](../dictionaries/) if something is already included for your data @@ -461,7 +486,7 @@ specific locations for the input file (`-f`), performing deterministic fuzzing We highly recommend that you set a memory limit for running the target with `-m` which defines the maximum memory in MB. This prevents a potential out-of-memory problem for your system plus helps you detect missing `malloc()` failure -handling in the target. Play around with various -m values until you find one +handling in the target. Play around with various `-m` values until you find one that safely works for all your input seeds (if you have good ones and then double or quadruple that. @@ -469,8 +494,8 @@ By default, afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or send a signal SIGINT. You can limit the number of executions or approximate runtime in seconds with options also. -When you start afl-fuzz you will see a user interface that shows what the status -is: +When you start afl-fuzz, you will see a user interface that shows what the +status is: ![resources/screenshot.png](resources/screenshot.png) 
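Review bot: In the -405,28 hunk, the new bullet "set strong firewall rules and only expose SSH as a network service if you use these (which is highly recommended)" is ambiguous about what is recommended: running the scripts or the firewall rules. Since afl-system-config and afl-persistent-config, like the grub options listed under "Improve the speed!" later in this patch (`mitigations=off`, `nospectre_v2`, `nopti`), switch off kernel hardening, make the safe reading explicit, e.g. "if you use these scripts (recommended for fuzzing performance), keep the machine on a trusted network and allow inbound access only to SSH". In the -461,7 hunk the context line "for all your input seeds (if you have good ones and then double or quadruple that." has an unbalanced parenthesis; while touching `-m` there, close it after "good ones".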
@@ -623,7 +648,7 @@ To stop an afl-fuzz run, press Control-C. To restart an afl-fuzz run, just reuse the same command line but replace the `-i directory` with `-i -` or set `AFL_AUTORESUME=1`. -If you want to add new seeds to a fuzzing campaign you can run a temporary +If you want to add new seeds to a fuzzing campaign, you can run a temporary fuzzing instance, e.g., when your main fuzzer is using `-o out` and the new seeds are in `newseeds/` directory: @@ -686,21 +711,21 @@ or honggfuzz. ### i) Improve the speed! * Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 - speed increase) + speed increase). * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input - file on a tempfs location, see [env_variables.md](env_variables.md) + file on a tempfs location, see [env_variables.md](env_variables.md). * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure) - you can - also just run `sudo afl-persistent-config` + also just run `sudo afl-persistent-config`. * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a - bit faster than on any other journaling filesystem -* Use your cores! [3c) Using multiple cores](#c-using-multiple-cores) + bit faster than on any other journaling filesystem. +* Use your cores! See [3c) Using multiple cores](#c-using-multiple-cores). * Run `sudo afl-system-config` before starting the first afl-fuzz instance after - a reboot + a reboot. ### j) Going beyond crashes 
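Review bot: In the -686,21 hunk, "point the input file on a tempfs location" should be "tmpfs" (the Linux filesystem name; "tempfs" is carried over from the old line). "faster than on any other journaling filesystem" misdescribes ext2, which has no journal; "faster than on a journaling filesystem" is what is meant. The grub bullet lists Spectre/Meltdown mitigation switches (`nospectre_v1`, `nospectre_v2`, `nopti`, `mitigations=off`) with only "(warning: makes the system more insecure)"; cross-reference the firewall/SSH advice from section 3a so readers see this belongs on a dedicated fuzzing machine, not a shared workstation.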
@@ -800,19 +825,19 @@ mode, it will happily accept instrumented and non-instrumented binaries. In the non-crashing mode, the minimizer relies on standard AFL++ instrumentation to make the file simpler without altering the execution path. -The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with -afl-fuzz. +The minimizer accepts the `-m`, `-t`, `-f`, and `@@` syntax in a manner +compatible with afl-fuzz. Another tool in AFL++ is the afl-analyze tool. It takes an input file, attempts -to sequentially flip bytes, and observes the behavior of the tested program. It -then color-codes the input based on which sections appear to be critical, and +to sequentially flip bytes and observes the behavior of the tested program. It +then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. ## 5. CI fuzzing -Some notes on CI fuzzing - this fuzzing is different to normal fuzzing campaigns -as these are much shorter runnings. +Some notes on continuous integration (CI) fuzzing - this fuzzing is different to +normal fuzzing campaigns as these are much shorter runnings. 1. Always: * LTO has a much longer compile time which is diametrical to short fuzzing - @@ -822,8 +847,8 @@ as these are much shorter runnings. will impact the speed by ~15% though. * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the saturated corpus needs to be loaded. - * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the - initial corpus as this very likely has been done for them already. + * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the initial + corpus as this very likely has been done for them already. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: 
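Review bot: In the -800,19 hunk, "this fuzzing is different to normal fuzzing campaigns as these are much shorter runnings" keeps two grammar problems from the old line; "differs from normal fuzzing campaigns in that the runs are much shorter" reads correctly. In the context line below it, "LTO has a much longer compile time which is diametrical to short fuzzing" should be "diametrically opposed to".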
diff --git a/instrumentation/README.cmplog.md b/instrumentation/README.cmplog.md index 146b4620..668c07eb 100644 --- a/instrumentation/README.cmplog.md +++ b/instrumentation/README.cmplog.md @@ -11,12 +11,11 @@ see ## Build To use CmpLog, you have to build two versions of the instrumented target -program. +program: -The first version is built using the regular AFL++ instrumentation. - -The second one, the CmpLog binary, is built with setting AFL_LLVM_CMPLOG during -the compilation. +* The first version is built using the regular AFL++ instrumentation. +* The second one, the CmpLog binary, is built with setting `AFL_LLVM_CMPLOG` + during the compilation. For example: -- cgit 1.4.1 From d28bb47a3845a6f7318a4bfc6a04e6a2257205ad Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 20:01:44 +0100 Subject: Fix formatting and spelling --- docs/fuzzing_in_depth.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index cf44feec..ebafc892 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -637,7 +637,7 @@ If you have multiple servers, then use the command after a sync or you have to execute this script per server. Another tool to inspect the current state and history of a specific instance is -afl-plot, which generates an index.html file and a graphs that show how the +afl-plot, which generates an index.html file and graphs that show how the fuzzing instance is performing. The syntax is `afl-plot instance_dir web_dir`, e.g., `afl-plot out/default /srv/www/htdocs/plot`. 
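Review bot: In the README.cmplog.md hunk, "is built with setting `AFL_LLVM_CMPLOG` during the compilation" reads awkwardly; "is built with `AFL_LLVM_CMPLOG=1` set during compilation" matches how fuzzing_in_depth.md puts it in the -95,38 hunk above ("setting `AFL_LLVM_CMPLOG=1`") and tells the reader the value to use.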
@@ -799,7 +799,7 @@ making it easier to diagnose faults. Having said that, it's important to acknowledge that some fuzzing crashes can be difficult to quickly evaluate for exploitability without a lot of debugging and code analysis work. To assist with this task, afl-fuzz supports a very unique -"crash exploration" mode enabled with the -C flag. +"crash exploration" mode enabled with the `-C` flag. In this mode, the fuzzer takes one or more crashing test cases as the input and uses its feedback-driven fuzzing strategies to very quickly enumerate all code @@ -845,7 +845,7 @@ normal fuzzing campaigns as these are much shorter runnings. * If you compile with CMPLOG, then you can save fuzzing time and reuse that compiled target for both the `-c` option and the main fuzz target. This will impact the speed by ~15% though. - * `AFL_FAST_CAL` - Enable fast calibration, this halves the time the + * `AFL_FAST_CAL` - enables fast calibration, this halves the time the saturated corpus needs to be loaded. * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds, not the initial corpus as this very likely has been done for them already. -- cgit 1.4.1 From 0993bcdc4e44a66b6d0b5e7ee234c834b00a5413 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 20:04:42 +0100 Subject: Delete image --- docs/resources/fuzzing_process_overview.drawio.svg | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 docs/resources/fuzzing_process_overview.drawio.svg (limited to 'docs') diff --git a/docs/resources/fuzzing_process_overview.drawio.svg b/docs/resources/fuzzing_process_overview.drawio.svg deleted file mode 100644 index c46bfbbc..00000000 --- a/docs/resources/fuzzing_process_overview.drawio.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - -
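Review bot: In the -845,7 hunk of d28bb47a, changing the bullet to "`AFL_FAST_CAL` - enables fast calibration, this halves ..." leaves the list with mixed verb forms, since the next bullet still reads "`AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new finds"; use one form for both. "enables fast calibration, this halves the time" is also a comma splice; "which halves the time" fixes it.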
[SVG text content of fuzzing_process_overview.drawio.svg (labels only): Prepare campaign; Required task; Optional task; Check coverage; Monitor status; Triage crashes; Use multiple cores; Use multiple machines; Run afl-fuzz; Make input corpus unique; Minimize corpus file; Collect inputs; Select compiler; Select options; Select sanitizer; Compile target source code; Write and compile harness; Modify target; Instrument target; Fuzz target; Manage campaign; fallback text: Viewer does not support full SVG 1.1]
\ No newline at end of file -- cgit 1.4.1 From ed3eb616106ad512aa034f9d97bde012707cb30a Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 20:05:26 +0100 Subject: Add image with fuzzing process overview --- docs/resources/fuzzing_process_overview.drawio.svg | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 docs/resources/fuzzing_process_overview.drawio.svg (limited to 'docs') diff --git a/docs/resources/fuzzing_process_overview.drawio.svg b/docs/resources/fuzzing_process_overview.drawio.svg new file mode 100644 index 00000000..c46bfbbc --- /dev/null +++ b/docs/resources/fuzzing_process_overview.drawio.svg @@ -0,0 +1,4 @@ + + + +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From 52cae6d132b0cc678eba737a755f10e656a8fe86 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 22:35:11 +0100 Subject: Fix formatting and spelling --- docs/fuzzing_in_depth.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index ebafc892..b280ca0a 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -272,12 +272,12 @@ CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared ``` Note that if you are using the (better) afl-clang-lto compiler, you also have to -set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is +set `AR` to llvm-ar[-VERSION] and `RANLIB` to llvm-ranlib[-VERSION] - as is described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). -#### cmake +#### CMake -For `cmake` build systems, this is usually done by: +For CMake build systems, this is usually done by: ``` mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ .. @@ -287,9 +287,10 @@ Note that if you are using the (better) afl-clang-lto compiler you also have to set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is described in [instrumentation/README.lto.md](../instrumentation/README.lto.md). -#### meson +#### Meson Build System -For meson, you have to set the AFL++ compiler with the very first command! +For the Meson Build System, you have to set the AFL++ compiler with the very +first command! ``` CC=afl-cc CXX=afl-c++ meson 
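Review bot: the `@@ -287,9 +287,10 @@` hunk applies the `AR`/`RANLIB` backtick formatting only to the configure paragraph (done in the `@@ -272,12 +272,12 @@` hunk above), while the identical sentence in the CMake paragraph is left as plain text in this hunk's context lines: `set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is`. Apply the same change there so the two paragraphs stay consistent, and consider whether the new heading `#### Meson Build System` should match the shorter form used for `#### CMake`.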
@@ -297,12 +298,12 @@ CC=afl-cc CXX=afl-c++ meson #### Other build systems or if configure/cmake didn't work -Sometimes cmake and configure do not pick up the AFL++ compiler or the ranlib/ar -that is needed - because this was just not foreseen by the developer of the -target. Or they have non-standard options. Figure out if there is a non-standard -way to set this, otherwise set up the build normally and edit the generated -build environment afterwards manually to point it to the right compiler (and/or -ranlib and ar). +Sometimes `cmake` and `configure` do not pick up the AFL++ compiler or the +`RANLIB`/`AR` that is needed - because this was just not foreseen by the +developer of the target. Or they have non-standard options. Figure out if there +is a non-standard way to set this, otherwise set up the build normally and edit +the generated build environment afterwards manually to point it to the right +compiler (and/or `RANLIB` and `AR`). ### f) Better instrumentation @@ -621,7 +622,8 @@ done ``` You can run this manually, per cron job - as you need it. There is a more -complex and configurable script in `utils/distributed_fuzzing`. +complex and configurable script in +[utils/distributed_fuzzing](../utils/distributed_fuzzing). ### e) The status of the fuzz campaign -- cgit 1.4.1 From 5c7e84c5c8da8e1a3d9fe3c0ccaa93a321f685ed Mon Sep 17 00:00:00 2001 
From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 22:41:19 +0100 Subject: Add images --- docs/resources/0_fuzzing_process_overview.drawio.svg | 4 ++++ docs/resources/1_instrument_target.drawio.svg | 4 ++++ docs/resources/2_prepare_campaign.drawio.svg | 4 ++++ docs/resources/3_fuzz_target.drawio.svg | 4 ++++ docs/resources/4_manage_campaign.drawio.svg | 4 ++++ 5 files changed, 20 insertions(+) create mode 100644 docs/resources/0_fuzzing_process_overview.drawio.svg create mode 100644 docs/resources/1_instrument_target.drawio.svg create mode 100644 docs/resources/2_prepare_campaign.drawio.svg create mode 100644 docs/resources/3_fuzz_target.drawio.svg create mode 100644 docs/resources/4_manage_campaign.drawio.svg (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg new file mode 100644 index 00000000..7f45490c --- /dev/null +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -0,0 +1,4 @@ + + + +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg new file mode 100644 index 00000000..95afe77b --- /dev/null +++ b/docs/resources/1_instrument_target.drawio.svg @@ -0,0 +1,4 @@ + + + +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg new file mode 100644 index 00000000..44427908 --- /dev/null +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -0,0 +1,4 @@ + + + +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique

Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file

Use afl-tmin on input files.
Minimize corpus file...
Collect inputs

Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg new file mode 100644 index 00000000..dbe34a87 --- /dev/null +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -0,0 +1,4 @@ + + + +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg new file mode 100644 index 00000000..3263b5bd --- /dev/null +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -0,0 +1,4 @@ + + + +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From 2c144e88fb95c6d78dbd1925127645df4df26ff4 Mon Sep 17 00:00:00 2001 From: Jana Aydinbas <46303940+llzmb@users.noreply.github.com> Date: Sun, 12 Dec 2021 22:42:15 +0100 Subject: Delete fuzzing_process_overview.drawio.svg --- docs/resources/fuzzing_process_overview.drawio.svg | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 docs/resources/fuzzing_process_overview.drawio.svg (limited to 'docs') diff --git a/docs/resources/fuzzing_process_overview.drawio.svg b/docs/resources/fuzzing_process_overview.drawio.svg deleted file mode 100644 index c46bfbbc..00000000 --- a/docs/resources/fuzzing_process_overview.drawio.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From 57bc3c07018463ad6d069850be9f2bce5c450dd6 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 13 Dec 2021 15:45:41 +0100 Subject: fix qemu/unicorn oob --- docs/Changelog.md | 2 ++ src/afl-sharedmem.c | 3 +++ 2 files changed, 5 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index e9b62dc0..00502efe 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -34,6 +34,8 @@ sending a mail to . - better banner - more effective cmplog mode - more often update the UI when in input2stage mode + - qemu_mode/unicorn_mode: fixed OOB write when using libcompcov, + thanks to kotee4ko for reporting! - frida_mode: - better performance, bug fixes - David Carlier added Android support :) diff --git a/src/afl-sharedmem.c b/src/afl-sharedmem.c index 7fb8f821..09941d61 100644 --- a/src/afl-sharedmem.c +++ b/src/afl-sharedmem.c @@ -242,6 +242,9 @@ u8 *afl_shm_init(sharedmem_t *shm, size_t map_size, #else u8 *shm_str; + // handle qemu/unicorn compcov map overwrite + if (map_size == MAP_SIZE) { map_size += 8; } + shm->shm_id = shmget(IPC_PRIVATE, map_size, IPC_CREAT | IPC_EXCL | DEFAULT_PERMISSION); if (shm->shm_id < 0) { -- cgit 1.4.1 From 3a60f6a251210497f001673edefbe7a4e1627703 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Mon, 13 Dec 2021 18:03:02 +0100 Subject: Add image references, update image --- docs/README.md | 28 ++++++++++++++++++++-- .../0_fuzzing_process_overview.drawio.svg | 4 ++++ 2 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 docs/resources/0_fuzzing_process_overview.drawio.svg (limited to 'docs') diff --git a/docs/README.md b/docs/README.md index 22f86de1..2bd07bb6 100644 --- a/docs/README.md +++ b/docs/README.md 
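Review bot: in the src/afl-sharedmem.c hunk (`@@ -242,6 +242,9 @@`) the padding `if (map_size == MAP_SIZE) { map_size += 8; }` is added only in the `#else` branch that calls `shmget`; the allocation path above the `#else` is not touched, so either it needs the same adjustment or the comment should say why it does not. The equality test also means a caller that already passes a non-default map size gets no padding, and the comment `// handle qemu/unicorn compcov map overwrite` does not say where the 8 extra bytes come from or why 8 is enough; naming the constant and stating the libcompcov write size it covers would make the fix reviewable without reading qemu_mode.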
@@ -15,13 +15,37 @@ the [README.md of the repository](../README.md#quick-start-fuzzing-with-afl). For in-depth information on the steps of the fuzzing process, see [fuzzing_in_depth.md](fuzzing_in_depth.md) or click on the following -image to select a step. +image and select a step. -![Fuzzing process overview](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/fuzzing_process_overview.drawio.svg "Fuzzing process overview") +![Fuzzing process overview](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/0_fuzzing_process_overview.drawio.svg "Fuzzing process overview") For further information on instrumentation, see the [READMEs in the instrumentation/ folder](../instrumentation/). +### Instrumenting the target + +For more information, click on the following image and select a step. + +![Instrumenting the target](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/1_instrument_target.drawio.svg "Instrumenting the target") + +### Preparing the fuzzing campaign + +For more information, click on the following image and select a step. + +![Preparing the fuzzing campaign](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/2_prepare_campaign.drawio.svg "Preparing the fuzzing campaign") + +### Fuzzing the target + +For more information, click on the following image and select a step. + +![Fuzzing the target](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/3_fuzz_target.drawio.svg "Fuzzing the target") + +### Managing the fuzzing campaign + +For more information, click on the following image and select a step. + +![Managing the fuzzing campaign](https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/4_manage_campaign.drawio.svg "Managing the fuzzing campaign") + ## Fuzzing other targets To learn about fuzzing other targets, see: 
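Review bot: all five image references in the docs/README.md hunk are absolute `https://raw.githubusercontent.com/AFLplusplus/AFLplusplus/dev/docs/resources/...` URLs, so a README rendered from a release tag, a fork or a local checkout shows whatever is on `dev` at that moment rather than the SVGs committed next to it; relative paths such as `resources/0_fuzzing_process_overview.drawio.svg` keep the text and the diagrams in step. The instruction "click on the following image and select a step" also assumes the links embedded in the draw.io SVGs survive the image proxy of the rendering site, which is worth verifying before relying on it in four separate subsections.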
diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg new file mode 100644 index 00000000..f7c5c7c8 --- /dev/null +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -0,0 +1,4 @@ + + + +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From 9de3de6cdf4df87822cd77ce968380200fdddd26 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Mon, 13 Dec 2021 21:14:20 +0100 Subject: Update images --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- docs/resources/1_instrument_target.drawio.svg | 6 +++++- docs/resources/2_prepare_campaign.drawio.svg | 6 +++++- docs/resources/3_fuzz_target.drawio.svg | 6 +++++- docs/resources/4_manage_campaign.drawio.svg | 6 +++++- 5 files changed, 21 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index f7c5c7c8..0cccee6f 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 95afe77b..3b3502da 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,8 @@ -
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file +<<<<<<< HEAD +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
+======= +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
+>>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index 44427908..5f2ef991 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,4 +1,8 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique

Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file

Use afl-tmin on input files.
Minimize corpus file...
Collect inputs

Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file +<<<<<<< HEAD +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
+======= +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique

Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file

Use afl-tmin on input files.
Minimize corpus file...
Collect inputs

Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
+>>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index dbe34a87..9147b6e7 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,8 @@ -
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file +<<<<<<< HEAD +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
+======= +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
+>>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index 3263b5bd..d066cd21 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,8 @@ -
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
\ No newline at end of file +<<<<<<< HEAD +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
+======= +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
+>>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb -- cgit 1.4.1 From 83487415b1ba3f11a6a03516b20923e6278cb97a Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Mon, 13 Dec 2021 21:22:33 +0100 Subject: Fix images --- docs/resources/1_instrument_target.drawio.svg | 6 +----- docs/resources/2_prepare_campaign.drawio.svg | 6 +----- docs/resources/3_fuzz_target.drawio.svg | 6 +----- docs/resources/4_manage_campaign.drawio.svg | 6 +----- 4 files changed, 4 insertions(+), 20 deletions(-) (limited to 'docs') diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 3b3502da..9e2d8734 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,8 +1,4 @@ -<<<<<<< HEAD -
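Review bot: the hunks for docs/resources/1_instrument_target.drawio.svg, 2_prepare_campaign.drawio.svg, 3_fuzz_target.drawio.svg and 4_manage_campaign.drawio.svg in commit 9de3de6c commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb`) into the SVG files, which makes each file invalid XML and ships both versions of the diagram inside it; the conflict has to be resolved to one side before the change is merged (the follow-up commit 83487415 does this by keeping the HEAD side). Only the 0_fuzzing_process_overview.drawio.svg hunk of that commit is a clean one-for-one replacement.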
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
-======= -
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
->>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index 5f2ef991..92cc61c0 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,8 +1,4 @@ -<<<<<<< HEAD -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
-======= -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique

Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file

Use afl-tmin on input files.
Minimize corpus file...
Collect inputs

Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
->>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index 9147b6e7..a4e5c940 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,8 +1,4 @@ -<<<<<<< HEAD -
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
-======= -
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
->>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
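Review bot: the removed `-<<<<<<< HEAD`, `-=======` and `->>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb` lines show that unresolved merge-conflict markers had been committed into docs/resources/3_fuzz_target.drawio.svg, so the fix is right, but nothing here prevents a repeat. Running `git diff --check` before committing (it reports "leftover conflict marker") or wiring the same check into a pre-commit hook would catch this class of breakage in the rendered diagrams. Both conflict sides carry identical text nodes in this hunk, so either copy is a valid resolution; since only the text content is visible in the diff, please confirm the kept copy still renders (the trailing "Viewer does not support full SVG 1.1" is the draw.io fallback text and should stay).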
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index d066cd21..dae9fbf9 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,8 +1,4 @@ -<<<<<<< HEAD -
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
-======= -
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
->>>>>>> aceb1af908cd0d2b0b03cd23b917e59a18e7b0eb +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
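Review bot: same situation in docs/resources/4_manage_campaign.drawio.svg: the `-<<<<<<< HEAD` / `-=======` / `->>>>>>> aceb1af9...` lines mean the committed SVG was a broken merge artifact, and the hunk header `@@ -1,8 +1,4 @@` confirms the file collapses back to the single-line drawio export once the markers go. The two sides are textually identical here too, so the resolution is fine; the commit message ("rename path") does not mention this conflict cleanup, though, and a one-line note such as "also drop committed merge-conflict markers from two drawio SVGs" would make the history easier to audit.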
\ No newline at end of file -- cgit 1.4.1