From 5bcbb2f59affc411a1e8bb7ccaabaa5ba63e6596 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 9 Jul 2021 12:42:17 +0200 Subject: port custom mutator changes --- docs/custom_mutators.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md index 129d6676..110c4758 100644 --- a/docs/custom_mutators.md +++ b/docs/custom_mutators.md @@ -47,7 +47,7 @@ int afl_custom_post_trim(void *data, unsigned char success); size_t afl_custom_havoc_mutation(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, size_t max_size); unsigned char afl_custom_havoc_mutation_probability(void *data); unsigned char afl_custom_queue_get(void *data, const unsigned char *filename); -void afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue); +u8 afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue); const char* afl_custom_introspection(my_mutator_t *data); void afl_custom_deinit(void *data); ``` @@ -88,7 +88,7 @@ def queue_get(filename): return True def queue_new_entry(filename_new_queue, filename_orig_queue): - pass + return False def introspection(): return string @@ -156,6 +156,7 @@ def deinit(): # optional for Python - `queue_new_entry` (optional): This methods is called after adding a new test case to the queue. + If the contents of the file was changed return True, False otherwise. - `introspection` (optional): -- cgit 1.4.1 From 0daffb6283de80511c0cca416817725bd1a201e0 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 19 Jul 2021 11:15:51 +0200 Subject: 3.15a init --- docs/Changelog.md | 4 ++++ include/config.h | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index fcfd2ce8..3f3dc642 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -8,6 +8,10 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . +### Version ++3.15a (dev) + - ... + + ### Version ++3.14c (release) - afl-fuzz: - fix -F when a '/' was part of the parameter diff --git a/include/config.h b/include/config.h index 443cdc04..da74989e 100644 --- a/include/config.h +++ b/include/config.h @@ -26,7 +26,7 @@ /* Version string: */ // c = release, a = volatile github dev, e = experimental branch -#define VERSION "++3.14c" +#define VERSION "++3.15a" /****************************************************** * * -- cgit 1.4.1 From 3101e9c88df72755b461e82870879fbe9e7429fa Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 20 Jul 2021 11:10:58 +0200 Subject: add gramatron --- .gitmodules | 3 + custom_mutators/gramatron/JSONC_VERSION | 1 + custom_mutators/gramatron/Makefile | 7 -- custom_mutators/gramatron/README.md | 18 +-- .../gramatron/build_gramatron_mutator.sh | 140 +++++++++++++++++++++ custom_mutators/gramatron/gramfuzz-helpers.c | 6 +- custom_mutators/gramatron/gramfuzz-mutators.c | 11 +- custom_mutators/gramatron/gramfuzz.c | 4 +- custom_mutators/gramatron/gramfuzz.h | 2 + custom_mutators/gramatron/json-c | 1 + docs/Changelog.md | 2 +- 11 files changed, 164 insertions(+), 31 deletions(-) create mode 100644 custom_mutators/gramatron/JSONC_VERSION delete mode 100644 custom_mutators/gramatron/Makefile create mode 100755 custom_mutators/gramatron/build_gramatron_mutator.sh create mode 160000 custom_mutators/gramatron/json-c (limited to 'docs') diff --git a/.gitmodules b/.gitmodules index c787ec0e..6edefd72 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,6 @@ [submodule "qemu_mode/qemuafl"] path = qemu_mode/qemuafl url = https://github.com/AFLplusplus/qemuafl +[submodule "custom_mutators/gramatron/json-c"] + path = custom_mutators/gramatron/json-c + url = https://github.com/json-c/json-c 
diff --git a/custom_mutators/gramatron/JSONC_VERSION b/custom_mutators/gramatron/JSONC_VERSION new file mode 100644 index 00000000..7663833a --- /dev/null +++ b/custom_mutators/gramatron/JSONC_VERSION @@ -0,0 +1 @@ +af8dd4a307e7b837f9fa2959549548ace4afe08b diff --git a/custom_mutators/gramatron/Makefile b/custom_mutators/gramatron/Makefile deleted file mode 100644 index d24f3dd4..00000000 --- a/custom_mutators/gramatron/Makefile +++ /dev/null @@ -1,7 +0,0 @@ -all: gramatron.so - -gramatron.so: gramfuzz.c gramfuzz.h gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c hashmap.h test.c test.h utarray.h uthash.h - $(CC) -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c test.c -ljson-c - -clean: - rm -f gramatron.so diff --git a/custom_mutators/gramatron/README.md b/custom_mutators/gramatron/README.md index 6659cb95..91f93355 100644 --- a/custom_mutators/gramatron/README.md +++ b/custom_mutators/gramatron/README.md 
@@ -1,20 +1,15 @@ # GramaTron Gramatron is a coverage-guided fuzzer that uses grammar automatons to perform -grammar-aware fuzzing. Technical details about our framework are available in our -[ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). The artifact to reproduce the -experiments presented in our paper are present in `artifact/`. Instructions to run -a sample campaign and incorporate new grammars is presented below: +grammar-aware fuzzing. Technical details about our framework are available +in the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). +The artifact to reproduce the experiments presented in the paper are present +in `artifact/`. Instructions to run a sample campaign and incorporate new +grammars is presented below: # Compiling -- Install `json-c` -``` -git clone https://github.com/json-c/json-c.git -cd json-c && git reset --hard af8dd4a307e7b837f9fa2959549548ace4afe08b && sh autogen.sh && ./configure && make && make install -``` - -afterwards you can just `make` GrammaTron +Simply execute `./build_gramatron_mutator.sh` # Running @@ -48,4 +43,3 @@ Eg. ./preprocess/prep_automaton.sh ~/grammars/ruby/source.json PROGRAM Eg. ./test SanityCheck ~/grammars/ruby/source_automata.json ``` - diff --git a/custom_mutators/gramatron/build_gramatron_mutator.sh b/custom_mutators/gramatron/build_gramatron_mutator.sh new file mode 100755 index 00000000..c1cdf0e7 --- /dev/null +++ b/custom_mutators/gramatron/build_gramatron_mutator.sh 
@@ -0,0 +1,140 @@ +#!/bin/sh +# +# american fuzzy lop++ - gramatron build script +# ------------------------------------------------ +# +# Originally written by Nathan Voss +# +# Adapted from code by Andrew Griffiths and +# Michal Zalewski +# +# Adapted for AFLplusplus by Dominik Maier +# +# Copyright 2017 Battelle Memorial Institute. All rights reserved. +# Copyright 2019-2020 AFLplusplus Project. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# This script downloads, patches, and builds a version of Unicorn with +# minor tweaks to allow Unicorn-emulated binaries to be run under +# afl-fuzz. +# +# The modifications reside in patches/*. The standalone Unicorn library +# will be written to /usr/lib/libunicornafl.so, and the Python bindings +# will be installed system-wide. +# +# You must make sure that Unicorn Engine is not already installed before +# running this script. If it is, please uninstall it first. + +JSONC_VERSION="$(cat ./JSONC_VERSION)" +JSONC_REPO="https://github.com/json-c/json-c" + +echo "=================================================" +echo "Gramatron Mutator build script" +echo "=================================================" +echo + +echo "[*] Performing basic sanity checks..." + +PLT=`uname -s` + +if [ ! -f "../../config.h" ]; then + + echo "[-] Error: key files not found - wrong working directory?" 
+ exit 1 + +fi + +PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3` +MAKECMD=make +TARCMD=tar + +if [ "$PLT" = "Darwin" ]; then + CORES=`sysctl -n hw.ncpu` + TARCMD=tar +fi + +if [ "$PLT" = "FreeBSD" ]; then + MAKECMD=gmake + CORES=`sysctl -n hw.ncpu` + TARCMD=gtar +fi + +if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then + MAKECMD=gmake + CORES=`sysctl -n hw.ncpu` + TARCMD=gtar +fi + +PREREQ_NOTFOUND= +for i in git $MAKECMD $TARCMD; do + + T=`command -v "$i" 2>/dev/null` + + if [ "$T" = "" ]; then + + echo "[-] Error: '$i' not found. Run 'sudo apt-get install $i' or similar." + PREREQ_NOTFOUND=1 + + fi + +done + +test -z "$CC" && export CC=cc + +if echo "$CC" | grep -qF /afl-; then + + echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool." + PREREQ_NOTFOUND=1 + +fi + +if [ "$PREREQ_NOTFOUND" = "1" ]; then + exit 1 +fi + +echo "[+] All checks passed!" + +echo "[*] Making sure json-c is checked out" + +git status 1>/dev/null 2>/dev/null +if [ $? -eq 0 ]; then + echo "[*] initializing json-c submodule" + git submodule init || exit 1 + git submodule update ./json-c 2>/dev/null # ignore errors +else + echo "[*] cloning json-c" + test -d json-c || { + CNT=1 + while [ '!' -d json-c -a "$CNT" -lt 4 ]; do + echo "Trying to clone json-c (attempt $CNT/3)" + git clone "$JSONC_REPO" + CNT=`expr "$CNT" + 1` + done + } +fi + +test -d json-c || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; } +echo "[+] Got json-c." + +cd "json-c" || exit 1 +echo "[*] Checking out $JSONC_VERSION" +sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null +git checkout "$JSONC_VERSION" || exit 1 +sh autogen.sh || exit 1 +export CFLAGS=-fPIC +./configure --disable-shared || exit 1 +make || exit 1 +cd .. + +echo +echo +echo "[+] Json-c successfully prepared!" +echo "[+] Builing gramatron now." 
+$CC -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c json-c/.libs/libjson-c.a || exit 1 +echo +echo "[+] gramatron successfully built!" diff --git a/custom_mutators/gramatron/gramfuzz-helpers.c b/custom_mutators/gramatron/gramfuzz-helpers.c index f894c850..378a3d90 100644 --- a/custom_mutators/gramatron/gramfuzz-helpers.c +++ b/custom_mutators/gramatron/gramfuzz-helpers.c @@ -73,7 +73,7 @@ void concatPrefixFeature(Array *prefix, Array *feature) { // the recursive feature. Might want to fix it to choose a random number upper // bounded by a static value instead. terminal *featureptr; - int len = rand() % RECUR_THRESHOLD; + int len = rand_below(global_afl, RECUR_THRESHOLD); for (int x = 0; x < len; x++) { for (int y = 0; y < feature->used; y++) { @@ -149,7 +149,7 @@ Array *gen_input(state *pda, Array *input) { state_ptr = pda + curr_state; // Get a random trigger - randval = rand() % (state_ptr->trigger_len); + randval = rand_below(global_afl, state_ptr->trigger_len); trigger_ptr = (state_ptr->ptr) + randval; // Insert into the dynamic array @@ -187,7 +187,7 @@ Array *gen_input_count(state *pda, Array *input, int *mut_count) { state_ptr = pda + curr_state; // Get a random trigger - randval = rand() % (state_ptr->trigger_len); + randval = rand_below(global_afl, state_ptr->trigger_len); trigger_ptr = (state_ptr->ptr) + randval; // Insert into the dynamic array diff --git a/custom_mutators/gramatron/gramfuzz-mutators.c b/custom_mutators/gramatron/gramfuzz-mutators.c index 0255e1d0..0fc9c307 100644 --- a/custom_mutators/gramatron/gramfuzz-mutators.c +++ b/custom_mutators/gramatron/gramfuzz-mutators.c 
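Review bot: The header comment of build_gramatron_mutator.sh still describes the Unicorn build script it was copied from ("This script downloads, patches, and builds a version of Unicorn", "/usr/lib/libunicornafl.so", "make sure that Unicorn Engine is not already installed"), none of which this script does; it should be replaced by a short description of the actual steps — check out the json-c submodule (or clone it), pin it to the commit read from ./JSONC_VERSION, build it as a static library and link gramatron.so against json-c/.libs/libjson-c.a. Pinning json-c to the hash in JSONC_VERSION is the right supply-chain choice, but the `# ignore errors` on `git submodule update ./json-c` means a failed fetch is only detected later when `git checkout "$JSONC_VERSION"` fails, which deserves a comment at that line rather than silence. The final compile line still carries `-I/prg/dev/include`, a developer-specific path inherited from the deleted Makefile, and should drop it. `CORES` is computed on Darwin/FreeBSD/NetBSD/OpenBSD but never used (`make` runs serially) and `PYTHONBIN` is assigned but never read; both are dead code from the template.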
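Review bot: The new `rand_below(global_afl, …)` calls in concatPrefixFeature, gen_input and gen_input_count (and likewise all hunks in gramfuzz-mutators.c) make these helpers depend on the file-scope `global_afl`, which is only assigned in afl_custom_init; the dependency is invisible at the call sites and a NULL `global_afl` would presumably be dereferenced inside rand_below. Every caller already reaches these functions through `my_mutator_t *data`, which carries `data->afl`, so passing the afl state as an explicit parameter would avoid the global; failing that, a comment at the first use such as `// global_afl is set in afl_custom_init; these helpers must not run before it` should state the precondition. The values handed to rand_below (`RECUR_THRESHOLD`, `trigger_len`, `input->used`, `length`, `recurlen`) are signed ints; the original `rand() % 0` was undefined for an empty array, and whether a zero limit is now safe depends on how rand_below treats limits below 2, which should be confirmed against its definition in include/afl-fuzz.h. The enclosing functions all start outside the hunks.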
@@ -13,7 +13,7 @@ Array *performRandomMutation(state *pda, Array *input) { Array *sliced; // Get offset at which to generate new input and slice it - int idx = rand() % input->used; + int idx = rand_below(global_afl, input->used); sliced = slice(input, idx); // print_repr(sliced, "Slice"); @@ -58,7 +58,7 @@ Array *performSpliceOne(Array *originput, IdxMap_new *statemap_orig, int length = utarray_len(stateptr); if (length) { - int *splice_idx = (int *)utarray_eltptr(stateptr, rand() % length); + int *splice_idx = (int *)utarray_eltptr(stateptr, rand_below(global_afl, length)); ip.orig_idx = *splice_idx; ip.splice_idx = x; utarray_push_back(pairs, &ip); @@ -69,7 +69,7 @@ Array *performSpliceOne(Array *originput, IdxMap_new *statemap_orig, // Pick a random pair int length = utarray_len(pairs); - cand = (intpair_t *)utarray_eltptr(pairs, rand() % length); + cand = (intpair_t *)utarray_eltptr(pairs, rand_below(global_afl, length)); // printf("\n Orig_idx:%d Splice_idx:%d", cand->orig_idx, cand->splice_idx); // Perform the splicing @@ -162,7 +162,7 @@ UT_array **get_dupes(Array *input, int *recur_len) { Array *doMult(Array *input, UT_array **recur, int recurlen) { int offset = 0; - int idx = rand() % (recurlen); + int idx = rand_below(global_afl, recurlen); UT_array *recurMap = recur[idx]; UT_array *recurPtr; Array * prefix; @@ -225,14 +225,13 @@ void getTwoIndices(UT_array *recur, int recurlen, int *firstIdx, for (int i = offset - 1; i > 0; i--) { // Pick a random index from 0 to i - int j = rand() % (i + 1); + int j = rand_below(global_afl, i + 1); // Swap arr[i] with the element at random index swap(&ArrayRecurIndices[i], &ArrayRecurIndices[j]); } - // Get the first two indices *firstIdx = ArrayRecurIndices[0]; *secondIdx = ArrayRecurIndices[1]; diff --git a/custom_mutators/gramatron/gramfuzz.c b/custom_mutators/gramatron/gramfuzz.c index fd126ec0..d64d2fa9 100644 --- a/custom_mutators/gramatron/gramfuzz.c +++ b/custom_mutators/gramatron/gramfuzz.c 
@@ -125,7 +125,6 @@ state *create_pda(u8 *automaton_file) { my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { - srand(seed); my_mutator_t *data = calloc(1, sizeof(my_mutator_t)); if (!data) { @@ -142,6 +141,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) { } data->afl = afl; + global_afl = afl; // dirty data->seed = seed; data->mut_alloced = 0; @@ -211,7 +211,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size, } else if (data->mut_idx == 2) { // Perform splice mutation // we cannot use the supplied splice data so choose a new random file - u32 tid = rand() % data->afl->queued_paths; + u32 tid = rand_below(global_afl, data->afl->queued_paths); struct queue_entry *q = data->afl->queue_buf[tid]; // Read the input representation for the splice candidate diff --git a/custom_mutators/gramatron/gramfuzz.h b/custom_mutators/gramatron/gramfuzz.h index e6912074..1e599f0c 100644 --- a/custom_mutators/gramatron/gramfuzz.h +++ b/custom_mutators/gramatron/gramfuzz.h @@ -23,6 +23,8 @@ 3600 // Inputs that gave new coverage will be dumped every FLUSH_INTERVAL // seconds +afl_state_t *global_afl; + typedef struct trigger { char * id; diff --git a/custom_mutators/gramatron/json-c b/custom_mutators/gramatron/json-c new file mode 160000 index 00000000..af8dd4a3 --- /dev/null +++ b/custom_mutators/gramatron/json-c @@ -0,0 +1 @@ +Subproject commit af8dd4a307e7b837f9fa2959549548ace4afe08b diff --git a/docs/Changelog.md b/docs/Changelog.md index 3f3dc642..cb22c272 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,7 +9,7 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - ... + - added the very good grammar mutator "GramaTron" to the custom_mutators ### Version ++3.14c (release) -- cgit 1.4.1 From 53327f9ee7ee3d8643a5d67f213e19e6425595c7 Mon Sep 17 00:00:00 2001 
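Review bot: `afl_state_t *global_afl;` in gramfuzz.h is a tentative definition, not a declaration, so every translation unit that includes the header (gramfuzz.c, gramfuzz-helpers.c, gramfuzz-mutators.c) defines the same symbol; with the -fno-common default of GCC 10+ this links only because the build script passes `-Wl,--allow-multiple-definition`, a flag that also hides any genuine duplicate-symbol bug in the mutator. The header should carry `extern afl_state_t *global_afl;` and the single definition `afl_state_t *global_afl = NULL;` should live in gramfuzz.c next to the `global_afl = afl; // dirty` assignment in afl_custom_init (hunk @@ -142), after which the linker flag can be dropped. The `// dirty` comment would be more useful as `// shared with gramfuzz-helpers.c and gramfuzz-mutators.c, which call rand_below() without access to data->afl`. Removing `srand(seed)` leaves `data->seed = seed` without a visible consumer in these hunks; if nothing else reads it, the field can go too.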
From: vanhauser-thc Date: Tue, 20 Jul 2021 14:50:14 +0200 Subject: remove realpath dependency --- docs/INSTALL.md | 21 +++++++++++++++++++-- frida_mode/GNUmakefile | 2 +- frida_mode/many-linux/realpath | 2 -- 3 files changed, 20 insertions(+), 5 deletions(-) delete mode 100644 frida_mode/many-linux/realpath (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index fc57f546..f6c126a1 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -74,12 +74,29 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost. +`brew install wget git make llvm` + +Be sure to setup PATH to point to the correct clang binaries and use gmake, e.g.: + +``` +export PATH="/usr/local/Cellar/llvm/12.0.1/bin/:$PATH" +gmake +cd frida_mode +gmake +cd .. +gmake install +``` + afl-gcc will fail unless you have GCC installed, but that is using outdated instrumentation anyway. You don't want that. +Note that afl-clang-lto, afl-gcc-fast and qemu_mode are not working on MacOS. The crash reporting daemon that comes by default with MacOS X will cause -problems with fuzzing. You need to turn it off by following the instructions -provided here: http://goo.gl/CCcd5u +problems with fuzzing. You need to turn it off: +``` +launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist +sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist +``` The `fork()` semantics on OS X are a bit unusual compared to other unix systems and definitely don't look POSIX-compliant. This means two things: diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index fad183e1..6b17982d 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -1,5 +1,5 @@ PWD:=$(shell pwd)/ -ROOT:=$(shell realpath $(PWD)..)/ +ROOT:=$(PWD)../ INC_DIR:=$(PWD)include/ SRC_DIR:=$(PWD)src/ INCLUDES:=$(wildcard $(INC_DIR)*.h) 
diff --git a/frida_mode/many-linux/realpath b/frida_mode/many-linux/realpath deleted file mode 100644 index 1fdc49a7..00000000 --- a/frida_mode/many-linux/realpath +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -readlink -f -- "$@" -- cgit 1.4.1 From 4d7c23e2312236b20a61531c70df297a35455822 Mon Sep 17 00:00:00 2001 From: Max Kunzelmann Date: Wed, 21 Jul 2021 00:38:23 +0200 Subject: Fix typos (#1037) --- docs/env_variables.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/env_variables.md b/docs/env_variables.md index e058f377..cb0a68d7 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -372,7 +372,7 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_CUSTOM_MUTATOR_LIBRARY` to a shared library with afl_custom_fuzz() creates additional mutations through this library. - If afl-fuzz is compiled with Python (which is autodetected during builing + If afl-fuzz is compiled with Python (which is autodetected during building afl-fuzz), setting `AFL_PYTHON_MODULE` to a Python module can also provide additional mutations. If `AFL_CUSTOM_MUTATOR_ONLY` is also set, all mutations will solely be @@ -456,8 +456,8 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_MAX_DET_EXRAS` will change the threshold at what number of elements in the `-x` dictionary and LTO autodict (combined) the probabilistic mode will - kick off. In probabilistic mode not all dictionary entires will be used all - of the times for fuzzing mutations to not slow down fuzzing. + kick off. In probabilistic mode, not all dictionary entries will be used all + of the time for fuzzing mutations to not slow down fuzzing. The default count is `200` elements. So for the 200 + 1st element, there is a 1 in 201 chance, that one of the dictionary entries will not be used directly. -- cgit 1.4.1 From 60cbe5b4bec445438718d27dc0cfda6a4d5de81e Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Wed, 21 Jul 2021 09:55:22 +0200 Subject: optimin nits --- custom_mutators/grammar_mutator/grammar_mutator | 2 +- docs/Changelog.md | 5 +- qemu_mode/qemuafl | 2 +- unicorn_mode/unicornafl | 2 +- utils/optimin/README.md | 49 +++++++++++----- utils/optimin/build_optimin.sh | 7 ++- utils/optimin/src/OptiMin.cpp | 75 +++++++++++++++++++++++++ utils/optimin/src/ProgressBar.h | 13 +++++ 8 files changed, 133 insertions(+), 22 deletions(-) (limited to 'docs') diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator index b3c4fcfa..b79d51a8 160000 --- a/custom_mutators/grammar_mutator/grammar_mutator +++ b/custom_mutators/grammar_mutator/grammar_mutator @@ -1 +1 @@ -Subproject commit b3c4fcfa6ae28918bc410f7747135eafd4fb7263 +Subproject commit b79d51a8daccbd7a693f9b6765c81ead14f28e26 diff --git a/docs/Changelog.md b/docs/Changelog.md index cb22c272..d81fdf49 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,7 +9,10 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) - - added the very good grammar mutator "GramaTron" to the custom_mutators + - added the very good grammar mutator "GramaTron" to the + custom_mutators + - added optimin, a faster and better corpus minimizer by + Adrian Herrera. Thank you! ### Version ++3.14c (release) diff --git a/qemu_mode/qemuafl b/qemu_mode/qemuafl index 21ff3438..a6758d1c 160000 --- a/qemu_mode/qemuafl +++ b/qemu_mode/qemuafl @@ -1 +1 @@ -Subproject commit 21ff34383764a8c6f66509b3b8d5282468c721e1 +Subproject commit a6758d1cc3e4dde88fca3f0b3a903581b7c8b2e5 diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0d82727f..019b8715 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0d82727f2b477de82fa355edef9bc158bd25d374 +Subproject commit 019b871539fe9ed3f41d882385a8b02c243d49ad 
diff --git a/utils/optimin/README.md b/utils/optimin/README.md index 5001b59d..ec9c4b0a 100644 --- a/utils/optimin/README.md +++ b/utils/optimin/README.md 
@@ -10,27 +10,46 @@ heuristic and/or greedy algorithms to identify these functionally distinct files. This means that minimized corpora are generally much smaller than those produced by other tools. -## Usage +## Building -To build the `optimin` executable (when cloned from github): +To build the `optimin` just execute the `build_optimin.sh` script. -```bash -# Ensure EvalMaxSAT is available -git submodule init -git submodule update +## Running -mkdir build -cd build +Running `optimin` is the same as running `afl-cmin`: -# You may have to specify -DLLVM_DIR=`llvm-config --cmakedir` if you have a -# non-standard LLVM install (e.g., install via apt) -cmake .. -make -j -make install +``` +Required parameters: + -i dir - input directory with starting corpus + -o dir - output directory for minimized files + +Execution control settings: + -f file - location read by the fuzzed program (stdin) + -m megs - memory limit for child process (none MB) + -t msec - run time limit for child process (none) + -O - use binary-only instrumentation (FRIDA mode) + -Q - use binary-only instrumentation (QEMU mode) + -U - use unicorn-based instrumentation (unicorn mode) + +Minimization settings: + -C - keep crashing inputs, reject everything else + -e - solve for edge coverage only, ignore hit counts + +For additional tips, please consult README.md + +Environment variables used: +AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp +AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash +AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the forkserver to come up +AFL_KEEP_TRACES: leave the temporary /.traces directory +AFL_KILL_SIGNAL: Signal delivered to child processes on timeout (default: SIGKILL) +AFL_NO_FORKSRV: run target via execve instead of using the forkserver +AFL_PATH: path for the afl-showmap binary if not found anywhere in PATH +AFL_PRINT_FILENAMES: If set, the filename currently processed will be printed to stdout +AFL_SKIP_BIN_CHECK: 
skip afl instrumentation checks for target binary ``` -Otherwise, run the `build_optimin.sh` script. Running `optimin` is the same as -running `afl-cmin`. +Example: `optimin -i files -o seeds -- ./target @@` ### Weighted Minimizations diff --git a/utils/optimin/build_optimin.sh b/utils/optimin/build_optimin.sh index 7397aa45..9480f966 100755 --- a/utils/optimin/build_optimin.sh +++ b/utils/optimin/build_optimin.sh @@ -122,9 +122,10 @@ echo echo "[+] EvalMaxSAT successfully prepared!" echo "[+] Building OptiMin now." mkdir -p build -cd build -cmake .. -DLLVM_DIR=`$LLVM_CONFIG --cmakedir` -make -j$CORES +cd build || exit 1 +cmake .. -DLLVM_DIR=`$LLVM_CONFIG --cmakedir` || exit 1 +make -j$CORES || exit 1 cd .. echo +cp -fv build/src/optimin . || exit 1 echo "[+] OptiMin successfully built!" diff --git a/utils/optimin/src/OptiMin.cpp b/utils/optimin/src/OptiMin.cpp index e02fcbe5..4fbf3416 100644 --- a/utils/optimin/src/OptiMin.cpp +++ b/utils/optimin/src/OptiMin.cpp @@ -33,16 +33,20 @@ namespace { /// Ensure seed weights default to 1 class Weight { + public: Weight() : Weight(1){}; Weight(uint32_t V) : Value(V){}; operator unsigned() const { + return Value; + } private: const unsigned Value; + }; // -------------------------------------------------------------------------- // @@ -89,16 +93,27 @@ static std::string AFLShowmapPath; static bool TargetArgsHasAtAt = false; static const auto ErrMsg = [] { + return WithColor(errs(), HighlightColor::Error) << "[-] "; + }; + static const auto WarnMsg = [] { + return WithColor(errs(), HighlightColor::Warning) << "[-] "; + }; + static const auto SuccMsg = [] { + return WithColor(outs(), HighlightColor::String) << "[+] "; + }; + static const auto StatMsg = [] { + return WithColor(outs(), HighlightColor::Remark) << "[*] "; + }; static cl::opt CorpusDir("i", cl::desc("Input directory"), 
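Review bot: `make -j$CORES || exit 1` expands to a bare `make -j` when `CORES` is empty, which lets GNU make spawn an unbounded number of jobs; `CORES` is assigned outside this hunk, and in the sibling gramatron build script of this series it is only set on Darwin and the BSDs, so if build_optimin.sh shares that prelude a Linux build hits this path. A bounded default such as `make -j"${CORES:-1}" || exit 1`, or computing `CORES` from `nproc` when it is unset, keeps the newly added `|| exit 1` checks meaningful. The trailing `cd ..` remains unchecked, unlike the new `cd build || exit 1`; it only affects the following `cp -fv build/src/optimin .`, whose own `|| exit 1` would then fail loudly, so it is a consistency nit rather than a correctness issue. The enclosing script starts outside the hunk.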
@@ -124,6 +139,7 @@ static cl::opt Timeout( static cl::opt CrashMode( "C", cl::desc("Keep crashing inputs, reject everything else")); static cl::opt QemuMode("Q", cl::desc("Use binary-only instrumentation")); + } // anonymous namespace // -------------------------------------------------------------------------- // @@ -131,24 +147,33 @@ static cl::opt QemuMode("Q", cl::desc("Use binary-only instrumentation")); // -------------------------------------------------------------------------- // static void GetWeights(const MemoryBuffer &MB, WeightsMap &Weights) { + SmallVector Lines; MB.getBuffer().trim().split(Lines, '\n'); unsigned Weight = 0; for (const auto &Line : Lines) { + const auto &[Seed, WeightStr] = Line.split(','); if (to_integer(WeightStr, Weight, 10)) { + Weights.try_emplace(Seed, Weight); + } else { + WarnMsg() << "Failed to read weight for `" << Seed << "`. Skipping...\n"; + } + } + } [[nodiscard]] static std::error_code getAFLCoverage(const StringRef Seed, AFLCoverageVector &Cov) { + Optional Redirects[] = {None, None, None}; std::error_code EC; @@ -159,6 +184,7 @@ static void GetWeights(const MemoryBuffer &MB, WeightsMap &Weights) { // Prepare afl-showmap arguments SmallVector AFLShowmapArgs{ + AFLShowmapPath, "-m", MemLimit, "-t", Timeout, "-q", "-o", OutputPath}; if (TargetArgsHasAtAt) @@ -180,8 +206,10 @@ static void GetWeights(const MemoryBuffer &MB, WeightsMap &Weights) { // Parse afl-showmap output const auto CovOrErr = MemoryBuffer::getFile(OutputPath); if (EC = CovOrErr.getError()) { + sys::fs::remove(OutputPath); return EC; + } SmallVector Lines; 
@@ -191,21 +219,27 @@ static void GetWeights(const MemoryBuffer &MB, WeightsMap &Weights) { unsigned Freq = 0; for (const auto &Line : Lines) { + const auto &[EdgeStr, FreqStr] = Line.split(':'); to_integer(EdgeStr, Edge, 10); to_integer(FreqStr, Freq, 10); Cov.push_back({Edge, Freq}); + } return sys::fs::remove(OutputPath); + } static inline void StartTimer(bool ShowProgBar) { + StartTime = std::chrono::system_clock::now(); + } static inline void EndTimer(bool ShowProgBar) { + EndTime = std::chrono::system_clock::now(); Duration = std::chrono::duration_cast(EndTime - StartTime); @@ -214,6 +248,7 @@ static inline void EndTimer(bool ShowProgBar) { outs() << '\n'; else outs() << Duration.count() << "s\n"; + } // -------------------------------------------------------------------------- // @@ -221,6 +256,7 @@ static inline void EndTimer(bool ShowProgBar) { // -------------------------------------------------------------------------- // int main(int argc, char *argv[]) { + WeightsMap Weights; ProgressBar ProgBar; std::error_code EC; @@ -234,8 +270,10 @@ int main(int argc, char *argv[]) { cl::ParseCommandLineOptions(argc, argv, "Optimal corpus minimizer"); if (!sys::fs::is_directory(OutputDir)) { + ErrMsg() << "Invalid output directory `" << OutputDir << "`\n"; return 1; + } for (const auto &Arg : TargetArgs) @@ -247,9 +285,12 @@ int main(int argc, char *argv[]) { const auto AFLShowmapOrErr = sys::findProgramByName("afl-showmap"); if (AFLShowmapOrErr.getError()) { + ErrMsg() << "Failed to find afl-showmap. Check your PATH\n"; return 1; + } + AFLShowmapPath = *AFLShowmapOrErr; // ------------------------------------------------------------------------ // 
@@ -260,19 +301,23 @@ int main(int argc, char *argv[]) { // ------------------------------------------------------------------------ // if (WeightsFile != "") { + StatMsg() << "Reading weights from `" << WeightsFile << "`... "; StartTimer(/*ShowProgBar=*/false); const auto WeightsOrErr = MemoryBuffer::getFile(WeightsFile); if (EC = WeightsOrErr.getError()) { + ErrMsg() << "Failed to read weights from `" << WeightsFile << "`: " << EC.message() << '\n'; return 1; + } GetWeights(*WeightsOrErr.get(), Weights); EndTimer(/*ShowProgBar=*/false); + } // ------------------------------------------------------------------------ // @@ -289,20 +334,26 @@ int main(int argc, char *argv[]) { for (sys::fs::directory_iterator Dir(CorpusDir, EC), DirEnd; Dir != DirEnd && !EC; Dir.increment(EC)) { + if (EC) { + ErrMsg() << "Failed to traverse corpus directory `" << CorpusDir << "`: " << EC.message() << '\n'; return 1; + } const auto &Path = Dir->path(); if (EC = sys::fs::status(Path, Status)) { + WarnMsg() << "Failed to access seed file `" << Path << "`: " << EC.message() << ". Skipping...\n"; continue; + } switch (Status.type()) { + case sys::fs::file_type::regular_file: case sys::fs::file_type::symlink_file: case sys::fs::file_type::type_unknown: @@ -310,7 +361,9 @@ int main(int argc, char *argv[]) { default: /* Ignore */ break; + } + } EndTimer(/*ShowProgBar=*/false); @@ -336,12 +389,15 @@ int main(int argc, char *argv[]) { AFLCoverageVector Cov; for (const auto &SeedFile : SeedFiles) { + // Execute seed Cov.clear(); if (EC = getAFLCoverage(SeedFile, Cov)) { + ErrMsg() << "Failed to get coverage for seed " << SeedFile << ": " << EC.message() << '\n'; return 1; + } // Create a variable to represent the seed 
@@ -350,18 +406,25 @@ int main(int argc, char *argv[]) { // Record the set of seeds that cover a particular edge for (const auto &[Edge, Freq] : Cov) { + if (EdgesOnly) { + // Ignore edge frequency SeedCoverage[Edge].insert(Var); + } else { + // Executing edge `E` `N` times means that it was executed `N - 1` times for (unsigned I = 0; I < Freq; ++I) SeedCoverage[MAX_EDGE_FREQ * Edge + I].insert(Var); + } + } if ((++SeedCount % 10 == 0) && ShowProgBar) ProgBar.update(SeedCount * 100 / NumSeeds, "Generating seed coverage"); + } EndTimer(ShowProgBar); @@ -379,6 +442,7 @@ int main(int argc, char *argv[]) { // (hard constraint) std::vector Clauses; for (const auto &[_, Seeds] : SeedCoverage) { + if (Seeds.empty()) continue; Clauses.clear(); @@ -390,6 +454,7 @@ int main(int argc, char *argv[]) { if ((++SeedCount % 10 == 0) && ShowProgBar) ProgBar.update(SeedCount * 100 / SeedCoverage.size(), "Generating clauses"); + } // Select the minimum number of seeds that cover a particular set of edges @@ -420,12 +485,16 @@ int main(int argc, char *argv[]) { SmallString<32> OutputSeed; if (Solved) { + for (const auto &[Var, Seed] : SeedVars) if (Solver.getValue(Var) > 0) Solution.push_back(Seed); + } else { + ErrMsg() << "Failed to find an optimal solution for `" << CorpusDir << "`\n"; return 1; + } SuccMsg() << "Minimized corpus size: " << Solution.size() << " seeds\n"; @@ -436,20 +505,26 @@ int main(int argc, char *argv[]) { SeedCount = 0; for (const auto &Seed : Solution) { + OutputSeed = OutputDir; sys::path::append(OutputSeed, sys::path::filename(Seed)); if (EC = sys::fs::copy_file(Seed, OutputSeed)) { + WarnMsg() << "Failed to copy `" << Seed << "` to `" << OutputDir << "`: " << EC.message() << '\n'; + } if ((++SeedCount % 10 == 0) && ShowProgBar) ProgBar.update(SeedCount * 100 / Solution.size(), "Copying seeds"); + } EndTimer(ShowProgBar); SuccMsg() << "Done!\n"; return 0; + } + 
diff --git a/utils/optimin/src/ProgressBar.h b/utils/optimin/src/ProgressBar.h index 2f8d7403..9b75594b 100644 --- a/utils/optimin/src/ProgressBar.h +++ b/utils/optimin/src/ProgressBar.h @@ -11,6 +11,7 @@ /// Display a progress bar in the terminal class ProgressBar { + private: const size_t BarWidth; const std::string Fill; @@ -18,14 +19,17 @@ class ProgressBar { public: ProgressBar() : ProgressBar(60, "#", " ") { + } ProgressBar(size_t Width, const llvm::StringRef F, const llvm::StringRef R) : BarWidth(Width), Fill(F), Remainder(R) { + } void update(float Progress, const llvm::StringRef Status = "", llvm::raw_ostream &OS = llvm::outs()) { + // No need to write once progress is 100% if (Progress > 100.0f) return; @@ -39,11 +43,17 @@ class ProgressBar { const auto Completed = static_cast(Progress * static_cast(BarWidth) / 100.0); for (size_t I = 0; I < BarWidth; ++I) { + if (I <= Completed) { + OS << Fill; + } else { + OS << Remainder; + } + } // End bar @@ -54,5 +64,8 @@ class ProgressBar { // Write status text OS << " " << Status; + } + }; + -- cgit 1.4.1 From 549b01e68b7ff25e87a1b81a70721dc231882034 Mon Sep 17 00:00:00 2001 From: yuawn Date: Wed, 21 Jul 2021 10:29:51 +0000 Subject: fix links in FAQ.md --- docs/FAQ.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 0f447044..8e5b5535 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -58,8 +58,8 @@ Solution: `git pull ; make clean install` of afl++ ## How to improve the fuzzing speed? - 1. Use [llvm_mode](docs/llvm_mode/README.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) - 2. Use [persistent mode](llvm_mode/README.persistent_mode.md) (x2-x20 speed increase) + 1. Use [llvm_mode](/instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) + 2. Use [persistent mode](/instrumentation/README.persistent_mode.md) (x2-x20 speed increase) 3. Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase) 4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md) 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure) @@ -77,7 +77,7 @@ Using a network channel is inadequate for several reasons: The established method to fuzz network services is to modify the source code to read from a file or stdin (fd 0) (or even faster via shared memory, combine -this with persistent mode [llvm_mode/README.persistent_mode.md](llvm_mode/README.persistent_mode.md) +this with persistent mode [instrumentation/README.persistent_mode.md](/instrumentation/README.persistent_mode.md) and you have a performance gain of x10 instead of a performance loss of over x10 - that is a x100 difference!). 
@@ -197,7 +197,7 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. b) For PCGUARD instrumented binaries it is much more difficult. Here you can either modify the __sanitizer_cov_trace_pc_guard function in - llvm_mode/afl-llvm-rt.o.c to write a backtrace to a file if the ID in + instrumentation/afl-llvm-rt.o.c to write a backtrace to a file if the ID in __afl_area_ptr[*guard] is one of the unstable edge IDs. (Example code is already there). Then recompile and reinstall llvm_mode and rebuild your target. @@ -225,7 +225,7 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. remove from instrumentation, or just specify the functions you want to skip for instrumentation. Note that optimization might inline functions! - Simply follow this document on how to do this: [llvm_mode/README.instrument_list.md](llvm_mode/README.instrument_list.md) + Simply follow this document on how to do this: [instrumentation/README.instrument_list.md](/instrumentation/README.instrument_list.md) If PCGUARD is used, then you need to follow this guide (needs llvm 12+!): [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) -- cgit 1.4.1 From 3e00184c9a5ce160629ab2bf33e63451e3635f51 Mon Sep 17 00:00:00 2001 From: yuawn Date: Wed, 21 Jul 2021 13:29:54 +0000 Subject: update relative path --- docs/FAQ.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 8e5b5535..0eeea1c5 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -58,8 +58,8 @@ Solution: `git pull ; make clean install` of afl++ ## How to improve the fuzzing speed? - 1. Use [llvm_mode](/instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) - 2. Use [persistent mode](/instrumentation/README.persistent_mode.md) (x2-x20 speed increase) + 1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) + 2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase) 3. Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase) 4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md) 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure) @@ -77,7 +77,7 @@ Using a network channel is inadequate for several reasons: The established method to fuzz network services is to modify the source code to read from a file or stdin (fd 0) (or even faster via shared memory, combine -this with persistent mode [instrumentation/README.persistent_mode.md](/instrumentation/README.persistent_mode.md) +this with persistent mode [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) and you have a performance gain of x10 instead of a performance loss of over x10 - that is a x100 difference!). 
@@ -225,7 +225,7 @@ afl-clang-fast PCGUARD and afl-clang-lto LTO instrumentation. remove from instrumentation, or just specify the functions you want to skip for instrumentation. Note that optimization might inline functions! - Simply follow this document on how to do this: [instrumentation/README.instrument_list.md](/instrumentation/README.instrument_list.md) + Simply follow this document on how to do this: [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) If PCGUARD is used, then you need to follow this guide (needs llvm 12+!): [http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation](http://clang.llvm.org/docs/SanitizerCoverage.html#partially-disabling-instrumentation) -- cgit 1.4.1 From 183d9a3f07acf0ab9bb28359c2c0852eab8e7c10 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 22 Jul 2021 15:16:04 +0200 Subject: MacOS nits --- GNUmakefile | 14 +++++++++++++- GNUmakefile.llvm | 4 +++- docs/INSTALL.md | 7 +++++-- utils/optimin/src/OptiMin.cpp | 4 ++-- 4 files changed, 23 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/GNUmakefile b/GNUmakefile index 7a1ba88a..e4f486fe 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -315,7 +315,9 @@ llvm: .PHONY: gcc_plugin gcc_plugin: +ifneq "$(SYS)" "Darwin" -$(MAKE) -f GNUmakefile.gcc_plugin +endif .PHONY: man man: $(MANPAGES) 
@@ -561,7 +563,7 @@ all_done: test_build .PHONY: clean clean: - rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand + rm -rf $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand *.dSYM -$(MAKE) -f GNUmakefile.llvm clean -$(MAKE) -f GNUmakefile.gcc_plugin clean $(MAKE) -C utils/libdislocator clean @@ -595,15 +597,19 @@ endif .PHONY: distrib distrib: all -$(MAKE) -j -f GNUmakefile.llvm +ifneq "$(SYS)" "Darwin" -$(MAKE) -f GNUmakefile.gcc_plugin +endif $(MAKE) -C utils/libdislocator $(MAKE) -C utils/libtokencap $(MAKE) -C utils/afl_network_proxy $(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/argv_fuzzing -$(MAKE) -C frida_mode +ifneq "$(SYS)" "Darwin" -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh +endif .PHONY: binary-only binary-only: test_shm test_python ready $(PROGS) 
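Review bot: The `clean` recipe switches from `rm -f` to `rm -rf` over the entire pre-existing file list, so the recursive flag now also applies to every old glob and bare name in it (`*.so`, `ld`, `as`, `core.[1-9][0-9]*`), not only to the new `*.dSYM` bundles, and a directory that happens to match one of those names would be removed without notice. Keep the original `rm -f ...` line unchanged and add the bundle cleanup as its own step, `rm -rf *.dSYM`, so the recursive delete is limited to what this change needs. The `clean` recipe continues past the end of the hunk.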
@@ -613,13 +619,17 @@ binary-only: test_shm test_python ready $(PROGS) $(MAKE) -C utils/socket_fuzzing $(MAKE) -C utils/argv_fuzzing -$(MAKE) -C frida_mode +ifneq "$(SYS)" "Darwin" -cd qemu_mode && sh ./build_qemu_support.sh -cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh +endif .PHONY: source-only source-only: all -$(MAKE) -j -f GNUmakefile.llvm +ifneq "$(SYS)" "Darwin" -$(MAKE) -f GNUmakefile.gcc_plugin +endif $(MAKE) -C utils/libdislocator $(MAKE) -C utils/libtokencap @@ -662,7 +672,9 @@ install: all $(MANPAGES) @if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi @if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi -$(MAKE) -f GNUmakefile.llvm install +ifneq "$(SYS)" "Darwin" -$(MAKE) -f GNUmakefile.gcc_plugin install +endif ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-g++ ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 83eb91a9..a6f646f3 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -53,7 +53,7 @@ LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9] LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null) LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null) LLVM_STDCXX = gnu++11 -LLVM_APPLE_XCODE = $(shell clang -v 2>&1 | grep -q Apple && echo 1 || echo 0) +LLVM_APPLE_XCODE = $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0) LLVM_LTO = 0 ifeq "$(LLVMVER)" "" @@ -279,6 +279,8 @@ CLANG_LFL = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS) # User teor2345 reports that this is required to make things work on MacOS X. ifeq "$(SYS)" "Darwin" CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress + override LLVM_HAVE_LTO := 0 + override LLVM_LTO := 0 else CLANG_CPPFL += -Wl,-znodelete endif 
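Review bot: The two new `override LLVM_HAVE_LTO := 0` and `override LLVM_LTO := 0` lines in the `GNUmakefile.llvm` Darwin branch force LTO off even when `llvm-config` reported support, but neither the hunk nor the commit subject "MacOS nits" says why, and `override` also silently discards an `LLVM_LTO=1` given on the command line. Add a comment above them stating the actual reason, e.g. `# LTO mode is not usable on macOS; force it off even if llvm-config reports LTO support` (replace with the real justification if it is something else), so the next reader does not try to remove the override. The change of `LLVM_APPLE_XCODE` from a literal `clang` to `$(CC)` is reasonable, but note that it now depends on `CC` pointing at the compiler the user intends to build with, which is what the `docs/INSTALL.md` hunk in this commit instructs.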
diff --git a/docs/INSTALL.md b/docs/INSTALL.md index f6c126a1..b3f9fb96 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -74,12 +74,15 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost. -`brew install wget git make llvm` +`brew install wget git make cmake llvm` -Be sure to setup PATH to point to the correct clang binaries and use gmake, e.g.: +Be sure to setup PATH to point to the correct clang binaries and use the +freshly installed clang, clang++ and gmake, e.g.: ``` export PATH="/usr/local/Cellar/llvm/12.0.1/bin/:$PATH" +export CC=clang +export CXX=clang++ gmake cd frida_mode gmake diff --git a/utils/optimin/src/OptiMin.cpp b/utils/optimin/src/OptiMin.cpp index 4fbf3416..b82acbb6 100644 --- a/utils/optimin/src/OptiMin.cpp +++ b/utils/optimin/src/OptiMin.cpp @@ -134,8 +134,8 @@ static cl::opt MemLimit( "m", cl::desc("Memory limit for child process (default=none)"), cl::value_desc("megs"), cl::init("none")); static cl::opt Timeout( - "t", cl::desc("Run time limit for child process (default=none)"), - cl::value_desc("msec"), cl::init("none")); + "t", cl::desc("Run time limit for child process (default=5000)"), + cl::value_desc("msec"), cl::init("4000")); static cl::opt CrashMode( "C", cl::desc("Keep crashing inputs, reject everything else")); static cl::opt QemuMode("Q", cl::desc("Use binary-only instrumentation")); -- cgit 1.4.1 From 4d55a427f07ba61d4f784b14bb1e6bb309781e9c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 23 Jul 2021 09:06:18 +0200 Subject: afl-persistent-config Linux support + documentation --- GNUmakefile | 2 +- README.md | 7 +++ afl-persistent-config | 153 +++++++++++++++++++++++++++++++++++++------------- afl-system-config | 6 +- docs/Changelog.md | 3 + docs/perf_tips.md | 1 + 6 files changed, 129 insertions(+), 43 deletions(-) (limited to 'docs') 
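Review bot: The new `Timeout` option in `OptiMin.cpp` describes its default as `(default=5000)` while `cl::init("4000")` sets 4000, so the `-help` text and the actual default disagree. Make the two lines agree, e.g. `"t", cl::desc("Run time limit for child process (default=4000)"),` with `cl::value_desc("msec"), cl::init("4000"));`, or change the init value to `"5000"` if that is the intended default. Because the value stays a string (the previous default was `"none"`), presumably handed through to afl-showmap rather than parsed here, nothing checks it is a number; a short comment that the unit is milliseconds and that the string is passed on unvalidated would help the reader.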
diff --git a/GNUmakefile b/GNUmakefile index e4f486fe..bf642b9a 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -32,7 +32,7 @@ VERSION = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f # PROGS intentionally omit afl-as, which gets installed elsewhere. PROGS = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze -SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config +SH_PROGS = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config afl-persistent-config MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8 ASAN_OPTIONS=detect_leaks=0 diff --git a/README.md b/README.md index 8fcc31ff..35f6c278 100644 --- a/README.md +++ b/README.md @@ -623,6 +623,13 @@ system for optimal speed - which afl-fuzz checks and bails otherwise. Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot run afl-system-config with root privileges on the host for whatever reason. +Note there is also `sudo afl-persistent-config` which sets additional permanent +boot options for a much better fuzzing performance. + +Note that both scripts improve your fuzzing performance but also decrease your +system protection against attacks! So set strong firewall rules and only +expose SSH as a network service if you use these (which is highly recommended). + If you have an input corpus from step 2 then specify this directory with the `-i` option. Otherwise create a new directory and create a file with any content as test data in there. diff --git a/afl-persistent-config b/afl-persistent-config index 3c280e55..a6b05e07 100755 --- a/afl-persistent-config +++ b/afl-persistent-config 
@@ -2,58 +2,131 @@ # written by jhertz # -PLATFORM=`uname -s` +test "$1" = "-h" -o "$1" = "-hh" && { + echo 'afl-persistent-config' + echo + echo $0 + echo + echo afl-persistent-config has no command line options + echo + echo afl-persistent-config permanently reconfigures the system to a high performance fuzzing state. + echo "WARNING: this reduces the security of the system!" + echo + echo Note that there is also afl-system-config which sets additional runtime + echo configuration options. + exit 0 +} +echo +echo "WARNING: This scripts makes permanent configuration changes to the system to" +echo " increase the performance for fuzzing. As a result, the system also" +echo " becomes less secure against attacks! If you use this script, setup" +echo " strong firewall rules and only make SSH available as a network" +echo " service!" +echo +echo -n "Type \"YES\" to continue: " +read ANSWER +if [[ "$ANSWER" != "YES" ]]; then + echo Input was not YES, aborting ... + exit 1 +fi + +echo +PLATFORM=`uname -s` # check that we're on Mac -if [[ ! "$PLATFORM" = "Darwin" ]] ; then - echo "This script is for Mac OS" - exit 1 -fi +if [[ "$PLATFORM" = "Darwin" ]] ; then -# check if UID == 0 -if [[ $EUID -ne 0 ]]; then - echo "You really should be root to do this" - exit 1 -fi + # check if UID == 0 + if [[ "$EUID" -ne 0 ]]; then + echo "You need to be root to do this. E.g. use \"sudo\"" + exit 1 + fi -# check if SIP is disabled -if [[ ! $(csrutil status | grep "disabled") ]]; then - echo "SIP needs to be disabled" - exit 1 -fi + # check if SIP is disabled + if [[ ! $(csrutil status | grep "disabled") ]]; then + echo "SIP needs to be disabled. Restart and press Command-R at reboot, Utilities => Terminal => enter \"csrutil disable\"" + exit 1 + fi -echo "Okay cool, checks passed" + echo "Checks passed." 
-echo "Installing plist" + echo "Installing /Library/LaunchDaemons/shm_setup.plist" -cat << EOF > /Library/LaunchDaemons/shm_setup.plist + cat << EOF > /Library/LaunchDaemons/shm_setup.plist - - Label - shmemsetup - UserName - root - GroupName - wheel - ProgramArguments - - /usr/sbin/sysctl - -w - kern.sysv.shmmax=268435456 - kern.sysv.shmmni=128 - kern.sysv.shmseg=32 - kern.sysv.shmall=65536 - - KeepAlive - - RunAtLoad - - + + Label + shmemsetup + UserName + root + GroupName + wheel + ProgramArguments + + /usr/sbin/sysctl + -w + kern.sysv.shmmax=268435456 + kern.sysv.shmmni=128 + kern.sysv.shmseg=32 + kern.sysv.shmall=65536 + + KeepAlive + + RunAtLoad + + EOF -echo "Reboot and enjoy your fuzzing" + echo + echo "Reboot and enjoy your fuzzing" + exit 0 +fi + +if [[ "$PLATFORM" = "Linux" ]] ; then + + # check if UID == 0 + if [[ "$EUID" -ne 0 ]]; then + echo "You need to be root to do this. E.g. use \"sudo\"" + exit 1 + fi + + echo "Checks passed." + + test -d /etc/sysctl.d || echo Error: /etc/sysctl.d directory not found, cannot install shmem config + test -d /etc/sysctl.d -a '!' 
-e /etc/sysctl.d/99-fuzzing && { + echo "Installing /etc/sysctl.d/99-fuzzing" + cat << EOF > /etc/sysctl.d/99-fuzzing +kernel.core_uses_pid=0 +kernel.core_pattern=core +kernel.randomize_va_space=0 +kernel.sched_child_runs_first=1 +kernel.sched_autogroup_enabled=1 +kernel.sched_migration_cost_ns=50000000 +kernel.sched_latency_ns=250000000 +EOF + } + + egrep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options + egrep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && { + egrep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | egrep -q hardened_usercopy=off || { + echo "Configuring performance boot options" + LINE=`egrep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'` + OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off" + echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\" + sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub + } + } + + echo + echo "Reboot and enjoy your fuzzing" + exit 0 +fi + + +echo "Error: Unknown platform \"$PLATFORM\", currently supported are Linux and MacOS." +exit 1 diff --git a/afl-system-config b/afl-system-config index e149e4cd..a2ffa490 100755 --- a/afl-system-config +++ b/afl-system-config 
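Review bot: The Linux branch rewrites `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub` with `sed -i` and then prints "Reboot and enjoy your fuzzing", but it never regenerates the boot configuration, so the new kernel options are not in effect after the reboot it asks for; the `docs/FAQ.md` hunk in this same series gives the sequence as `update-grub` then `reboot`. Either run the regeneration step when the tool is present (guarded by a check for `update-grub`, otherwise print an explicit instruction) or change the final message to tell the user to run it themselves. Since there is no uninstall path for either the grub change or `/etc/sysctl.d/99-fuzzing`, take a copy before the in-place edit, e.g. `cp /etc/default/grub /etc/default/grub.afl-bak` (constructed name), so the previous, more secure boot line can be restored. Two smaller points in the same block: the `OPTIONS` string lists `tsx=on` and `mitigations=off` twice, and the `sed` substitution uses `|` as its delimiter, so an existing value containing `|` would break the edit.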
@@ -6,10 +6,12 @@ test "$1" = "-h" -o "$1" = "-hh" && { echo echo afl-system-config has no command line options echo - echo afl-system reconfigures the system to a high performance fuzzing state + echo afl-system-config reconfigures the system to a high performance fuzzing state. echo "WARNING: this reduces the security of the system!" echo - exit 1 + echo Note that there is also afl-persistent-config which sets additional permanent + echo configuration options. + exit 0 } DONE= diff --git a/docs/Changelog.md b/docs/Changelog.md index d81fdf49..74bdc4b1 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -13,6 +13,9 @@ sending a mail to . custom_mutators - added optimin, a faster and better corpus minimizer by Adrian Herrera. Thank you! + - added afl-persistent-config script to set perform permanent system + configuration setting for fuzzing, for Linux and Macos. + thanks to jhertz! ### Version ++3.14c (release) diff --git a/docs/perf_tips.md b/docs/perf_tips.md index 9c31e56b..1e8fd4d0 100644 --- a/docs/perf_tips.md +++ b/docs/perf_tips.md @@ -170,6 +170,7 @@ spectre_v2=off stf_barrier=off ``` In most Linux distributions you can put this into a `/etc/default/grub` variable. + You can use `sudo afl-persistent-config` to set these options for you. The following list of changes are made when executing `afl-system-config`: -- cgit 1.4.1 From 0f299a3bef12b2a8f27a5ba629a2ecb1201fcd60 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Fri, 23 Jul 2021 13:29:53 +0200 Subject: removed utils/afl_frida --- docs/Changelog.md | 3 +- utils/README.md | 15 ++ utils/afl_frida/GNUmakefile | 23 -- utils/afl_frida/Makefile | 2 - utils/afl_frida/README.md | 34 --- utils/afl_frida/afl-frida.c | 397 ---------------------------- utils/afl_frida/afl-frida.h | 53 ---- utils/afl_frida/android/README.md | 1 - utils/afl_frida/android/frida-gum-example.c | 130 --------- utils/afl_frida/libtestinstr.c | 35 --- utils/qbdi_mode/README.md | 2 +- 11 files changed, 18 insertions(+), 677 deletions(-) delete mode 100644 utils/afl_frida/GNUmakefile delete mode 100644 utils/afl_frida/Makefile delete mode 100644 utils/afl_frida/README.md delete mode 100644 utils/afl_frida/afl-frida.c delete mode 100644 utils/afl_frida/afl-frida.h delete mode 100644 utils/afl_frida/android/README.md delete mode 100644 utils/afl_frida/android/frida-gum-example.c delete mode 100644 utils/afl_frida/libtestinstr.c (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 74bdc4b1..e51a94b5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -14,8 +14,9 @@ sending a mail to . - added optimin, a faster and better corpus minimizer by Adrian Herrera. Thank you! - added afl-persistent-config script to set perform permanent system - configuration setting for fuzzing, for Linux and Macos. + configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! + - removed utils/afl_frida because frida_mode/ is now so much better ### Version ++3.14c (release) diff --git a/utils/README.md b/utils/README.md index 92619fd0..eb2e36b7 100644 --- a/utils/README.md +++ b/utils/README.md @@ -2,6 +2,9 @@ Here's a quick overview of the stuff you can find in this directory: + - aflpp_driver - easily instrument LLVMFuzzerTestOneInput() + harnesses. + - afl_network_proxy - fuzz a target over the network: afl-fuzz on a host, target on an embedded system. 
@@ -12,12 +15,16 @@ Here's a quick overview of the stuff you can find in this directory: - afl_untracer - fuzz binary-only libraries much faster but with less coverage than qemu_mode + - analysis_scripts - random -o out analysis scripts + - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed (e.g., to test setuid programs). - asan_cgroups - a contributed script to simplify fuzzing ASAN binaries with robust memory limits on Linux. + - autodict_ql - generate dictionary files from source code. + - bash_shellshock - a simple hack used to find a bunch of post-Shellshock bugs in bash. @@ -35,9 +42,15 @@ Here's a quick overview of the stuff you can find in this directory: C and Python. Note: They were moved to ../custom_mutators/examples/ + - defork - intercept fork() in targets + - distributed_fuzzing - a sample script for synchronizing fuzzer instances across multiple machines (see parallel_fuzzing.md). + - libdislocator - like ASAN but lightweight. + + - libtokencap - collect string tokens for a dictionary. + - libpng_no_checksum - a sample patch for removing CRC checks in libpng. - optimin - An optimal corpus minimizer. @@ -45,6 +58,8 @@ Here's a quick overview of the stuff you can find in this directory: - persistent_mode - an example of how to use the LLVM persistent process mode to speed up certain fuzzing jobs. + - qemu_persistent_hook - persistent mode support module for qemu. + - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin for fuzzing access with afl++ diff --git a/utils/afl_frida/GNUmakefile b/utils/afl_frida/GNUmakefile deleted file mode 100644 index 8b56415b..00000000 --- a/utils/afl_frida/GNUmakefile +++ /dev/null 
@@ -1,23 +0,0 @@ -ifdef DEBUG - OPT=-O0 -D_DEBUG=\"1\" -else - OPT=-O3 -funroll-loops -endif - -all: afl-frida libtestinstr.so - -libfrida-gum.a: - @echo Download and extract frida-gum-devkit-VERSION-PLATFORM.tar.xz for your platform from https://github.com/frida/frida/releases/latest - @exit 1 - -afl-frida: afl-frida.c libfrida-gum.a - $(CC) -g $(OPT) -o afl-frida -Wno-format -Wno-pointer-sign -I. -fpermissive -fPIC afl-frida.c ../../afl-compiler-rt.o libfrida-gum.a -ldl -lresolv -pthread - -libtestinstr.so: libtestinstr.c - $(CC) -g -O0 -fPIC -o libtestinstr.so -shared libtestinstr.c - -clean: - rm -f afl-frida *~ core *.o libtestinstr.so - -deepclean: clean - rm -f libfrida-gum.a frida-gum* diff --git a/utils/afl_frida/Makefile b/utils/afl_frida/Makefile deleted file mode 100644 index 0b306dde..00000000 --- a/utils/afl_frida/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -all: - @echo please use GNU make, thanks! diff --git a/utils/afl_frida/README.md b/utils/afl_frida/README.md deleted file mode 100644 index 68b62009..00000000 --- a/utils/afl_frida/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# afl-frida - faster fuzzing of binary-only libraries - -## Introduction - -afl-frida is an example skeleton file which can easily be used to fuzz -a closed source library. - -It requires less memory and is x5-10 faster than qemu_mode but does not -provide interesting features like compcov or cmplog. - -## How-to - -### Modify afl-frida.c - -Read and modify afl-frida.c then `make`. -To adapt afl-frida.c to your needs, read the header of the file and then -search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. - -### Fuzzing - -Example (after modifying afl-frida.c to your needs and compile it): -``` -LD_LIBRARY_PATH=/path/to/the/target/library/ afl-fuzz -i in -o out -- ./afl-frida -``` -(or even remote via afl-network-proxy). - -# Speed and stability - -The speed is very good, about x12 of fork() qemu_mode. -However the stability is low. Reason is currently unknown. - -# Background - -This code is copied for a larger part from https://github.com/meme/hotwax diff --git a/utils/afl_frida/afl-frida.c b/utils/afl_frida/afl-frida.c deleted file mode 100644 index e49d6f42..00000000 --- a/utils/afl_frida/afl-frida.c +++ /dev/null 
@@ -1,397 +0,0 @@ -/* - american fuzzy lop++ - afl-frida skeleton example - ------------------------------------------------- - - Copyright 2020 AFLplusplus Project. All rights reserved. - - Written mostly by meme -> https://github.com/meme/hotwax - - Modifications by Marc Heuse - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - HOW-TO - ====== - - You only need to change the following: - - 1. set the defines and function call parameters. - 2. dl load the library you want to fuzz, lookup the functions you need - and setup the calls to these. - 3. in the while loop you call the functions in the necessary order - - incl the cleanup. the cleanup is important! - - Just look these steps up in the code, look for "// STEP x:" - -*/ - -#include -#include -#include -#include -#include -#include -#include - -#ifdef __APPLE__ - #include - #include -#else - #include - #include -#endif - -int debug = 0; - -// STEP 1: - -// The presets are for the example libtestinstr.so: - -/* What is the name of the library to fuzz */ -#define TARGET_LIBRARY "libtestinstr.so" - -/* What is the name of the function to fuzz */ -#define TARGET_FUNCTION "testinstr" - -/* here you need to specify the parameter for the target function */ -static void *(*o_function)(uint8_t *, int); - -// END STEP 1 - -#include "frida-gum.h" - -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data); -void afl_setup(void); -void afl_start_forkserver(void); -int __afl_persistent_loop(unsigned int max_cnt); - -#include "../../config.h" - -// Shared memory fuzzing. -int __afl_sharedmem_fuzzing = 1; -extern unsigned int * __afl_fuzz_len; -extern unsigned char *__afl_fuzz_ptr; - -// Notify AFL about persistent mode. 
-static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##\0"; -int __afl_persistent_loop(unsigned int); - -// Notify AFL about deferred forkserver. -static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##\0"; -void __afl_manual_init(); - -// Because we do our own logging. -extern uint8_t * __afl_area_ptr; -static __thread guint64 previous_pc; - -// Frida stuff below. -typedef struct { - - GumAddress base_address; - guint64 code_start, code_end; - GumAddress current_log_impl; - uint64_t afl_prev_loc; - -} range_t; - -inline static void afl_maybe_log(guint64 current_pc) { - - // fprintf(stderr, "PC: %p ^ %p\n", current_pc, previous_pc); - - current_pc = (current_pc >> 4) ^ (current_pc << 8); - current_pc &= MAP_SIZE - 1; - - __afl_area_ptr[current_pc ^ previous_pc]++; - previous_pc = current_pc >> 1; - -} - -#ifdef __x86_64__ - -static const guint8 afl_maybe_log_code[] = { - - 0x9c, // pushfq - 0x50, // push rax - 0x51, // push rcx - 0x52, // push rdx - 0x56, // push rsi - - 0x89, 0xf8, // mov eax, edi - 0xc1, 0xe0, 0x08, // shl eax, 8 - 0xc1, 0xef, 0x04, // shr edi, 4 - 0x31, 0xc7, // xor edi, eax - 0x0f, 0xb7, 0xc7, // movzx eax, di - 0x48, 0x8d, 0x0d, 0x30, 0x00, 0x00, 0x00, // lea rcx, sym._afl_area_ptr_ptr - 0x48, 0x8b, 0x09, // mov rcx, qword [rcx] - 0x48, 0x8b, 0x09, // mov rcx, qword [rcx] - 0x48, 0x8d, 0x15, 0x1b, 0x00, 0x00, 0x00, // lea rdx, sym._afl_prev_loc_ptr - 0x48, 0x8b, 0x32, // mov rsi, qword [rdx] - 0x48, 0x8b, 0x36, // mov rsi, qword [rsi] - 0x48, 0x31, 0xc6, // xor rsi, rax - 0xfe, 0x04, 0x31, // inc byte [rcx + rsi] - - 0x48, 0xd1, 0xe8, // shr rax, 1 - 0x48, 0x8b, 0x0a, // mov rcx, qword [rdx] - 0x48, 0x89, 0x01, // mov qword [rcx], rax - - 0x5e, // pop rsi - 0x5a, // pop rdx - 0x59, // pop rcx - 0x58, // pop rax - 0x9d, // popfq - - 0xc3, // ret - // Read-only data goes here: - // uint64_t* afl_prev_loc_ptr - // uint8_t** afl_area_ptr_ptr - // unsigned int afl_instr_rms - -}; - -#else - -static void 
on_basic_block(GumCpuContext *context, gpointer user_data) { - - afl_maybe_log((guint64)user_data); - -} - -#endif - -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data) { - - range_t *range = (range_t *)user_data; - - const cs_insn *instr; - gboolean begin = TRUE; - while (gum_stalker_iterator_next(iterator, &instr)) { - - if (begin) { - - if (instr->address >= range->code_start && - instr->address <= range->code_end) { - -#ifdef __x86_64__ - GumX86Writer *cw = output->writer.x86; - if (range->current_log_impl == 0 || - !gum_x86_writer_can_branch_directly_between( - cw->pc, range->current_log_impl) || - !gum_x86_writer_can_branch_directly_between( - cw->pc + 128, range->current_log_impl)) { - - gconstpointer after_log_impl = cw->code + 1; - - gum_x86_writer_put_jmp_near_label(cw, after_log_impl); - - range->current_log_impl = cw->pc; - gum_x86_writer_put_bytes(cw, afl_maybe_log_code, - sizeof(afl_maybe_log_code)); - - uint64_t *afl_prev_loc_ptr = &range->afl_prev_loc; - uint8_t **afl_area_ptr_ptr = &__afl_area_ptr; - gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_prev_loc_ptr, - sizeof(afl_prev_loc_ptr)); - gum_x86_writer_put_bytes(cw, (const guint8 *)&afl_area_ptr_ptr, - sizeof(afl_area_ptr_ptr)); - gum_x86_writer_put_label(cw, after_log_impl); - - } - - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - -GUM_RED_ZONE_SIZE); - gum_x86_writer_put_push_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDI, - GUM_ADDRESS(instr->address)); - gum_x86_writer_put_call_address(cw, range->current_log_impl); - gum_x86_writer_put_pop_reg(cw, GUM_REG_RDI); - gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, - GUM_RED_ZONE_SIZE); -#else - gum_stalker_iterator_put_callout(iterator, on_basic_block, - (gpointer)instr->address, NULL); -#endif - begin = FALSE; - - } - - } - - gum_stalker_iterator_keep(iterator); - - } - -} - -/* Because this CAN be called more than once, 
it will return the LAST range */ -static int enumerate_ranges(const GumRangeDetails *details, - gpointer user_data) { - - GumMemoryRange *code_range = (GumMemoryRange *)user_data; - memcpy(code_range, details->range, sizeof(*code_range)); - return 0; - -} - -int main(int argc, char **argv) { - -#ifndef __APPLE__ - (void)personality(ADDR_NO_RANDOMIZE); // disable ASLR -#endif - - // STEP 2: load the library you want to fuzz and lookup the functions, - // inclusive of the cleanup functions. - // If there is just one function, then there is nothing to change - // or add here. - - void *dl = NULL; - if (argc > 2) { - - dl = dlopen(argv[1], RTLD_LAZY); - - } else { - - dl = dlopen(TARGET_LIBRARY, RTLD_LAZY); - - } - - if (!dl) { - - if (argc > 2) - fprintf(stderr, "Could not load %s\n", argv[1]); - else - fprintf(stderr, "Could not load %s\n", TARGET_LIBRARY); - exit(-1); - - } - - if (argc > 2) - o_function = dlsym(dl, argv[2]); - else - o_function = dlsym(dl, TARGET_FUNCTION); - if (!o_function) { - - if (argc > 2) - fprintf(stderr, "Could not find function %s\n", argv[2]); - else - fprintf(stderr, "Could not find function %s\n", TARGET_FUNCTION); - exit(-1); - - } - - // END STEP 2 - - if (!getenv("AFL_FRIDA_TEST_INPUT")) { - - gum_init_embedded(); - if (!gum_stalker_is_supported()) { - - gum_deinit_embedded(); - return 1; - - } - - GumStalker *stalker = gum_stalker_new(); - - GumAddress base_address; - if (argc > 2) - base_address = gum_module_find_base_address(argv[1]); - else - base_address = gum_module_find_base_address(TARGET_LIBRARY); - GumMemoryRange code_range; - if (argc > 2) - gum_module_enumerate_ranges(argv[1], GUM_PAGE_RX, enumerate_ranges, - &code_range); - else - gum_module_enumerate_ranges(TARGET_LIBRARY, GUM_PAGE_RX, enumerate_ranges, - &code_range); - - guint64 code_start = code_range.base_address; - guint64 code_end = code_range.base_address + code_range.size; - range_t instr_range = {0, code_start, code_end, 0, 0}; - - printf("Frida 
instrumentation: base=0x%lx instrumenting=0x%lx-%lx\n", - base_address, code_start, code_end); - if (!code_start || !code_end) { - - if (argc > 2) - fprintf(stderr, "Error: no valid memory address found for %s\n", - argv[1]); - else - fprintf(stderr, "Error: no valid memory address found for %s\n", - TARGET_LIBRARY); - exit(-1); - - } - - GumStalkerTransformer *transformer = - gum_stalker_transformer_make_from_callback(instr_basic_block, - &instr_range, NULL); - - // to ensure that the signatures are not optimized out - memcpy(__afl_area_ptr, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); - memcpy(__afl_area_ptr + 32, (void *)AFL_DEFER_FORKSVR, - sizeof(AFL_DEFER_FORKSVR)); - __afl_manual_init(); - - // - // any expensive target library initialization that has to be done just once - // - put that here - // - - gum_stalker_follow_me(stalker, transformer, NULL); - - while (__afl_persistent_loop(UINT32_MAX) != 0) { - - previous_pc = 0; // Required! - -#ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", - hash64(__afl_fuzz_ptr, *__afl_fuzz_len), *__afl_fuzz_len); - fprintf(stderr, "RECV:"); - for (int i = 0; i < *__afl_fuzz_len; i++) - fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr, "\n"); -#endif - - // STEP 3: ensure the minimum length is present and setup the target - // function to fuzz. - - if (*__afl_fuzz_len > 0) { - - __afl_fuzz_ptr[*__afl_fuzz_len] = 0; // if you need to null terminate - (*o_function)(__afl_fuzz_ptr, *__afl_fuzz_len); - - } - - // END STEP 3 - - } - - gum_stalker_unfollow_me(stalker); - - while (gum_stalker_garbage_collect(stalker)) - g_usleep(10000); - - g_object_unref(stalker); - g_object_unref(transformer); - gum_deinit_embedded(); - - } else { - - char buf[8 * 1024] = {0}; - int count = read(0, buf, sizeof(buf)); - buf[8 * 1024 - 1] = '\0'; - (*o_function)(buf, count); - - } - - return 0; - -} - 
diff --git a/utils/afl_frida/afl-frida.h b/utils/afl_frida/afl-frida.h deleted file mode 100644 index efa3440f..00000000 --- a/utils/afl_frida/afl-frida.h +++ /dev/null @@ -1,53 +0,0 @@ -extern int is_persistent; - -G_BEGIN_DECLS - -#define GUM_TYPE_FAKE_EVENT_SINK (gum_fake_event_sink_get_type()) - -G_DECLARE_FINAL_TYPE(GumFakeEventSink, gum_fake_event_sink, GUM, - FAKE_EVENT_SINK, GObject) - -struct _GumFakeEventSink { - - GObject parent; - GumEventType mask; - -}; - -GumEventSink *gum_fake_event_sink_new(void); -void gum_fake_event_sink_reset(GumFakeEventSink *self); - -G_END_DECLS - -typedef struct { - - GumAddress base_address; - guint64 code_start, code_end; - -} range_t; - -void instr_basic_block(GumStalkerIterator *iterator, GumStalkerOutput *output, - gpointer user_data); -#pragma once - -void afl_setup(void); -void afl_start_forkserver(void); -int __afl_persistent_loop(unsigned int max_cnt); - -inline static inline void afl_maybe_log(guint64 current_pc) { - - extern unsigned int afl_instr_rms; - extern uint8_t * afl_area_ptr; - - static __thread guint64 previous_pc; - - current_pc = (current_pc >> 4) ^ (current_pc << 8); - current_pc &= MAP_SIZE - 1; - - if (current_pc >= afl_instr_rms) return; - - afl_area_ptr[current_pc ^ previous_pc]++; - previous_pc = current_pc >> 1; - -} - diff --git a/utils/afl_frida/android/README.md b/utils/afl_frida/android/README.md deleted file mode 100644 index 044b48a1..00000000 --- a/utils/afl_frida/android/README.md +++ /dev/null @@ -1 +0,0 @@ -For android, frida-gum package (ex. https://github.com/frida/frida/releases/download/14.2.6/frida-gum-devkit-14.2.6-android-arm64.tar.xz) is needed to be extracted in the directory. diff --git a/utils/afl_frida/android/frida-gum-example.c b/utils/afl_frida/android/frida-gum-example.c deleted file mode 100644 index 14d98248..00000000 --- a/utils/afl_frida/android/frida-gum-example.c +++ /dev/null 
@@ -1,130 +0,0 @@ -/* - * Compile with: - * - * clang -fPIC -DANDROID -ffunction-sections -fdata-sections -Os -pipe -g3 frida-gum-example.c -o frida-gum-example -L. -lfrida-gum -llog -ldl -lm -pthread -Wl,--gc-sections,-z,noexecstack,-z,relro,-z,now -fuse-ld=gold -fuse-ld=gold -Wl,--icf=all - * - * Visit https://frida.re to learn more about Frida. - */ - -#include "frida-gum.h" - -#include -#include - -typedef struct _ExampleListener ExampleListener; -typedef enum _ExampleHookId ExampleHookId; - -struct _ExampleListener -{ - GObject parent; - - guint num_calls; -}; - -enum _ExampleHookId -{ - EXAMPLE_HOOK_OPEN, - EXAMPLE_HOOK_CLOSE -}; - -static void example_listener_iface_init (gpointer g_iface, gpointer iface_data); - -#define EXAMPLE_TYPE_LISTENER (example_listener_get_type ()) -G_DECLARE_FINAL_TYPE (ExampleListener, example_listener, EXAMPLE, LISTENER, GObject) -G_DEFINE_TYPE_EXTENDED (ExampleListener, - example_listener, - G_TYPE_OBJECT, - 0, - G_IMPLEMENT_INTERFACE (GUM_TYPE_INVOCATION_LISTENER, - example_listener_iface_init)) - -int -main (int argc, - char * argv[]) -{ - GumInterceptor * interceptor; - GumInvocationListener * listener; - - gum_init_embedded (); - - interceptor = gum_interceptor_obtain (); - listener = g_object_new (EXAMPLE_TYPE_LISTENER, NULL); - - gum_interceptor_begin_transaction (interceptor); - gum_interceptor_attach (interceptor, - GSIZE_TO_POINTER (gum_module_find_export_by_name (NULL, "open")), - listener, - GSIZE_TO_POINTER (EXAMPLE_HOOK_OPEN)); - gum_interceptor_attach (interceptor, - GSIZE_TO_POINTER (gum_module_find_export_by_name (NULL, "close")), - listener, - GSIZE_TO_POINTER (EXAMPLE_HOOK_CLOSE)); - gum_interceptor_end_transaction (interceptor); - - close (open ("/etc/hosts", O_RDONLY)); - close (open ("/etc/fstab", O_RDONLY)); - - g_print ("[*] listener got %u calls\n", EXAMPLE_LISTENER (listener)->num_calls); - - gum_interceptor_detach (interceptor, listener); - - close (open ("/etc/hosts", O_RDONLY)); - close (open 
("/etc/fstab", O_RDONLY)); - - g_print ("[*] listener still has %u calls\n", EXAMPLE_LISTENER (listener)->num_calls); - - g_object_unref (listener); - g_object_unref (interceptor); - - gum_deinit_embedded (); - - return 0; -} - -static void -example_listener_on_enter (GumInvocationListener * listener, - GumInvocationContext * ic) -{ - ExampleListener * self = EXAMPLE_LISTENER (listener); - ExampleHookId hook_id = GUM_IC_GET_FUNC_DATA (ic, ExampleHookId); - - switch (hook_id) - { - case EXAMPLE_HOOK_OPEN: - g_print ("[*] open(\"%s\")\n", (const gchar *) gum_invocation_context_get_nth_argument (ic, 0)); - break; - case EXAMPLE_HOOK_CLOSE: - g_print ("[*] close(%d)\n", GPOINTER_TO_INT (gum_invocation_context_get_nth_argument (ic, 0))); - break; - } - - self->num_calls++; -} - -static void -example_listener_on_leave (GumInvocationListener * listener, - GumInvocationContext * ic) -{ -} - -static void -example_listener_class_init (ExampleListenerClass * klass) -{ - (void) EXAMPLE_IS_LISTENER; - (void) glib_autoptr_cleanup_ExampleListener; -} - -static void -example_listener_iface_init (gpointer g_iface, - gpointer iface_data) -{ - GumInvocationListenerInterface * iface = g_iface; - - iface->on_enter = example_listener_on_enter; - iface->on_leave = example_listener_on_leave; -} - -static void -example_listener_init (ExampleListener * self) -{ -} diff --git a/utils/afl_frida/libtestinstr.c b/utils/afl_frida/libtestinstr.c deleted file mode 100644 index 96b1cf21..00000000 --- a/utils/afl_frida/libtestinstr.c +++ /dev/null 
@@ -1,35 +0,0 @@ -/* - american fuzzy lop++ - a trivial program to test the build - -------------------------------------------------------- - Originally written by Michal Zalewski - Copyright 2014 Google Inc. All rights reserved. - Copyright 2019-2020 AFLplusplus Project. All rights reserved. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - http://www.apache.org/licenses/LICENSE-2.0 - */ - -#include -#include -#include -#include -#include -#include -#include - -void testinstr(char *buf, int len) { - - if (len < 1) return; - buf[len] = 0; - - // we support three input cases - if (buf[0] == '0') - printf("Looks like a zero to me!\n"); - else if (buf[0] == '1') - printf("Pretty sure that is a one!\n"); - else - printf("Neither one or zero? How quaint!\n"); - -} - diff --git a/utils/qbdi_mode/README.md b/utils/qbdi_mode/README.md index cf5d3359..334199f2 100755 --- a/utils/qbdi_mode/README.md +++ b/utils/qbdi_mode/README.md @@ -2,7 +2,7 @@ NOTE: this code is outdated and first would need to be adapted to the current afl++ versions first. -Try afl_frida or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need. +Try frida_mode/ or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need. ## 1) Introduction -- cgit 1.4.1 From c3fbf5dca309e80e91f9bee9ff6d13f6aa240427 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Fri, 30 Jul 2021 08:33:18 +0200 Subject: add more string functions for dictionary features --- docs/Changelog.md | 1 + instrumentation/SanitizerCoverageLTO.so.cc | 39 +++++++++++++-- instrumentation/afl-llvm-dict2file.so.cc | 55 ++++++++++++++++++---- instrumentation/afl-llvm-lto-instrumentation.so.cc | 38 +++++++++++++-- instrumentation/compare-transform-pass.so.cc | 39 ++++++++++++--- test/test-compcov.c | 2 + 6 files changed, 150 insertions(+), 24 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index e51a94b5..10d25754 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,7 @@ sending a mail to . - added afl-persistent-config script to set perform permanent system configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! + - added xml, curl and exotic string functions to llvm dictionary features - removed utils/afl_frida because frida_mode/ is now so much better diff --git a/instrumentation/SanitizerCoverageLTO.so.cc b/instrumentation/SanitizerCoverageLTO.so.cc index 91b81910..e06f8b93 100644 --- a/instrumentation/SanitizerCoverageLTO.so.cc +++ b/instrumentation/SanitizerCoverageLTO.so.cc 
@@ -626,12 +626,41 @@ bool ModuleSanitizerCoverage::instrumentModule( if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; std::string FuncName = Callee->getName().str(); - isStrcmp &= !FuncName.compare("strcmp"); + + isStrcmp &= (!FuncName.compare("strcmp") || + !FuncName.compare("xmlStrcmp") || + !FuncName.compare("xmlStrEqual") || + !FuncName.compare("g_strcmp0") || + !FuncName.compare("curl_strequal") || + !FuncName.compare("strcsequal")); isMemcmp &= - (!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); - isStrncmp &= !FuncName.compare("strncmp"); - isStrcasecmp &= !FuncName.compare("strcasecmp"); - isStrncasecmp &= !FuncName.compare("strncasecmp"); + (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || + !FuncName.compare("CRYPTO_memcmp") || + !FuncName.compare("OPENSSL_memcmp") || + !FuncName.compare("memcmp_const_time") || + !FuncName.compare("memcmpct")); + isStrncmp &= (!FuncName.compare("strncmp") || + !FuncName.compare("xmlStrncmp") || + !FuncName.compare("curl_strnequal")); + isStrcasecmp &= (!FuncName.compare("strcasecmp") || + !FuncName.compare("stricmp") || + !FuncName.compare("ap_cstr_casecmp") || + !FuncName.compare("OPENSSL_strcasecmp") || + !FuncName.compare("xmlStrcasecmp") || + !FuncName.compare("g_strcasecmp") || + !FuncName.compare("g_ascii_strcasecmp") || + !FuncName.compare("Curl_strcasecompare") || + !FuncName.compare("Curl_safe_strcasecompare") || + !FuncName.compare("cmsstrcasecmp")); + isStrncasecmp &= (!FuncName.compare("strncasecmp") || + !FuncName.compare("strnicmp") || + !FuncName.compare("ap_cstr_casecmpn") || + !FuncName.compare("OPENSSL_strncasecmp") || + !FuncName.compare("xmlStrncasecmp") || + !FuncName.compare("g_ascii_strncasecmp") || + !FuncName.compare("Curl_strncasecompare") || + !FuncName.compare("g_strncasecmp")); + isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isStdString &= ((FuncName.find("basic_string") != std::string::npos && 
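Review bot: The same five name lists are now hand-copied into four passes (this one, afl-llvm-dict2file, afl-llvm-lto-instrumentation, compare-transform-pass) and they already disagree within this commit, since afl-llvm-dict2file also gains a strstr family that this hunk does not, so the next addition will drift again. I would keep the names in one shared table the passes can include, e.g. `static const char *const kStrcmpNames[] = {"strcmp", "xmlStrcmp", "xmlStrEqual", "g_strcmp0", "curl_strequal", "strcsequal", NULL};` plus a small helper so the check becomes `isStrcmp &= matches(FuncName, kStrcmpNames);`. For this dictionary pass only the constant operand is harvested, so the non-strcmp return convention of the `*equal`-style helpers is harmless here; a comment saying so would stop someone copying the list into a pass where it is not. The enclosing loop starts before and continues after the hunk.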
diff --git a/instrumentation/afl-llvm-dict2file.so.cc b/instrumentation/afl-llvm-dict2file.so.cc index 9daa75a8..4622e488 100644 --- a/instrumentation/afl-llvm-dict2file.so.cc +++ b/instrumentation/afl-llvm-dict2file.so.cc @@ -288,6 +288,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { bool isStrncasecmp = true; bool isIntMemcpy = true; bool isStdString = true; + bool isStrstr = true; bool addedNull = false; size_t optLen = 0; 
@@ -295,12 +296,46 @@ bool AFLdict2filePass::runOnModule(Module &M) { if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; std::string FuncName = Callee->getName().str(); - isStrcmp &= !FuncName.compare("strcmp"); + isStrcmp &= + (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") || + !FuncName.compare("xmlStrEqual") || + !FuncName.compare("g_strcmp0") || + !FuncName.compare("curl_strequal") || + !FuncName.compare("strcsequal")); isMemcmp &= - (!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); - isStrncmp &= !FuncName.compare("strncmp"); - isStrcasecmp &= !FuncName.compare("strcasecmp"); - isStrncasecmp &= !FuncName.compare("strncasecmp"); + (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || + !FuncName.compare("CRYPTO_memcmp") || + !FuncName.compare("OPENSSL_memcmp") || + !FuncName.compare("memcmp_const_time") || + !FuncName.compare("memcmpct")); + isStrncmp &= (!FuncName.compare("strncmp") || + !FuncName.compare("xmlStrncmp") || + !FuncName.compare("curl_strnequal")); + isStrcasecmp &= (!FuncName.compare("strcasecmp") || + !FuncName.compare("stricmp") || + !FuncName.compare("ap_cstr_casecmp") || + !FuncName.compare("OPENSSL_strcasecmp") || + !FuncName.compare("xmlStrcasecmp") || + !FuncName.compare("g_strcasecmp") || + !FuncName.compare("g_ascii_strcasecmp") || + !FuncName.compare("Curl_strcasecompare") || + !FuncName.compare("Curl_safe_strcasecompare") || + !FuncName.compare("cmsstrcasecmp")); + isStrncasecmp &= (!FuncName.compare("strncasecmp") || + !FuncName.compare("strnicmp") || + !FuncName.compare("ap_cstr_casecmpn") || + !FuncName.compare("OPENSSL_strncasecmp") || + !FuncName.compare("xmlStrncasecmp") || + !FuncName.compare("g_ascii_strncasecmp") || + !FuncName.compare("Curl_strncasecompare") || + !FuncName.compare("g_strncasecmp")); + isStrstr &= (!FuncName.compare("strstr") || + !FuncName.compare("g_strstr_len") || + !FuncName.compare("ap_strcasestr") || + !FuncName.compare("xmlStrstr") 
|| + !FuncName.compare("xmlStrcasestr") || + !FuncName.compare("g_str_has_prefix") || + !FuncName.compare("g_str_has_suffix")); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isStdString &= ((FuncName.find("basic_string") != std::string::npos && FuncName.find("compare") != std::string::npos) || @@ -308,13 +343,17 @@ bool AFLdict2filePass::runOnModule(Module &M) { FuncName.find("find") != std::string::npos)); if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && - !isStrncasecmp && !isIntMemcpy && !isStdString) + !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr) continue; /* Verify the strcmp/memcmp/strncmp/strcasecmp/strncasecmp function * prototype */ FunctionType *FT = Callee->getFunctionType(); + isStrstr &= + FT->getNumParams() == 2 && + FT->getParamType(0) == FT->getParamType(1) && + FT->getParamType(0) == IntegerType::getInt8PtrTy(M.getContext()); isStrcmp &= FT->getNumParams() == 2 && FT->getReturnType()->isIntegerTy(32) && FT->getParamType(0) == FT->getParamType(1) && @@ -345,7 +384,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { FT->getParamType(1)->isPointerTy(); if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && - !isStrncasecmp && !isIntMemcpy && !isStdString) + !isStrncasecmp && !isIntMemcpy && !isStdString && !isStrstr) continue; /* is a str{n,}{case,}cmp/memcmp, check if we have @@ -359,7 +398,7 @@ bool AFLdict2filePass::runOnModule(Module &M) { bool HasStr1; getConstantStringInfo(Str1P, TmpStr); - if (TmpStr.empty()) { + if (isStrstr || TmpStr.empty()) { HasStr1 = false; diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 263d947d..e300044c 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc 
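Review bot: `g_strstr_len` in the new `isStrstr` list (hunk @@ -295) can never match, because the prototype check added in hunk @@ -308 requires `FT->getNumParams() == 2` and `FT->getParamType(0) == FT->getParamType(1)`, while GLib's `g_strstr_len(haystack, haystack_len, needle)` takes three arguments with a size in the middle; the entry is dead. Either drop it or give it its own arity branch and take the needle from the third argument, which is not what the `HasStr1 = false` path in hunk @@ -359 does today. The `isStrstr` prototype check also deliberately omits the 32-bit return-type test the other groups have (it is what lets `g_str_has_prefix`'s gboolean and strstr's `char *` through), so a comment such as `// no return-type check: strstr returns char *, g_str_has_* return gboolean` would keep it from being "fixed" later. `runOnModule` starts and ends outside these hunks.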
@@ -393,12 +393,40 @@ bool AFLLTOPass::runOnModule(Module &M) { if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; std::string FuncName = Callee->getName().str(); - isStrcmp &= !FuncName.compare("strcmp"); + + isStrcmp &= (!FuncName.compare("strcmp") || + !FuncName.compare("xmlStrcmp") || + !FuncName.compare("xmlStrEqual") || + !FuncName.compare("g_strcmp0") || + !FuncName.compare("curl_strequal") || + !FuncName.compare("strcsequal")); isMemcmp &= - (!FuncName.compare("memcmp") || !FuncName.compare("bcmp")); - isStrncmp &= !FuncName.compare("strncmp"); - isStrcasecmp &= !FuncName.compare("strcasecmp"); - isStrncasecmp &= !FuncName.compare("strncasecmp"); + (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || + !FuncName.compare("CRYPTO_memcmp") || + !FuncName.compare("OPENSSL_memcmp") || + !FuncName.compare("memcmp_const_time") || + !FuncName.compare("memcmpct")); + isStrncmp &= (!FuncName.compare("strncmp") || + !FuncName.compare("xmlStrncmp") || + !FuncName.compare("curl_strnequal")); + isStrcasecmp &= (!FuncName.compare("strcasecmp") || + !FuncName.compare("stricmp") || + !FuncName.compare("ap_cstr_casecmp") || + !FuncName.compare("OPENSSL_strcasecmp") || + !FuncName.compare("xmlStrcasecmp") || + !FuncName.compare("g_strcasecmp") || + !FuncName.compare("g_ascii_strcasecmp") || + !FuncName.compare("Curl_strcasecompare") || + !FuncName.compare("Curl_safe_strcasecompare") || + !FuncName.compare("cmsstrcasecmp")); + isStrncasecmp &= (!FuncName.compare("strncasecmp") || + !FuncName.compare("strnicmp") || + !FuncName.compare("ap_cstr_casecmpn") || + !FuncName.compare("OPENSSL_strncasecmp") || + !FuncName.compare("xmlStrncasecmp") || + !FuncName.compare("g_ascii_strncasecmp") || + !FuncName.compare("Curl_strncasecompare") || + !FuncName.compare("g_strncasecmp")); isIntMemcpy &= !FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); isStdString &= ((FuncName.find("basic_string") != std::string::npos && 
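Review bot: This pass copies the extended strcmp/memcmp/strcasecmp name lists but not the `isStrstr` group (`strstr`, `xmlStrstr`, `ap_strcasestr`, `g_str_has_prefix`, ...) that the same commit adds to afl-llvm-dict2file.so.cc, so the LTO autodictionary and the dict2file output now harvest different constants from the same program. If that is unintended, add the same `isStrstr` flag and list here and include it in the pass's early-continue condition (outside this hunk); if it is intended, a one-line comment such as `// strstr-style calls are only harvested by afl-llvm-dict2file` would save the next reader the side-by-side comparison. The enclosing loop starts before and continues after the hunk.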
diff --git a/instrumentation/compare-transform-pass.so.cc b/instrumentation/compare-transform-pass.so.cc index f5dd4a53..288e8282 100644 --- a/instrumentation/compare-transform-pass.so.cc +++ b/instrumentation/compare-transform-pass.so.cc 
@@ -151,12 +151,39 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp, if (!Callee) continue; if (callInst->getCallingConv() != llvm::CallingConv::C) continue; StringRef FuncName = Callee->getName(); - isStrcmp &= !FuncName.compare(StringRef("strcmp")); - isMemcmp &= (!FuncName.compare(StringRef("memcmp")) || - !FuncName.compare(StringRef("bcmp"))); - isStrncmp &= !FuncName.compare(StringRef("strncmp")); - isStrcasecmp &= !FuncName.compare(StringRef("strcasecmp")); - isStrncasecmp &= !FuncName.compare(StringRef("strncasecmp")); + isStrcmp &= + (!FuncName.compare("strcmp") || !FuncName.compare("xmlStrcmp") || + !FuncName.compare("xmlStrEqual") || + !FuncName.compare("g_strcmp0") || + !FuncName.compare("curl_strequal") || + !FuncName.compare("strcsequal")); + isMemcmp &= + (!FuncName.compare("memcmp") || !FuncName.compare("bcmp") || + !FuncName.compare("CRYPTO_memcmp") || + !FuncName.compare("OPENSSL_memcmp") || + !FuncName.compare("memcmp_const_time") || + !FuncName.compare("memcmpct")); + isStrncmp &= (!FuncName.compare("strncmp") || + !FuncName.compare("xmlStrncmp") || + !FuncName.compare("curl_strnequal")); + isStrcasecmp &= (!FuncName.compare("strcasecmp") || + !FuncName.compare("stricmp") || + !FuncName.compare("ap_cstr_casecmp") || + !FuncName.compare("OPENSSL_strcasecmp") || + !FuncName.compare("xmlStrcasecmp") || + !FuncName.compare("g_strcasecmp") || + !FuncName.compare("g_ascii_strcasecmp") || + !FuncName.compare("Curl_strcasecompare") || + !FuncName.compare("Curl_safe_strcasecompare") || + !FuncName.compare("cmsstrcasecmp")); + isStrncasecmp &= (!FuncName.compare("strncasecmp") || + !FuncName.compare("strnicmp") || + !FuncName.compare("ap_cstr_casecmpn") || + !FuncName.compare("OPENSSL_strncasecmp") || + !FuncName.compare("xmlStrncasecmp") || + !FuncName.compare("g_ascii_strncasecmp") || + !FuncName.compare("Curl_strncasecompare") || + !FuncName.compare("g_strncasecmp")); isIntMemcpy &= 
!FuncName.compare("llvm.memcpy.p0i8.p0i8.i64"); if (!isStrcmp && !isMemcmp && !isStrncmp && !isStrcasecmp && diff --git a/test/test-compcov.c b/test/test-compcov.c index 4959c39c..ae63ca45 100644 --- a/test/test-compcov.c +++ b/test/test-compcov.c @@ -29,6 +29,8 @@ int main(int argc, char **argv) { printf("your string was APRI\n"); else if (strcasecmp(input, "Kiwi") == 0) printf("your string was Kiwi\n"); + else if (strstr(input, "tsala") == 0) + printf("your string is a fruit salad\n"); else if (strncasecmp(input, "avocado", 9) == 0) printf("your string was avocado\n"); else if (strncasecmp(input, "Grapes", argc > 2 ? atoi(argv[2]) : 3) == 0) -- cgit 1.4.1 From 8ad6e7c1404be214ea25692cbd9093aad3dff9ae Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 2 Aug 2021 10:15:13 +0200 Subject: fix afl_preload issues on macos --- docs/Changelog.md | 1 + docs/INSTALL.md | 2 +- src/afl-fuzz.c | 5 +++-- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 10d25754..d397a764 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,7 @@ sending a mail to . configuration settings for fuzzing, for Linux and Macos. thanks to jhertz! - added xml, curl and exotic string functions to llvm dictionary features + - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b3f9fb96..17af532a 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -74,7 +74,7 @@ and depend mostly on user feedback. To build AFL, install llvm (and perhaps gcc) from brew and follow the general instructions for Linux. If possible avoid Xcode at all cost. -`brew install wget git make cmake llvm` +`brew install wget git make cmake llvm gdb` Be sure to setup PATH to point to the correct clang binaries and use the freshly installed clang, clang++ and gmake, e.g.: 
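Review bot: Listing `xmlStrEqual`, `curl_strequal`, `curl_strnequal`, `Curl_strcasecompare`, `Curl_safe_strcasecompare` and `Curl_strncasecompare` in the strcmp-style groups is unsafe in this pass specifically, because unlike the dictionary passes this one replaces the call with an inlined byte chain that returns strcmp semantics (0 on match), whereas those libxml2/curl helpers, as their names and documentation indicate, return non-zero on match; a caller writing `if (curl_strequal(s, "x"))` would take the opposite branch in the instrumented build and the fuzzer would explore the wrong paths. Keep the `*equal`-style names in the dictionary passes only, or track them under a separate flag whose replacement negates the result, and put a comment above the lists: `// only functions with strcmp-style return (0 == equal) may be listed here; the transform emits that convention`. The same comment could note that rewriting `CRYPTO_memcmp`/`memcmp_const_time` into an early-exit chain drops their constant-time property, acceptable in a fuzzing build but worth stating. `transformCmps` starts before and continues after the hunk.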
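Review bot: `else if (strstr(input, "tsala") == 0)` is inverted: strstr returns NULL when the needle is absent, so this branch fires for every input that does not contain "tsala" and makes the following `avocado` and `Grapes` comparisons unreachable for such inputs, which defeats the purpose of a compcov test case. Change it to `else if (strstr(input, "tsala") != NULL)`. `main` starts and ends outside the hunk.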
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index b6da5a72..c97427e1 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -1398,6 +1398,9 @@ int main(int argc, char **argv_orig, char **envp) { afl->fsrv.use_fauxsrv = afl->non_instrumented_mode == 1 || afl->no_forkserver; + check_crash_handling(); + check_cpu_governor(afl); + if (getenv("LD_PRELOAD")) { WARNF( @@ -1498,8 +1501,6 @@ int main(int argc, char **argv_orig, char **envp) { } - check_crash_handling(); - check_cpu_governor(afl); get_core_count(afl); -- cgit 1.4.1 From 1cffe27185419ef45d32d7fbc07d5a24e527546d Mon Sep 17 00:00:00 2001 
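Review bot: Moving `check_crash_handling()` and `check_cpu_governor(afl)` ahead of the `LD_PRELOAD` handling is explained only by the commit title, so the ordering will read as arbitrary and is easy to undo in a later refactor. Presumably the preload environment is exported somewhere in the 100 lines between the two hunks and these checks spawn helper processes that must not run with that library injected; if that is the reason, state it above the calls, e.g. `/* must run before AFL_PRELOAD is exported: these checks spawn subprocesses that must not load the preload library (broke on macOS) */`. `main` starts and ends outside both hunks.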
From: llzmb <46303940+llzmb@users.noreply.github.com>
Date: Sun, 8 Aug 2021 01:28:56 +0200
Subject: Clean up docs folder (#1059)
Changes:
- Move files to docs/resources.
- Fix references.
- Delete unused files.
---
README.md | 2 +-
docs/resources/afl_gzip.png | Bin 0 -> 594870 bytes
docs/resources/grafana-afl++.json | 1816 ++++++++++++++++++++
docs/resources/screenshot.png | Bin 0 -> 117199 bytes
docs/resources/statsd-grafana.png | Bin 0 -> 163646 bytes
docs/rpc_statsd.md | 4 +-
docs/screenshot.png | Bin 117199 -> 0 bytes
docs/statsd/grafana-afl++.json | 1816 --------------------
docs/technical_details.md | 2 +-
docs/visualization/afl_gzip.png | Bin 594870 -> 0 bytes
docs/visualization/statsd-grafana.png | Bin 163646 -> 0 bytes
docs/vuln_samples/bash-cmd-exec.var | 1 -
docs/vuln_samples/bash-uninit-mem.var | 1 -
docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4 | Bin 10377 -> 0 bytes
docs/vuln_samples/ffmpeg-h264-bad-read.mp4 | Bin 4376 -> 0 bytes
.../ffmpeg-h264-call-stack-overflow.mp4 | Bin 1259 -> 0 bytes
docs/vuln_samples/file-fpu-exception.elf | Bin 2572 -> 0 bytes
docs/vuln_samples/firefox-bmp-leak.bmp | Bin 892 -> 0 bytes
docs/vuln_samples/firefox-chrome-leak.jpg | Bin 1771 -> 0 bytes
docs/vuln_samples/firefox-gif-leak.gif | Bin 38 -> 0 bytes
docs/vuln_samples/firefox-gif-leak2.gif | Bin 179 -> 0 bytes
docs/vuln_samples/jxrlib-crash.jxr | Bin 512 -> 0 bytes
docs/vuln_samples/jxrlib-crash2.jxr | Bin 472 -> 0 bytes
docs/vuln_samples/jxrlib-crash3.jxr | Bin 492 -> 0 bytes
docs/vuln_samples/jxrlib-crash4.jxr | Bin 526 -> 0 bytes
docs/vuln_samples/lesspipe-cpio-bad-write.cpio | Bin 512 -> 0 bytes
docs/vuln_samples/libjpeg-sos-leak.jpg | Bin 642 -> 0 bytes
docs/vuln_samples/libjpeg-turbo-dht-leak.jpg | Bin 595 -> 0 bytes
docs/vuln_samples/libtiff-bad-write.tif | Bin 360 -> 0 bytes
docs/vuln_samples/libtiff-uninit-mem.tif | Bin 408 -> 0 bytes
docs/vuln_samples/libtiff-uninit-mem2.tif | Bin 408 -> 0 bytes
docs/vuln_samples/libtiff-uninit-mem3.tif | Bin 216 -> 0 bytes
docs/vuln_samples/libtiff-uninit-mem4.tif | Bin 216 -> 0 bytes
docs/vuln_samples/libxml2-bad-read.xml | 3 -
docs/vuln_samples/msie-dht-leak.jpg | Bin 876 -> 0 bytes
docs/vuln_samples/msie-jxr-mem-leak.jxr | Bin 882 -> 0 bytes
docs/vuln_samples/msie-png-mem-leak.png | Bin 293 -> 0 bytes
docs/vuln_samples/msie-tiff-mem-leak.tif | Bin 408 -> 0 bytes
docs/vuln_samples/msie-zlib-dos.png | Bin 434 -> 0 bytes
docs/vuln_samples/openssl-null-ptr.der | Bin 15 -> 0 bytes
docs/vuln_samples/openssl-null-ptr2.der | Bin 398 -> 0 bytes
docs/vuln_samples/photoshop-mem-leak.jpg | Bin 996 -> 0 bytes
docs/vuln_samples/sqlite-bad-free.sql | 2 -
docs/vuln_samples/sqlite-bad-ptr.sql | 1 -
docs/vuln_samples/sqlite-bad-ptr2.sql | 1 -
docs/vuln_samples/sqlite-bad-ptr3.sql | Bin 199 -> 0 bytes
docs/vuln_samples/sqlite-heap-overflow.sql | 2 -
docs/vuln_samples/sqlite-heap-overwrite.sql | 1 -
docs/vuln_samples/sqlite-negative-memset.sql | 1 -
docs/vuln_samples/sqlite-null-ptr1.sql | 2 -
docs/vuln_samples/sqlite-null-ptr10.sql | 1 -
docs/vuln_samples/sqlite-null-ptr11.sql | 1 -
docs/vuln_samples/sqlite-null-ptr12.sql | 1 -
docs/vuln_samples/sqlite-null-ptr13.sql | 1 -
docs/vuln_samples/sqlite-null-ptr14.sql | 1 -
docs/vuln_samples/sqlite-null-ptr15.sql | 1 -
docs/vuln_samples/sqlite-null-ptr2.sql | 1 -
docs/vuln_samples/sqlite-null-ptr3.sql | 1 -
docs/vuln_samples/sqlite-null-ptr4.sql | 1 -
docs/vuln_samples/sqlite-null-ptr5.sql | 1 -
docs/vuln_samples/sqlite-null-ptr6.sql | 1 -
docs/vuln_samples/sqlite-null-ptr7.sql | 1 -
docs/vuln_samples/sqlite-null-ptr8.sql | 1 -
docs/vuln_samples/sqlite-null-ptr9.sql | 1 -
docs/vuln_samples/sqlite-oob-read.sql | 1 -
docs/vuln_samples/sqlite-oob-write.sql | 6 -
docs/vuln_samples/sqlite-stack-buf-overflow.sql | 1 -
docs/vuln_samples/sqlite-stack-exhaustion.sql | 1 -
docs/vuln_samples/sqlite-unint-mem.sql | 1 -
docs/vuln_samples/sqlite-use-after-free.sql | 1 -
docs/vuln_samples/strings-bfd-badptr.elf | Bin 324 -> 0 bytes
docs/vuln_samples/strings-bfd-badptr2.elf | Bin 324 -> 0 bytes
docs/vuln_samples/strings-stack-overflow | 3 -
docs/vuln_samples/strings-unchecked-ctr.elf | Bin 141 -> 0 bytes
docs/vuln_samples/tcpdump-arp-crash.pcap | Bin 114 -> 0 bytes
docs/vuln_samples/tcpdump-ppp-crash.pcap | Bin 1126 -> 0 bytes
docs/vuln_samples/unrtf-arbitrary-read.rtf | Bin 551 -> 0 bytes
docs/vuln_samples/unzip-t-mem-corruption.zip | Bin 344 -> 0 bytes
78 files changed, 1820 insertions(+), 1863 deletions(-)
create mode 100644 docs/resources/afl_gzip.png
create mode 100644 docs/resources/grafana-afl++.json
create mode 100644 docs/resources/screenshot.png
create mode 100644 docs/resources/statsd-grafana.png
delete mode 100644 docs/screenshot.png
delete mode 100644 docs/statsd/grafana-afl++.json
delete mode 100644 docs/visualization/afl_gzip.png
delete mode 100644 docs/visualization/statsd-grafana.png
delete mode 100644 docs/vuln_samples/bash-cmd-exec.var
delete mode 100644 docs/vuln_samples/bash-uninit-mem.var
delete mode 100644 docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4
delete mode 100644 docs/vuln_samples/ffmpeg-h264-bad-read.mp4
delete mode 100644 docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4
delete mode 100644 docs/vuln_samples/file-fpu-exception.elf
delete mode 100644 docs/vuln_samples/firefox-bmp-leak.bmp
delete mode 100644 docs/vuln_samples/firefox-chrome-leak.jpg
delete mode 100644 docs/vuln_samples/firefox-gif-leak.gif
delete mode 100644 docs/vuln_samples/firefox-gif-leak2.gif
delete mode 100644 docs/vuln_samples/jxrlib-crash.jxr
delete mode 100644 docs/vuln_samples/jxrlib-crash2.jxr
delete mode 100644 docs/vuln_samples/jxrlib-crash3.jxr
delete mode 100644 docs/vuln_samples/jxrlib-crash4.jxr
delete mode 100644 docs/vuln_samples/lesspipe-cpio-bad-write.cpio
delete mode 100644 docs/vuln_samples/libjpeg-sos-leak.jpg
delete mode 100644 docs/vuln_samples/libjpeg-turbo-dht-leak.jpg
delete mode 100644 docs/vuln_samples/libtiff-bad-write.tif
delete mode 100644 docs/vuln_samples/libtiff-uninit-mem.tif
delete mode 100644 docs/vuln_samples/libtiff-uninit-mem2.tif
delete mode 100644 docs/vuln_samples/libtiff-uninit-mem3.tif
delete mode 100644 docs/vuln_samples/libtiff-uninit-mem4.tif
delete mode 100644 docs/vuln_samples/libxml2-bad-read.xml
delete mode 100644 docs/vuln_samples/msie-dht-leak.jpg
delete mode 100644 docs/vuln_samples/msie-jxr-mem-leak.jxr
delete mode 100644 docs/vuln_samples/msie-png-mem-leak.png
delete mode 100644 docs/vuln_samples/msie-tiff-mem-leak.tif
delete mode 100644 docs/vuln_samples/msie-zlib-dos.png
delete mode 100644 docs/vuln_samples/openssl-null-ptr.der
delete mode 100644 docs/vuln_samples/openssl-null-ptr2.der
delete mode 100644 docs/vuln_samples/photoshop-mem-leak.jpg
delete mode 100644 docs/vuln_samples/sqlite-bad-free.sql
delete mode 100644 docs/vuln_samples/sqlite-bad-ptr.sql
delete mode 100644 docs/vuln_samples/sqlite-bad-ptr2.sql
delete mode 100644 docs/vuln_samples/sqlite-bad-ptr3.sql
delete mode 100644 docs/vuln_samples/sqlite-heap-overflow.sql
delete mode 100644 docs/vuln_samples/sqlite-heap-overwrite.sql
delete mode 100644 docs/vuln_samples/sqlite-negative-memset.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr1.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr10.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr11.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr12.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr13.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr14.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr15.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr2.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr3.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr4.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr5.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr6.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr7.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr8.sql
delete mode 100644 docs/vuln_samples/sqlite-null-ptr9.sql
delete mode 100644 docs/vuln_samples/sqlite-oob-read.sql
delete mode 100644 docs/vuln_samples/sqlite-oob-write.sql
delete mode 100644 docs/vuln_samples/sqlite-stack-buf-overflow.sql
delete mode 100644 docs/vuln_samples/sqlite-stack-exhaustion.sql
delete mode 100644 docs/vuln_samples/sqlite-unint-mem.sql
delete mode 100644 docs/vuln_samples/sqlite-use-after-free.sql
delete mode 100644 docs/vuln_samples/strings-bfd-badptr.elf
delete mode 100644 docs/vuln_samples/strings-bfd-badptr2.elf
delete mode 100644 docs/vuln_samples/strings-stack-overflow
delete mode 100644 docs/vuln_samples/strings-unchecked-ctr.elf
delete mode 100644 docs/vuln_samples/tcpdump-arp-crash.pcap
delete mode 100644 docs/vuln_samples/tcpdump-ppp-crash.pcap
delete mode 100644 docs/vuln_samples/unrtf-arbitrary-read.rtf
delete mode 100644 docs/vuln_samples/unzip-t-mem-corruption.zip
(limited to 'docs')
diff --git a/README.md b/README.md
index 92b6071c..24d369e2 100644
--- a/README.md
+++ b/README.md
@@ -684,7 +684,7 @@ in seconds with options also.
 When you start afl-fuzz you will see a user interface that shows what the status is:
-![docs/screenshot.png](docs/screenshot.png)
+![docs/resources/screenshot.png](docs/resources/screenshot.png)
 All labels are explained in [docs/status_screen.md](docs/status_screen.md).
diff --git a/docs/resources/afl_gzip.png b/docs/resources/afl_gzip.png
new file mode 100644
index 00000000..7c461d8f
Binary files /dev/null and b/docs/resources/afl_gzip.png differ
diff --git a/docs/resources/grafana-afl++.json b/docs/resources/grafana-afl++.json
new file mode 100644
index 00000000..96e824de
--- /dev/null
+++ b/docs/resources/grafana-afl++.json
@@ -0,0 +1,1816 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 1, + "links": [], + "panels": [ + { + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 16, + "title": "Row title", + "type": "row" + }, + { + "alert": { + "alertRuleTags": {}, + "conditions": [ + { + "evaluator": { + "params": [ + 500 + ], + "type": "lt" + }, + "operator": { + "type": "and" + }, + "query": { + "params": [ + "A", + "5m", + "now" + ] + }, + "reducer": { + "params": [], + "type": "avg" + }, + "type": "query" + } + ], + "executionErrorState": "alerting", + "for": "5m", + "frequency": "1m", + "handler": 1, + "name": "Slow exec per sec", + "noDataState": "no_data", + "notifications": [] + }, + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 10, + "x": 0, + "y": 1 + }, + "hiddenSeries": false, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"execs_per_sec\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [ + { + "colorMode": "critical", + "fill": true, + "line": true, + "op": "lt", + "value": 500 + } + ], + "timeFrom": null, + 
"timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Exec/s", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 10, + "x": 10, + "y": 1 + }, + "hiddenSeries": false, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"total_crashes\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Total Crashes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, 
+ "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 4, + "x": 20, + "y": 1 + }, + "hiddenSeries": false, + "id": 19, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"var_byte_count\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Var Byte Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + 
"fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 10, + "x": 0, + "y": 7 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"unique_crashes\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Unique Crashes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 10, + "x": 10, + "y": 7 + }, + "hiddenSeries": false, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", 
+ "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"unique_hangs\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Unique Hangs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 0, + "y": 13 + }, + "hiddenSeries": false, + "id": 23, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"slowest_exec_ms\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + 
"timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Slowest Exec Ms", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 5, + "y": 13 + }, + "hiddenSeries": false, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"cycle_done\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Cycles dones", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 
1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 10, + "y": 13 + }, + "hiddenSeries": false, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"execs_done\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Total Execs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + 
"fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 15, + "y": 13 + }, + "hiddenSeries": false, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"cur_path\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Curent path", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 0, + "y": 18 + }, + "hiddenSeries": false, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + 
"pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"cycles_wo_finds\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Cycles done without find", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 5, + "y": 18 + }, + "hiddenSeries": false, + "id": 25, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"paths_favored\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": 
"time" + } + ], + "timeShift": null, + "title": "Path Favored", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 10, + "y": 18 + }, + "hiddenSeries": false, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"havoc_expansion\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Havoc Expansion", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + 
"logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 15, + "y": 18 + }, + "hiddenSeries": false, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"edges_found\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Edges Found", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": 
null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 0, + "y": 23 + }, + "hiddenSeries": false, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"paths_imported\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Path Imported", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 5, + "y": 23 + }, + "hiddenSeries": false, + "id": 21, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, 
+ "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"pending_total\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Pending Total", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 10, + "y": 23 + }, + "hiddenSeries": false, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + 
"targets": [ + { + "expr": "fuzzing{type=\"pending_favs\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", + "op": "time" + } + ], + "timeShift": null, + "title": "Pending favs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": null, + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 5, + "w": 5, + "x": 15, + "y": 23 + }, + "hiddenSeries": false, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "7.3.7", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "fuzzing{type=\"max_depth\"}", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [ + { + "colorMode": "background6", + "fill": true, + "fillColor": "rgba(234, 112, 112, 0.12)", + "line": false, + "lineColor": "rgba(237, 46, 24, 0.60)", 
+ "op": "time" + } + ], + "timeShift": null, + "title": "Max Depth", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": false, + "schemaVersion": 26, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-30m", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Fuzzing", + "uid": "sRI6PCfGz", + "version": 2 +} \ No newline at end of file diff --git a/docs/resources/screenshot.png b/docs/resources/screenshot.png new file mode 100644 index 00000000..7b4dd7e4 Binary files /dev/null and b/docs/resources/screenshot.png differ diff --git a/docs/resources/statsd-grafana.png b/docs/resources/statsd-grafana.png new file mode 100644 index 00000000..1bdc1722 Binary files /dev/null and b/docs/resources/statsd-grafana.png differ diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index fb97aa09..898ad099 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -31,9 +31,9 @@ By doing so, you might be able to see when the fuzzing process has reached a sta (according to your own criteria) for your targets, etc. And doing so without requiring to log into each instance manually. An example visualisation may look like the following: -![StatsD Grafana](visualization/statsd-grafana.png) +![StatsD Grafana](resources/statsd-grafana.png) -*Notes: The exact same dashboard can be imported with [this JSON template](statsd/grafana-afl++.json).* +*Notes: The exact same dashboard can be imported with [this JSON template](resources/grafana-afl++.json).* ## How to use 
diff --git a/docs/screenshot.png b/docs/screenshot.png
deleted file mode 100644
index 7b4dd7e4..00000000
Binary files a/docs/screenshot.png and /dev/null differ
diff --git a/docs/statsd/grafana-afl++.json b/docs/statsd/grafana-afl++.json
deleted file mode 100644
index 96e824de..00000000
--- a/docs/statsd/grafana-afl++.json
+++ /dev/null
@@ -1,1816 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "id": 1, - "links": [], - "panels": [ - { - "datasource": null, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 16, - "title": "Row title", - "type": "row" - }, - { - "alert": { - "alertRuleTags": {}, - "conditions": [ - { - "evaluator": { - "params": [ - 500 - ], - "type": "lt" - }, - "operator": { - "type": "and" - }, - "query": { - "params": [ - "A", - "5m", - "now" - ] - }, - "reducer": { - "params": [], - "type": "avg" - }, - "type": "query" - } - ], - "executionErrorState": "alerting", - "for": "5m", - "frequency": "1m", - "handler": 1, - "name": "Slow exec per sec", - "noDataState": "no_data", - "notifications": [] - }, - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 10, - "x": 0, - "y": 1 - }, - "hiddenSeries": false, - "id": 12, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"execs_per_sec\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [ - { - "colorMode": "critical", - "fill": true, - "line": true, - "op": "lt", - "value": 500 - } - ], - "timeFrom": null, - 
"timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Exec/s", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 10, - "x": 10, - "y": 1 - }, - "hiddenSeries": false, - "id": 8, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"total_crashes\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Total Crashes", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, 
- "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 4, - "x": 20, - "y": 1 - }, - "hiddenSeries": false, - "id": 19, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"var_byte_count\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Var Byte Count", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - 
"fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 10, - "x": 0, - "y": 7 - }, - "hiddenSeries": false, - "id": 10, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"unique_crashes\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Unique Crashes", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 6, - "w": 10, - "x": 10, - "y": 7 - }, - "hiddenSeries": false, - "id": 14, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", 
- "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"unique_hangs\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Unique Hangs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 0, - "y": 13 - }, - "hiddenSeries": false, - "id": 23, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"slowest_exec_ms\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - 
"timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Slowest Exec Ms", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 5, - "y": 13 - }, - "hiddenSeries": false, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"cycle_done\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Cycles dones", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 
1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 10, - "y": 13 - }, - "hiddenSeries": false, - "id": 13, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"execs_done\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Total Execs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - 
"fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 15, - "y": 13 - }, - "hiddenSeries": false, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"cur_path\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Curent path", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 0, - "y": 18 - }, - "hiddenSeries": false, - "id": 6, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - 
"pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"cycles_wo_finds\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Cycles done without find", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 5, - "y": 18 - }, - "hiddenSeries": false, - "id": 25, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"paths_favored\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": 
"time" - } - ], - "timeShift": null, - "title": "Path Favored", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 10, - "y": 18 - }, - "hiddenSeries": false, - "id": 22, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"havoc_expansion\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Havoc Expansion", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - 
"logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 15, - "y": 18 - }, - "hiddenSeries": false, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"edges_found\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Edges Found", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": 
null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 0, - "y": 23 - }, - "hiddenSeries": false, - "id": 24, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"paths_imported\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Path Imported", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 5, - "y": 23 - }, - "hiddenSeries": false, - "id": 21, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, 
- "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"pending_total\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Pending Total", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 10, - "y": 23 - }, - "hiddenSeries": false, - "id": 20, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - 
"targets": [ - { - "expr": "fuzzing{type=\"pending_favs\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", - "op": "time" - } - ], - "timeShift": null, - "title": "Pending favs", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": null, - "fieldConfig": { - "defaults": { - "custom": {} - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 5, - "w": 5, - "x": 15, - "y": 23 - }, - "hiddenSeries": false, - "id": 18, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.3.7", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "fuzzing{type=\"max_depth\"}", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [ - { - "colorMode": "background6", - "fill": true, - "fillColor": "rgba(234, 112, 112, 0.12)", - "line": false, - "lineColor": "rgba(237, 46, 24, 0.60)", 
- "op": "time" - } - ], - "timeShift": null, - "title": "Max Depth", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "refresh": false, - "schemaVersion": 26, - "style": "dark", - "tags": [], - "templating": { - "list": [] - }, - "time": { - "from": "now-30m", - "to": "now" - }, - "timepicker": {}, - "timezone": "", - "title": "Fuzzing", - "uid": "sRI6PCfGz", - "version": 2 -} \ No newline at end of file diff --git a/docs/technical_details.md b/docs/technical_details.md index 6a4660a2..b0ca493e 100644 --- a/docs/technical_details.md +++ b/docs/technical_details.md @@ -156,7 +156,7 @@ In contrast to more greedy genetic algorithms, this approach allows the tool to progressively explore various disjoint and possibly mutually incompatible features of the underlying data format, as shown in this image: - ![gzip_coverage](./visualization/afl_gzip.png) + ![gzip_coverage](./resources/afl_gzip.png) Several practical examples of the results of this algorithm are discussed here: diff --git a/docs/visualization/afl_gzip.png b/docs/visualization/afl_gzip.png deleted file mode 100644 index 7c461d8f..00000000 Binary files a/docs/visualization/afl_gzip.png and /dev/null differ diff --git a/docs/visualization/statsd-grafana.png b/docs/visualization/statsd-grafana.png deleted file mode 100644 index 1bdc1722..00000000 Binary files a/docs/visualization/statsd-grafana.png and /dev/null differ diff --git a/docs/vuln_samples/bash-cmd-exec.var b/docs/vuln_samples/bash-cmd-exec.var deleted file mode 100644 index 6422d427..00000000 
--- a/docs/vuln_samples/bash-cmd-exec.var +++ /dev/null @@ -1 +0,0 @@ -() { _; } >_[$($())] { id; } \ No newline at end of file diff --git a/docs/vuln_samples/bash-uninit-mem.var b/docs/vuln_samples/bash-uninit-mem.var deleted file mode 100644 index 6d7d5360..00000000 --- a/docs/vuln_samples/bash-uninit-mem.var +++ /dev/null @@ -1 +0,0 @@ -() { x() { _; }; x() { _; } <O));insert into t0 -select randomblob(0)-trim(0); diff --git a/docs/vuln_samples/sqlite-bad-ptr.sql b/docs/vuln_samples/sqlite-bad-ptr.sql deleted file mode 100644 index 46e78afa..00000000 --- a/docs/vuln_samples/sqlite-bad-ptr.sql +++ /dev/null @@ -1 +0,0 @@ -SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE""""""""; diff --git a/docs/vuln_samples/sqlite-bad-ptr2.sql b/docs/vuln_samples/sqlite-bad-ptr2.sql deleted file mode 100644 index cd613d08..00000000 --- a/docs/vuln_samples/sqlite-bad-ptr2.sql +++ /dev/null @@ -1 +0,0 @@ -PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); diff --git a/docs/vuln_samples/sqlite-bad-ptr3.sql b/docs/vuln_samples/sqlite-bad-ptr3.sql deleted file mode 100644 index 7518816c..00000000 Binary files a/docs/vuln_samples/sqlite-bad-ptr3.sql and /dev/null differ diff --git a/docs/vuln_samples/sqlite-heap-overflow.sql b/docs/vuln_samples/sqlite-heap-overflow.sql deleted file mode 100644 index 066fc835..00000000 --- a/docs/vuln_samples/sqlite-heap-overflow.sql +++ /dev/null @@ -1,2 +0,0 @@ -DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 -select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; diff --git a/docs/vuln_samples/sqlite-heap-overwrite.sql b/docs/vuln_samples/sqlite-heap-overwrite.sql deleted file mode 100644 index 51ed82c3..00000000 --- a/docs/vuln_samples/sqlite-heap-overwrite.sql +++ /dev/null 
@@ -1 +0,0 @@ -ATTACH "file:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?mode=memory&cache=shared" AS x; \ No newline at end of file diff --git a/docs/vuln_samples/sqlite-negative-memset.sql b/docs/vuln_samples/sqlite-negative-memset.sql deleted file mode 100644 index d647bea0..00000000 --- a/docs/vuln_samples/sqlite-negative-memset.sql +++ /dev/null @@ -1 +0,0 @@ -SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); diff --git a/docs/vuln_samples/sqlite-null-ptr1.sql b/docs/vuln_samples/sqlite-null-ptr1.sql deleted file mode 100644 index 3f9d46c7..00000000 
--- a/docs/vuln_samples/sqlite-null-ptr1.sql +++ /dev/null @@ -1,2 +0,0 @@ -create table t0(t);insert into t0 -select strftime(); diff --git a/docs/vuln_samples/sqlite-null-ptr10.sql b/docs/vuln_samples/sqlite-null-ptr10.sql deleted file mode 100644 index 798bbf14..00000000 --- a/docs/vuln_samples/sqlite-null-ptr10.sql +++ /dev/null @@ -1 +0,0 @@ -SELECT fts3_tokenizer(@0()); diff --git a/docs/vuln_samples/sqlite-null-ptr11.sql b/docs/vuln_samples/sqlite-null-ptr11.sql deleted file mode 100644 index f6bcf65f..00000000 --- a/docs/vuln_samples/sqlite-null-ptr11.sql +++ /dev/null @@ -1 +0,0 @@ -select''like''like''like#0; diff --git a/docs/vuln_samples/sqlite-null-ptr12.sql b/docs/vuln_samples/sqlite-null-ptr12.sql deleted file mode 100644 index 8d14a86b..00000000 --- a/docs/vuln_samples/sqlite-null-ptr12.sql +++ /dev/null @@ -1 +0,0 @@ -PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; diff --git a/docs/vuln_samples/sqlite-null-ptr13.sql b/docs/vuln_samples/sqlite-null-ptr13.sql deleted file mode 100644 index e730db32..00000000 --- a/docs/vuln_samples/sqlite-null-ptr13.sql +++ /dev/null @@ -1 +0,0 @@ -WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; diff --git a/docs/vuln_samples/sqlite-null-ptr14.sql b/docs/vuln_samples/sqlite-null-ptr14.sql deleted file mode 100644 index 37b9baed..00000000 --- a/docs/vuln_samples/sqlite-null-ptr14.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; diff --git a/docs/vuln_samples/sqlite-null-ptr15.sql b/docs/vuln_samples/sqlite-null-ptr15.sql deleted file mode 100644 index 83d5c9d1..00000000 --- a/docs/vuln_samples/sqlite-null-ptr15.sql +++ /dev/null 
@@ -1 +0,0 @@ -CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); diff --git a/docs/vuln_samples/sqlite-null-ptr2.sql b/docs/vuln_samples/sqlite-null-ptr2.sql deleted file mode 100644 index 11c5a378..00000000 --- a/docs/vuln_samples/sqlite-null-ptr2.sql +++ /dev/null @@ -1 +0,0 @@ -DETACH(select group_concat(q)); diff --git a/docs/vuln_samples/sqlite-null-ptr3.sql b/docs/vuln_samples/sqlite-null-ptr3.sql deleted file mode 100644 index 14df82a7..00000000 --- a/docs/vuln_samples/sqlite-null-ptr3.sql +++ /dev/null @@ -1 +0,0 @@ -select(select strftime()); diff --git a/docs/vuln_samples/sqlite-null-ptr4.sql b/docs/vuln_samples/sqlite-null-ptr4.sql deleted file mode 100644 index fdb80476..00000000 --- a/docs/vuln_samples/sqlite-null-ptr4.sql +++ /dev/null @@ -1 +0,0 @@ -select n()AND+#00; diff --git a/docs/vuln_samples/sqlite-null-ptr5.sql b/docs/vuln_samples/sqlite-null-ptr5.sql deleted file mode 100644 index 7bbb7856..00000000 --- a/docs/vuln_samples/sqlite-null-ptr5.sql +++ /dev/null @@ -1 +0,0 @@ -select e.*,0 from(s,(L))e; diff --git a/docs/vuln_samples/sqlite-null-ptr6.sql b/docs/vuln_samples/sqlite-null-ptr6.sql deleted file mode 100644 index 2eb04bc4..00000000 --- a/docs/vuln_samples/sqlite-null-ptr6.sql +++ /dev/null @@ -1 +0,0 @@ -PRAGMA encoding='UTF16';CREATE VIRTUAL TABLE È USING s; \ No newline at end of file diff --git a/docs/vuln_samples/sqlite-null-ptr7.sql b/docs/vuln_samples/sqlite-null-ptr7.sql deleted file mode 100644 index 57ab12c5..00000000 --- a/docs/vuln_samples/sqlite-null-ptr7.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE VIRTUAL TABLE t USING fts4(tokenize=); diff --git a/docs/vuln_samples/sqlite-null-ptr8.sql b/docs/vuln_samples/sqlite-null-ptr8.sql deleted file mode 100644 index 4d5db064..00000000 --- a/docs/vuln_samples/sqlite-null-ptr8.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid; 
diff --git a/docs/vuln_samples/sqlite-null-ptr9.sql b/docs/vuln_samples/sqlite-null-ptr9.sql deleted file mode 100644 index 0ae836a2..00000000 --- a/docs/vuln_samples/sqlite-null-ptr9.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; diff --git a/docs/vuln_samples/sqlite-oob-read.sql b/docs/vuln_samples/sqlite-oob-read.sql deleted file mode 100644 index 4fe53b4f..00000000 --- a/docs/vuln_samples/sqlite-oob-read.sql +++ /dev/null @@ -1 +0,0 @@ -create table t0(‰ DEFAULT(0=0)NOT/**/NULL);REPLACE into t0 select''; \ No newline at end of file diff --git a/docs/vuln_samples/sqlite-oob-write.sql b/docs/vuln_samples/sqlite-oob-write.sql deleted file mode 100644 index 9b2c427d..00000000 --- a/docs/vuln_samples/sqlite-oob-write.sql +++ /dev/null @@ -1,6 +0,0 @@ -CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); -INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); -INSERT INTO t0 VALUES(''); -INSERT INTO t0 VALUES(''); -INSeRT INTO t0 VALUES('o'); -SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; diff --git a/docs/vuln_samples/sqlite-stack-buf-overflow.sql b/docs/vuln_samples/sqlite-stack-buf-overflow.sql deleted file mode 100644 index 4be57fd0..00000000 --- a/docs/vuln_samples/sqlite-stack-buf-overflow.sql +++ /dev/null @@ -1 +0,0 @@ -SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; diff --git a/docs/vuln_samples/sqlite-stack-exhaustion.sql b/docs/vuln_samples/sqlite-stack-exhaustion.sql deleted file mode 100644 index 6031a93b..00000000 --- a/docs/vuln_samples/sqlite-stack-exhaustion.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE VIRTUAL TABLE t0 USING fts4(content=t0); diff --git a/docs/vuln_samples/sqlite-unint-mem.sql b/docs/vuln_samples/sqlite-unint-mem.sql deleted file mode 100644 index 83b77112..00000000 --- a/docs/vuln_samples/sqlite-unint-mem.sql +++ /dev/null @@ -1 +0,0 @@ -REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0); 
diff --git a/docs/vuln_samples/sqlite-use-after-free.sql b/docs/vuln_samples/sqlite-use-after-free.sql deleted file mode 100644 index 4083ee64..00000000 --- a/docs/vuln_samples/sqlite-use-after-free.sql +++ /dev/null @@ -1 +0,0 @@ -create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; diff --git a/docs/vuln_samples/strings-bfd-badptr.elf b/docs/vuln_samples/strings-bfd-badptr.elf deleted file mode 100644 index 1df629b6..00000000 Binary files a/docs/vuln_samples/strings-bfd-badptr.elf and /dev/null differ diff --git a/docs/vuln_samples/strings-bfd-badptr2.elf b/docs/vuln_samples/strings-bfd-badptr2.elf deleted file mode 100644 index 085d3c11..00000000 Binary files a/docs/vuln_samples/strings-bfd-badptr2.elf and /dev/null differ diff --git a/docs/vuln_samples/strings-stack-overflow b/docs/vuln_samples/strings-stack-overflow deleted file mode 100644 index a673b273..00000000 --- a/docs/vuln_samples/strings-stack-overflow +++ /dev/null @@ -1,3 +0,0 @@ -$$@$$$@$o -S…Ôo -S…Ô \ No newline at end of file diff --git a/docs/vuln_samples/strings-unchecked-ctr.elf b/docs/vuln_samples/strings-unchecked-ctr.elf deleted file mode 100644 index dc531d5c..00000000 Binary files a/docs/vuln_samples/strings-unchecked-ctr.elf and /dev/null differ diff --git a/docs/vuln_samples/tcpdump-arp-crash.pcap b/docs/vuln_samples/tcpdump-arp-crash.pcap deleted file mode 100644 index 40d199a2..00000000 Binary files a/docs/vuln_samples/tcpdump-arp-crash.pcap and /dev/null differ diff --git a/docs/vuln_samples/tcpdump-ppp-crash.pcap b/docs/vuln_samples/tcpdump-ppp-crash.pcap deleted file mode 100644 index b6831155..00000000 Binary files a/docs/vuln_samples/tcpdump-ppp-crash.pcap and /dev/null differ 
diff --git a/docs/vuln_samples/unrtf-arbitrary-read.rtf b/docs/vuln_samples/unrtf-arbitrary-read.rtf deleted file mode 100644 index b7f4c283..00000000 Binary files a/docs/vuln_samples/unrtf-arbitrary-read.rtf and /dev/null differ diff --git a/docs/vuln_samples/unzip-t-mem-corruption.zip b/docs/vuln_samples/unzip-t-mem-corruption.zip deleted file mode 100644 index d34fa39e..00000000 Binary files a/docs/vuln_samples/unzip-t-mem-corruption.zip and /dev/null differ -- cgit 1.4.1 From df74625df0324e17178dbf3c7c03484719ef6dd0 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 8 Aug 2021 01:29:32 +0200 Subject: Change afl to AFL in *.md (#1057) Changes in *.md files: - afl++ > AFL++ (acronym) - afl > AFL (compare https://github.com/google/AFL) Excluded from changes: - source code - function names - paths (folder and file names) - URLs --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- README.md | 120 +++++++++++++++--------------- custom_mutators/README.md | 12 +-- custom_mutators/honggfuzz/README.md | 2 +- docs/Changelog.md | 34 ++++----- docs/FAQ.md | 20 ++--- docs/binaryonly_fuzzing.md | 22 +++--- docs/custom_mutators.md | 2 +- docs/docs.md | 30 ++++---- docs/env_variables.md | 16 ++-- docs/ideas.md | 2 +- docs/parallel_fuzzing.md | 4 +- docs/status_screen.md | 4 +- instrumentation/README.instrument_list.md | 6 +- instrumentation/README.laf-intel.md | 2 +- instrumentation/README.lto.md | 2 +- instrumentation/README.out_of_line.md | 2 +- instrumentation/README.persistent_mode.md | 2 +- qemu_mode/libcompcov/README.md | 2 +- unicorn_mode/README.md | 6 +- utils/README.md | 4 +- utils/aflpp_driver/README.md | 2 +- utils/argv_fuzzing/README.md | 2 +- utils/defork/README.md | 2 +- utils/qbdi_mode/README.md | 2 +- utils/socket_fuzzing/README.md | 2 +- 26 files changed, 153 insertions(+), 153 deletions(-) (limited to 'docs') 
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index d62da0a8..31152cd2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -11,7 +11,7 @@ assignees: '' 1. You have verified that the issue to be present in the current `dev` branch 2. Please supply the command line options and relevant environment variables, e.g. a copy-paste of the contents of `out/default/fuzzer_setup` -Thank you for making afl++ better! +Thank you for making AFL++ better! **Describe the bug** A clear and concise description of what the bug is. diff --git a/README.md b/README.md index 24d369e2..28cd4e4c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# American Fuzzy Lop plus plus (afl++) +# American Fuzzy Lop plus plus (AFL++) AFL++ Logo @@ -8,7 +8,7 @@ Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) - afl++ is maintained by: + AFL++ is maintained by: * Marc "van Hauser" Heuse , * Heiko "hexcoder-" Eißfeldt , 
@@ -17,36 +17,36 @@ Originally developed by MichaƂ "lcamtuf" Zalewski. - afl++ is a superior fork to Google's afl - more speed, more and better + AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support, etc. - If you want to use afl++ for your academic work, check the [papers page](https://aflplus.plus/papers/) + If you want to use AFL++ for your academic work, check the [papers page](https://aflplus.plus/papers/) on the website. To cite our work, look at the [Cite](#cite) section. For comparisons use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. -## Major behaviour changes in afl++ 3.00 onwards: +## Major behaviour changes in AFL++ 3.00 onwards: -With afl++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for +With AFL++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for binary-only fuzzing. It is slower than Qemu mode but works on MacOS, Android, iOS etc. -With afl++ 3.15 we introduced the following changes from previous behaviours: +With AFL++ 3.15 we introduced the following changes from previous behaviours: * Also -M main mode does not do deterministic fuzzing by default anymore * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz -i does (but note that afl-cmin.bash does not) -With afl++ 3.14 we introduced the following changes from previous behaviours: +With AFL++ 3.14 we introduced the following changes from previous behaviours: * afl-fuzz: deterministic fuzzing it not a default for -M main anymore * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash however does not) -With afl++ 3.10 we introduced the following changes from previous behaviours: +With AFL++ 3.10 we introduced the following changes from previous behaviours: * The '+' feature of the '-t' option now means to auto-calculate the timeout with the value given being the maximum timeout. 
The original meaning of "skipping timeouts instead of abort" is now inherent to the -t option. -With afl++ 3.00 we introduced changes that break some previous afl and afl++ +With AFL++ 3.00 we introduced changes that break some previous AFL and AFL++ behaviours and defaults: * There are no llvm_mode and gcc_plugin subdirectories anymore and there is only one compiler: afl-cc. All previous compilers now symlink to this one. @@ -82,18 +82,18 @@ behaviours and defaults: ## Contents 1. [Features](#important-features-of-afl) - 2. [How to compile and install afl++](#building-and-installing-afl) + 2. [How to compile and install AFL++](#building-and-installing-afl) 3. [How to fuzz a target](#how-to-fuzz-with-afl) 4. [Fuzzing binary-only targets](#fuzzing-binary-only-targets) - 5. [Good examples and writeups of afl++ usages](#good-examples-and-writeups) + 5. [Good examples and writeups of AFL++ usages](#good-examples-and-writeups) 6. [CI Fuzzing](#ci-fuzzing) 7. [Branches](#branches) 8. [Want to help?](#help-wanted) - 9. [Detailed help and description of afl++](#challenges-of-guided-fuzzing) + 9. [Detailed help and description of AFL++](#challenges-of-guided-fuzzing) -## Important features of afl++ +## Important features of AFL++ - afl++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1 + AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1 with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full *BSD, Mac OS, Solaris and Android support and much, much, much more. 
@@ -136,7 +136,7 @@ behaviours and defaults: * QBDI mode to fuzz android native libraries via Quarkslab's [QBDI](https://github.com/QBDI/QBDI) framework * Frida and ptrace mode to fuzz binary-only libraries, etc. - So all in all this is the best-of afl that is out there :-) + So all in all this is the best-of AFL that is out there :-) For new versions and additional information, check out: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus) @@ -151,9 +151,9 @@ behaviours and defaults: The following branches exist: - * [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/) : stable state of afl++ - it is synced from dev from time to + * [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/) : stable state of AFL++ - it is synced from dev from time to time when we are satisfied with its stability - * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of afl++ - bleeding edge and you might catch a + * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* * [release](https://github.com/AFLplusplus/AFLplusplus/tree/release) : the latest release * (any other) : experimental branches to work on specific features or testing @@ -175,9 +175,9 @@ We have an idea list in [docs/ideas.md](docs/ideas.md). For everyone who wants to contribute (and send pull requests) please read [CONTRIBUTING.md](CONTRIBUTING.md) before your submit. -## Building and installing afl++ +## Building and installing AFL++ -An easy way to install afl++ with everything compiled is available via docker: +An easy way to install AFL++ with everything compiled is available via docker: You can use the [Dockerfile](Dockerfile) (which has gcc-10 and clang-11 - hence afl-clang-lto is available!) or just pull directly from the docker hub: ```shell 
@@ -187,7 +187,7 @@ docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus This image is automatically generated when a push to the stable repo happens. You will find your target source code in /src in the container. -If you want to build afl++ yourself you have many options. +If you want to build AFL++ yourself you have many options. The easiest choice is to build and install everything: ```shell @@ -205,7 +205,7 @@ It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! Note that "make distrib" also builds instrumentation, qemu_mode, unicorn_mode and -more. If you just want plain afl++ then do "make all", however compiling and +more. If you just want plain AFL++ then do "make all", however compiling and using at least instrumentation is highly recommended for much better results - hence in this case @@ -216,7 +216,7 @@ is what you should choose. These build targets exist: -* all: just the main afl++ binaries +* all: just the main AFL++ binaries * binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap * source-only: everything for source code fuzzing: instrumentation, libdislocator, libtokencap * distrib: everything (for both binary-only and source code fuzzing) @@ -230,7 +230,7 @@ These build targets exist: * help: shows these build options [Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the -afl++ binaries by passing the STATIC=1 argument to make: +AFL++ binaries by passing the STATIC=1 argument to make: ```shell make STATIC=1 
@@ -264,14 +264,14 @@ Here are some good writeups to show how to effectively use AFL++: If you are interested in fuzzing structured data (where you define what the structure is), these links have you covered: - * Superion for afl++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) - * libprotobuf for afl++: [https://github.com/P1umer/AFLplusplus-protobuf-mutator](https://github.com/P1umer/AFLplusplus-protobuf-mutator) + * Superion for AFL++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) + * libprotobuf for AFL++: [https://github.com/P1umer/AFLplusplus-protobuf-mutator](https://github.com/P1umer/AFLplusplus-protobuf-mutator) * libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator) - * libprotobuf for old afl++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) + * libprotobuf for old AFL++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator) If you find other good ones, please send them to us :-) -## How to fuzz with afl++ +## How to fuzz with AFL++ The following describes how to fuzz with a target if source code is available. If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps) 
@@ -287,9 +287,9 @@ Fuzzing source code is a three-step process. ### 1. Instrumenting that target -#### a) Selecting the best afl++ compiler for instrumenting the target +#### a) Selecting the best AFL++ compiler for instrumenting the target -afl++ comes with a central compiler `afl-cc` that incorporates various different +AFL++ comes with a central compiler `afl-cc` that incorporates various different kinds of compiler targets and and instrumentation options. The following evaluation flow will help you to select the best possible. @@ -339,7 +339,7 @@ You can select the mode for the afl-cc compiler by: MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++). -Because no afl specific command-line options are accepted (beside the +Because no AFL specific command-line options are accepted (beside the --afl-MODE command), the compile-time tools make fairly broad use of environment variables, which can be listed with `afl-cc -hh` or by reading [docs/env_variables.md](docs/env_variables.md). @@ -347,7 +347,7 @@ variables, which can be listed with `afl-cc -hh` or by reading [docs/env_variabl The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto): - * Splitting integer, string, float and switch comparisons so afl++ can easier + * Splitting integer, string, float and switch comparisons so AFL++ can easier solve these. This is an important option if you do not have a very good and large input corpus. This technique is called laf-intel or COMPCOV. To use this set the following environment variable before compiling the 
@@ -355,7 +355,7 @@ The following options are available when you instrument with LTO mode (afl-clang You can read more about this in [instrumentation/README.laf-intel.md](instrumentation/README.laf-intel.md) * A different technique (and usually a better one than laf-intel) is to instrument the target so that any compare values in the target are sent to - afl++ which then tries to put these values into the fuzzing data at different + AFL++ which then tries to put these values into the fuzzing data at different locations. This technique is very fast and good - if the target does not transform input data before comparison. Therefore this technique is called `input to state` or `redqueen`. @@ -388,7 +388,7 @@ time less effective. See: * [instrumentation/README.ctx.md](instrumentation/README.ctx.md) * [instrumentation/README.ngram.md](instrumentation/README.ngram.md) -afl++ performs "never zero" counting in its bitmap. You can read more about this +AFL++ performs "never zero" counting in its bitmap. You can read more about this here: * [instrumentation/README.neverzero.md](instrumentation/README.neverzero.md) @@ -403,7 +403,7 @@ This is enough because a use-after-free bug will be picked up, e.g. by ASAN (address sanitizer) anyway when syncing to other fuzzing instances, so not all fuzzing instances need to be instrumented with ASAN. -The following sanitizers have built-in support in afl++: +The following sanitizers have built-in support in AFL++: * ASAN = Address SANitizer, finds memory corruption vulnerabilities like use-after-free, NULL pointer dereference, buffer overruns, etc. Enabled with `export AFL_USE_ASAN=1` before compiling. 
@@ -457,13 +457,13 @@ by eliminating these checks within these AFL specific blocks: #endif ```
-All afl++ compilers will set this preprocessor definition automatically.
+All AFL++ compilers will set this preprocessor definition automatically.
 #### e) Instrument the target In this step the target source code is compiled so that it can be fuzzed.
-Basically you have to tell the target build system that the selected afl++
+Basically you have to tell the target build system that the selected AFL++
 compiler is used. Also - if possible - you should always configure the build system such that the target is compiled statically and not dynamically. How to do this is described below.
@@ -474,13 +474,13 @@ Then build the target. (Usually with `make`) 1. sometimes configure and build systems are fickle and do not like stderr output (and think this means a test failure) - which is something
- afl++ likes to do to show statistics. It is recommended to disable afl++
+ AFL++ likes to do to show statistics. It is recommended to disable AFL++
 instrumentation reporting via `export AFL_QUIET=1`. 2. sometimes configure and build systems error on warnings - these should be disabled (e.g. `--disable-werror` for some configure scripts).
-3. in case the configure/build system complains about afl++'s compiler and
+3. in case the configure/build system complains about AFL++'s compiler and
 aborts then set `export AFL_NOOPT=1` which will then just behave like the real compiler. This option has to be unset again before building the target!
@@ -504,12 +504,12 @@ described in [instrumentation/README.lto.md](instrumentation/README.lto.md). ##### meson
-For meson you have to set the afl++ compiler with the very first command!
+For meson you have to set the AFL++ compiler with the very first command!
 `CC=afl-cc CXX=afl-c++ meson` ##### other build systems or if configure/cmake didn't work
-Sometimes cmake and configure do not pick up the afl++ compiler, or the
+Sometimes cmake and configure do not pick up the AFL++ compiler, or the
 ranlib/ar that is needed - because this was just not foreseen by the developer of the target. Or they have non-standard options. Figure out if there is a non-standard way to set this, otherwise set up the build normally and edit the
@@ -525,7 +525,7 @@ This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast It is the so-called `persistent mode`, which is much, much faster but requires that you code a source file that is specifically calling the target
-functions that you want to fuzz, plus a few specific afl++ functions around
+functions that you want to fuzz, plus a few specific AFL++ functions around
 it. See [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md) for details. Basically if you do not fuzz a target in persistent mode then you are just
@@ -534,7 +534,7 @@ doing it for a hobby and not professionally :-). #### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput() libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard
-for fuzzing, and they can be used with afl++ (and honggfuzz) as well!
+for fuzzing, and they can be used with AFL++ (and honggfuzz) as well!
 Compiling them is as simple as: ``` afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a
@@ -566,7 +566,7 @@ normal data it receives and processes to a file and use these. #### b) Making the input corpus unique
-Use the afl++ tool `afl-cmin` to remove inputs from the corpus that do not
+Use the AFL++ tool `afl-cmin` to remove inputs from the corpus that do not
 produce a new path in the target. Put all files from step a) into one directory, e.g. INPUTS.
@@ -678,7 +678,7 @@ failure handling in the target. Play around with various -m values until you find one that safely works for all your input seeds (if you have good ones and then double or quadrouple that.
-By default afl-fuzz never stops fuzzing. To terminate afl++ simply press Control-C
+By default afl-fuzz never stops fuzzing. To terminate AFL++ simply press Control-C
 or send a signal SIGINT. You can limit the number of executions or approximate runtime in seconds with options also.
@@ -693,7 +693,7 @@ All labels are explained in [docs/status_screen.md](docs/status_screen.md). If you want to seriously fuzz then use as many cores/threads as possible to fuzz your target.
-On the same machine - due to the design of how afl++ works - there is a maximum
+On the same machine - due to the design of how AFL++ works - there is a maximum
 number of CPU cores/threads that are useful, use more and the overall performance degrades instead. This value depends on the target, and the limit is between 32 and 64 cores per machine.
@@ -734,7 +734,7 @@ If you have a large corpus, a corpus from a previous run or are fuzzing in a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`. You can also use different fuzzers.
-If you are using afl spinoffs or afl conforming fuzzers, then just use the
+If you are using AFL spinoffs or AFL conforming fuzzers, then just use the
 same -o directory and give it a unique `-S` name. Examples are: * [Fuzzolic](https://github.com/season-lab/fuzzolic)
@@ -747,7 +747,7 @@ Examples are: A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL)
-However you can also sync afl++ with honggfuzz, libfuzzer with `-entropic=1`, etc.
+However you can also sync AFL++ with honggfuzz, libfuzzer with `-entropic=1`, etc.
 Just show the main fuzzer (-M) with the `-F` option where the queue/work directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`. Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly
@@ -794,7 +794,7 @@ There is a more complex and configurable script in `utils/distributed_fuzzing`. #### d) The status of the fuzz campaign
-afl++ comes with the `afl-whatsup` script to show the status of the fuzzing
+AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing
 campaign. Just supply the directory that afl-fuzz is given with the -o option and
@@ -886,7 +886,7 @@ This is basically all you need to know to professionally run fuzzing campaigns. If you want to know more, the rest of this README and the tons of texts in [docs/](docs/) will have you covered.
-Note that there are also a lot of tools out there that help fuzzing with afl++
+Note that there are also a lot of tools out there that help fuzzing with AFL++
 (some might be deprecated or unsupported): Speeding up fuzzing:
@@ -938,7 +938,7 @@ campaigns as these are much shorter runnings. initial corpus as this very likely has been done for them already. * Keep the generated corpus, use afl-cmin and reuse it every time!
-2. Additionally randomize the afl++ compilation options, e.g.
+2. Additionally randomize the AFL++ compilation options, e.g.
 * 40% for `AFL_LLVM_CMPLOG` * 10% for `AFL_LLVM_LAF_ALL`
@@ -954,12 +954,12 @@ campaigns as these are much shorter runnings. `-M` enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs.
-How this can look like can e.g. be seen at afl++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
+How this can look like can e.g. be seen at AFL++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
 and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py). ## Fuzzing binary-only targets
-When source code is *NOT* available, afl++ offers various support for fast,
+When source code is *NOT* available, AFL++ offers various support for fast,
 on-the-fly instrumentation of black-box binaries. If you do not have to use Unicorn the following setup is recommended to use
@@ -1013,7 +1013,7 @@ less conducive to parallelization. ### Unicorn
-For non-Linux binaries you can use afl++'s unicorn mode which can emulate
+For non-Linux binaries you can use AFL++'s unicorn mode which can emulate
 anything you want - for the price of speed and user written scripts. See [unicorn_mode](unicorn_mode/README.md).
@@ -1227,13 +1227,13 @@ can be operated in a very simple way: The tool works with crashing and non-crashing test cases alike. In the crash mode, it will happily accept instrumented and non-instrumented binaries. In the
-non-crashing mode, the minimizer relies on standard afl++ instrumentation to make
+non-crashing mode, the minimizer relies on standard AFL++ instrumentation to make
 the file simpler without altering the execution path. The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with afl-fuzz.
-Another tool in afl++ is the afl-analyze tool. It takes an input
+Another tool in AFL++ is the afl-analyze tool. It takes an input
 file, attempts to sequentially flip bytes, and observes the behavior of the tested program. It then color-codes the input based on which sections appear to be critical, and which are not; while not bulletproof, it can often offer quick
@@ -1276,7 +1276,7 @@ tasks, fuzzing may put a strain on your hardware and on the OS. In particular: for something to blow up. - Targeted programs may end up erratically grabbing gigabytes of memory or
- filling up disk space with junk files. afl++ tries to enforce basic memory
+ filling up disk space with junk files. AFL++ tries to enforce basic memory
 limits, but can't prevent each and every possible mishap. The bottom line is that you shouldn't be fuzzing on systems where the prospect of data loss is not an acceptable risk.
@@ -1305,7 +1305,7 @@ tasks, fuzzing may put a strain on your hardware and on the OS. In particular: Here are some of the most important caveats for AFL:
- - afl++ detects faults by checking for the first spawned process dying due to
+ - AFL++ detects faults by checking for the first spawned process dying due to
 a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for these signals may need to have the relevant code commented out. In the same vein, faults in child processes spawned by the fuzzed target may evade
@@ -1341,7 +1341,7 @@ Beyond this, see INSTALL for platform-specific tips. ## Special thanks
-Many of the improvements to the original afl and afl++ wouldn't be possible
+Many of the improvements to the original AFL and AFL++ wouldn't be possible
 without feedback, bug reports, or patches from: ```
@@ -1425,7 +1425,7 @@ Bibtex: Questions? Concerns? Bug reports? The contributors can be reached via [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
-There is also a mailing list for the afl/afl++ project; to join, send a mail to
+There is also a mailing list for the AFL/AFL++ project; to join, send a mail to
 . Or, if you prefer to browse archives first, try: [https://groups.google.com/group/afl-users](https://groups.google.com/group/afl-users)
diff --git a/custom_mutators/README.md b/custom_mutators/README.md
index 13172cdc..fa877f34 100644
--- a/custom_mutators/README.md
+++ b/custom_mutators/README.md
@@ -1,6 +1,6 @@
 # Custom Mutators
-Custom mutators enhance and alter the mutation strategies of afl++.
+Custom mutators enhance and alter the mutation strategies of AFL++.
 For further information and documentation on how to write your own, read [the docs](../docs/custom_mutators.md). ## Examples
@@ -11,9 +11,9 @@ The `./examples` folder contains examples for custom mutators in python and C. In `./rust`, you will find rust bindings, including a simple example in `./rust/example` and an example for structured fuzzing, based on lain, in`./rust/example_lain`.
-## The afl++ Grammar Mutator
+## The AFL++ Grammar Mutator
-If you use git to clone afl++, then the following will incorporate our
+If you use git to clone AFL++, then the following will incorporate our
 excellent grammar custom mutator: ```sh git submodule update --init
@@ -40,7 +40,7 @@ Multiple custom mutators can be used by separating their paths with `:` in the e ### Superion Mutators
-Adrian Tiron ported the Superion grammar fuzzer to afl++, it is WIP and
+Adrian Tiron ported the Superion grammar fuzzer to AFL++, it is WIP and
 requires cmake (among other things): [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
@@ -52,8 +52,8 @@ transforms protobuf raw: https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator has a transform function you need to fill for your protobuf format, however
-needs to be ported to the updated afl++ custom mutator API (not much work):
+needs to be ported to the updated AFL++ custom mutator API (not much work):
 https://github.com/thebabush/afl-libprotobuf-mutator
-same as above but is for current afl++:
+same as above but is for current AFL++:
 https://github.com/P1umer/AFLplusplus-protobuf-mutator
diff --git a/custom_mutators/honggfuzz/README.md b/custom_mutators/honggfuzz/README.md
index e1cab281..4bf5c462 100644
--- a/custom_mutators/honggfuzz/README.md
+++ b/custom_mutators/honggfuzz/README.md
@@ -1,7 +1,7 @@
 # custum mutator: honggfuzz mangle this is the honggfuzz mutator in mangle.c as a custom mutator
-module for afl++. It is the original mangle.c, mangle.h and honggfuzz.h
+module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h
 with a lot of mocking around it :-) just type `make` to build
diff --git a/docs/Changelog.md b/docs/Changelog.md
index d397a764..c5ff8adb 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -83,7 +83,7 @@ sending a mail to . - on a crashing seed potentially the wrong input was disabled - added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in -i dir crashes the target or results in a timeout. By default
- afl++ ignores these and uses them for splicing instead.
+ AFL++ ignores these and uses them for splicing instead.
 - added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after no new paths have been found for n seconds - when AFL_FAST_CAL is set a variable path will now be calibrated
@@ -237,7 +237,7 @@ sending a mail to . - Updated utils/afl_frida to be 5% faster, 7% on x86_x64 - Added `AFL_KILL_SIGNAL` env variable (thanks @v-p-b) - @Edznux added a nice documentation on how to use rpc.statsd with
- afl++ in docs/rpc_statsd.md, thanks!
+ AFL++ in docs/rpc_statsd.md, thanks!
 ### Version ++3.00c (release) - llvm_mode/ and gcc_plugin/ moved to instrumentation/
@@ -293,7 +293,7 @@ sending a mail to . - custom mutators - added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/ - added a new custom mutator: libfuzzer that integrates libfuzzer mutations
- - Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
+ - Our AFL++ Grammar-Mutator is now better integrated into custom_mutators/
 - added INTROSPECTION support for custom modules - python fuzz function was not optional, fixed - some python mutator speed improvements
@@ -304,7 +304,7 @@ sending a mail to . ### Version ++2.68c (release)
- - added the GSoC excellent afl++ grammar mutator by Shengtuo to our
+ - added the GSoC excellent AFL++ grammar mutator by Shengtuo to our
 custom_mutators/ (see custom_mutators/README.md) - or get it here: https://github.com/AFLplusplus/Grammar-Mutator - a few QOL changes for Apple and its outdated gmake
@@ -327,12 +327,12 @@ sending a mail to . - llvm_mode: - ported SanCov to LTO, and made it the default for LTO. better instrumentation locations
- - Further llvm 12 support (fast moving target like afl++ :-) )
+ - Further llvm 12 support (fast moving target like AFL++ :-) )
 - deprecated LLVM SKIPSINGLEBLOCK env environment ### Version ++2.67c (release)
- - Support for improved afl++ snapshot module:
+ - Support for improved AFL++ snapshot module:
 https://github.com/AFLplusplus/AFL-Snapshot-LKM - Due to the instrumentation needing more memory, the initial memory sizes for -m have been increased
@@ -434,7 +434,7 @@ sending a mail to . files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc. - fix afl-cmin.bash
- - slightly better performance compilation options for afl++ and targets
+ - slightly better performance compilation options for AFL++ and targets
 - fixed afl-gcc/afl-as that could break on fast systems reusing pids in the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
@@ -447,7 +447,7 @@ sending a mail to . - afl-fuzz: - AFL_MAP_SIZE was not working correctly - better python detection
- - an old, old bug in afl that would show negative stability in rare
+ - an old, old bug in AFL that would show negative stability in rare
 circumstances is now hopefully fixed - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY instead (see docs/custom_mutators.md)
@@ -506,8 +506,8 @@ sending a mail to . - extended forkserver: map_size and more information is communicated to afl-fuzz (and afl-fuzz acts accordingly) - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
- - if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
- (this bug is in vanilla afl too)
+ - if AFL_CC/AFL_CXX is set but empty AFL compilers did fail, fixed
+ (this bug is in vanilla AFL too)
 - added NO_PYTHON flag to disable python support when building afl-fuzz - more refactoring
@@ -521,7 +521,7 @@ sending a mail to . - all: - big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn multiple fuzzing threads in the future or even become a library
- - afl basic tools now report on the environment variables picked up
+ - AFL basic tools now report on the environment variables picked up
 - more tools get environment variable usage info in the help output - force all output to stdout (some OK/SAY/WARN messages were sent to stdout, some to stderr)
@@ -670,7 +670,7 @@ sending a mail to . - qemu and unicorn download scripts now try to download until the full download succeeded. f*ckin travis fails downloading 40% of the time! - more support for Android (please test!)
- - added the few Android stuff we didnt have already from Google afl repository
+ - added the few Android stuff we didnt have already from Google AFL repository
 - removed unnecessary warnings
@@ -718,7 +718,7 @@ sending a mail to . - big code refactoring: * all includes are now in include/
- * all afl sources are now in src/ - see src/README.md
+ * all AFL sources are now in src/ - see src/README.md
 * afl-fuzz was split up in various individual files for including functionality in other programs (e.g. forkserver, memory map, etc.) for better readability.
@@ -734,7 +734,7 @@ sending a mail to . - fix building on *BSD (thanks to tobias.kortkamp for the patch) - fix for a few features to support different map sized than 2^16 - afl-showmap: new option -r now shows the real values in the buckets (stock
- afl never did), plus shows tuple content summary information now
+ AFL never did), plus shows tuple content summary information now
 - small docu updates - NeverZero counters for QEMU - NeverZero counters for Unicorn
@@ -777,7 +777,7 @@ sending a mail to . debugging - added -V time and -E execs option to better comparison runs, runs afl-fuzz for a specific time/executions.
- - added a -s seed switch to allow afl run with a fixed initial
+ - added a -s seed switch to allow AFL run with a fixed initial
 seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then - llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_...
@@ -1598,7 +1598,7 @@ sending a mail to . ### Version 1.63b: - Updated cgroups_asan/ with a new version from Sam, made a couple changes
- to streamline it and keep parallel afl instances in separate groups.
+ to streamline it and keep parallel AFL instances in separate groups.
 - Fixed typos, thanks to Jakub Wilk.
@@ -2396,7 +2396,7 @@ sending a mail to . - Added AFL_KEEP_ASSEMBLY for easier troubleshooting.
- - Added an override for AFL_USE_ASAN if set at afl compile time. Requested by
+ - Added an override for AFL_USE_ASAN if set at AFL compile time. Requested by
 Hanno Boeck. ### Version 0.79b:
diff --git a/docs/FAQ.md b/docs/FAQ.md
index 0eeea1c5..0e816062 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -1,8 +1,8 @@
-# Frequently asked questions about afl++
+# Frequently asked questions about AFL++
 ## Contents
- * [What is the difference between afl and afl++?](#what-is-the-difference-between-afl-and-afl)
+ * [What is the difference between AFL and AFL++?](#what-is-the-difference-between-afl-and-afl)
 * [I got a weird compile error from clang](#i-got-a-weird-compile-error-from-clang) * [How to improve the fuzzing speed?](#how-to-improve-the-fuzzing-speed) * [How do I fuzz a network service?](#how-do-i-fuzz-a-network-service)
@@ -14,7 +14,7 @@ If you find an interesting or important question missing, submit it via [https://github.com/AFLplusplus/AFLplusplus/issues](https://github.com/AFLplusplus/AFLplusplus/issues)
-## What is the difference between afl and afl++?
+## What is the difference between AFL and AFL++?
 American Fuzzy Lop (AFL) was developed by MichaƂ "lcamtuf" Zalewski starting in 2013/2014, and when he left Google end of 2017 he stopped developing it.
@@ -24,13 +24,13 @@ it is only accepting PRs from the community and is not developing enhancements anymore. In the second quarter of 2019, 1 1/2 year later when no further development of
-AFL had happened and it became clear there would none be coming, afl++
+AFL had happened and it became clear there would none be coming, AFL++
 was born, where initially community patches were collected and applied for bug fixes and enhancements. Then from various AFL spin-offs - mostly academic research - features were integrated. This already resulted in a much advanced AFL.
-Until the end of 2019 the afl++ team had grown to four active developers which
+Until the end of 2019 the AFL++ team had grown to four active developers which
 then implemented their own research and features, making it now by far the most flexible and feature rich guided fuzzer available as open source. And in independent fuzzing benchmarks it is one of the best fuzzers available,
@@ -52,15 +52,15 @@ clang-13: note: diagnostic msg: ******************** ``` Then this means that your OS updated the clang installation from an upgrade
-package and because of that the afl++ llvm plugins do not match anymore.
+package and because of that the AFL++ llvm plugins do not match anymore.
-Solution: `git pull ; make clean install` of afl++
+Solution: `git pull ; make clean install` of AFL++
 ## How to improve the fuzzing speed? 1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended) 2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase)
- 3. Use the [afl++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase)
+ 3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase)
 4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md) 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure) 6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
@@ -86,7 +86,7 @@ and perform binary fuzzing) you can also use a shared library with AFL_PRELOAD to emulate the network. This is also much faster than the real network would be. See [utils/socket_fuzzing/](../utils/socket_fuzzing/).
-There is an outdated afl++ branch that implements networking if you are
+There is an outdated AFL++ branch that implements networking if you are
 desperate though: [https://github.com/AFLplusplus/AFLplusplus/tree/networking](https://github.com/AFLplusplus/AFLplusplus/tree/networking) - however a better option is AFLnet ([https://github.com/aflnet/aflnet](https://github.com/aflnet/aflnet)) which allows you to define network state with different type of data packets.
@@ -158,7 +158,7 @@ reaction to timing, etc. then in some of the re-executions with the same data the edge coverage result will be different accross runs. Those edges that change are then flagged "unstable".
-The more "unstable" edges, the more difficult for afl++ to identify valid new
+The more "unstable" edges, the more difficult for AFL++ to identify valid new
 paths. A value above 90% is usually fine and a value above 80% is also still ok, and
diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md
index 3b32f5ed..90ea3b66 100644
--- a/docs/binaryonly_fuzzing.md
+++ b/docs/binaryonly_fuzzing.md
@@ -1,12 +1,12 @@
-# Fuzzing binary-only programs with afl++
+# Fuzzing binary-only programs with AFL++
- afl++, libfuzzer and others are great if you have the source code, and
+ AFL++, libfuzzer and others are great if you have the source code, and
 it allows for very fast and coverage guided fuzzing. However, if there is only the binary program and no source code available, then standard `afl-fuzz -n` (non-instrumented mode) is not effective.
- The following is a description of how these binaries can be fuzzed with afl++.
+ The following is a description of how these binaries can be fuzzed with AFL++.
 ## TL;DR:
@@ -39,7 +39,7 @@ Note that there is also honggfuzz: [https://github.com/google/honggfuzz](https://github.com/google/honggfuzz) which now has a qemu_mode, but its performance is just 1.5% ...
- As it is included in afl++ this needs no URL.
+ As it is included in AFL++ this needs no URL.
 If you like to code a customized fuzzer without much work, we highly recommend to check out our sister project libafl which will support QEMU
@@ -56,12 +56,12 @@ frida-gum via utils/afl_frida/, you will have to write a harness to call the target function in the library, use afl-frida.c as a template.
- Both come with afl++ so this needs no URL.
+ Both come with AFL++ so this needs no URL.
 You can also perform remote fuzzing with frida, e.g. if you want to fuzz on iPhone or Android devices, for this you can use [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/)
- as an intermediate that uses afl++ for fuzzing.
+ as an intermediate that uses AFL++ for fuzzing.
 If you like to code a customized fuzzer without much work, we highly recommend to check out our sister project libafl which supports Frida too:
@@ -74,7 +74,7 @@ Wine mode can run Win32 PE binaries with the QEMU instrumentation. It needs Wine, python3 and the pefile python package installed.
- As it is included in afl++ this needs no URL.
+ As it is included in AFL++ this needs no URL.
 ## UNICORN
@@ -83,10 +83,10 @@ In contrast to QEMU, Unicorn does not offer a full system or even userland emulation. Runtime environment and/or loaders have to be written from scratch, if needed. On top, block chaining has been removed. This means the speed boost
- introduced in the patched QEMU Mode of afl++ cannot simply be ported over to
+ introduced in the patched QEMU Mode of AFL++ cannot simply be ported over to
 Unicorn. For further information, check out [unicorn_mode/README.md](../unicorn_mode/README.md).
- As it is included in afl++ this needs no URL.
+ As it is included in AFL++ this needs no URL.
 ## AFL UNTRACER
@@ -153,7 +153,7 @@ As a result, the overall speed decrease is about 70-90% (depending on the implementation and other factors).
- There are two afl intel-pt implementations:
+ There are two AFL intel-pt implementations:
 1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt) => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
@@ -175,7 +175,7 @@ the ARM chip is difficult too. My guess is that it is slower than Qemu, but faster than Intel PT.
- If anyone finds any coresight implementation for afl please ping me: vh@thc.org
+ If anyone finds any coresight implementation for AFL please ping me: vh@thc.org
 ## PIN & DYNAMORIO
diff --git a/docs/custom_mutators.md b/docs/custom_mutators.md
index dc036efc..8b5a4068 100644
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@@ -21,7 +21,7 @@ fuzzing by using libraries that perform mutations according to a given grammar. The custom mutator is passed to `afl-fuzz` via the `AFL_CUSTOM_MUTATOR_LIBRARY` or `AFL_PYTHON_MODULE` environment variable, and must export a fuzz function.
-Now afl also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this.
+Now AFL also supports multiple custom mutators which can be specified in the same `AFL_CUSTOM_MUTATOR_LIBRARY` environment variable like this.
 ```bash export AFL_CUSTOM_MUTATOR_LIBRARY="full/path/to/mutator_first.so;full/path/to/mutator_second.so" ```
diff --git a/docs/docs.md b/docs/docs.md
index ed6ec85e..aa8a4d48 100644
--- a/docs/docs.md
+++ b/docs/docs.md
@@ -1,9 +1,9 @@
-# Restructure afl++'s documentation
+# Restructure AFL++'s documentation
 ## About us We are dedicated to everything around fuzzing, our main and most well known
-contribution is the fuzzer `afl++` which is part of all major Unix
+contribution is the fuzzer `AFL++` which is part of all major Unix
 distributions (e.g. Debian, Arch, FreeBSD, etc.) and is deployed on Google's oss-fuzz and clusterfuzz. It is rated the top fuzzer on Google's fuzzbench.
@@ -11,27 +11,27 @@ We are four individuals from Europe supported by a large community. All our tools are open source.
-## About the afl++ fuzzer project
+## About the AFL++ fuzzer project
-afl++ inherited it's documentation from the original Google afl project.
+AFL++ inherited it's documentation from the original Google AFL project.
 Since then it has been massively improved - feature and performance wise - and although the documenation has likewise been continued it has grown out of proportion. The documentation is done by non-natives to the English language, plus none of us has a writer background.
-We see questions on afl++ usage on mailing lists (e.g. afl-users), discord
+We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord
 channels, web forums and as issues in our repository.
-This only increases as afl++ has been on the top of Google's fuzzbench
+This only increases as AFL++ has been on the top of Google's fuzzbench
 statistics (which measures the performance of fuzzers) and is now being integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix packaging repositories, e.g. Debian, FreeBSD, etc.
-afl++ now has 44 (!) documentation files with 13k total lines of content.
+AFL++ now has 44 (!) documentation files with 13k total lines of content.
 This is way too much.
-Hence afl++ needs a complete overhaul of it's documentation, both on a
+Hence AFL++ needs a complete overhaul of it's documentation, both on a
 organisation/structural level as well as the content. Overall the following actions have to be performed:
@@ -44,9 +44,9 @@ Overall the following actions have to be performed: * The documents have been written and modified by a lot of different people, most of them non-native English speaker. Hence an overall review where parts should be rewritten has to be performed and then the rewrite done.
- * Create a cheat-sheet for a very short best-setup build and run of afl++
+ * Create a cheat-sheet for a very short best-setup build and run of AFL++
 * Pictures explain more than 1000 words. We need at least 4 images that
- explain the workflow with afl++:
+ explain the workflow with AFL++:
 - the build workflow - the fuzzing workflow - the fuzzing campaign management workflow
@@ -65,8 +65,8 @@ us. ## Metrics
-afl++ is a the highest performant fuzzer publicly available - but is also the
-most feature rich and complex. With the publicity of afl++' success and
+AFL++ is a the highest performant fuzzer publicly available - but is also the
+most feature rich and complex. With the publicity of AFL++' success and
 deployment in Google projects internally and externally and availability as a package on most Linux distributions we see more and more issues being created and help requests on our Discord channel that would not be
@@ -75,7 +75,7 @@ is unrealistic. We expect the the new documenation after this project to be cleaner, easier accessible and lighter to digest by our users, resulting in much less
-help requests. On the other hand the amount of users using afl++ should
+help requests. On the other hand the amount of users using AFL++ should
 increase as well as it will be more accessible which would also increase questions again - but overall resulting in a reduction of help requests.
@@ -103,7 +103,7 @@ graphics (but again - this is basically just guessing). Technical Writer 10000$ Volunteer stipends 0$ (waved) T-Shirts for the top 10 contributors and helpers to this documentation project: - 10 afl++ logo t-shirts 20$ each 200$ + 10 AFL++ logo t-shirts 20$ each 200$ 10 shipping cost of t-shirts 10$ each 100$ Total: 10.300$ @@ -118,5 +118,5 @@ We have no experience with a technical writer, but we will support that person with video calls, chats, emails and messaging, provide all necessary information and write technical contents that is required for the success of this project. It is clear to us that a technical writer knows how to write, but cannot know -the technical details in a complex tooling like in afl++. This guidance, input, +the technical details in a complex tooling like in AFL++. This guidance, input, etc. has to come from us. diff --git a/docs/env_variables.md b/docs/env_variables.md index cb0a68d7..5444e3a3 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -11,7 +11,7 @@ ## 1) Settings for all compilers -Starting with afl++ 3.0 there is only one compiler: afl-cc +Starting with AFL++ 3.0 there is only one compiler: afl-cc To select the different instrumentation modes this can be done by 1. passing the --afl-MODE command line option to the compiler 2. or using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++, @@ -23,10 +23,10 @@ To select the different instrumentation modes this can be done by (afl-g*-fast) or `GCC` (afl-gcc/afl-g++). Because (with the exception of the --afl-MODE command line option) the -compile-time tools do not accept afl specific command-line options, they +compile-time tools do not accept AFL specific command-line options, they make fairly broad use of environmental variables instead: - - Some build/configure scripts break with afl++ compilers. To be able to + - Some build/configure scripts break with AFL++ compilers. To be able to pass them, do: ``` export CC=afl-cc 
@@ -37,7 +37,7 @@ make fairly broad use of environmental variables instead: make ``` - - Most afl tools do not print any output if stdout/stderr are redirected. + - Most AFL tools do not print any output if stdout/stderr are redirected. If you want to get the output into a file then set the `AFL_DEBUG` environment variable. This is sadly necessary for various build processes which fail otherwise. @@ -149,7 +149,7 @@ Then there are a few specific features that are only available in instrumentatio This is a different kind way of instrumentation: first it compiles all code in LTO (link time optimization) and then performs an edge inserting instrumentation which is 100% collision free (collisions are a big issue - in afl and afl-like instrumentations). This is performed by using + in AFL and AFL-like instrumentations). This is performed by using afl-clang-lto/afl-clang-lto++ instead of afl-clang-fast, but is only built if LLVM 11 or newer is used. @@ -167,7 +167,7 @@ Then there are a few specific features that are only available in instrumentatio or which functions were touched by an input. - `AFL_LLVM_MAP_ADDR` sets the fixed map address to a different address than the default `0x10000`. A value of 0 or empty sets the map address to be - dynamic (the original afl way, which is slower) + dynamic (the original AFL way, which is slower) - `AFL_LLVM_MAP_DYNAMIC` sets the shared memory address to be dynamic - `AFL_LLVM_LTO_STARTID` sets the starting location ID for the instrumentation. This defaults to 1 
@@ -480,11 +480,11 @@ checks or alter some of the more exotic semantics of the tool: allows you to add tags to your fuzzing instances. This is especially useful when running multiple instances (`-M/-S` for example). Applied tags are `banner` and `afl_version`. `banner` corresponds to the name of the fuzzer provided through `-M/-S`. - `afl_version` corresponds to the currently running afl version (e.g `++3.0c`). + `afl_version` corresponds to the currently running AFL version (e.g `++3.0c`). Default (empty/non present) will add no tags to the metrics. See [rpc_statsd.md](rpc_statsd.md) for more information. - - Setting `AFL_CRASH_EXITCODE` sets the exit code afl treats as crash. + - Setting `AFL_CRASH_EXITCODE` sets the exit code AFL treats as crash. For example, if `AFL_CRASH_EXITCODE='-1'` is set, each input resulting in an `-1` return code (i.e. `exit(-1)` got called), will be treated as if a crash had ocurred. diff --git a/docs/ideas.md b/docs/ideas.md index 0ee69851..325e7031 100644 --- a/docs/ideas.md +++ b/docs/ideas.md @@ -1,4 +1,4 @@ -# Ideas for afl++ +# Ideas for AFL++ In the following, we describe a variety of ideas that could be implemented for future AFL++ versions. diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index 23872899..90e12e89 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md @@ -27,7 +27,7 @@ will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. -Note that afl++ has AFLfast's power schedules implemented. +Note that AFL++ has AFLfast's power schedules implemented. It is therefore a good idea to use different power schedules if you run several instances in parallel. See [power_schedules.md](power_schedules.md) 
@@ -116,7 +116,7 @@ distribute the deterministic fuzzing across. Note that if you boot up fewer fuzzers than indicated by the second number passed to -M, you may end up with poor coverage. -## 4) Syncing with non-afl fuzzers or independant instances +## 4) Syncing with non-AFL fuzzers or independant instances A -M main node can be told with the `-F other_fuzzer_queue_directory` option to sync results from other fuzzers, e.g. libfuzzer or honggfuzz. diff --git a/docs/status_screen.md b/docs/status_screen.md index e3abcc5f..b1cb9696 100644 --- a/docs/status_screen.md +++ b/docs/status_screen.md @@ -35,7 +35,7 @@ american fuzzy lop ++3.01a (default) [fast] {0} The top line shows you which mode afl-fuzz is running in (normal: "american fuzy lop", crash exploration mode: "peruvian rabbit mode") -and the version of afl++. +and the version of AFL++. Next to the version is the banner, which, if not set with -T by hand, will either show the binary name being fuzzed, or the -M/-S main/secondary name for parallel fuzzing. @@ -409,7 +409,7 @@ directory. This includes: - `edges_found` - how many edges have been found - `var_byte_count` - how many edges are non-deterministic - `afl_banner` - banner text (e.g. the target name) - - `afl_version` - the version of afl used + - `afl_version` - the version of AFL used - `target_mode` - default, persistent, qemu, unicorn, non-instrumented - `command_line` - full command line used for the fuzzing session diff --git a/instrumentation/README.instrument_list.md b/instrumentation/README.instrument_list.md index 2116d24c..7db9c055 100644 --- a/instrumentation/README.instrument_list.md +++ b/instrumentation/README.instrument_list.md @@ -1,4 +1,4 @@ -# Using afl++ with partial instrumentation +# Using AFL++ with partial instrumentation This file describes two different mechanisms to selectively instrument only specific parts in the target. 
@@ -13,7 +13,7 @@ the program, leaving the rest uninstrumented. This helps to focus the fuzzer on the important parts of the program, avoiding undesired noise and disturbance by uninteresting code being exercised. -For this purpose, "partial instrumentation" support is provided by afl++ that +For this purpose, "partial instrumentation" support is provided by AFL++ that allows to specify what should be instrumented and what not. Both mechanisms can be used together. @@ -100,7 +100,7 @@ exists somewhere else in the project directories. You can also specify function names. Note that for C++ the function names must be mangled to match! `nm` can print these names. -afl++ is able to identify whether an entry is a filename or a function. +AFL++ is able to identify whether an entry is a filename or a function. However if you want to be sure (and compliant to the sancov allow/blocklist format), you can specify source file entries like this: ``` diff --git a/instrumentation/README.laf-intel.md b/instrumentation/README.laf-intel.md index c50a6979..229807e8 100644 --- a/instrumentation/README.laf-intel.md +++ b/instrumentation/README.laf-intel.md @@ -7,7 +7,7 @@ His blog [Circumventing Fuzzing Roadblocks with Compiler Transformations] (https://lafintel.wordpress.com/) and gitlab repo [laf-llvm-pass] (https://gitlab.com/laf-intel/laf-llvm-pass/) describe some code transformations that -help afl++ to enter conditional blocks, where conditions consist of +help AFL++ to enter conditional blocks, where conditions consist of comparisons of large values. ## Usage diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index 39f6465a..626bc9cb 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md 
@@ -19,7 +19,7 @@ This version requires a current llvm 11+ compiled from the github master. ## Introduction and problem description -A big issue with how afl/afl++ works is that the basic block IDs that are +A big issue with how AFL/AFL++ works is that the basic block IDs that are set during compilation are random - and hence naturally the larger the number of instrumented locations, the higher the number of edge collisions are in the map. This can result in not discovering new paths and therefore degrade the diff --git a/instrumentation/README.out_of_line.md b/instrumentation/README.out_of_line.md index 2264f91f..346fe98d 100644 --- a/instrumentation/README.out_of_line.md +++ b/instrumentation/README.out_of_line.md @@ -1,4 +1,4 @@ -## Using afl++ without inlined instrumentation +## Using AFL++ without inlined instrumentation This file describes how you can disable inlining of instrumentation. diff --git a/instrumentation/README.persistent_mode.md b/instrumentation/README.persistent_mode.md index 26c7aa8f..0517886b 100644 --- a/instrumentation/README.persistent_mode.md +++ b/instrumentation/README.persistent_mode.md @@ -2,7 +2,7 @@ ## 1) Introduction -In persistent mode, afl++ fuzzes a target multiple times +In persistent mode, AFL++ fuzzes a target multiple times in a single process, instead of forking a new process for each fuzz execution. This is the most effective way to fuzz, as the speed can easily be x10 or x20 times faster without any disadvanges. diff --git a/qemu_mode/libcompcov/README.md b/qemu_mode/libcompcov/README.md index 5aaa3dd8..fca20a69 100644 --- a/qemu_mode/libcompcov/README.md +++ b/qemu_mode/libcompcov/README.md @@ -1,4 +1,4 @@ -# strcmp() / memcmp() CompareCoverage library for afl++ QEMU +# strcmp() / memcmp() CompareCoverage library for AFL++ QEMU Written by Andrea Fioraldi diff --git a/unicorn_mode/README.md b/unicorn_mode/README.md index b3df44fa..d2b7d16f 100644 --- a/unicorn_mode/README.md +++ b/unicorn_mode/README.md 
@@ -2,13 +2,13 @@ The idea and much of the original implementation comes from Nathan Voss . -The port to afl++ is by Dominik Maier . +The port to AFL++ is by Dominik Maier . The CompareCoverage and NeverZero counters features are by Andrea Fioraldi . ## 1) Introduction -The code in ./unicorn_mode allows you to build the (Unicorn Engine)[https://github.com/unicorn-engine/unicorn] with afl support. +The code in ./unicorn_mode allows you to build the (Unicorn Engine)[https://github.com/unicorn-engine/unicorn] with AFL support. This means, you can run anything that can be emulated in unicorn and obtain instrumentation output for black-box, closed-source binary code snippets. This mechanism can be then used by afl-fuzz to stress-test targets that couldn't be built @@ -24,7 +24,7 @@ For some pointers for more advanced emulation, take a look at [BaseSAFE](https:/ ### Building AFL++'s Unicorn Mode -First, make afl++ as usual. +First, make AFL++ as usual. Once that completes successfully you need to build and add in the Unicorn Mode features: diff --git a/utils/README.md b/utils/README.md index 7fd6177a..b8df0b47 100644 --- a/utils/README.md +++ b/utils/README.md @@ -41,7 +41,7 @@ Here's a quick overview of the stuff you can find in this directory: - crash_triage - a very rudimentary example of how to annotate crashes with additional gdb metadata. - - custom_mutators - examples for the afl++ custom mutator interface in + - custom_mutators - examples for the AFL++ custom mutator interface in C and Python. Note: They were moved to ../custom_mutators/examples/ 
@@ -64,7 +64,7 @@ Here's a quick overview of the stuff you can find in this directory: - qemu_persistent_hook - persistent mode support module for qemu. - socket_fuzzing - a LD_PRELOAD library 'redirects' a socket to stdin - for fuzzing access with afl++ + for fuzzing access with AFL++ Note that the minimize_corpus.sh tool has graduated from the utils/ directory and is now available as ../afl-cmin. The LLVM mode has likewise diff --git a/utils/aflpp_driver/README.md b/utils/aflpp_driver/README.md index 4ca59776..30e2412f 100644 --- a/utils/aflpp_driver/README.md +++ b/utils/aflpp_driver/README.md @@ -1,4 +1,4 @@ -# afl++ drivers +# AFL++ drivers ## aflpp_driver diff --git a/utils/argv_fuzzing/README.md b/utils/argv_fuzzing/README.md index fa8cad80..192d72f7 100644 --- a/utils/argv_fuzzing/README.md +++ b/utils/argv_fuzzing/README.md @@ -1,6 +1,6 @@ # argvfuzz -afl supports fuzzing file inputs or stdin. When source is available, +AFL supports fuzzing file inputs or stdin. When source is available, `argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin. `argvfuzz` tries to provide the same functionality for binaries. When loaded diff --git a/utils/defork/README.md b/utils/defork/README.md index 7e950323..657ef274 100644 --- a/utils/defork/README.md +++ b/utils/defork/README.md @@ -8,4 +8,4 @@ the target will belive it is running as the child, post-fork. This is defork.c from the amazing preeny project https://github.com/zardus/preeny -It is altered for afl++ to work with its fork-server: the initial fork will go through, the second fork will be blocked. +It is altered for AFL++ to work with its fork-server: the initial fork will go through, the second fork will be blocked. diff --git a/utils/qbdi_mode/README.md b/utils/qbdi_mode/README.md index 334199f2..a68da616 100755 --- a/utils/qbdi_mode/README.md +++ b/utils/qbdi_mode/README.md 
@@ -1,7 +1,7 @@ # qbdi-based binary-only instrumentation for afl-fuzz NOTE: this code is outdated and first would need to be adapted to the current -afl++ versions first. +AFL++ versions first. Try frida_mode/ or fpicker [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) first, maybe they suite your need. ## 1) Introduction diff --git a/utils/socket_fuzzing/README.md b/utils/socket_fuzzing/README.md index 79f28bea..84398a71 100644 --- a/utils/socket_fuzzing/README.md +++ b/utils/socket_fuzzing/README.md @@ -8,4 +8,4 @@ a network socket. This is desock_dup.c from the amazing preeny project https://github.com/zardus/preeny -It is packaged in afl++ to have it at hand if needed +It is packaged in AFL++ to have it at hand if needed -- cgit 1.4.1 From 3f1a2d596f1e722f4f61806a04bed2e12e9b93ac Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Mon, 9 Aug 2021 16:19:21 +0200 Subject: Clean up references to notes_for_asan.md --- README.md | 3 +-- docs/env_variables.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/README.md b/README.md index 28cd4e4c..41672379 100644 --- a/README.md +++ b/README.md @@ -1322,8 +1322,7 @@ Here are some of the most important caveats for AFL: `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This - isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md) - for tips. + isn't due to any specific fault of afl-fuzz. - There is no direct support for fuzzing network services, background daemons, or interactive apps that require UI interaction to work. You may diff --git a/docs/env_variables.md b/docs/env_variables.md index 5444e3a3..cceffa68 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md 
@@ -55,8 +55,7 @@ make fairly broad use of environmental variables instead: overridden. - Setting `AFL_USE_ASAN` automatically enables ASAN, provided that your - compiler supports it. Note that fuzzing with ASAN is mildly challenging - - see [notes_for_asan.md](notes_for_asan.md). + compiler supports it. (You can also enable MSAN via `AFL_USE_MSAN`; ASAN and MSAN come with the same gotchas; the modes are mutually exclusive. UBSAN can be enabled -- cgit 1.4.1 From c775f40ebf935ec85619fa3903af7a20a38baf98 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 12 Aug 2021 14:32:44 +0200 Subject: AFL_IGNORE_PROBLEMS + library checks and documentation --- README.md | 7 +++++++ docs/Changelog.md | 4 ++++ docs/env_variables.md | 4 ++++ include/afl-fuzz.h | 2 +- include/envs.h | 1 + instrumentation/README.lto.md | 28 ++++++++++++++++++++++++++++ src/afl-fuzz-state.c | 7 +++++++ src/afl-fuzz-stats.c | 14 ++++++++++++++ src/afl-fuzz.c | 1 + 9 files changed, 67 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/README.md b/README.md index 438f9425..b3e464e1 100644 --- a/README.md +++ b/README.md @@ -473,6 +473,13 @@ compiler is used. Also - if possible - you should always configure the build system such that the target is compiled statically and not dynamically. How to do this is described below. +The #1 rule when instrumenting a target is: avoid instrumenting shared +libraries at all cost. You would need to set LD_LIBRARY_PATH to point to +these, you could accidently type "make install" and install them system wide - +so don't. Really don't. +**Always compile libraries you want to have instrumented as static and link +these to the target program!** + Then build the target. (Usually with `make`) **NOTES** diff --git a/docs/Changelog.md b/docs/Changelog.md index c5ff8adb..daa014e4 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -9,6 +9,10 @@ Want to stay in the loop on major new features? Join our mailing list by sending a mail to . ### Version ++3.15a (dev) + - afl-fuzz: + added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/docs/env_variables.md b/docs/env_variables.md index cceffa68..0686f1a8 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -432,6 +432,10 @@ checks or alter some of the more exotic semantics of the tool: and RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be enabled in config.h first! + - If afl-fuzz encounters an incorrect fuzzing setup during a fuzzing session + (not at startup), it will terminate. If you do not want this then you can + set `AFL_IGNORE_PROBLEMS`. + - If you are Jakub, you may need `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`. Others need not apply, unless they also want to disable the `/proc/sys/kernel/core_pattern` check. diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 3d528bc4..4b19e698 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -384,7 +384,7 @@ typedef struct afl_env_vars { afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one, afl_bench_until_crash, afl_debug_child, afl_autoresume, afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd, afl_cmplog_only_new, - afl_exit_on_seed_issues, afl_try_affinity; + afl_exit_on_seed_issues, afl_try_affinity, afl_ignore_problems; u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path, *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_preload, diff --git a/include/envs.h b/include/envs.h index 26cc250f..49605330 100644 --- a/include/envs.h +++ b/include/envs.h 
@@ -88,6 +88,7 @@ static char *afl_environment_variables[] = { "AFL_HARDEN", "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", "AFL_IGNORE_UNKNOWN_ENVS", + "AFL_IGNORE_PROBLEMS", "AFL_IMPORT_FIRST", "AFL_INST_LIBS", "AFL_INST_RATIO", diff --git a/instrumentation/README.lto.md b/instrumentation/README.lto.md index 626bc9cb..38252308 100644 --- a/instrumentation/README.lto.md +++ b/instrumentation/README.lto.md @@ -138,6 +138,34 @@ make NOTE: some targets also need to set the linker, try both `afl-clang-lto` and `afl-ld-lto` for `LD=` before `configure`. +## Instrumenting shared libraries + +Note: this is highly discouraged! Try to compile to static libraries with +afl-clang-lto instead of shared libraries! + +To make instrumented shared libraries work with afl-clang-lto you have to do +quite some extra steps. + +Every shared library you want to instrument has to be individually compiled- +The environment variable `AFL_LLVM_LTO_DONTWRITEID=1` has to be set during +compilation. +Additionally the environment variable `AFL_LLVM_LTO_STARTID` has to be set to +the combined edge values of all previous compiled instrumented shared +libraries for that target. +E.g. for the first shared library this would be `AFL_LLVM_LTO_STARTID=0` and +afl-clang-lto will then report how many edges have been instrumented (let's say +it reported 1000 instrumented edges). +The second shared library then has to be set to that value +(`AFL_LLVM_LTO_STARTID=1000` in our example), the third to all previous +combined, etc. + +The final program compilation step then may *not* have `AFL_LLVM_LTO_DONTWRITEID` +set, and `AFL_LLVM_LTO_STARTID` must be set to all combined edges of all shared +libaries it will be linked to. + +This is quite some hands-on work, so better stay away from instrumenting +shared libraries :-) + ## AUTODICTIONARY feature While compiling, a dictionary based on string comparisons is automatically diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c index b832c11e..24ccc108 100644 
--- a/src/afl-fuzz-state.c +++ b/src/afl-fuzz-state.c @@ -267,6 +267,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) { afl->afl_env.afl_force_ui = get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_IGNORE_PROBLEMS", + + afl_environment_variable_len)) { + + afl->afl_env.afl_ignore_problems = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; + } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index ead65b1d..a9deb22d 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -534,6 +534,20 @@ void show_stats(afl_state_t *afl) { t_bytes = count_non_255_bytes(afl, afl->virgin_bits); t_byte_ratio = ((double)t_bytes * 100) / afl->fsrv.real_map_size; + if (unlikely(t_bytes > afl->fsrv.real_map_size)) { + + if (unlikely(!afl->afl_env.afl_ignore_problems)) { + + FATAL( + "Incorrect fuzzing setup detected. Your target seems to have loaded " + "incorrectly instrumented shared libraries. If you use LTO mode " + "please see instrumentation/README.lto.md. To ignore this problem " + "and continue fuzzing just set 'AFL_IGNORE_PROBLEMS=1'.\n"); + + } + + } + if (likely(t_bytes) && unlikely(afl->var_byte_count)) { stab_ratio = 100 - (((double)afl->var_byte_count * 100) / t_bytes); diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 9b9e01a4..8ffc0e77 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
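Review bot: The new `AFL_IGNORE_PROBLEMS` branch appears to carry an added blank line inside the `strncmp(...)` argument list, between the name literal and `afl_environment_variable_len`, whereas the neighbouring `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES` branch keeps the two arguments on consecutive lines. This looks like a formatter accident rather than intent; `} else if (!strncmp(env, "AFL_IGNORE_PROBLEMS",` directly followed by `afl_environment_variable_len)) {` would match the surrounding style. The enclosing read_afl_environment() starts and ends outside the hunk.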
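Review bot: When `AFL_IGNORE_PROBLEMS` is set, the new `t_bytes > afl->fsrv.real_map_size` check in show_stats() does nothing at all, so the user who opted out of the abort never sees that the setup is broken; a one-shot WARNF in an else branch would keep the opt-out while still surfacing the problem (a plain WARNF would repeat on every refresh, since show_stats() is presumably called on each UI update). The check also sits after `t_byte_ratio` is computed from the same values, so in the ignore case the displayed ratio can exceed 100%; worth a comment or a clamp. The condition itself deserves a why-comment, since "more non-255 bytes than real_map_size" is not self-explanatory — presumably count_non_255_bytes() scans the full `map_size`, so a count beyond `real_map_size` means coverage was written outside the agreed map, which is what an incorrectly instrumented shared library does; confirm before wording it. show_stats() starts and ends outside the hunk.
```c
  if (unlikely(t_bytes > afl->fsrv.real_map_size)) {

    if (unlikely(!afl->afl_env.afl_ignore_problems)) {

      FATAL(/* … unchanged: setup-problem message … */);

    } else {

      /* show_stats() is refreshed continuously, so report this only once */
      static u8 warned_ignore_problems = 0;
      if (!warned_ignore_problems) {

        warned_ignore_problems = 1;
        WARNF("Incorrect fuzzing setup detected (non-255 bytes exceed "
              "real_map_size), continuing because AFL_IGNORE_PROBLEMS is set.");

      }

    }

  }
```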
@@ -216,6 +216,7 @@ static void usage(u8 *argv0, int more_help) { "AFL_HANG_TMOUT: override timeout value (in milliseconds)\n" "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers\n" "AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars\n" + "AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run\n" "AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first\n" "AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n" "AFL_MAP_SIZE: the shared memory size for that target. must be >= the size\n" -- cgit 1.4.1 From 6191af744002ec06661dc996a61eeb11e4a58a79 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 17 Aug 2021 10:29:22 +0200 Subject: uninstall makefile target --- .gitignore | 7 +++++++ GNUmakefile | 14 ++++++++++++++ docs/Changelog.md | 1 + 3 files changed, 22 insertions(+) (limited to 'docs') diff --git a/.gitignore b/.gitignore index 5627d8ab..5268bb37 100644 --- a/.gitignore +++ b/.gitignore @@ -54,6 +54,7 @@ afl-showmap.8 afl-system-config.8 afl-tmin.8 afl-whatsup.8 +afl-persistent-config.8 afl-c++ afl-cc afl-lto @@ -87,3 +88,9 @@ utils/afl_network_proxy/afl-network-client utils/afl_network_proxy/afl-network-server utils/plot_ui/afl-plot-ui *.o.tmp +utils/afl_proxy/afl-proxy +utils/optimin/build +utils/optimin/optimin +utils/persistent_mode/persistent_demo +utils/persistent_mode/persistent_demo_new +utils/persistent_mode/test-instr diff --git a/GNUmakefile b/GNUmakefile index 66fc0f07..2161e68d 100644 --- a/GNUmakefile +++ b/GNUmakefile 
@@ -353,6 +353,7 @@ help: @echo "install: installs everything you have compiled with the build option above" @echo "clean: cleans everything compiled (not downloads when on a checkout)" @echo "deepclean: cleans everything including downloads" + @echo "uninstall: uninstall afl++ from the system" @echo "code-format: format the code, do this before you commit and send a PR please!" @echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem" @echo "unit: perform unit tests (based on cmocka and GNU linker)" @@ -691,3 +692,16 @@ endif install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH) cp -r testcases/ $${DESTDIR}$(MISC_PATH) cp -r dictionaries/ $${DESTDIR}$(MISC_PATH) + +.PHONY: uninstall +uninstall: + -cd $${DESTDIR}$(BIN_PATH) && rm -f $(PROGS) $(SH_PROGS) afl-qemu-trace afl-plot-ui afl-fuzz-document afl-network-server afl-g* afl-plot.sh afl-as afl-ld-lto afl-c* afl-lto* + -cd $${DESTDIR}$(HELPER_PATH) && rm -f afl-g*.*o afl-llvm-*.*o afl-compiler-*.*o libdislocator.so libtokencap.so libcompcov.so libqasan.so afl-frida-trace.so socketfuzz*.so argvfuzz*.so libAFLDriver.a libAFLQemuDriver.a as afl-as SanitizerCoverage*.so compare-transform-pass.so cmplog-*-pass.so split-*-pass.so dynamic_list.txt + -rm -rf $${DESTDIR}$(MISC_PATH)/testcases $${DESTDIR}$(MISC_PATH)/dictionaries + -sh -c "ls docs/*.md | sed 's|^docs/|$${DESTDIR}$(DOC_PATH)/|' | xargs rm -f" + -cd $${DESTDIR}$(MAN_PATH) && rm -f $(MANPAGES) + -rmdir $${DESTDIR}$(BIN_PATH) 2>/dev/null + -rmdir $${DESTDIR}$(HELPER_PATH) 2>/dev/null + -rmdir $${DESTDIR}$(MISC_PATH) 2>/dev/null + -rmdir $${DESTDIR}$(DOC_PATH) 2>/dev/null + -rmdir $${DESTDIR}$(MAN_PATH) 2>/dev/null diff --git a/docs/Changelog.md b/docs/Changelog.md index daa014e4..3a2658f0 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
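Review bot: The `uninstall` recipe removes files by wildcard inside shared system directories — `rm -f … afl-g* … afl-c* afl-lto*` in `$(BIN_PATH)` and `afl-g*.*o afl-llvm-*.*o …` in `$(HELPER_PATH)` — which deletes anything whose name happens to match, not only what the `install` target put there, and it typically runs as root; the explicit names the install rules use (`$(PROGS) $(SH_PROGS)` are already on the line) would be safer than the globs. The `-cd $${DESTDIR}$(BIN_PATH) && rm -f …` form also has no guard against an empty path: if `DESTDIR` and `BIN_PATH` both expand to nothing, some shells treat `cd ''` as a successful no-op and the `rm -f afl-c* afl-g*` then runs against the current checkout, so a `test -n "$(BIN_PATH)" &&` prefix (likewise for the other `*_PATH` lines) is cheap insurance. The trailing `rmdir` lines only succeed on empty directories, so they are mostly harmless, but it is worth a comment that they intentionally try to remove `$(BIN_PATH)`/`$(MAN_PATH)` themselves, since those are usually shared with other packages. The `ls docs/*.md` line silently does nothing when run outside the source tree; that is acceptable given the `-` prefix but should be stated in a comment.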
@@ -23,6 +23,7 @@ sending a mail to . - added xml, curl and exotic string functions to llvm dictionary features - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better + - added uninstall target to makefile (todo: update new readme!) ### Version ++3.14c (release) -- cgit 1.4.1 From 591d6c59c758d1043f8690e4e9dda22dbbefbc1c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 19 Aug 2021 17:02:17 +0200 Subject: fix shared linking on macos --- docs/Changelog.md | 8 +++++--- instrumentation/afl-compiler-rt.o.c | 7 ++++++- src/afl-cc.c | 13 +++++++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 3a2658f0..7ccae7c2 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -10,9 +10,11 @@ sending a mail to . ### Version ++3.15a (dev) - afl-fuzz: - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on - incorrect LTO usage setups and enhanced the READMEs for better - information on how to deal with instrumenting libraries + - added AFL_IGNORE_PROBLEMS plus checks to identify and abort on + incorrect LTO usage setups and enhanced the READMEs for better + information on how to deal with instrumenting libraries + - afl-cc: + - fix for shared linking on MacOS - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/instrumentation/afl-compiler-rt.o.c b/instrumentation/afl-compiler-rt.o.c index 18b0a55b..9acab4e7 100644 --- a/instrumentation/afl-compiler-rt.o.c +++ b/instrumentation/afl-compiler-rt.o.c 
@@ -1273,7 +1273,12 @@ __attribute__((constructor(1))) void __afl_auto_second(void) { if (__afl_already_initialized_second) return; __afl_already_initialized_second = 1; - if (getenv("AFL_DEBUG")) { __afl_debug = 1; } + if (getenv("AFL_DEBUG")) { + + __afl_debug = 1; + fprintf(stderr, "DEBUG: debug enabled\n"); + + } if (getenv("AFL_DISABLE_LLVM_INSTRUMENTATION")) return; u8 *ptr; diff --git a/src/afl-cc.c b/src/afl-cc.c index a61635a2..e49addc4 100644 --- a/src/afl-cc.c +++ b/src/afl-cc.c @@ -793,6 +793,7 @@ static void edit_params(u32 argc, char **argv, char **envp) { if (!strcmp(cur, "-x")) x_set = 1; if (!strcmp(cur, "-E")) preprocessor_only = 1; if (!strcmp(cur, "-shared")) shared_linking = 1; + if (!strcmp(cur, "-dynamiclib")) shared_linking = 1; if (!strcmp(cur, "-Wl,-r")) partial_linking = 1; if (!strcmp(cur, "-Wl,-i")) partial_linking = 1; if (!strcmp(cur, "-Wl,--relocatable")) partial_linking = 1; @@ -1085,6 +1086,18 @@ static void edit_params(u32 argc, char **argv, char **envp) { alloc_printf("-Wl,--dynamic-list=%s/dynamic_list.txt", obj_path); #endif + #if defined(__APPLE__) + if (shared_linking || partial_linking) { + + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___afl_area_ptr"; + cc_params[cc_par_cnt++] = "-Wl,-U"; + cc_params[cc_par_cnt++] = "-Wl,___sanitizer_cov_trace_pc_guard_init"; + + } + + #endif + } #if defined(USEMMAP) && !defined(__HAIKU__) -- cgit 1.4.1
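Review bot: The new `__APPLE__` branch hard-codes the two symbols allowed to stay undefined in a shared/partial link (`___afl_area_ptr`, `___sanitizer_cov_trace_pc_guard_init`), while the non-Apple path just above exports its list from `dynamic_list.txt`; nothing ties the two together, so a runtime symbol added to dynamic_list.txt later would silently be missing here. A comment such as `/* keep in sync with the runtime symbols in dynamic_list.txt */` next to the `#if defined(__APPLE__)` would make that coupling visible. The four `cc_params[cc_par_cnt++]` stores add entries without a visible bounds check — presumably cc_params is sized with headroom elsewhere in the file, but that is worth confirming since `-dynamiclib` in the first hunk widens the set of invocations that reach this code. The enclosing edit_params() starts and ends outside the hunk.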