From 26a5bd625ccbd8de4fbc9b5eea263d092bd405e5 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 18 Nov 2022 12:23:18 +0100 Subject: write queue statistics --- docs/Changelog.md | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index c5eb6be3..4df47645 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -9,6 +9,9 @@ send fuzz data to the target as you need, e.g. via IPC. - cmplog mode now has -l R option for random colorization, thanks to guyf2010 for the PR! + - queue statistics are written every 30 minutes to + out/NAME/queue_data - likely this will be moved to a debug flag + in the future. - afl-showmap/afl-cmin - -t none now translates to -t 120000 (120 seconds) - unicorn_mode updated -- cgit 1.4.1 From b7c87350cf3481416b782fe19bc56467090ff220 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Fri, 18 Nov 2022 17:04:16 +0100 Subject: Make env description extra clear --- docs/env_variables.md | 8 ++++---- unicorn_mode/unicornafl | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/env_variables.md b/docs/env_variables.md index d1c13e15..22a5c386 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -378,10 +378,10 @@ checks or alter some of the more exotic semantics of the tool: valid terminal was detected (for virtual consoles). - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout - to wait for the forkserver to spin up. The default is the `-t` value times - `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the - default would wait for `1000` milliseconds. Setting a different time here is - useful if the target has a very slow startup time, for example, when doing + to wait for the forkserver to spin up. The specified value is the new timeout, in milliseconds. + The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds. + The `AFL_FORKSRV_INIT_TMOUT` value does not get multiplied. It overwrites the initial timeout afl-fuzz waits for the target to come up with a constant time. + Setting a different time here is useful if the target has a very slow startup time, for example, when doing full-system fuzzing or emulation, but you don't want the actual runs to wait too long for timeouts. diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6e00ceac..0a31c2b2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6e00ceac6fd5627e42e1858c543c84f2fbdaedda +Subproject commit 0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe -- cgit 1.4.1 From ef0921d858be0d54f3ebfe88e361ba54fb9ba69d Mon Sep 17 00:00:00 2001 From: fedotoff Date: Mon, 21 Nov 2022 12:59:23 +0300 Subject: Add CASR as third party tool in docs. --- docs/third_party_tools.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs') diff --git a/docs/third_party_tools.md b/docs/third_party_tools.md index 1175d9e5..97f2c362 100644 --- a/docs/third_party_tools.md +++ b/docs/third_party_tools.md @@ -62,3 +62,5 @@ generates builds of debian packages suitable for AFL. * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data. +* [CASR](https://github.com/ispras/casr) - a set of tools for crash triage and + analysis. -- cgit 1.4.1 From 2c39c51263fd38de50ef41ff30075c1282997e14 Mon Sep 17 00:00:00 2001 From: fedotoff Date: Mon, 21 Nov 2022 15:18:19 +0300 Subject: casr-afl short description in fuzzing_in_depth. --- docs/fuzzing_in_depth.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index a0bf1566..1645ba5c 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -900,6 +900,32 @@ then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. +`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides a +straightforward CASR integration with AFL++. While walking through afl +instances, `casr-afl` generates crash reports depending on target binary. For +binary with ASAN `casr-san` is used, otherwise `casr-gdb`. On the next step +report deduplication is done by `casr-cluster`. Finally, reports are triaged +into clusters. Crash reports contain many useful information: severity +(like [exploitable](https://github.com/jfoote/exploitable)), OS and package +versions, command line, stack trace, register values, disassembly, and even +source code fragment where crash appeared. + +**NOTE:** `casr-gdb` and `casr-san` should be in PATH to make `casr-afl` work. +Before using casr-afl, please, follow the installation +[guide](https://github.com/ispras/casr#getting-started). Using `casr-afl` is +very simple: + +```shell +casr-afl -i /path/to/afl/out/dir -o /path/to/casr/out/dir +``` + +Output directory contains subdirectories (cl1...clN) with report clusters. To +view reports you could use `casr-cli` tool: + +```shell +casr-cli /path/to/casr/out/dir/cl1/report.casrep +``` + ## 5. CI fuzzing Some notes on continuous integration (CI) fuzzing - this fuzzing is different to -- cgit 1.4.1 From a16726039f167548da86ce51d0cf4bd1b04e5374 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 21 Nov 2022 13:28:07 +0100 Subject: shorten text --- docs/fuzzing_in_depth.md | 25 +++---------------------- unicorn_mode/unicornafl | 2 +- 2 files changed, 4 insertions(+), 23 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index 1645ba5c..87f31a58 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -900,32 +900,13 @@ then color-codes the input based on which sections appear to be critical and which are not; while not bulletproof, it can often offer quick insights into complex file formats. -`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides a -straightforward CASR integration with AFL++. While walking through afl -instances, `casr-afl` generates crash reports depending on target binary. For -binary with ASAN `casr-san` is used, otherwise `casr-gdb`. On the next step -report deduplication is done by `casr-cluster`. Finally, reports are triaged -into clusters. Crash reports contain many useful information: severity -(like [exploitable](https://github.com/jfoote/exploitable)), OS and package -versions, command line, stack trace, register values, disassembly, and even -source code fragment where crash appeared. - -**NOTE:** `casr-gdb` and `casr-san` should be in PATH to make `casr-afl` work. -Before using casr-afl, please, follow the installation -[guide](https://github.com/ispras/casr#getting-started). Using `casr-afl` is -very simple: - +`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides +comfortable triaging for crashes found by AFL++. Reports are clustered and +contain severity and other information. ```shell casr-afl -i /path/to/afl/out/dir -o /path/to/casr/out/dir ``` -Output directory contains subdirectories (cl1...clN) with report clusters. To -view reports you could use `casr-cli` tool: - -```shell -casr-cli /path/to/casr/out/dir/cl1/report.casrep -``` - ## 5. CI fuzzing Some notes on continuous integration (CI) fuzzing - this fuzzing is different to diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 0a31c2b2..6e00ceac 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 0a31c2b28bf7037fe8b0ff376521fdbdf28a9efe +Subproject commit 6e00ceac6fd5627e42e1858c543c84f2fbdaedda -- cgit 1.4.1