From 179b118bc93c9b3308f62deeebd13db528d8349d Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:13:04 +0100 Subject: Fix some typos and wrong words. --- docs/important_changes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/important_changes.md b/docs/important_changes.md index 040a086d..39fe56b9 100644 --- a/docs/important_changes.md +++ b/docs/important_changes.md @@ -12,11 +12,11 @@ With AFL++ 4.00, we introduced the following changes from previous behaviors: * better naming for several fields in the UI With AFL++ 3.15, we introduced the following changes from previous behaviors: - * afl-cmin and afl-showmap -Ci now descent into subdirectories like afl-fuzz + * afl-cmin and afl-showmap -Ci now descend into subdirectories like afl-fuzz -i does (but note that afl-cmin.bash does not) With AFL++ 3.14, we introduced the following changes from previous behaviors: - * afl-fuzz: deterministic fuzzing it not a default for -M main anymore + * afl-fuzz: deterministic fuzzing is not a default for -M main anymore * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash, however, does not) @@ -44,9 +44,9 @@ behaviors and defaults: * if neither -M or -S is specified, `-S default` is assumed, so more fuzzers can easily be added later * `-i` input directory option now descends into subdirectories. It also does - not fatal on crashes and too large files, instead it skips them and uses + not fail on crashes and too large files, instead it skips them and uses them for splicing mutations - * -m none is now default, set memory limits (in MB) with, e.g., -m 250 + * -m none is now the default, set memory limits (in MB) with, e.g., -m 250 * deterministic fuzzing is now disabled by default (unless using -M) and can be enabled with -D * a caching of test cases can now be performed and can be modified by -- cgit 1.4.1 
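Review bot: in the second hunk, the corrected line `-m none is now the default, set memory limits (in MB) with, e.g., -m 250` still joins two independent clauses with a comma; write `-m none is now the default; set memory limits (in MB) with, e.g., -m 250`. The same applies to `not fail on crashes and too large files, instead it skips them` two lines above it, where `instead` opens a new clause (`; instead, it skips them and uses them for splicing mutations`).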
From add85f34d1f1b6a0a9850537f908316db73cf6de Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 15:26:30 +0100 Subject: Format some terms as code. --- docs/INSTALL.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index efec0d8b..2c1eaeb9 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -12,7 +12,7 @@ docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus ``` This image is automatically generated when a push to the stable repo happens. -You will find your target source code in /src in the container. +You will find your target source code in `/src` in the container. If you want to build AFL++ yourself, you have many options. The easiest choice is to build and install everything: @@ -33,8 +33,8 @@ sudo make install It is recommended to install the newest available gcc, clang and llvm-dev possible in your distribution! -Note that "make distrib" also builds FRIDA mode, QEMU mode, unicorn_mode -and more. If you just want plain AFL++, then do "make all". If you want +Note that `make distrib` also builds FRIDA mode, QEMU mode, unicorn_mode +and more. If you just want plain AFL++, then do `make all`. If you want some assisting tooling compiled but are not interested in binary-only targets then instead choose: -- cgit 1.4.1 From 30666cb81eca8b36b7f95ee569ec3fd85ae616b5 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 16:59:37 +0100 Subject: Highlight what a basic block is. Highlight the different parts that characterize what a basic block is. This makes it slightly easier to read/understand IMHO. --- docs/FAQ.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 3d3dce20..7ca7b178 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -58,10 +58,10 @@ If you find an interesting or important question missing, submit it via A program contains `functions`, `functions` contain the compiled machine code. The compiled machine code in a `function` can be in a single or many `basic - blocks`. A `basic block` is the largest possible number of subsequent machine - code instructions that has exactly one entry point (which can be be entered by - multiple other basic blocks) and runs linearly without branching or jumping to - other addresses (except at the end). + blocks`. A `basic block` is the **largest possible number of subsequent machine + code instructions** that has **exactly one entry point** (which can be be entered by + multiple other basic blocks) and runs linearly **without branching or jumping to + other addresses** (except at the end). ``` function() { @@ -225,4 +225,4 @@ If you find an interesting or important question missing, submit it via package and because of that the AFL++ llvm plugins do not match anymore. Solution: `git pull ; make clean install` of AFL++. -

\ No newline at end of file +
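Review bot: the rewritten `+` lines of the basic-block hunk keep the doubled word in `(which can be be entered by multiple other basic blocks)`; since the line is already being touched, drop the second `be`. The bold spans themselves read well and match the three properties (maximal length, single entry point, no internal branching) the paragraph lists.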

-- cgit 1.4.1 From 6a7f184c4e27796734a1d8408c8f8abdfc04cad5 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:00:26 +0100 Subject: Fix broken `code` formatting --- docs/FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 7ca7b178..90cae453 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -191,7 +191,7 @@ If you find an interesting or important question missing, submit it via AFL++ comes with several power schedules, initially ported from [AFLFast](https://github.com/mboehme/aflfast) however modified to be more effective and several more modes added. - The most effective modes are '-p fast` (default) and `-p explore`. + The most effective modes are `-p fast` (default) and `-p explore`. If you fuzz with several parallel afl-fuzz instances, then it is beneficial to assign a different schedule to each instance, however the majority should -- cgit 1.4.1 From d8920e31f861501156f366a54f80f9a9f9368df7 Mon Sep 17 00:00:00 2001 From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:13:25 +0100 Subject: Add a comma to make sentence easier to understand. --- docs/best_practices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/best_practices.md b/docs/best_practices.md index 96c6e3c2..133c645e 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md @@ -116,7 +116,7 @@ allows you to define network state with different type of data packets. ### Improving stability -For fuzzing a 100% stable target that covers all edges is the best case. A 90% +For fuzzing, a 100% stable target that covers all edges is the best case. A 90% stable target that covers all edges is, however, better than a 100% stable target that ignores 10% of the edges. 
@@ -189,4 +189,4 @@ coding and/or disassembly and is effectively possible only with `afl-clang-fast` Recompile, fuzz it, be happy :) This link explains this process for - [Fuzzbench](https://github.com/google/fuzzbench/issues/677). \ No newline at end of file + [Fuzzbench](https://github.com/google/fuzzbench/issues/677). -- cgit 1.4.1 From 091fa09e5eb8b69108933bac268fbc214cb49a65 Mon Sep 17 00:00:00 2001 From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:42:38 +0100 Subject: Update fuzzing_binary-only_targets.md Fixing some parts in the description of Retrowrite. --- docs/fuzzing_binary-only_targets.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 855d7756..3d3e0ddb 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -198,8 +198,8 @@ afl-clang-fast's. ### RetroWrite -If you have an x86/x86_64 binary that still has its symbols, is compiled with -position independent code (PIC/PIE), and does not use most of the C++ features, +If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), is compiled with +position independent code (PIC/PIE), and does not contain C++ exceptions, then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. @@ -302,4 +302,4 @@ some are very hard to set-up... ## Closing words -That's it! News, corrections, updates? Send an email to vh@thc.org. \ No newline at end of file +That's it! News, corrections, updates? Send an email to vh@thc.org. -- cgit 1.4.1 From 2342c85db4669c1d130249dcc4f68a7db9d68ff1 Mon Sep 17 00:00:00 2001 
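Review bot: the rewritten first line of the RetroWrite paragraph now runs well past the wrap width of the rest of the paragraph (which wraps at roughly 80 columns); rewrap it, and make the parenthetical `(i.e., not a stripped binary)`. The unchanged context line `It decompiles to ASM files` is also a misnomer on its own terms: producing assembly is disassembly, not decompilation, so `It disassembles to ASM files` describes the described workflow (ASM that is then instrumented with afl-gcc) correctly.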
From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Tue, 11 Jan 2022 18:08:52 +0100 Subject: Update fuzzing_binary-only_targets.md --- docs/fuzzing_binary-only_targets.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 3d3e0ddb..874cf068 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -198,12 +198,15 @@ afl-clang-fast's. ### RetroWrite -If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), is compiled with -position independent code (PIC/PIE), and does not contain C++ exceptions, +RetroWrite is a static binary rewriter that can be combined with AFL++. +If you have an x86_64 binary that still has its symbols (i.e., not stripped binary), +is compiled with position independent code (PIC/PIE), and does not contain C++ exceptions, then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. -It is at about 80-85% performance. +Binaries that are statically instrumented for fuzzing using RetroWrite are identical +in performance to compiler-instrumented binaries and outperform +the QEMU-based instrumentation by 4.5x. [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) -- cgit 1.4.1 From 8764375357df2a37d97de4bdb509781cec661923 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 10:36:22 +0100 Subject: test svg background --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index 0cccee6f..dff9f351 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
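Review bot: `identical in performance to compiler-instrumented binaries and outperform the QEMU-based instrumentation by 4.5x` is a strong quantitative claim with no source; the paragraph only links the project repository. Cite where the 4.5x figure and the `identical` comparison come from, or soften to a qualitative statement (a later commit on this page does exactly that, changing `identical` to `close` and dropping `by 4.5x`). Note also that the removed line `It is at about 80-85% performance.` contradicts the new claim, so both numbers cannot be right; state which measurement the document follows.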
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From b7ddde636be70caf84bf2ab910b021dbe0044098 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 10:42:40 +0100 Subject: svg test --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index dff9f351..aca85185 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file -- cgit 1.4.1 From e663897a8a07e4631ca6d3eccac7e6717be9a4dd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 12 Jan 2022 11:27:19 +0100 Subject: fix --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index aca85185..0cccee6f 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
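Review bot: the index line `aca85185..0cccee6f` shows this `fix` commit restores the exact blob that the first `test svg background` commit (`0cccee6f..dff9f351`) replaced, so the three commits `test svg background`, `svg test` and `fix` are a net no-op on `0_fuzzing_process_overview.drawio.svg`. Squash or drop them before merging, and give whichever survives a message that names the attribute being changed, since the extracted text of the `-` and `+` lines is identical and the change is invisible here.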
\ No newline at end of file -- cgit 1.4.1 From 5e478294627aa7ab58dc1545805e5141be44ac3c Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:27:09 +0100 Subject: Add white background to SVG files --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/2_prepare_campaign.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index 0cccee6f..d4ae9cab 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Check coverageMonitor statusTriage crashesUse multiple coresUse multiple machinesRun afl-fuzzMake input corpus uniqueMinimize corpus fileCollect inputsSelect compilerSelect optionsSelect sanitizerCompile target source codeWrite and compile harnessModify target
Instrument target
Instrument target
Fuzz target
Fuzz target
Manage campaign
Manage campaign
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 9e2d8734..90c52760 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index 92cc61c0..aaf50758 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,4 +1,4 @@ -
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Prepare campaign
Prepare campaign
Required task
Required task
Optional task
Optional task
Make input corpus unique


Use afl-cmin on input corpus.
Make input corpus unique...
Minimize corpus file


Use afl-tmin on input files.
Minimize corpus file...
Collect inputs


Collect one or more input files.
Collect inputs...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index a4e5c940..9a30a57c 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index dae9fbf9..b8296257 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
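Review bot: the `+` line of this hunk still ends without a trailing newline (the `\ No newline at end of file` marker follows both the `-` and the `+` line), as in the four SVG hunks before it. Since earlier commits in this series add the missing final newline to the Markdown files, do the same here while the generated SVG is being rewritten anyway.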
\ No newline at end of file -- cgit 1.4.1 From e7ddd15fa50d58a02523dd079f33246cb2fa21c5 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:46:37 +0100 Subject: Incorporate feedback --- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 90c52760..5dcc8525 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LTO)

CmpLog
(only LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Select one sanitizer
per instance:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

All AFL++ compilers
do this automatically.
Modify target...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Instrument target
Instrument target
Required task
Required task
Optional task
Optional task
Select compiler

LTO mode
(clang/clang++ 11+)

LLVM mode
(clang/clang++ 3.8+)

GCC_PLUGIN mode
(gcc 5+)

GCC/CLANG mode
(other)
Select compiler...
Select options

Select options depending on
the compiler:

COMPCOV
(only LLVM & LTO)

CmpLog
(only LLVM & LTO)

selective instrumentation
(LTO, LLVM, GCC_PLUGIN)
Select options...
Select sanitizer

Max. one sanitizer type each
in a fuzzing campaign:

ASAN
CFISAN
LSAN
MSAN
TSAN
UBSAN
Select sanitizer...
Compile target source code

Compile target source code depending on the build system:

configure
CMake
Meson Build System
other
Compile target source code...
Modify target

Create a fuzzing harness
by hand for better efficiency.
Modify target...
Viewer does not support full SVG 1.1
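Review bot: `Max. one sanitizer type each in a fuzzing campaign` is ambiguous: it can be read as "at most one sanitizer per instance" (what the replaced text `Select one sanitizer per instance` said) or as "each sanitizer type at most once across the whole campaign". If both constraints are intended, spell them out, e.g. `One sanitizer per instance; each sanitizer type at most once per campaign`. The `Modify target` box now says `Create a fuzzing harness by hand for better efficiency`, which is good, but the replaced `All AFL++ compilers do this automatically` was the only text saying that no source change is required for plain instrumentation; consider keeping one sentence to that effect so readers do not conclude a harness is mandatory.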
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index 9a30a57c..8c97b8e2 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1

Use up to 32/64 cores
on each machine.

Cache test cases.
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Fuzz target
Fuzz target
Required task
Required task
Optional task
Optional task
Use multiple cores

Fuzz one target with
multiple instances:

One main fuzzer:
-M main

Secondary fuzzers:
-S variant1
Use multiple cores...
Use multiple machines

Fuzz one target with
multiple machines:

One main fuzzer per server:
-M main-$HOSTNAME

Secondary fuzzers:
-S variant1

Sync between the servers.
Use multiple machines...
Run afl-fuzz

Reconfigure the
system for optimal speed.

Specify the input corpus directory.

Add a dictionary.

Set a memory limit.
Run afl-fuzz...
Viewer does not support full SVG 1.1
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index b8296257..969f47fd 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use afl-analyze to find
critical sections in test cases.
Triage crashes...
Start new campaign

Stop instances without
crashes.

Start new instances with
different options.

Select new test cases
based on insights.
Start new campaign...
Viewer does not support full SVG 1.1
\ No newline at end of file +
Check coverage

Use afl-showmap to get
code coverage statistics.

Use afl-cov to generate an HTML report on coverage.
Check coverage...
Manage campaign
Manage campaign
Required task
Required task
Optional task
Optional task
Monitor status

Use afl-whatsup to show the status of the fuzzing campaign.

Use afl-plot to generate an HTML report with graphs.
Monitor status...
Triage crashes

Use afl-fuzz with -C flag to run crash exploration mode.

Use afl-tmin on test cases
for minimization.

Use gdb or third-party
exploitable tools to analyze crashes.
Triage crashes...
Optimize campaign

Stop instances that are not performing well.

Start new instances with
different options.

Select new test cases
based on insights.
Optimize campaign...
Viewer does not support full SVG 1.1
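Review bot: in `Use gdb or third-party exploitable tools to analyze crashes`, `exploitable` reads as an adjective, so the sentence says "tools that can be exploited". If it refers to the GDB `exploitable` crash-triage plugin, format it as a name (e.g. `Use gdb, the exploitable plugin, or third-party tools to analyze crashes`). Renaming `Start new campaign` to `Optimize campaign` and `Stop instances without crashes` to `Stop instances that are not performing well` is an improvement, since an instance with no crashes may still be finding new coverage.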
\ No newline at end of file -- cgit 1.4.1 From 9e38c43686dad2feb2db30a065bda570421e217a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 10:32:47 +0100 Subject: update changelog --- docs/Changelog.md | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index c4786bf3..6ab1794c 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -56,6 +56,7 @@ sending a mail to . - better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST on filename matching (requires llvm 11 or newer) - fixed a potential crash in targets for LAF string handling + - fixed a bad assert in LAF split switches - added AFL_USE_TSAN thread sanitizer support - llvm and LTO mode modified to work with new llvm 14-dev (again. again.) - fix for AFL_REAL_LD -- cgit 1.4.1 From 8f7e584b82e14eced00e7bd3f8c0eaf041263e12 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 13 Jan 2022 12:15:19 +0100 Subject: more faq --- docs/FAQ.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'docs') diff --git a/docs/FAQ.md b/docs/FAQ.md index 90cae453..73328d6e 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md @@ -203,6 +203,31 @@ If you find an interesting or important question missing, submit it via ## Troubleshooting +
+ FATAL: forkserver is already up but an instrumented dlopen library loaded afterwards

+ + It can happen that you see this error on startup when fuzzing a target: + + ``` + [-] FATAL: forkserver is already up, but an instrumented dlopen() library + loaded afterwards. You must AFL_PRELOAD such libraries to be able + to fuzz them or LD_PRELOAD to run outside of afl-fuzz. + To ignore this set AFL_IGNORE_PROBLEMS=1. + ``` + + As the error describes, a dlopen() call is happening in the target that is loading an instrumented library after the forkserver is already in place, + This is a problem for afl-fuzz because when the forkserver is started we must know the map size already and it can't be changed later. + + The best solution is to simply set `AFL_PRELOAD=foo.so` the libraries that + are dlopen'ed (e.g. use `strace` to see which), or to set a manual forkserver + after the final dlopen(). + + If this is not a viable option you can set `AFL_IGNORE_PROBLEMS=1` but then + the existing map will be used also for the newly loaded libraries, which + allows it to work, however the efficiency of the fuzzing will be partially + degraded. +

+
I got a weird compile error from clang.
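Review bot: the added troubleshooting text has two sentence-level problems. `...after the forkserver is already in place, This is a problem for afl-fuzz...` joins two sentences with a comma; end the first with a period. `set \`AFL_PRELOAD=foo.so\` the libraries that are dlopen'ed (e.g. use \`strace\` to see which)` is missing its object; suggest `set AFL_PRELOAD to the libraries that are dlopen'ed, e.g. AFL_PRELOAD=foo.so (use strace to see which)`. Also make the summary line `FATAL: forkserver is already up but an instrumented dlopen library loaded afterwards` match the message quoted in the fenced block (`dlopen() library`), so that users searching for the exact error text find the entry.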

-- cgit 1.4.1 From 4c07e37eae093687169245fd473ad01cc3a37736 Mon Sep 17 00:00:00 2001 From: Majid Salehi <64958231+pwnforce@users.noreply.github.com> Date: Thu, 13 Jan 2022 14:48:05 +0100 Subject: Update fuzzing_binary-only_targets.md --- docs/fuzzing_binary-only_targets.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 874cf068..32e6c6c2 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -204,9 +204,9 @@ is compiled with position independent code (PIC/PIE), and does not contain C++ e then the RetroWrite solution might be for you. It decompiles to ASM files which can then be instrumented with afl-gcc. -Binaries that are statically instrumented for fuzzing using RetroWrite are identical +Binaries that are statically instrumented for fuzzing using RetroWrite are close in performance to compiler-instrumented binaries and outperform -the QEMU-based instrumentation by 4.5x. +the QEMU-based instrumentation. [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) -- cgit 1.4.1 From 1ca33174253ab430c9327927f6116458d6f1b793 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 14 Jan 2022 11:22:16 +0100 Subject: Add link to image --- docs/resources/4_manage_campaign.drawio.svg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index 969f47fd..6c531388 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[diagram text extracted from the old docs/resources/4_manage_campaign.drawio.svg; the "Viewer does not support full SVG 1.1" fallback and layout markup are omitted]
Manage campaign (legend: Required task / Optional task)
  Check coverage: use afl-showmap to get code coverage statistics; use afl-cov to generate an HTML report on coverage.
  Monitor status: use afl-whatsup to show the status of the fuzzing campaign; use afl-plot to generate an HTML report with graphs.
  Triage crashes: use afl-fuzz with the -C flag to run crash exploration mode; use afl-tmin on test cases for minimization; use gdb or third-party "exploitable" tools to analyze crashes.
  Optimize campaign: stop instances that are not performing well; start new instances with different options; select new test cases based on insights.
\ No newline at end of file +
[diagram text extracted from the new docs/resources/4_manage_campaign.drawio.svg: identical labels to the old version above; the changed SVG markup is not visible in the extracted text]
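Review bot: the commit message "Add link to image" does not say which link was added or where it points, and nothing in this diff shows it: the whole single-line SVG is replaced and the visible label text ("Check coverage", "Monitor status", "Triage crashes", "Optimize campaign") is identical on both sides. Put the link target in the commit message, and consider exporting the drawio SVG with line breaks so that future diffs show only the attribute that changed.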
\ No newline at end of file -- cgit 1.4.1 From f42c0047c8c5a988123f7b66bad4e33234680ebc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 14 Jan 2022 15:01:05 +0100 Subject: nits --- README.md | 1 + docs/docs.md | 122 -------------------------------------------------- docs/docs2.md | 124 --------------------------------------------------- src/afl-fuzz-queue.c | 7 ++- 4 files changed, 4 insertions(+), 250 deletions(-) delete mode 100644 docs/docs.md delete mode 100644 docs/docs2.md (limited to 'docs') diff --git a/README.md b/README.md index 9e41a088..f7d5e40d 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ AFL++ is maintained by: * Heiko "hexcoder-" Eißfeldt , * Andrea Fioraldi and * Dominik Maier . +* Documentation: Jana Aydinbas Originally developed by Michał "lcamtuf" Zalewski. diff --git a/docs/docs.md b/docs/docs.md deleted file mode 100644 index aa8a4d48..00000000 --- a/docs/docs.md +++ /dev/null 
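Review bot: in the README.md hunk the maintainer list now reads "* Andrea Fioraldi and", "* Dominik Maier ." and then "+* Documentation: Jana Aydinbas", so the "and" sits on the second-to-last item and the closing period on the wrong line; move the "and" to the Dominik Maier entry (or drop it and end the list with the new entry). The new item is also the only one labelled by role; either label the others or phrase it "* Jana Aydinbas (documentation)" for consistency.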
@@ -1,122 +0,0 @@ -# Restructure AFL++'s documentation - -## About us - -We are dedicated to everything around fuzzing, our main and most well known -contribution is the fuzzer `AFL++` which is part of all major Unix -distributions (e.g. Debian, Arch, FreeBSD, etc.) and is deployed on Google's -oss-fuzz and clusterfuzz. It is rated the top fuzzer on Google's fuzzbench. - -We are four individuals from Europe supported by a large community. - -All our tools are open source. - -## About the AFL++ fuzzer project - -AFL++ inherited it's documentation from the original Google AFL project. -Since then it has been massively improved - feature and performance wise - -and although the documenation has likewise been continued it has grown out -of proportion. -The documentation is done by non-natives to the English language, plus -none of us has a writer background. - -We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord -channels, web forums and as issues in our repository. - -This only increases as AFL++ has been on the top of Google's fuzzbench -statistics (which measures the performance of fuzzers) and is now being -integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix -packaging repositories, e.g. Debian, FreeBSD, etc. - -AFL++ now has 44 (!) documentation files with 13k total lines of content. -This is way too much. - -Hence AFL++ needs a complete overhaul of it's documentation, both on a -organisation/structural level as well as the content. - -Overall the following actions have to be performed: - * Create a better structure of documentation so it is easier to find the - information that is being looked for, combining and/or splitting up the - existing documents as needed. - * Rewrite some documentation to remove duplication. Several information is - present several times in the documentation. These should be removed to - where needed so that we have as little bloat as possible. 
- * The documents have been written and modified by a lot of different people, - most of them non-native English speaker. Hence an overall review where - parts should be rewritten has to be performed and then the rewrite done. - * Create a cheat-sheet for a very short best-setup build and run of AFL++ - * Pictures explain more than 1000 words. We need at least 4 images that - explain the workflow with AFL++: - - the build workflow - - the fuzzing workflow - - the fuzzing campaign management workflow - - the overall workflow that is an overview of the above - - maybe more? where the technical writes seems it necessary for - understanding. - -Requirements: - * Documentation has to be in Markdown format - * Images have to be either in SVG or PNG format. - * All documentation should be (moved) in(to) docs/ - -The project does not require writing new documentation or tutorials beside the -cheat sheet. The technical information for the cheat sheet will be provided by -us. - -## Metrics - -AFL++ is a the highest performant fuzzer publicly available - but is also the -most feature rich and complex. With the publicity of AFL++' success and -deployment in Google projects internally and externally and availability as -a package on most Linux distributions we see more and more issues being -created and help requests on our Discord channel that would not be -necessary if people would have read through all our documentation - which -is unrealistic. - -We expect the the new documenation after this project to be cleaner, easier -accessible and lighter to digest by our users, resulting in much less -help requests. On the other hand the amount of users using AFL++ should -increase as well as it will be more accessible which would also increase -questions again - but overall resulting in a reduction of help requests. 
- -In numbers: we currently have per week on average 5 issues on Github, -10 questions on discord and 1 on mailing lists that would not be necessary -with perfect documentation and perfect people. - -We would consider this project a success if afterwards we only have -2 issues on Github and 3 questions on discord anymore that would be answered -by reading the documentation. The mailing list is usually used by the most -novice users and we don't expect any less questions there. - -## Project Budget - -We have zero experience with technical writers, so this is very hard for us -to calculate. We expect it to be a lot of work though because of the amount -of documentation we have that needs to be restructured and partially rewritten -(44 documents with 13k total lines of content). - -We assume the daily rate of a very good and experienced technical writer in -times of a pandemic to be ~500$ (according to web research), and calculate -the overall amout of work to be around 20 days for everything incl. the -graphics (but again - this is basically just guessing). - -Technical Writer 10000$ -Volunteer stipends 0$ (waved) -T-Shirts for the top 10 contributors and helpers to this documentation project: - 10 AFL++ logo t-shirts 20$ each 200$ - 10 shipping cost of t-shirts 10$ each 100$ - -Total: 10.300$ -(in the submission form 10.280$ was entered) - -## Additional Information - -We have participated in Google Summer of Code in 2020 and hope to be selected -again in 2021. - -We have no experience with a technical writer, but we will support that person -with video calls, chats, emails and messaging, provide all necessary information -and write technical contents that is required for the success of this project. -It is clear to us that a technical writer knows how to write, but cannot know -the technical details in a complex tooling like in AFL++. This guidance, input, -etc. has to come from us. 
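Review bot: docs.md is the Google Season of Docs proposal and docs2.md (deleted in the next hunk) links to it by its stable-branch URL, https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/docs.md; if that URL was submitted to the programme or is linked from the GSoD report, deleting both files turns it into a 404. The proposal itself states the requirement that all documentation lives in docs/, so moving these two files out of docs/ (or into a subdirectory for project history) would satisfy that without losing them; at minimum the commit message, currently "nits", should say they are being removed on purpose now that the project is finished.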
diff --git a/docs/docs2.md b/docs/docs2.md deleted file mode 100644 index 23ef61c5..00000000 --- a/docs/docs2.md +++ /dev/null 
@@ -1,124 +0,0 @@ -# Restructure AFL++'s documentation - Case Study - -## Problem statement - -AFL++ inherited it's documentation from the original Google AFL project. -Since then it has been massively improved - feature and performance wise - -and although the documenation has likewise been continued it has grown out -of proportion. -The documentation is done by non-natives to the English language, plus -none of us has a writer background. - -We see questions on AFL++ usage on mailing lists (e.g. afl-users), discord -channels, web forums and as issues in our repository. -Most of them could be answered if people would read through all the -documentation. - -This only increases as AFL++ has been on the top of Google's fuzzbench -statistics (which measures the performance of fuzzers) and has been -integrated in Google's oss-fuzz and clusterfuzz - and is in many Unix -packaging repositories, e.g. Debian, FreeBSD, etc. - -AFL++ had 44 (!) documentation files with 13k total lines of content. -This was way too much. - -## Proposal abstract - -AFL++'s documentatin needs a complete overhaul, both on a -organisation/structural level as well as the content. - -Overall the following actions have to be performed: - * Create a better structure of documentation so it is easier to find the - information that is being looked for, combining and/or splitting up the - existing documents as needed. - * Rewrite some documentation to remove duplication. Several information is - present several times in the documentation. These should be removed to - where needed so that we have as little bloat as possible. - * The documents have been written and modified by a lot of different people, - most of them non-native English speaker. Hence an overall review where - parts should be rewritten has to be performed and then the rewrite done. - * Create a cheat-sheet for a very short best-setup build and run of AFL++ - * Pictures explain more than 1000 words. 
We need at least 4 images that - explain the workflow with AFL++: - - the build workflow - - the fuzzing workflow - - the fuzzing campaign management workflow - - the overall workflow that is an overview of the above - - maybe more? where the technical writes seems it necessary for - understanding. - -Requirements: - * Documentation has to be in Markdown format - * Images have to be either in SVG or PNG format. - * All documentation should be (moved) in(to) docs/ - -## Project description - -We created our proposal by discussing in the team what the issues are and -what was needed to fix it. -This resulted in the [project proposal](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/docs.md). - -We did not want to be selected by a writer but select a writer ourselves, so -we combed through the list and reviewed every single one of them. -We were not looking for coders writing technical documentation, but rather -someone who is an experienced writer and has documented experience with -structuring documentation. -Few fit that profile and we sent out messages to 6 people. -We finally decided on Jana because she had a strong background in technical -documentation and structuring information. -She had no technical experience in fuzzing whatsoever, but we saw that as -a plus - of course this made the whole process longer to explain details, -but overall ensured that the documentation can be read by (mostly) everyone. - -We communicated via video calls every few weeks and she kept a public kanban -board about her todos, additional we used a Signal channel. -Her changes were imported via PRs where we discussed details. - -The project was off to a good start, but then Jana got pregnant with serious -side effects that made working impossible for her for a longer time, hence -the schedule was thrown back. 
-She offered to rescind the payment and we select a new writer, but we saw -little opportunity in that, as that would mean a new selection of a writer, -someone else with a different vision on how the result should look like so -basically a full restart of the project and a large impact on our own time. -So we agreed on - after discussion with the Google GSoD team - that she -continues the project after the GSoD completion deadline as best as she can. - -End of November she took one week off from work and fully dedicated her time -for the documenation which brought the project a big step forward. - -Originally the project should have been ended begin of October, but now - at -nearing the end of November, we are at about 85% completion, with the end -being expected around mid of December. - -## Metrics - -We merged most of the changes in our development branch and are getting -close to a state where the user documentation part is completed and we -can create a new release. Only then the new documentatin is actually visible -to users. Therefore no metrics could be collected so far. - -We plan on a user-assisted QA review end of November/begin of December. - -The documentation was reviewed by a few test users so far however who gave -it a thumbs up. - -## Summary - -The GSoD project itself is great. It helps to get the documentation back in -line. -It was and is a larger time investment from our side, but we expected that. -When the project is done, the documentation will be more accessible by users -and also need less maintenance by us. -There is still follow-up work to be done by us afterwards (web site for the -docs, etc.). - -Not sure what we would do differently next time. I think we prepared best as -possible and reacted best as possible to the unexpected. - -Recommendations for other organizations who would like to participate in GSoD: - - expect the process to take a larger part of your time. the writer needs - your full support. 
- - have someone dedicated from the dev/org side to support, educate and - supervice the writer - - set clear goals and expectations diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c index 9ca89944..fc8a0d55 100644 --- a/src/afl-fuzz-queue.c +++ b/src/afl-fuzz-queue.c @@ -769,8 +769,7 @@ void cull_queue(afl_state_t *afl) { afl->top_rated[i]->favored = 1; ++afl->queued_favored; - if (afl->top_rated[i]->fuzz_level == 0 || - !afl->top_rated[i]->was_fuzzed) { + if (!afl->top_rated[i]->was_fuzzed) { ++afl->pending_favored; @@ -936,7 +935,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { n_items = 0; // Don't modify perf_score for unfuzzed seeds - if (q->fuzz_level == 0) break; + if (!q->fuzz_level) break; u32 i; for (i = 0; i < afl->queued_items; i++) { @@ -967,7 +966,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { case FAST: // Don't modify unfuzzed seeds - if (q->fuzz_level == 0) break; + if (!q->fuzz_level) break; switch ((u32)log2(afl->n_fuzz[q->n_fuzz_entry])) { -- cgit 1.4.1 From 8c58bdb5045ceea92fd11ca5f3f8946cd416695d Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 14 Jan 2022 15:17:25 +0100 Subject: Add margin to images --- docs/resources/0_fuzzing_process_overview.drawio.svg | 2 +- docs/resources/1_instrument_target.drawio.svg | 2 +- docs/resources/2_prepare_campaign.drawio.svg | 2 +- docs/resources/3_fuzz_target.drawio.svg | 2 +- docs/resources/4_manage_campaign.drawio.svg | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) (limited to 'docs') diff --git a/docs/resources/0_fuzzing_process_overview.drawio.svg b/docs/resources/0_fuzzing_process_overview.drawio.svg index d4ae9cab..fa596e21 100644 --- a/docs/resources/0_fuzzing_process_overview.drawio.svg +++ b/docs/resources/0_fuzzing_process_overview.drawio.svg @@ -1,4 +1,4 @@ -
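Review bot: in the cull_queue() hunk the condition is narrowed from "fuzz_level == 0 || !was_fuzzed" to "!was_fuzzed", which is only behaviour-preserving if fuzz_level is zero exactly when was_fuzzed is clear; if any code path sets was_fuzzed on an entry whose fuzz_level is still 0, that favored entry no longer counts towards pending_favored, and pending_favored gates how often non-favored entries get skipped, so scheduling changes. "nits" does not describe a semantic change; either state in the commit message that the two fields are always kept in sync, or keep the disjunction. The two calculate_score() hunks ("if (!q->fuzz_level) break;") are pure style and fine.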
[diagram text extracted from the old docs/resources/0_fuzzing_process_overview.drawio.svg; the "Viewer does not support full SVG 1.1" fallback and layout markup are omitted]
Fuzzing process overview (legend: Required task / Optional task)
  Instrument target: Select compiler; Select options; Select sanitizer; Compile target source code; Write and compile harness; Modify target
  Prepare campaign: Collect inputs; Make input corpus unique; Minimize corpus file
  Fuzz target: Run afl-fuzz; Use multiple cores; Use multiple machines
  Manage campaign: Check coverage; Monitor status; Triage crashes
\ No newline at end of file +
[diagram text extracted from the new docs/resources/0_fuzzing_process_overview.drawio.svg: identical labels to the old version above; the margin change is not visible in the extracted text]
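Review bot: the overview diagram lists "Write and compile harness" and "Modify target" as two separate steps under instrumenting the target, while 1_instrument_target.drawio.svg in the same commit has a single "Modify target: Create a fuzzing harness by hand for better efficiency"; and the overview's "Manage campaign" column stops at "Triage crashes" although 4_manage_campaign.drawio.svg adds "Optimize campaign". Since all five diagrams are touched here anyway, align the step names and step sets across them. As with the other SVG hunks, the visible label text is identical on both sides, so the margin change itself cannot be reviewed from this diff.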
\ No newline at end of file diff --git a/docs/resources/1_instrument_target.drawio.svg b/docs/resources/1_instrument_target.drawio.svg index 5dcc8525..af6ac397 100644 --- a/docs/resources/1_instrument_target.drawio.svg +++ b/docs/resources/1_instrument_target.drawio.svg @@ -1,4 +1,4 @@ -
[diagram text extracted from the old docs/resources/1_instrument_target.drawio.svg; the "Viewer does not support full SVG 1.1" fallback and layout markup are omitted]
Instrument target (legend: Required task / Optional task)
  Select compiler: LTO mode (clang/clang++ 11+); LLVM mode (clang/clang++ 3.8+); GCC_PLUGIN mode (gcc 5+); GCC/CLANG mode (other)
  Select options, depending on the compiler: COMPCOV (only LLVM & LTO); CmpLog (only LLVM & LTO); selective instrumentation (LTO, LLVM, GCC_PLUGIN)
  Select sanitizer, max. one sanitizer type each in a fuzzing campaign: ASAN; CFISAN; LSAN; MSAN; TSAN; UBSAN
  Compile target source code, depending on the build system: configure; CMake; Meson Build System; other
  Modify target: create a fuzzing harness by hand for better efficiency.
\ No newline at end of file +
[diagram text extracted from the new docs/resources/1_instrument_target.drawio.svg: identical labels to the old version above; the margin change is not visible in the extracted text]
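Review bot: "Max. one sanitizer type each in a fuzzing campaign" is ambiguous: it can be read as "at most one sanitizer for the whole campaign", whereas the restriction is per build (each instrumented binary carries one sanitizer, and different instances of the same campaign can run builds with different sanitizers). Reword to "one sanitizer per build; use separate builds/instances for other sanitizers". Also "GCC/CLANG mode (other)" is the only compiler entry without a version, so say what "other" means (a gcc or clang that is too old for GCC_PLUGIN or LLVM mode).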
\ No newline at end of file diff --git a/docs/resources/2_prepare_campaign.drawio.svg b/docs/resources/2_prepare_campaign.drawio.svg index aaf50758..f4de62b9 100644 --- a/docs/resources/2_prepare_campaign.drawio.svg +++ b/docs/resources/2_prepare_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[diagram text extracted from the old docs/resources/2_prepare_campaign.drawio.svg; the "Viewer does not support full SVG 1.1" fallback and layout markup are omitted]
Prepare campaign (legend: Required task / Optional task)
  Collect inputs: collect one or more input files.
  Make input corpus unique: use afl-cmin on the input corpus.
  Minimize corpus file: use afl-tmin on input files.
\ No newline at end of file +
[diagram text extracted from the new docs/resources/2_prepare_campaign.drawio.svg: identical labels to the old version above; the margin change is not visible in the extracted text]
\ No newline at end of file diff --git a/docs/resources/3_fuzz_target.drawio.svg b/docs/resources/3_fuzz_target.drawio.svg index 8c97b8e2..de5982ed 100644 --- a/docs/resources/3_fuzz_target.drawio.svg +++ b/docs/resources/3_fuzz_target.drawio.svg @@ -1,4 +1,4 @@ -
[diagram text extracted from the old docs/resources/3_fuzz_target.drawio.svg; the "Viewer does not support full SVG 1.1" fallback and layout markup are omitted]
Fuzz target (legend: Required task / Optional task)
  Run afl-fuzz: reconfigure the system for optimal speed; specify the input corpus directory; add a dictionary; set a memory limit.
  Use multiple cores: fuzz one target with multiple instances: one main fuzzer (-M main); secondary fuzzers (-S variant1).
  Use multiple machines: fuzz one target with multiple machines: one main fuzzer per server (-M main-$HOSTNAME); secondary fuzzers (-S variant1); sync between the servers.
\ No newline at end of file +
[diagram text extracted from the new docs/resources/3_fuzz_target.drawio.svg: identical labels to the old version above; the margin change is not visible in the extracted text]
\ No newline at end of file diff --git a/docs/resources/4_manage_campaign.drawio.svg b/docs/resources/4_manage_campaign.drawio.svg index 6c531388..041a2a23 100644 --- a/docs/resources/4_manage_campaign.drawio.svg +++ b/docs/resources/4_manage_campaign.drawio.svg @@ -1,4 +1,4 @@ -
[diagram text extracted from the old docs/resources/4_manage_campaign.drawio.svg: the same legend and four panels (Check coverage, Monitor status, Triage crashes, Optimize campaign) with the same labels as in the 1ca3317 diff of this file above; the "Viewer does not support full SVG 1.1" fallback is omitted]
\ No newline at end of file +
[diagram text extracted from the new docs/resources/4_manage_campaign.drawio.svg: identical labels to the old version; the margin change is not visible in the extracted text]
\ No newline at end of file -- cgit 1.4.1 From 861bd5e04b5030b3fc345c1022c46e92eb52a312 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 17 Jan 2022 20:31:08 +0100 Subject: update macos path info --- docs/INSTALL.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 2c1eaeb9..3c96a4fd 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -96,11 +96,16 @@ brew install wget git make cmake llvm gdb coreutils ``` Be sure to setup `PATH` to point to the correct clang binaries and use the -freshly installed clang, clang++, gmake and coreutils, e.g.: +freshly installed clang, clang++, llvm-config, gmake and coreutils, e.g.: ```shell -export -PATH="/usr/local/Cellar/llvm/13.0.0_2/bin/:/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin:$PATH" +# Depending on your MacOS system + brew version it is either +export PATH="/opt/homebrew/opt/llvm/bin:$PATH" +# or +export PATH="/usr/local/opt/llvm/bin:$PATH" +# you can check with "brew info llvm" + +export PATH="/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin:$PATH" export CC=clang export CXX=clang++ gmake -- cgit 1.4.1 From 1e5699ccaabe627380b5c868dd93bc420aeb0af3 Mon Sep 17 00:00:00 2001 From: Hardik Shah Date: Wed, 19 Jan 2022 19:36:29 +0530 Subject: Update tutorials.md --- docs/tutorials.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/tutorials.md b/docs/tutorials.md index 0a44602d..81f0ea6a 100644 --- a/docs/tutorials.md +++ b/docs/tutorials.md 
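Review bot: in the INSTALL.md hunk the comment explains that the llvm prefix is either /opt/homebrew/opt/llvm or /usr/local/opt/llvm depending on the machine and brew version, but the very next export still hard-codes "/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin", which has the same prefix dependency and will be wrong on the /opt/homebrew systems the comment is written for. Give coreutils the same either/or, or use `$(brew --prefix llvm)/bin` and `$(brew --prefix coreutils)/libexec/gnubin`, which resolve both layouts. "MacOS" should be spelled "macOS".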
@@ -28,4 +28,13 @@ structure is), these links have you covered: * Superion for AFL++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) -If you find other good ones, please send them to us :-) \ No newline at end of file +# Video Tutorials +* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) +* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) +* [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc) +* [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4) +* [Blackbox Fuzzing #1: Start Binary-Only Fuzzing using AFL++ QEMU mode](https://www.youtube.com/watch?v=sjLFf9q2NRc) +* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) +* [HOPE 2020 (2020): Hunting Bugs in Your Sleep - How to Fuzz (Almost) Anything With AFL/AFL++](https://www.youtube.com/watch?v=A8ex1hqaQ7E) + +If you find other good ones, please send them to us :-) -- cgit 1.4.1 From a3cf7c1224da802d1bfbea95883a91dadb1551f0 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 19 Jan 2022 15:22:03 +0100 Subject: change video order --- docs/tutorials.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/tutorials.md b/docs/tutorials.md index 81f0ea6a..9d4f50eb 100644 --- a/docs/tutorials.md +++ b/docs/tutorials.md 
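Review bot: "# Video Tutorials" is added as a top-level heading; if the other sections of tutorials.md use "##" (the visible context shows only list items, so this needs a check) the new heading should match that level. The link texts that begin with "[Fuzzing with AFLplusplus]" nest brackets inside the link text; CommonMark accepts balanced brackets, but not every renderer does, so consider dropping the inner brackets or moving the series name after a colon.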
@@ -29,12 +29,12 @@ structure is), these links have you covered: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator) # Video Tutorials -* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) -* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) +* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) * [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc) * [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4) * [Blackbox Fuzzing #1: Start Binary-Only Fuzzing using AFL++ QEMU mode](https://www.youtube.com/watch?v=sjLFf9q2NRc) -* [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA) * [HOPE 2020 (2020): Hunting Bugs in Your Sleep - How to Fuzz (Almost) Anything With AFL/AFL++](https://www.youtube.com/watch?v=A8ex1hqaQ7E) +* [How Fuzzing with AFL works!](https://www.youtube.com/watch?v=COHUWuLTbdk) +* [WOOT '20 - AFL++ : Combining Incremental Steps of Fuzzing Research](https://www.youtube.com/watch?v=cZidm6I7KWU) If you find other good ones, please send them to us :-) -- cgit 1.4.1 From d9fefafae771c02f0071d953d4871204cefd1af5 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 Jan 2022 22:10:29 +0100 Subject: move to unicorn2 --- docs/Changelog.md | 5 ++++- unicorn_mode/UNICORNAFL_VERSION | 2 +- unicorn_mode/unicornafl | 2 +- unicorn_mode/update_uc_ref.sh | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 6ab1794c..fe2ce06d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
@@ -47,7 +47,7 @@ sending a mail to . - fix bug where targets are not killed on timeouts - moved hidden afl-showmap -A option to -H to be used for coresight_mode - - Prevent accidently killing non-afl/fuzz services when aborting + - Prevent accidentaly killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: - new cmplog mode (incompatible with older afl++ versions) @@ -101,6 +101,9 @@ sending a mail to . - less coverage collision - feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan) + - unicorn_mode: + - Moved to unicorn2! By Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), riscv support - afl-cmin and afl-showmap -i do now descend into subdirectories (like afl-fuzz does) - note that afl-cmin.bash does not! - afl_analyze: diff --git a/unicorn_mode/UNICORNAFL_VERSION b/unicorn_mode/UNICORNAFL_VERSION index dbe3999f..7d435717 100644 --- a/unicorn_mode/UNICORNAFL_VERSION +++ b/unicorn_mode/UNICORNAFL_VERSION @@ -1 +1 @@ -9df92d6868e8b219886e4b7458e5e134c48ff2c9 +6c7392fb5a607c0ad53b3082fa6cbfae9720306a diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9df92d68..6c7392fb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 +Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a diff --git a/unicorn_mode/update_uc_ref.sh b/unicorn_mode/update_uc_ref.sh index 6e809a7b..85c4c7ef 100755 --- a/unicorn_mode/update_uc_ref.sh +++ b/unicorn_mode/update_uc_ref.sh @@ -24,7 +24,7 @@ cd ./unicornafl || exit 1 git fetch origin uc1 1>/dev/null || exit 1 git stash 1>/dev/null 2>/dev/null git stash drop 1>/dev/null 2>/dev/null -git checkout uc1 +git checkout main if [ -z "$NEW_VERSION" ]; then # No version provided, take HEAD. -- cgit 1.4.1 From 409a6517c1e60e91b6d6154496b5f77fdce2186a Mon Sep 17 00:00:00 2001 
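Review bot: in the first Changelog hunk the spelling fix replaces one misspelling with another: "accidently" became "accidentaly"; the word is "accidentally".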
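Review bot: in the second Changelog hunk the new "unicorn_mode: Moved to unicorn2!" entry is inserted at line 101, which the follow-up commit 25c8336 shows to be inside "### Version ++3.14c (release)"; a change landing on the development branch now belongs under the current unreleased version at the top of the file (25c8336 later corrects exactly this). Also "riscv" is normally written "RISC-V".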
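Review bot: in the update_uc_ref.sh hunk the checkout is switched from "uc1" to "main", but the preceding unchanged line still runs "git fetch origin uc1 1>/dev/null || exit 1", so the script never fetches the branch it then checks out; on a submodule clone without a main ref "git checkout main" fails, and where one exists it may be stale. Change the fetch to "git fetch origin main" in the same commit.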
From: vanhauser-thc Date: Wed, 19 Jan 2022 22:12:14 +0100 Subject: update changelog --- docs/Changelog.md | 1 + unicorn_mode/unicornafl | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index fe2ce06d..9c0a6be5 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -16,6 +16,7 @@ sending a mail to . This might need changing custom scripting! - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! + - unicorn_mode got upgraded to Unicorn 2! More speed! - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 6c7392fb..9df92d68 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a +Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 -- cgit 1.4.1 From 25c8336c0c45e44c569997627b133491cbc4d252 Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Wed, 19 Jan 2022 22:23:25 +0100 Subject: tidy up unicornafl, changelog --- docs/Changelog.md | 9 ++++----- unicorn_mode/unicornafl | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 9c0a6be5..bdd6c405 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
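Review bot: the unicorn_mode/unicornafl hunk moves the submodule pointer back from 6c7392fb to 9df92d68, i.e. to the pre-unicorn2 commit that d9fefafa replaced a few minutes earlier, while the Changelog hunk in the same commit announces the Unicorn 2 upgrade. This looks like a stale submodule checkout committed by accident, and the subject "update changelog" does not mention it; drop the submodule change from this commit.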
@@ -16,7 +16,10 @@ sending a mail to . This might need changing custom scripting! - Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv! - - unicorn_mode got upgraded to Unicorn 2! More speed! + - unicorn_mode: + - Moved to unicorn2! By Ziqiao Kong (@lazymio) + - Faster, more accurate emulation (newer QEMU base), riscv support + - removed indirections in rust callbacks - new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting! - if instrumented libaries are dlopen()'ed after the forkserver you @@ -74,7 +77,6 @@ sending a mail to . - fix AFL_PRELOAD issues on MacOS - removed utils/afl_frida because frida_mode/ is now so much better - added uninstall target to makefile (todo: update new readme!) - - removed indirections in rust callbacks for unicornafl ### Version ++3.14c (release) - afl-fuzz: @@ -102,9 +104,6 @@ sending a mail to . - less coverage collision - feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan) - - unicorn_mode: - - Moved to unicorn2! By Ziqiao Kong (@lazymio) - - Faster, more accurate emulation (newer QEMU base), riscv support - afl-cmin and afl-showmap -i do now descend into subdirectories (like afl-fuzz does) - note that afl-cmin.bash does not! - afl_analyze: diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 9df92d68..6c7392fb 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 9df92d6868e8b219886e4b7458e5e134c48ff2c9 +Subproject commit 6c7392fb5a607c0ad53b3082fa6cbfae9720306a -- cgit 1.4.1
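Review bot: the unicornafl hunk restores the 6c7392fb pointer that 409a6517 had reverted, so across three consecutive commits the submodule goes 9df92d68 -> 6c7392fb -> 9df92d68 -> 6c7392fb; squash these before they reach stable so that no commit in the history pairs a unicorn2 Changelog entry with the uc1 submodule. The Changelog hunks themselves (moving the unicorn_mode block out of the 3.14c section and folding "removed indirections in rust callbacks" into it) are the right fix for d9fefafa's misplacement.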