From 1840c27b6ffa8f6231e477e5cf92009f17a28c17 Mon Sep 17 00:00:00 2001 From: Adam Doupe Date: Sat, 26 Feb 2022 22:08:06 +0000 Subject: Clarify in docs that AFL_TARGET_ENV will apply to QEMU in QEMU mode, and note that QEMU_SET_ENV should be used instead in QEMU mode. Closes #1328 --- docs/env_variables.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/env_variables.md b/docs/env_variables.md index 4626a9b6..edd57fb6 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -518,7 +518,12 @@ checks or alter some of the more exotic semantics of the tool: the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz ... `. This exists mostly for things like `LD_LIBRARY_PATH` but it would theoretically allow fuzzing of AFL++ itself (with 'target' AFL++ using some - AFL_ vars that would disrupt work of 'fuzzer' AFL++). + AFL_ vars that would disrupt work of 'fuzzer' AFL++). Note that when using + QEMU mode, the `AFL_TARGET_ENV` environment variables will apply to QEMU, as + well as the target binary. Therefore, in this case, you might want to use + QEMU's `QEMU_SET_ENV` environment variable (see QEMU's documentation because + the format is different from `AFL_TARGET_ENV`) to apply the environment + variables to the target and not QEMU. - `AFL_TESTCACHE_SIZE` allows you to override the size of `#define TESTCASE_CACHE` in config.h. Recommended values are 50-250MB - or more if -- cgit v1.2.3 From 744ad172e12e051117e54b2e97f3727532190064 Mon Sep 17 00:00:00 2001 From: martinclauss <51541424+martinclauss@users.noreply.github.com> Date: Tue, 1 Mar 2022 15:42:04 +0100 Subject: Update fuzzing_in_depth.md add libdesock as an additional way to ease the fuzzing for network servers (#1341) --- docs/fuzzing_in_depth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index ac72c757..a9151a25 100644 
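Review bot: the new sentence sends readers to QEMU's documentation for the `QEMU_SET_ENV` format instead of showing it, while the same paragraph already gives a worked `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'"` example; one parallel line for the QEMU form would save the lookup (qemu-user takes a comma-separated `VAR1=val,VAR2=val` list, the environment equivalent of its `-E` option; confirm against the QEMU version bundled in qemu_mode before committing it). It would also help to spell out the consequence the note only hints at: since the paragraph says the variable exists mostly for `LD_LIBRARY_PATH`, anything put there in QEMU mode changes library resolution for afl-qemu-trace itself, not only for the emulated target. Finally, "you might want to use" understates it; if the goal is to reach the target only, `QEMU_SET_ENV` is the right tool, so "use ... instead" reads better.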
--- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -817,9 +817,9 @@ Here are some of the most important caveats for AFL++: - There is no direct support for fuzzing network services, background daemons, or interactive apps that require UI interaction to work. You may need to make - simple code changes to make them behave in a more traditional way. Preeny may + simple code changes to make them behave in a more traditional way. Preeny or libdesock may offer a relatively simple option, too - see: - [https://github.com/zardus/preeny](https://github.com/zardus/preeny) + [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock) Some useful tips for modifying network-based services can be also found at: [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop) -- cgit v1.2.3 From d84a8da1e9b68f03597f17a9c6c53503551fcb51 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 1 Mar 2022 19:30:17 +0100 Subject: allow for -c0 also for src targets --- docs/Changelog.md | 3 +++ docs/fuzzing_binary-only_targets.md | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index f4ae0e43..549d5e4a 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -12,6 +12,9 @@ sending a mail to . - fix */build_...sh scripts to work outside of git - new custom_mutator: libafl with token fuzzing :) - afl-fuzz: + - when you just want to compile once and set CMPLOG, then just + set -c 0 to tell afl-fuzz that the fuzzing binary is also for + CMPLOG. - new commandline options -g/G to set min/max length of generated fuzz inputs - reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index 1a2b27c7..c97af1b9 100644 
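Review bot: both changed lines now run past the wrap width the rest of this paragraph keeps ("Preeny or libdesock may" and the two URLs joined by "or" on one line); rewrap them, e.g. "Preeny or libdesock may offer a relatively simple option, too - see:" followed by each URL on its own line. A short clause on what the two have in common (both are LD_PRELOAD shims that redirect the target's socket I/O to stdin/stdout) would let the reader pick without visiting both repositories.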
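Review bot: "when you just want to compile once and set CMPLOG, then just set -c 0" is hard to parse and never says what `-c` normally expects; suggest "-c 0: tell afl-fuzz that the fuzzing binary was built with CMPLOG, so no separate CMPLOG binary needs to be passed". The subject line promises this for source-instrumented targets, yet the patch touches only Changelog.md and fuzzing_binary-only_targets.md; wherever `-c` is documented for source builds (the CMPLOG section of fuzzing_in_depth.md and afl-fuzz's usage text) should get the same sentence, otherwise the feature is only discoverable from the changelog.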
--- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -48,11 +48,12 @@ The following setup to use QEMU mode is recommended: Then run as many instances as you have cores left with either -Q mode or - even better - use a binary rewriter like Dyninst, RetroWrite, ZAFL, etc. +The binary rewriters all have their own advantages and caveats. +ZAFL is the best but cannot be used in a business/commercial context. -If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for your -binary, then you can use afl-fuzz normally and it will have twice the speed -compared to QEMU mode (but slower than QEMU persistent mode). Note that several -other binary rewriters exist, all with their advantages and caveats. +If a binary rewriter works for your target then you can use afl-fuzz normally +and it will have twice the speed compared to QEMU mode (but slower than QEMU +persistent mode). The speed decrease of QEMU mode is at about 50%. However, various options exist to increase the speed: -- cgit v1.2.3 From 90fd61d14a3a154ed58461a9e3eaf2c91d094a86 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 17 Mar 2022 19:43:14 +0100 Subject: forgot one pass --- docs/Changelog.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 549d5e4a..18a4debf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,6 +23,8 @@ sending a mail to . - add AFL_EARY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - afl-cc: + - converted all passed to use the new llvm pass manager for llvm 11+ - frida_mode: - update to new frida release, handles now c++ throw/catch -- cgit v1.2.3 From bdfac291ba653b34a1d304d6135111d68b8d8267 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 18 Mar 2022 08:47:45 +0100 Subject: fix split pass loading --- docs/Changelog.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'docs') 
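Review bot: the replacement drops the only link in this paragraph (afl-dyninst) and swaps a neutral "several other binary rewriters exist" for "ZAFL is the best but cannot be used in a business/commercial context", an unqualified superlative plus a licensing claim with nothing to verify it against; keep a short linked list (Dyninst/afl-dyninst, RetroWrite, ZAFL) and state the restriction as "ZAFL's license excludes commercial use" with a link to its LICENSE. The "twice the speed compared to QEMU mode" figure was specific to afl-dyninst in the old text and now applies to every rewriter; re-scope it or soften to "typically". This hunk is also unrelated to the commit subject (-c 0 for source targets) and would review more easily as its own commit.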
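Review bot: typo in the added entry: "converted all passed" should be "converted all passes". The context lines it sits under look off as well ("install the forkserver as earliest as possible" and the variable name `AFL_EARY_FORKSERVER`, presumably `AFL_EARLY_FORKSERVER`); check the name against what afl-cc actually reads and fix both while in this file.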
diff --git a/docs/Changelog.md b/docs/Changelog.md index 18a4debf..d672686d 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -24,6 +24,8 @@ sending a mail to . possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) - afl-cc: + ! llvm15-dev with LTO and extra features (LAF/CMPLOG etc.) might have + issues at the moment - converted all passed to use the new llvm pass manager for llvm 11+ - frida_mode: - update to new frida release, handles now c++ throw/catch -- cgit v1.2.3 From 69c9a176eb6ded2e7087ab437950a8ec324cdb1b Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 18 Mar 2022 12:57:51 +0100 Subject: our own PCGUARD mode not for llvm 10.0.1 --- docs/Changelog.md | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index d672686d..f47a9b7c 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -27,6 +27,7 @@ sending a mail to . ! llvm15-dev with LTO and extra features (LAF/CMPLOG etc.) might have issues at the moment - converted all passed to use the new llvm pass manager for llvm 11+ + - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) - frida_mode: - update to new frida release, handles now c++ throw/catch -- cgit v1.2.3 From fa2b0404763f69c3bff0912a44a11e2e8c3734ab Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 18 Mar 2022 15:00:24 +0100 Subject: fix LTO with cmplog and laf --- docs/Changelog.md | 2 -- 1 file changed, 2 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index f47a9b7c..74631a88 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
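Review bot: "might have issues at the moment" tells a user neither what fails nor how to avoid it; a changelog warning should name the failure mode (build error, miscompile, crash) and the workaround (build without LAF/CMPLOG on llvm 15, or stay on llvm 14), or link the issue tracking it. Using `!` as the bullet marker is fine if the file already uses it to flag warnings; otherwise a `-` bullet prefixed with "WARNING:" keeps the list uniform.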
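Review bot: "AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)" leaves two things open: that "10.0.1" means LLVM 10.0.1 (say "LLVM < 11"), and what a user on that version gets instead, whether the build falls back to LLVM's own SanitizerCoverage pc-guard or to classic instrumentation. Stating the fallback is what lets a reader decide whether they have to upgrade.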
@@ -24,8 +24,6 @@ sending a mail to . possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) - afl-cc: - ! llvm15-dev with LTO and extra features (LAF/CMPLOG etc.) might have - issues at the moment - converted all passed to use the new llvm pass manager for llvm 11+ - AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only) - frida_mode: -- cgit v1.2.3 From a133aa91064df78298f762b5dc52e69ae7b0ae96 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 18 Mar 2022 15:47:20 +0000 Subject: docs: Document linker scripts change required in some projects AFL instrumentation modifies the binary to export extra symbols which must be visible if the main binary dlopen()s an instrumented DLL. This change was required by nbdkit since it uses a linker script to limit the symbols exported from the main binary: https://gitlab.com/nbdkit/nbdkit/-/commit/355cacb812126f5e37a2468f6939821b15017373 Signed-off-by: Richard W.M. Jones --- docs/fuzzing_in_depth.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index ac72c757..f7f5f2e8 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -333,6 +333,24 @@ is a non-standard way to set this, otherwise set up the build normally and edit the generated build environment afterwards manually to point it to the right compiler (and/or `RANLIB` and `AR`). +#### Linker scripts + +If the project uses linker scripts to hide the symbols exported by the +binary, then you may see errors such as: + +``` +undefined symbol: __afl_area_ptr +``` + +The solution is to modify the linker script to add: + +``` +{ + global: + __afl_*; +} +``` + ### f) Better instrumentation If you just fuzz a target program as-is, you are wasting a great opportunity for -- cgit v1.2.3 From d4734f6d9b2bcb3d66fe4cd602991009ea36a4ab Mon Sep 17 00:00:00 2001 
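Review bot: deleting the warning is right once LTO with CMPLOG/LAF works, but anyone who read the previous revision gets no entry saying it was resolved; replace the two removed lines with a positive afl-cc entry ("fixed LTO in combination with CMPLOG and LAF on llvm 15") rather than removing silently.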
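Review bot: the fix fragment `{ global: __afl_*; }` is not a usable version script as written (a version-script block needs a terminating `;` after the closing brace and usually a `local: *;` clause), and a project that already "uses linker scripts to hide the symbols" already has a `global:` section, so the instruction should be "add `__afl_*;` to the existing `global:` list of your version script". The doc should also say when the error appears: the commit message explains it is a runtime failure when the main binary `dlopen()`s an instrumented shared object, but the text only says "you may see errors such as", so a reader hitting it would not connect the two. Finally, check whether `__afl_*` covers every runtime symbol the instrumentation can reference from a shared object; PCGUARD and CMPLOG builds also emit references to `__sanitizer_cov_trace_*` and `__cmplog_ins_hook*`, and if those must be exported too the pattern list should say so.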
From: clchrlls <102234184+clchrlls@users.noreply.github.com> Date: Wed, 23 Mar 2022 14:57:24 +0100 Subject: fix installation packages for debian 10 --- docs/INSTALL.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b0090e77..26b125b8 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -16,7 +16,21 @@ This image is automatically generated when a push to the stable repo happens. You will find your target source code in `/src` in the container. If you want to build AFL++ yourself, you have many options. The easiest choice -is to build and install everything: +is to build and install everything. + +First install the required packages: + +On Debian 10: +```shell +sudo apt-get update +sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools +# try to install llvm 11 and install the distro default if that fails +sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang +sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev +sudo apt-get install -y ninja-build # for QEMU mode +``` + +On other distributions and versions of Debian: ```shell sudo apt-get update @@ -25,6 +39,10 @@ sudo apt-get install -y build-essential python3-dev automake cmake git flex biso sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev sudo apt-get install -y ninja-build # for QEMU mode +``` + +Then install AFLplusplus +```shell git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make distrib -- cgit v1.2.3 
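Review bot: the two install blocks are identical except for the order of the two `sed` expressions in the gcc version extraction, so the hunk duplicates six lines and a comment to vary one pipeline, and the "On Debian 10" heading hides the actual reason. The original order `sed 's/.* //'|sed 's/\..*//'` keeps the last space-separated token of the banner, which is wrong whenever that token is not the version (some gcc builds end the line with a build date, e.g. `... 10.2.1 20210110`); the reordered pipeline takes the digits before the first dot instead. Keep a single block and replace the banner parsing with `gcc -dumpversion | cut -d. -f1`, which yields the major version on both old and new gcc without depending on the banner layout.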
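Review bot: the new lead-in "Then install AFLplusplus" lacks the trailing colon the other lead-ins in this file use before a fenced block ("First install the required packages:" just above), and the project is written "AFL++" everywhere else in this page; suggest "Then build and install AFL++:".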
From d012358748ec7a6100d24ae5f82822b88245e4c0 Mon Sep 17 00:00:00 2001 From: clchrlls <102234184+clchrlls@users.noreply.github.com> Date: Wed, 23 Mar 2022 15:02:47 +0100 Subject: missing column --- docs/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 26b125b8..a3af2a87 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -41,7 +41,7 @@ sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*// sudo apt-get install -y ninja-build # for QEMU mode ``` -Then install AFLplusplus +Then install AFLplusplus: ```shell git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus -- cgit v1.2.3 From ce0db35f186f442da8c9e2947093e570d35ce251 Mon Sep 17 00:00:00 2001 From: clchrlls <102234184+clchrlls@users.noreply.github.com> Date: Wed, 23 Mar 2022 15:03:56 +0100 Subject: Not sure the fix is needed only for debian 10 --- docs/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index a3af2a87..381c34fd 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -30,7 +30,7 @@ sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* // sudo apt-get install -y ninja-build # for QEMU mode ``` -On other distributions and versions of Debian: +On other systems: ```shell sudo apt-get update -- cgit v1.2.3 From a601b56627d74b0146e3efab1743f8a63c1a5605 Mon Sep 17 00:00:00 2001 From: clchrlls <102234184+clchrlls@users.noreply.github.com> Date: Wed, 23 Mar 2022 17:09:31 +0100 Subject: reverted to simply changing gcc version retrieval --- docs/INSTALL.md | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 381c34fd..e003e124 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -1,4 +1,4 @@ -# Building and installing AFL++ + ## Linux on x86 
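Review bot: the change itself is right (it adds the colon); the subject line "missing column" should read "missing colon" so the history stays searchable.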
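Review bot: "On other systems:" overstates what the block supports: every command in it is `apt-get`, so it only works on Debian-based distributions; say "On other Debian-based systems (e.g. Ubuntu):". And since the subject already doubts the Debian 10 split is needed, fold the two blocks back into one with a version query that works on both, rather than keeping two near-identical copies.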
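Review bot: this hunk deletes the page title `# Building and installing AFL++` and leaves an empty first line, which is unrelated to the subject ("reverted to simply changing gcc version retrieval") and looks accidental (the following commit restores it); drop the hunk and squash the follow-up so no revision of INSTALL.md ships without its heading.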
@@ -16,11 +16,8 @@ This image is automatically generated when a push to the stable repo happens. You will find your target source code in `/src` in the container. If you want to build AFL++ yourself, you have many options. The easiest choice -is to build and install everything. - -First install the required packages: +is to build and install everything: -On Debian 10: ```shell sudo apt-get update sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools @@ -28,21 +25,6 @@ sudo apt-get install -y build-essential python3-dev automake cmake git flex biso sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev sudo apt-get install -y ninja-build # for QEMU mode -``` - -On other systems: - -```shell -sudo apt-get update -sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools -# try to install llvm 11 and install the distro default if that fails -sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang -sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev -sudo apt-get install -y ninja-build # for QEMU mode -``` - -Then install AFLplusplus: -```shell git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make distrib 
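Review bot: collapsing back to one block is the right call, but the retained pipeline `sed 's/\..*//'|sed 's/.* //'` deserves a comment, because nothing in the hunk says why the sed order matters (it takes the integer before the first dot of the banner, so a trailing token such as a build date no longer wins); `gcc -dumpversion | cut -d. -f1` would make the intent obvious and avoid banner parsing altogether. The hunk also removes "Then install AFLplusplus:" together with its fence, so `git clone` and `make distrib` sit inside the same `shell` block as the apt-get commands again; that is the pre-existing layout, but the split between "install packages" and "build AFL++" introduced two commits ago was an improvement worth keeping.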
@@ -196,4 +178,4 @@ sysctl kern.sysv.shmall=98304 See [http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) -for documentation for these settings and how to make them permanent. +for documentation for these settings and how to make them permanent. \ No newline at end of file -- cgit v1.2.3 From 0dca6ee038898836a7ac043bb2fc20a0e48815cc Mon Sep 17 00:00:00 2001 From: clchrlls <102234184+clchrlls@users.noreply.github.com> Date: Wed, 23 Mar 2022 17:11:22 +0100 Subject: put back the title of the page deleted by mistake --- docs/INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index e003e124..3fa7fd13 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -1,4 +1,4 @@ - +# Building and installing AFL++ ## Linux on x86 -- cgit v1.2.3
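Review bot: the last hunk is a pure whitespace regression: the editor dropped the final newline of INSTALL.md (`\ No newline at end of file`), which has nothing to do with the gcc version change and will produce a noisy diff on the next edit; restore the trailing newline before merging.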
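Review bot: correct fix for the heading removed by the previous commit; squash it into a601b56 so the history contains no revision of INSTALL.md without its title.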