From e9288bcfad6e350b6f3e85d45a42bae5aea480c1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 22:44:10 +0200 Subject: add AFL_KEEP_TIMEOUTS --- docs/Changelog.md | 3 +++ docs/env_variables.md | 3 +++ 2 files changed, 6 insertions(+) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 2406e7ba..689cc94b 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -23,6 +23,9 @@ sending a mail to . - add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto) + - "saved timeouts" was wrong information, timeouts are still thrown + away by default even if they have new coverage (hangs are always + kept), unless AFL_KEEP_TIMEOUTS are set - document and auto-activate pizza mode on condition - afl-cc: - converted all passed to use the new llvm pass manager for llvm 11+ diff --git a/docs/env_variables.md b/docs/env_variables.md index 9ffb08e7..fe9c6e07 100644 --- a/docs/env_variables.md +++ b/docs/env_variables.md @@ -349,6 +349,9 @@ checks or alter some of the more exotic semantics of the tool: - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is usually a bad idea! + - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach + new coverage + - `AFL_EXIT_ON_SEED_ISSUES` will restore the vanilla afl-fuzz behavior which does not allow crashes or timeout seeds in the initial -i corpus. -- cgit 1.4.1 From d8317182ef5e2afbff56de697be85b10a4abece1 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 8 Apr 2022 23:10:35 +0200 Subject: update fuzzing in depth --- docs/fuzzing_in_depth.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/fuzzing_in_depth.md b/docs/fuzzing_in_depth.md index cff00f77..2bbfa1c1 100644 --- a/docs/fuzzing_in_depth.md +++ b/docs/fuzzing_in_depth.md @@ -911,16 +911,17 @@ normal fuzzing campaigns as these are much shorter runnings. * Keep the generated corpus, use afl-cmin and reuse it every time! 2. Additionally randomize the AFL++ compilation options, e.g.: - * 40% for `AFL_LLVM_CMPLOG` - * 10% for `AFL_LLVM_LAF_ALL` + * 30% for `AFL_LLVM_CMPLOG` + * 5% for `AFL_LLVM_LAF_ALL` 3. Also randomize the afl-fuzz runtime options, e.g.: * 65% for `AFL_DISABLE_TRIM` + * 50% for `AFL_KEEP_TIMEOUTS` * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE` * 40% use MOpt (`-L 0`) * 40% for `AFL_EXPAND_HAVOC_NOW` * 20% for old queue processing (`-Z`) - * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3` + * for CMPLOG targets, 70% for `-l 2`, 10% for `-l 3`, 20% for `-l 2AT` 4. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing -- cgit 1.4.1