From 82ef4a90b0ff12a297e1bc3f1c8256ae9ace4f25 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Fri, 10 Sep 2021 21:37:55 +0200 Subject: Fix links --- docs/best_practices.md | 2 +- docs/branches.md | 2 +- docs/fuzzing_expert.md | 2 +- docs/interpreting_output.md | 2 +- docs/known_limitations.md | 2 +- docs/life_pro_tips.md | 20 ++++++++++---------- docs/rpc_statsd.md | 2 +- docs/triaging_crashes.md | 2 +- 8 files changed, 17 insertions(+), 17 deletions(-) (limited to 'docs') diff --git a/docs/best_practices.md b/docs/best_practices.md index 23fa237d..1521748a 100644 --- a/docs/best_practices.md +++ b/docs/best_practices.md 
@@ -59,7 +59,7 @@ which allows you to define network state with different type of data packets. 1. Use [llvm_mode](../instrumentation/README.llvm.md): afl-clang-lto (llvm >= 11) or afl-clang-fast (llvm >= 9 recommended). 2. Use [persistent mode](../instrumentation/README.persistent_mode.md) (x2-x20 speed increase). 3. Use the [AFL++ snapshot module](https://github.com/AFLplusplus/AFL-Snapshot-LKM) (x2 speed increase). -4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [docs/env_variables.md](docs/env_variables.md). +4. If you do not use shmem persistent mode, use `AFL_TMPDIR` to put the input file directory on a tempfs location, see [env_variables.md](env_variables.md). 5. Improve Linux kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system less secure). 6. Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem. 7. Use your cores! [README.md:3.b) Using multiple cores/threads](../README.md#b-using-multiple-coresthreads). diff --git a/docs/branches.md b/docs/branches.md index 1e4ebbb2..81c73a0f 100644 --- a/docs/branches.md +++ b/docs/branches.md 
@@ -7,4 +7,4 @@ The following branches exist: * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state of AFL++ - bleeding edge and you might catch a checkout which does not compile or has a bug. *We only accept PRs in dev!!* * (any other): experimental branches to work on specific features or testing new functionality or changes. -For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [major behaviour changes in AFL++](behaviour_changes.md). \ No newline at end of file +For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab. Also take a look at the list of [important changes in AFL++](important_changes.md). \ No newline at end of file diff --git a/docs/fuzzing_expert.md b/docs/fuzzing_expert.md index 23b24ad0..37ab8e2f 100644 --- a/docs/fuzzing_expert.md +++ b/docs/fuzzing_expert.md @@ -620,4 +620,4 @@ This is basically all you need to know to professionally run fuzzing campaigns. If you want to know more, the tons of texts in [docs/](./) will have you covered. Note that there are also a lot of tools out there that help fuzzing with AFL++ -(some might be deprecated or unsupported), see [links_tools.md](links_tools.md). \ No newline at end of file +(some might be deprecated or unsupported), see [tools.md](tools.md). \ No newline at end of file diff --git a/docs/interpreting_output.md b/docs/interpreting_output.md index 54ad76df..364d2cf4 100644 --- a/docs/interpreting_output.md +++ b/docs/interpreting_output.md @@ -1,6 +1,6 @@ # Interpreting output -See the [docs/status_screen.md](docs/status_screen.md) file for information on +See the [status_screen.md](status_screen.md) file for information on how to interpret the displayed stats and monitor the health of the process. Be sure to consult this file especially if any UI elements are highlighted in red. 
diff --git a/docs/known_limitations.md b/docs/known_limitations.md index deb539e2..b5fc8446 100644 --- a/docs/known_limitations.md +++ b/docs/known_limitations.md @@ -15,7 +15,7 @@ Here are some of the most important caveats for AFL: To work around this, you can comment out the relevant checks (see utils/libpng_no_checksum/ for inspiration); if this is not possible, you can also write a postprocessor, one of the hooks of custom mutators. - See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use + See [custom_mutators.md](custom_mutators.md) on how to use `AFL_CUSTOM_MUTATOR_LIBRARY` - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This diff --git a/docs/life_pro_tips.md b/docs/life_pro_tips.md index 13ffcea0..e79bcafa 100644 --- a/docs/life_pro_tips.md +++ b/docs/life_pro_tips.md 
@@ -27,16 +27,16 @@ Run the bundled `afl-plot` utility to generate browser-friendly graphs. Check out the `fuzzer_stats` file in the AFL output dir or try `afl-whatsup`. ## Puzzled by something showing up in red or purple in the AFL UI? -It could be important - consult docs/status_screen.md right away! +It could be important - consult [status_screen.md](status_screen.md) right away! ## Know your target? Convert it to persistent mode for a huge performance gain! -Consult section #5 in README.llvm.md for tips. +Consult section #5 in [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) for tips. ## Using clang? -Check out instrumentation/ for a faster alternative to afl-gcc! +Check out [instrumentation/](../instrumentation/) for a faster alternative to afl-gcc! ## Did you know that AFL can fuzz closed-source or cross-platform binaries? -Check out qemu_mode/README.md and unicorn_mode/README.md for more. +Check out [qemu_mode/README.md](../qemu_mode/README.md) and [unicorn_mode/README.md](../unicorn_mode/README.md) for more. ## Did you know that afl-fuzz can minimize any test case for you? Try the bundled `afl-tmin` tool - and get small repro files fast! @@ -46,7 +46,7 @@ Try the bundled `afl-tmin` tool - and get small repro files fast! ## Trouble dealing with a machine uprising? Relax, we've all been there. -Find essential survival tips at http://lcamtuf.coredump.cx/prep/. +Find essential survival tips at [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/). ## Want to automatically spot non-crashing memory handling bugs? @@ -54,7 +54,7 @@ Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind. ## Good selection of input files is critical to a successful fuzzing job. -See docs/perf_tips.md for pro tips. +See [perf_tips.md](perf_tips.md) for pro tips. ## You can improve the odds of automatically spotting stack corruption issues. 
@@ -70,18 +70,18 @@ sanity-checking `assert()` / `abort()` statements to effortlessly catch logic bu ## Hey kid... pssst... want to figure out how AFL really works? -Check out docs/technical_details.md for all the gory details in one place! +Check out [technical_details.md](technical_details.md) for all the gory details in one place! ## There's a ton of third-party helper tools designed to work with AFL! -Be sure to check out docs/sister_projects.md before writing your own. +Be sure to check out [sister_projects.md](sister_projects.md) before writing your own. ## Need to fuzz the command-line arguments of a particular program? -You can find a simple solution in utils/argv_fuzzing. +You can find a simple solution in [utils/argv_fuzzing](../utils/argv_fuzzing/). ## Attacking a format that uses checksums? Remove the checksum-checking code or use a postprocessor! -See `afl_custom_post_process` in custom_mutators/examples/example.c for more. +See `afl_custom_post_process` in [custom_mutators/examples/example.c](../custom_mutators/examples/example.c) for more. diff --git a/docs/rpc_statsd.md b/docs/rpc_statsd.md index 898ad099..efbd550b 100644 --- a/docs/rpc_statsd.md +++ b/docs/rpc_statsd.md @@ -41,7 +41,7 @@ To enable the StatsD reporting on your fuzzer instances, you need to set the env Setting `AFL_STATSD_TAGS_FLAVOR` to the provider of your choice will assign tags / labels to each metric based on their format. The possible values are `dogstatsd`, `librato`, `signalfx` or `influxdb`. -For more information on these env vars, check out `docs/env_variables.md`. +For more information on these env vars, check out [env_variables.md](env_variables.md). The simplest way of using this feature is to use any metric provider and change the host/port of your StatsD daemon, with `AFL_STATSD_HOST` and `AFL_STATSD_PORT`, if required (defaults are `localhost` and port `8125`). diff --git a/docs/triaging_crashes.md b/docs/triaging_crashes.md index 1857c4b1..21ccecaa 100644 
--- a/docs/triaging_crashes.md +++ b/docs/triaging_crashes.md @@ -43,4 +43,4 @@ file, attempts to sequentially flip bytes, and observes the behavior of the tested program. It then color-codes the input based on which sections appear to be critical, and which are not; while not bulletproof, it can often offer quick insights into complex file formats. More info about its operation can be found -near the end of [docs/technical_details.md](docs/technical_details.md). \ No newline at end of file +near the end of [technical_details.md](technical_details.md). \ No newline at end of file -- cgit 1.4.1 From 228f6c5dad1a593b4113006e587e9885459a53c2 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Sun, 10 Oct 2021 16:00:21 +0200 Subject: Update fuzzing_binary-only_targets.md --- docs/fuzzing_binary-only_targets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/fuzzing_binary-only_targets.md b/docs/fuzzing_binary-only_targets.md index a39e40a0..d568b976 100644 --- a/docs/fuzzing_binary-only_targets.md +++ b/docs/fuzzing_binary-only_targets.md @@ -71,7 +71,7 @@ cd unicorn_mode If the goal is to fuzz a dynamic library then there are two options available. For both you need to write a small harness that loads and calls the library. -Faster is the frida solution: [utils/afl_frida/README.md](../utils/afl_frida/README.md) +Faster is the frida solution: [frida_mode/README.md](../frida_mode/README.md) Another, less precise and slower option is using ptrace with debugger interrupt instrumentation: [utils/afl_untracer/README.md](../utils/afl_untracer/README.md). -- cgit 1.4.1 From 7cd98f565ffdf3e0c0ccd34c04ed2f3126ab4189 Mon Sep 17 00:00:00 2001 
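Review bot: while the best_practices.md list item 4 is being rewritten for the `[env_variables.md](env_variables.md)` target, `tempfs` in the same line should read `tmpfs`; relinking the line and shipping the typo with it is a missed opportunity, since the new relative target is otherwise correct for a file living in docs/.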
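Review bot: the branches.md hunk rewrites the final line but keeps `\ No newline at end of file`; since the line is touched anyway, terminate it with a newline so git stops flagging the file (and tools like `cat`/`grep -c` behave). The same applies to the last-line rewrites in the fuzzing_expert.md and triaging_crashes.md hunks of this patch.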
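Review bot: in the life_pro_tips.md hunk at @@ -70, `[utils/argv_fuzzing](../utils/argv_fuzzing/)` has a trailing slash in the target but not in the link text, while `[instrumentation/](../instrumentation/)` in the @@ -27 hunk keeps both consistent; use `[utils/argv_fuzzing/](../utils/argv_fuzzing/)` so directory links follow one convention across the file.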
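Review bot: in the fuzzing_binary-only_targets.md hunk, `Faster is the frida solution: [frida_mode/README.md](../frida_mode/README.md)` reads awkwardly; since the line is being changed for the new target anyway, reword it to something like "The faster option is FRIDA mode: ..." and name the mode the way the directory does.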
From: vanhauser-thc Date: Mon, 18 Oct 2021 12:16:58 +0200 Subject: lto and llvm14-dev --- docs/Changelog.md | 2 +- instrumentation/SanitizerCoveragePCGUARD.so.cc | 2 -- instrumentation/afl-llvm-lto-instrumentation.so.cc | 4 ++++ instrumentation/afl-llvm-lto-instrumentlist.so.cc | 5 +++++ 4 files changed, 10 insertions(+), 3 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index d8dac557..6db013cf 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -24,7 +24,7 @@ sending a mail to . afl-showmap and other tools. - afl-cc: - fix for shared linking on MacOS - - llvm and LTO mode verified to work with new llvm 14-dev + - llvm and LTO mode modified to work with new llvm 14-dev (again) - added the very good grammar mutator "GramaTron" to the custom_mutators - added optimin, a faster and better corpus minimizer by diff --git a/instrumentation/SanitizerCoveragePCGUARD.so.cc b/instrumentation/SanitizerCoveragePCGUARD.so.cc index 48ad2d02..013492f9 100644 --- a/instrumentation/SanitizerCoveragePCGUARD.so.cc +++ b/instrumentation/SanitizerCoveragePCGUARD.so.cc @@ -881,8 +881,6 @@ void ModuleSanitizerCoverage::InjectCoverageForIndirectCalls( Function &F, ArrayRef IndirCalls) { if (IndirCalls.empty()) return; - assert(Options.TracePC || Options.TracePCGuard || - Options.Inline8bitCounters /*|| Options.InlineBoolFlag*/); for (auto I : IndirCalls) { IRBuilder<> IRB(I); diff --git a/instrumentation/afl-llvm-lto-instrumentation.so.cc b/instrumentation/afl-llvm-lto-instrumentation.so.cc index 73e41f60..4eb8424f 100644 --- a/instrumentation/afl-llvm-lto-instrumentation.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentation.so.cc 
@@ -244,7 +244,11 @@ bool AFLLTOPass::runOnModule(Module &M) { // the instrument file list check AttributeList Attrs = F.getAttributes(); +#if LLVM_VERSION_MAJOR < 14 if (Attrs.hasAttribute(-1, StringRef("skipinstrument"))) { +#else + if (Attrs.hasFnAttr(StringRef("skipinstrument"))) { +#endif if (debug) fprintf(stderr, diff --git a/instrumentation/afl-llvm-lto-instrumentlist.so.cc b/instrumentation/afl-llvm-lto-instrumentlist.so.cc index 416dbb88..0ec0e427 100644 --- a/instrumentation/afl-llvm-lto-instrumentlist.so.cc +++ b/instrumentation/afl-llvm-lto-instrumentlist.so.cc @@ -116,10 +116,15 @@ bool AFLcheckIfInstrument::runOnModule(Module &M) { auto & Ctx = F.getContext(); AttributeList Attrs = F.getAttributes(); +#if LLVM_VERSION_MAJOR < 14 AttrBuilder NewAttrs; NewAttrs.addAttribute("skipinstrument"); F.setAttributes( Attrs.addAttributes(Ctx, AttributeList::FunctionIndex, NewAttrs)); +#else + AttributeList NewAttrs = Attrs.addFnAttribute(Ctx, "skipinstrument"); + F.setAttributes(NewAttrs); +#endif } -- cgit 1.4.1 From 45d668a671316821c3f9793381cb54956b535491 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 18 Oct 2021 13:17:07 +0200 Subject: better ui banner --- docs/Changelog.md | 1 + include/afl-fuzz.h | 1 - src/afl-fuzz-init.c | 37 ------------------------------------- src/afl-fuzz-stats.c | 49 +++++++++++++++++++++++++++++-------------------- src/afl-fuzz.c | 17 +++++++++++++---- 5 files changed, 43 insertions(+), 62 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 6db013cf..63896622 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -17,6 +17,7 @@ sending a mail to . coverage being detected. thanks to Collin May for reporting! - fix -n dumb mode (nobody should use this) - fix stability issue with LTO and cmplog + - better banner - frida_mode: David Carlier added Android support :) - afl-showmap, afl-tmin and afl-analyze now honor persistent mode for more speed. thanks to dloffre-snl for reporting! 
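Review bot: the SanitizerCoveragePCGUARD.so.cc hunk deletes the `assert(Options.TracePC || Options.TracePCGuard || Options.Inline8bitCounters ...)` guard in InjectCoverageForIndirectCalls without the commit message ("lto and llvm14-dev") saying why; if the assert misfires with LLVM 14-dev, wrap it in `#if LLVM_VERSION_MAJOR < 14` like the two LTO files in this patch do, rather than dropping the only sanity check on the options that reach this code path.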
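Review bot: the afl-llvm-lto-instrumentation.so.cc hunk keeps the magic `-1` index in `Attrs.hasAttribute(-1, StringRef("skipinstrument"))` for the pre-14 branch, while the other file in this patch spells it `AttributeList::FunctionIndex`; better still, `F.hasFnAttribute("skipinstrument")` on the `Function` has existed across all supported LLVM versions and would make the whole `#if LLVM_VERSION_MAJOR < 14` / `#else` / `#endif` block unnecessary.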
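Review bot: the afl-llvm-lto-instrumentlist.so.cc hunk introduces a second version-gated block just to set one string attribute; `F.addFnAttr("skipinstrument")` is available on `Function` in both the old and the new API and replaces both the `AttrBuilder`/`addAttributes(Ctx, AttributeList::FunctionIndex, ...)` path and the `addFnAttribute(Ctx, "skipinstrument")` path without an `#if`. The literal `"skipinstrument"` also now appears in two passes; a shared constant keeps the marker from drifting between them.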
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index 4b19e698..eaf55fb8 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -1130,7 +1130,6 @@ void get_core_count(afl_state_t *); void fix_up_sync(afl_state_t *); void check_asan_opts(afl_state_t *); void check_binary(afl_state_t *, u8 *); -void fix_up_banner(afl_state_t *, u8 *); void check_if_tty(afl_state_t *); void setup_signal_handlers(void); void save_cmdline(afl_state_t *, u32, char **); diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index 9bb25785..9c45f08a 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -2815,43 +2815,6 @@ void check_binary(afl_state_t *afl, u8 *fname) { } -/* Trim and possibly create a banner for the run. */ - -void fix_up_banner(afl_state_t *afl, u8 *name) { - - if (!afl->use_banner) { - - if (afl->sync_id) { - - afl->use_banner = afl->sync_id; - - } else { - - u8 *trim = strrchr(name, '/'); - if (!trim) { - - afl->use_banner = name; - - } else { - - afl->use_banner = trim + 1; - - } - - } - - } - - if (strlen(afl->use_banner) > 32) { - - u8 *tmp = ck_alloc(36); - sprintf(tmp, "%.32s...", afl->use_banner); - afl->use_banner = tmp; - - } - -} - /* Check if we're on TTY. */ void check_if_tty(afl_state_t *afl) { diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c index 870ba69a..0c06232b 100644 --- a/src/afl-fuzz-stats.c +++ b/src/afl-fuzz-stats.c @@ -441,9 +441,10 @@ void show_stats(afl_state_t *afl) { u64 cur_ms; u32 t_bytes, t_bits; - u32 banner_len, banner_pad; - u8 tmp[256]; - u8 time_tmp[64]; + static u8 banner[128]; + u32 banner_len, banner_pad; + u8 tmp[256]; + u8 time_tmp[64]; u8 val_buf[8][STRINGIFY_VAL_SIZE_MAX]; #define IB(i) (val_buf[(i)]) 
@@ -656,26 +657,34 @@ void show_stats(afl_state_t *afl) { } /* Let's start by drawing a centered banner. */ + if (unlikely(!banner[0])) { - banner_len = (afl->crash_mode ? 24 : 22) + strlen(VERSION) + - strlen(afl->use_banner) + strlen(afl->power_name) + 3 + 5; - banner_pad = (79 - banner_len) / 2; - memset(tmp, ' ', banner_pad); + char *si = ""; + if (afl->sync_id) { si = afl->sync_id; } + memset(banner, 0, sizeof(banner)); + banner_len = (afl->crash_mode ? 20 : 18) + strlen(VERSION) + strlen(si) + + strlen(afl->power_name) + 4 + 6; -#ifdef HAVE_AFFINITY - sprintf( - tmp + banner_pad, - "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]" cBLU " {%d}", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name, afl->cpu_aff); -#else - sprintf( - tmp + banner_pad, "%s " cLCY VERSION cLGN " (%s) " cPIN "[%s]", - afl->crash_mode ? cPIN "peruvian were-rabbit" : cYEL "american fuzzy lop", - afl->use_banner, afl->power_name); -#endif /* HAVE_AFFINITY */ + if (strlen(afl->use_banner) + banner_len > 75) { + + afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76; + memset(afl->use_banner, '.', 3); + + } + + banner_len += strlen(afl->use_banner); + banner_pad = (79 - banner_len) / 2; + memset(banner, ' ', banner_pad); + + sprintf(banner + banner_pad, + "%s " cLCY VERSION cLBL " {%s} " cLGN "(%s) " cPIN "[%s]", + afl->crash_mode ? cPIN "peruvian were-rabbit" + : cYEL "american fuzzy lop", + si, afl->use_banner, afl->power_name); + + } - SAYF("\n%s\n", tmp); + SAYF("\n%s\n", banner); /* "Handy" shortcuts for drawing boxes... */ diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 92a37697..26886a4f 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c 
@@ -1189,7 +1189,17 @@ int main(int argc, char **argv_orig, char **envp) { } - if (afl->sync_id) { fix_up_sync(afl); } + if (afl->sync_id) { + + if (strlen(afl->sync_id) > 24) { + + FATAL("sync_id max length is 24 characters"); + + } + + fix_up_sync(afl); + + } if (!strcmp(afl->in_dir, afl->out_dir)) { @@ -1218,6 +1228,8 @@ int main(int argc, char **argv_orig, char **envp) { if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); } + if (!afl->use_banner) { afl->use_banner = argv[optind]; } + if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) { WARNF(cLRD @@ -1486,9 +1498,6 @@ int main(int argc, char **argv_orig, char **envp) { } save_cmdline(afl, argc, argv); - - fix_up_banner(afl, argv[optind]); - check_if_tty(afl); if (afl->afl_env.afl_force_ui) { afl->not_on_tty = 0; } -- cgit 1.4.1 From 47a333af4d7c64209570e7459b1bd5259c207dc9 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 19 Oct 2021 15:42:26 +0200 Subject: add ninja to apt install readme --- docs/INSTALL.md | 1 + 1 file changed, 1 insertion(+) (limited to 'docs') diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b60a7048..960de1af 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -22,6 +22,7 @@ sudo apt-get install -y build-essential python3-dev automake git flex bison libg # try to install llvm 11 and install the distro default if that fails sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev +sudo apt-get install -y ninja-build # for qemu_mode git clone https://github.com/AFLplusplus/AFLplusplus cd AFLplusplus make distrib -- cgit 1.4.1 From 4e3fec2666c3d317db275f4af8875b56009621e1 Mon Sep 17 00:00:00 2001 
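Review bot: in the afl-fuzz-stats.c hunk, `afl->use_banner += (strlen(afl->use_banner) + banner_len) - 76;` followed by `memset(afl->use_banner, '.', 3);` writes into whatever string `use_banner` points at, and the afl-fuzz.c hunk at @@ -1218 sets it to `argv[optind]`, i.e. the target path the fork server was handed; copy the tail into the static `banner` buffer and place the dots there instead of mutating argv. Independently, `sprintf(banner + banner_pad, ...)` should be `snprintf(banner + banner_pad, sizeof(banner) - banner_pad, ...)`: the colour escape macros (`cLCY`, `cLBL`, `cLGN`, `cPIN`, `cYEL`) are not part of `banner_len`, so the 128-byte bound is only implied by the surrounding arithmetic, not enforced.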
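Review bot: the afl-fuzz.c hunk at @@ -1189 adds a hard 24-character limit on `-M`/`-S` names (`FATAL("sync_id max length is 24 characters")`), which is a user-visible behaviour change that the Changelog entry ("better banner") and the usage text do not mention; document it in both, and state in the message that the limit exists to fit the UI banner so users understand why an otherwise valid directory name is rejected.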
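Review bot: the afl-fuzz.c hunk at @@ -1218 falls back to the full `argv[optind]` with `if (!afl->use_banner) { afl->use_banner = argv[optind]; }`, whereas the deleted `fix_up_banner` stripped the directory part via `strrchr(name, '/')`; with the new left-side trimming in show_stats, a long path now shows as `...ath/to/target` instead of the program name. Keep the basename step here (the `trim + 1` logic from the removed function) before handing the string to the banner code.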
From: Stefan Nagy Date: Wed, 20 Oct 2021 17:09:18 -0400 Subject: Update binaryonly_fuzzing.md with zafl --- docs/binaryonly_fuzzing.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 90ea3b66..903afb70 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md @@ -95,13 +95,28 @@ utils/afl_untracer/, use afl-untracer.c as a template. It is slower than AFL FRIDA (see above). +## ZAFL + ZAFL is a static rewriting platform for fast, space-efficient, and inlined + binary fuzzing instrumentation. It currently supports x86-64 C and C++, + stripped and unstripped, and PIE and non-PIE binaries of all sizes and complexity. + + Beyond conventional instrumentation, ZAFL's API enables transformation passes + for more effective/efficient fuzzing. Some built-in transformations include + laf-Intel-style constraint unrolling, Angora-style context sensitivity, and + InsTrim-style CFG optimizations. + + ZAFL's baseline instrumentation speed averages about 90-95% that of afl-clang-fast's + conventional LLVM instrumentation (but is even faster when enabling CFG optimizations). + + [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) + ## DYNINST Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio (see far below). However whereas Pintool and Dynamorio work at runtime, dyninst instruments the target at load time, and then let it run - - or save the binary with the changes. + or save the binary with the changes. This is great for some things, e.g. fuzzing, and not so effective for others, e.g. malware analysis. 
@@ -116,13 +131,10 @@ The speed decrease is about 15-35%, depending on the optimization options used with afl-dyninst. - So if Dyninst works, it is the best option available. Otherwise it just - doesn't work well. - [https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) -## RETROWRITE, ZAFL, ... other binary rewriter +## RETROWRITE If you have an x86/x86_64 binary that still has its symbols, is compiled with position independant code (PIC/PIE) and does not use most of the C++ @@ -131,7 +143,6 @@ It is at about 80-85% performance. - [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) [https://github.com/HexHive/retrowrite](https://github.com/HexHive/retrowrite) -- cgit 1.4.1 From e637ca216e4559960feec6b7f887571efde4f0ba Mon Sep 17 00:00:00 2001 From: Stefan Nagy Date: Thu, 21 Oct 2021 04:52:38 -0400 Subject: Tidy-up zafl info --- docs/binaryonly_fuzzing.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) (limited to 'docs') diff --git a/docs/binaryonly_fuzzing.md b/docs/binaryonly_fuzzing.md index 903afb70..de360543 100644 --- a/docs/binaryonly_fuzzing.md +++ b/docs/binaryonly_fuzzing.md 
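Review bot: in the binaryonly_fuzzing.md hunk at @@ -116, the context line directly under the renamed `## RETROWRITE` heading still says `position independant code (PIC/PIE)`; since the heading above it is being rewritten, fix the spelling to "position independent" in the same hunk. Dropping the ZAFL URL from this section is right given the new `## ZAFL` section now carries it.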
@@ -95,18 +95,13 @@ utils/afl_untracer/, use afl-untracer.c as a template. It is slower than AFL FRIDA (see above). + ## ZAFL - ZAFL is a static rewriting platform for fast, space-efficient, and inlined - binary fuzzing instrumentation. It currently supports x86-64 C and C++, - stripped and unstripped, and PIE and non-PIE binaries of all sizes and complexity. - - Beyond conventional instrumentation, ZAFL's API enables transformation passes - for more effective/efficient fuzzing. Some built-in transformations include - laf-Intel-style constraint unrolling, Angora-style context sensitivity, and - InsTrim-style CFG optimizations. - - ZAFL's baseline instrumentation speed averages about 90-95% that of afl-clang-fast's - conventional LLVM instrumentation (but is even faster when enabling CFG optimizations). + ZAFL is a static rewriting platform supporting x86-64 C/C++, stripped/unstripped, + and PIE/non-PIE binaries. Beyond conventional instrumentation, ZAFL's API enables + transformation passes (e.g., laf-Intel, context sensitivity, InsTrim, etc.). + + Its baseline instrumentation speed typically averages 90-95% of afl-clang-fast's. [https://git.zephyr-software.com/opensrc/zafl](https://git.zephyr-software.com/opensrc/zafl) -- cgit 1.4.1 From e03897a0703673aa0de7772185a5b5230641cb6a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 23 Oct 2021 20:54:24 +0200 Subject: fix timeout bug in afl tools --- docs/Changelog.md | 6 ++++-- src/afl-analyze.c | 12 ++++++++++++ src/afl-fuzz-init.c | 4 ++-- src/afl-showmap.c | 13 +++++++++++++ src/afl-tmin.c | 12 ++++++++++++ 5 files changed, 43 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/Changelog.md b/docs/Changelog.md index 63896622..04b2fb2e 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md 
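Review bot: the tidy-up hunk adds a second blank line before `## ZAFL` (the `+` empty line) while the other sections in binaryonly_fuzzing.md are separated by a single blank line; drop the extra one so heading spacing stays uniform.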
@@ -19,8 +19,10 @@ sending a mail to . - fix stability issue with LTO and cmplog - better banner - frida_mode: David Carlier added Android support :) - - afl-showmap, afl-tmin and afl-analyze now honor persistent mode - for more speed. thanks to dloffre-snl for reporting! + - afl-showmap, afl-tmin and afl-analyze: + - honor persistent mode for more speed. thanks to dloffre-snl for + reporting! + - fix bug where targets are not killed on timeouts - Prevent accidently killing non-afl/fuzz services when aborting afl-showmap and other tools. - afl-cc: diff --git a/src/afl-analyze.c b/src/afl-analyze.c index 8295488d..09b01541 100644 --- a/src/afl-analyze.c +++ b/src/afl-analyze.c @@ -120,6 +120,17 @@ static u8 count_class_lookup[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv.child_pid > 0) { + + kill(fsrv.child_pid, fsrv.kill_signal); + fsrv.child_pid = -1; + + } + +} + static void classify_counts(u8 *mem) { u32 i = map_size; @@ -1053,6 +1064,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv.target_path = find_binary(argv[optind]); fsrv.trace_bits = afl_shm_init(&shm, map_size, 0); detect_file_args(argv + optind, fsrv.out_file, &use_stdin); + signal(SIGALRM, kill_child); if (qemu_mode) { diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c index f0e1a80d..1170715f 100644 --- a/src/afl-fuzz-init.c +++ b/src/afl-fuzz-init.c @@ -1325,8 +1325,8 @@ void pivot_inputs(afl_state_t *afl) { } - nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", afl->out_dir, id, - afl->fsrv.total_execs, use_name); + nfn = alloc_printf("%s/queue/id:%06u,time:0,execs:%llu,orig:%s", + afl->out_dir, id, afl->fsrv.total_execs, use_name); #else diff --git a/src/afl-showmap.c b/src/afl-showmap.c index 5df07bf2..3a244c04 100644 --- a/src/afl-showmap.c +++ b/src/afl-showmap.c 
@@ -146,6 +146,17 @@ static const u8 count_class_binary[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv->child_pid > 0) { + + kill(fsrv->child_pid, fsrv->kill_signal); + fsrv->child_pid = -1; + + } + +} + static void classify_counts(afl_forkserver_t *fsrv) { u8 * mem = fsrv->trace_bits; @@ -526,6 +537,8 @@ static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) { } + signal(SIGALRM, kill_child); + setitimer(ITIMER_REAL, &it, NULL); if (waitpid(fsrv->child_pid, &status, 0) <= 0) { FATAL("waitpid() failed"); } diff --git a/src/afl-tmin.c b/src/afl-tmin.c index 4f3a6b80..ce2a0b8f 100644 --- a/src/afl-tmin.c +++ b/src/afl-tmin.c @@ -120,6 +120,17 @@ static const u8 count_class_lookup[256] = { #undef TIMES8 #undef TIMES4 +static void kill_child() { + + if (fsrv->child_pid > 0) { + + kill(fsrv->child_pid, fsrv->kill_signal); + fsrv->child_pid = -1; + + } + +} + static sharedmem_t *deinit_shmem(afl_forkserver_t *fsrv, sharedmem_t * shm_fuzz) { @@ -1125,6 +1136,7 @@ int main(int argc, char **argv_orig, char **envp) { fsrv->target_path = find_binary(argv[optind]); fsrv->trace_bits = afl_shm_init(&shm, map_size, 0); detect_file_args(argv + optind, out_file, &fsrv->use_stdin); + signal(SIGALRM, kill_child); if (fsrv->qemu_mode) { -- cgit 1.4.1 From 651133ea00ae803377f941b95a9d396bf92eb407 Mon Sep 17 00:00:00 2001 From: llzmb <46303940+llzmb@users.noreply.github.com> Date: Wed, 3 Nov 2021 21:11:11 +0100 Subject: Clean up references to power_schedules.md --- docs/parallel_fuzzing.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'docs') diff --git a/docs/parallel_fuzzing.md b/docs/parallel_fuzzing.md index e37276a5..d24f2837 100644 --- a/docs/parallel_fuzzing.md +++ b/docs/parallel_fuzzing.md 
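Review bot: in the afl-analyze.c hunk at @@ -120, `static void kill_child()` is installed as a signal handler via `signal(SIGALRM, kill_child)`; a handler must take an `int`, so declare it `static void kill_child(int signal)` and mark the parameter unused. The same body is pasted verbatim into afl-showmap.c and afl-tmin.c in this patch (only `fsrv.` vs `fsrv->` differs); a single helper next to the shared fork server code would avoid three copies to keep in sync.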
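Review bot: in the afl-showmap.c hunk at @@ -526, `signal(SIGALRM, kill_child);` is re-installed inside showmap_run_target on every execution, while the afl-tmin and afl-analyze hunks install the handler once in main right after `detect_file_args`; move it to the setup path here too so the three tools behave the same and the per-run cost is avoided.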
@@ -27,9 +27,8 @@ will not be able to use that input to guide their work. To help with this problem, afl-fuzz offers a simple way to synchronize test cases on the fly. -Note that AFL++ has AFLfast's power schedules implemented. -It is therefore a good idea to use different power schedules if you run -several instances in parallel. See [power_schedules.md](power_schedules.md) +It is a good idea to use different power schedules if you run several instances +in parallel (`-p` option). Alternatively running other AFL spinoffs in parallel can be of value, e.g. Angora (https://github.com/AngoraFuzzer/Angora/) @@ -39,7 +38,7 @@ e.g. Angora (https://github.com/AngoraFuzzer/Angora/) If you wish to parallelize a single job across multiple cores on a local system, simply create a new, empty output directory ("sync dir") that will be shared by all the instances of afl-fuzz; and then come up with a naming scheme -for every instance - say, "fuzzer01", "fuzzer02", etc. +for every instance - say, "fuzzer01", "fuzzer02", etc. Run the first one ("main node", -M) like this: @@ -93,7 +92,7 @@ file name. There is support for parallelizing the deterministic checks. This is only needed where - + 1. many new paths are found fast over a long time and it looks unlikely that main node will ever catch up, and 2. deterministic fuzzing is actively helping path discovery (you can see this @@ -195,7 +194,7 @@ to keep in mind: - You do not want a "main" instance of afl-fuzz on every system; you should run them all with -S, and just designate a single process somewhere within the fleet to run with -M. - + - Syncing is only necessary for the main nodes on a system. It is possible to run main-less with only secondaries. However then you need to find out which secondary took over the temporary role to be the main node. Look for -- cgit 1.4.1
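Review bot: in the parallel_fuzzing.md hunk at @@ -27, the rewritten sentence `It is a good idea to use different power schedules ... (`-p` option).` removes the only pointer to where the schedules are listed along with the dead power_schedules.md link; tell the reader where the `-p` values are documented (for example the `afl-fuzz -h` output) so the advice remains actionable.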