From 80ddb484deb82aefc9ba35c766ffca313d74e377 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 6 May 2020 11:51:28 +0200 Subject: added InsTrimLTO :-) --- llvm_mode/README.lto.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'llvm_mode/README.lto.md') diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index d8e4766d..674531f5 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -6,6 +6,8 @@ This version requires a current llvm 11 compiled from the github master. 1. Use afl-clang-lto/afl-clang-lto++ because it is faster and gives better coverage than anything else that is out there in the AFL world + 1a. Set AFL_LLVM_INSTRUMENT=CFG if you want the InsTrimLTO version + (recommended) 2. You can use it together with llvm_mode: laf-intel and whitelisting features and can be combined with cmplog/Redqueen @@ -41,7 +43,7 @@ and many dead ends until we got to this: -fsanitize=coverage edge coverage mode :) The result: - * 10-20% speed gain compared to llvm_mode + * 10-25% speed gain compared to llvm_mode * guaranteed non-colliding edge coverage :-) * The compile time especially for libraries can be longer @@ -80,11 +82,13 @@ Just use afl-clang-lto like you did with afl-clang-fast or afl-gcc. Also whitelisting (AFL_LLVM_WHITELIST -> [README.whitelist.md](README.whitelist.md)) and laf-intel/compcov (AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work. -Instrim does not - but we can not really use it anyway for our approach. +InsTrim (control flow graph instrumentation) is supported and recommended! + (set `AFL_LLVM_INTRUMENT=CFG`) Example: ``` -CC=afl-clang-lto CXX=afl-clang-lto++ ./configure +CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure +export AFL_LLVM_INTRUMENT=CFG make ``` -- cgit 1.4.1 From 0559d1d171a8d8a1585cc7dffa802642d3e6f90a Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Thu, 7 May 2020 10:27:24 +0200 Subject: fix typos --- llvm_mode/README.lto.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'llvm_mode/README.lto.md') diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 674531f5..110b5e9c 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -83,12 +83,12 @@ Just use afl-clang-lto like you did with afl-clang-fast or afl-gcc. Also whitelisting (AFL_LLVM_WHITELIST -> [README.whitelist.md](README.whitelist.md)) and laf-intel/compcov (AFL_LLVM_LAF_* -> [README.laf-intel.md](README.laf-intel.md)) work. InsTrim (control flow graph instrumentation) is supported and recommended! - (set `AFL_LLVM_INTRUMENT=CFG`) + (set `AFL_LLVM_INSTRUMENT=CFG`) Example: ``` CC=afl-clang-lto CXX=afl-clang-lto++ RANLIB=llvm-ranlib AR=llvm-ar ./configure -export AFL_LLVM_INTRUMENT=CFG +export AFL_LLVM_INSTRUMENT=CFG make ``` -- cgit 1.4.1 From d91640392763ac84cb9fc1dab9b86d870172b549 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 11:33:33 +0200 Subject: document workaround for targets with _init for LTO --- llvm_mode/README.lto.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'llvm_mode/README.lto.md') diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index 110b5e9c..f930c560 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md @@ -16,6 +16,11 @@ This version requires a current llvm 11 compiled from the github master. 4. AUTODICTIONARY feature! see below +5. If any problems arise be sure to set `AR=llvm-ar RANLIB=llvm-ranlib` also + note that if that target uses _init functions or early constructors then + also set `AFL_LLVM_MAP_DYNAMIC=1` as your target will crash otherwise + + ## Introduction and problem description A big issue with how afl/afl++ works is that the basic block IDs that are 
@@ -134,7 +139,7 @@ Other targets ignore environment variables and need the parameters set via afl-clang-lto is still work in progress. Known issues: - * Anything that llvm11 cannot compile, afl-clang-lto can not compile either - obviously + * Anything that llvm 11 cannot compile, afl-clang-lto can not compile either - obviously * Anything that does not compile with LTO, afl-clang-lto can not compile either - obviously Hence if building a target with afl-clang-lto fails try to build it with llvm11 @@ -143,6 +148,13 @@ and LTO enabled (`CC=clang-11` `CXX=clang++-11` `CFLAGS=-flto=full` and If this succeeeds then there is an issue with afl-clang-lto. Please report at [https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226) +### Target crashes immediately + +If the target is using early constructors (values smaller than 6) or have their +own _init/.init functions and these are instrumented then the target will +likely crash when started. This can be avoided by compiling with +`AFL_LLVM_MAP_DYNAMIC=1` . + ## Upcoming Work 1. Currently the LTO whitelist feature does not allow to instrument main, -- cgit 1.4.1 From 38dac93f631356d6a1288931e01f9effec9c8c88 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Mon, 11 May 2020 22:44:44 +0200 Subject: fix typos --- examples/afl_untracer/README.md | 4 ++-- examples/afl_untracer/afl-untracer.c | 2 +- llvm_mode/README.lto.md | 11 ++++++++--- llvm_mode/afl-llvm-lto-instrim.so.cc | 3 ++- 4 files changed, 13 insertions(+), 7 deletions(-) (limited to 'llvm_mode/README.lto.md') diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 29234889..05fd8776 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md 
@@ -16,7 +16,7 @@ Supported is so far Intel (i386/x86_64) and AARCH64. ### Modify afl-untracer.c Read and modify afl-untracer.c then `make`. -To adapt afl-untracer.c to your need read the header of the file and then +To adapt afl-untracer.c to your needs, read the header of the file and then search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. ### Generate patches.txt file @@ -25,7 +25,7 @@ To generate the `patches.txt` file for your target library use the `ida_get_patchpoints.py` script for IDA Pro or `ghidra_get_patchpoints.java` for Ghidra. -The patches.txt file has to pointed to by `AFL_UNTRACER_FILE`. +The patches.txt file has to be pointed to by `AFL_UNTRACER_FILE`. To easily run the scripts without needing to run the GUI with Ghidra: ``` diff --git a/examples/afl_untracer/afl-untracer.c b/examples/afl_untracer/afl-untracer.c index 5dbc71bf..af16a6bf 100644 --- a/examples/afl_untracer/afl-untracer.c +++ b/examples/afl_untracer/afl-untracer.c @@ -276,7 +276,7 @@ library_list_t *find_library(char *name) { } -/* for having an easy breakpoint after load the shared library */ +/* for having an easy breakpoint location after loading the shared library */ // this seems to work for clang too. nice :) requires gcc 4.4+ #pragma GCC push_options #pragma GCC optimize("O0") diff --git a/llvm_mode/README.lto.md b/llvm_mode/README.lto.md index f930c560..fa5b8665 100644 --- a/llvm_mode/README.lto.md +++ b/llvm_mode/README.lto.md 
@@ -145,16 +145,21 @@ Known issues: Hence if building a target with afl-clang-lto fails try to build it with llvm11 and LTO enabled (`CC=clang-11` `CXX=clang++-11` `CFLAGS=-flto=full` and `CXXFLAGS=-flto=full`). + +An example that does not build with llvm 11 and LTO is ffmpeg. + If this succeeeds then there is an issue with afl-clang-lto. Please report at [https://github.com/AFLplusplus/AFLplusplus/issues/226](https://github.com/AFLplusplus/AFLplusplus/issues/226) ### Target crashes immediately -If the target is using early constructors (values smaller than 6) or have their -own _init/.init functions and these are instrumented then the target will -likely crash when started. This can be avoided by compiling with +If the target is using early constructors (priority values smaller than 6) +or have their own _init/.init functions and these are instrumented then the +target will likely crash when started. This can be avoided by compiling with `AFL_LLVM_MAP_DYNAMIC=1` . +This can e.g. happen with OpenSSL. + ## Upcoming Work 1. Currently the LTO whitelist feature does not allow to instrument main, diff --git a/llvm_mode/afl-llvm-lto-instrim.so.cc b/llvm_mode/afl-llvm-lto-instrim.so.cc index a686bb81..a7d9b756 100644 --- a/llvm_mode/afl-llvm-lto-instrim.so.cc +++ b/llvm_mode/afl-llvm-lto-instrim.so.cc @@ -10,7 +10,8 @@ http://www.apache.org/licenses/LICENSE-2.0 - This library is plugged into LLVM when invoking clang through afl-clang-fast. + This library is plugged into LLVM when invoking clang through afl-clang-fast + or afl-clang-lto with AFL_LLVM_INSTRUMENT=CFG or =INSTRIM */ -- cgit 1.4.1
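Review bot: In commit 80ddb48 (added InsTrimLTO), hunk @@ -6,6 +6,8 @@ of llvm_mode/README.lto.md, the new entry is numbered `1a.` inside a plain 1..4 numbered list, which markdown will not render as a list item; make it a sub-bullet under item 1 or renumber the list. The entry also calls the CFG mode "(recommended)" without saying what the recommendation buys the user; one clause on why it is preferred over the default instrumentation would let readers decide.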
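Review bot: In commit 80ddb48, hunk @@ -41,7 +43,7 @@ of llvm_mode/README.lto.md, the claimed speed gain is raised from `10-20%` to `10-25%` with nothing in the commit backing the new upper bound; name the targets or measurement the figure comes from, or keep the old range until it is documented.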
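Review bot: In commit 80ddb48, hunk @@ -80,11 +82,13 @@ of llvm_mode/README.lto.md, the variable is misspelled `AFL_LLVM_INTRUMENT` (missing S) twice, in the prose and in the `export` line of the example, while hunk @@ -6,6 +6,8 @@ of the same commit spells it `AFL_LLVM_INSTRUMENT`; anyone copying the example sets a variable nothing reads and does not get InsTrim. The example also adds `RANLIB=llvm-ranlib AR=llvm-ar` to the configure line without explanation; a sentence saying why LTO builds need the llvm archive tools belongs next to it.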
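Review bot: In commit 0559d1d (fix typos), the spelling fix to `AFL_LLVM_INSTRUMENT=CFG` is correct and now matches the `1a.` list item; since the same variable name is now spelled out in three places in this file, consider stating it once and referring back from the example, so a future typo cannot desynchronise the prose from the copy-pasteable example again.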
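Review bot: In commit d916403 (document workaround for targets with _init for LTO), hunk @@ -16,6 +16,11 @@ of llvm_mode/README.lto.md, item 5 packs two unrelated workarounds into one run-on sentence and "If any problems arise" gives the reader no symptom to match; split it into two items, say which build failure (archive or link stage) `AR=llvm-ar RANLIB=llvm-ranlib` addresses, and state the crash symptom for the `_init`/early-constructor case so people can recognise it. "if that target uses" should read "if the target uses", and the hunk appears to add two blank lines before the `## Introduction` heading where the rest of the file uses one.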
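Review bot: In commit d916403, hunk @@ -134,7 +139,7 @@ of llvm_mode/README.lto.md, `llvm11` becomes `llvm 11` in the first bullet only; the trailing context line "Hence if building a target with afl-clang-lto fails try to build it with llvm11" keeps the old form, so the paragraph is left inconsistent. While touching these bullets, "can not compile" should be "cannot compile" in both.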
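Review bot: In commit d916403, hunk @@ -143,6 +148,13 @@ of llvm_mode/README.lto.md, "(values smaller than 6)" does not say what the values are; write "constructor priority values smaller than 6" so the reader knows which attribute is meant. The subject and verb also disagree ("If the target is using ... or have their own"; should be "or has its own"). The workaround names `AFL_LLVM_MAP_DYNAMIC=1` but not what it changes; one sentence on how the dynamic map avoids the crash, and any cost of using it, would make the section usable. The unchanged context line "If this succeeeds" carries a typo that could be fixed in the same hunk.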
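Review bot: In commit 38dac93 (fix typos), hunk @@ -145,16 +145,21 @@ of llvm_mode/README.lto.md, the new sentence "An example that does not build with llvm 11 and LTO is ffmpeg." is inserted between "try to build it with llvm11 and LTO enabled (...)" and "If this succeeeds then there is an issue with afl-clang-lto", so "this" now reads as referring to the ffmpeg sentence rather than to the suggested plain-LTO build; move the ffmpeg example after the "Please report" paragraph or make it a parenthetical. For a commit titled "fix typos", `succeeeds` in the context line and "If the target is using ... or have their own" in the rewritten lines are still left in place.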
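Review bot: In commit 38dac93, hunk @@ -10,7 +10,8 @@ of llvm_mode/afl-llvm-lto-instrim.so.cc, the header comment now says the library is plugged in for afl-clang-fast as well as afl-clang-lto, but the file name marks it as the LTO InsTrim pass; confirm which wrapper actually loads this object and, if afl-clang-fast uses a separate InsTrim pass, drop it from this comment so someone debugging which pass ran is not misled. Also spell out `AFL_LLVM_INSTRUMENT=INSTRIM` rather than `=INSTRIM` so the comment is greppable by variable name.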