Fix structure and formatting

This commit is contained in:
llzmb
2022-01-20 20:54:38 +01:00
parent 686a595df3
commit 237a475d9b


@ -4,67 +4,85 @@ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with
QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full
*BSD, Mac OS, Solaris and Android support and much, much, much more. *BSD, Mac OS, Solaris and Android support and much, much, much more.
| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)| ## Features and instrumentation
| ------------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
| Threadsafe counters [A] | | x(3) | | | | | x | | | Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) | unicorn_mode(10) | nyx_mode(12) | coresight_mode(11) |
| NeverZero [B] | x86[_64]| x(1) | x | x | x | x | | | | ------------------------------|:--------:|:---------:|:----------:|:--------------:|:----------------:|:----------------:|:------------:|:------------------:|
| Persistent Mode [C] | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | | | Threadsafe counters [A] | | x(3) | | | | | x | |
| LAF-Intel / CompCov [D] | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | | | NeverZero [B] | x86[_64] | x(1) | x | x | x | x | | |
| CmpLog [E] | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | | | Persistent Mode [C] | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | |
| Selective Instrumentation [F] | | x | x | x | x | | | | | LAF-Intel / CompCov [D] | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | |
| Non-Colliding Coverage [G] | | x(4) | | | (x)(5) | | | | | CmpLog [E] | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | |
| Ngram prev_loc Coverage [H] | | x(6) | | | | | | | | Selective Instrumentation [F] | | x | x | x | x | | | |
| Context Coverage [I] | | x(6) | | | | | | | | Non-Colliding Coverage [G] | | x(4) | | | (x)(5) | | | |
| Auto Dictionary [J] | | x(7) | | | | | | | | Ngram prev_loc Coverage [H] | | x(6) | | | | | | |
| Snapshot Support (K) | | (x)(8) | (x)(8) | | (x)(5) | | x | | | Context Coverage [I] | | x(6) | | | | | | |
| Shared Memory Test cases [L] | | x | x | x86[_64]/arm64 | x | x | x | | | Auto Dictionary [J] | | x(7) | | | | | | |
| Snapshot Support [K] | | (x)(8) | (x)(8) | | (x)(5) | | x | |
| Shared Memory Test cases [L] | | x | x | x86[_64]/arm64 | x | x | x | |
## More information about features
A. Default is not thread-safe coverage counter updates for better performance, A. Default is not thread-safe coverage counter updates for better performance,
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
B. On wrapping coverage counters (255 + 1) skip the 0 value and jump to 1
instead. This has shown to give better coverage data and is the default; B. On wrapping coverage counters (255 + 1), skip the 0 value and jump to 1
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) instead. This has shown to give better coverage data and is the default; see
[instrumentation/README.llvm.md](../instrumentation/README.llvm.md).
C. Instead of forking, reiterate the fuzz target function in a loop (like C. Instead of forking, reiterate the fuzz target function in a loop (like
`LLVMFuzzerTestOneInput`. Great speed increase but only work with target `LLVMFuzzerTestOneInput`. Great speed increase but only works with target
functions that does not keep state, leak memory or exit; functions that do not keep state, leak memory, or exit; see
see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
D. Split any non-8-bit comparison to 8 bit comparison;
see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md) D. Split any non-8-bit comparison to 8-bit comparison; see
E. CmpLog is our enhanced [Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/) [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
implementation, see see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
E. CmpLog is our enhanced
[Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/)
implementation, see
[instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
for all llvm versions and all our compile modes, only instrument what should for all llvm versions and all our compile modes, only instrument what should
be instrumented, for more speed, directed fuzzing and less instability; be instrumented, for more speed, directed fuzzing and less instability; see
see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md) [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
G. Vanilla AFL uses coverage where edges could collide to the same coverage G. Vanilla AFL uses coverage where edges could collide to the same coverage
bytes the larger the target is. Our default instrumentation in LTO and bytes the larger the target is. Our default instrumentation in LTO and
afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it
faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`; faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`; see
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) [instrumentation/README.llvm.md](../instrumentation/README.llvm.md).
H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the
caller (CTX), based on caller (CTX), based on
[https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf); [https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf);
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md) see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md).
J. An LTO feature that creates a fuzzing dictionary based on comparisons found J. An LTO feature that creates a fuzzing dictionary based on comparisons found
during compilation/instrumentation. Automatic feature :) during compilation/instrumentation. Automatic feature :) See
See [instrumentation/README.lto.md](../instrumentation/README.lto.md) [instrumentation/README.lto.md](../instrumentation/README.lto.md)
K. The snapshot feature requires a kernel module that was a lot of work to get K. The snapshot feature requires a kernel module that was a lot of work to get
right and maintained so it is no longer supported. We have right and maintained so it is no longer supported. We have
[nyx_mode](../nyx_mode/README.md) instead. [nyx_mode](../nyx_mode/README.md) instead.
L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
delivery, see delivery, see
[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md) [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
1. default for LLVM >= 9.0, environment variable for older version due an ## More information about instrumentation
1. Default for LLVM >= 9.0, environment variable for older version due an
efficiency bug in previous llvm versions efficiency bug in previous llvm versions
2. GCC creates non-performant code, hence it is disabled in gcc_plugin 2. GCC creates non-performant code, hence it is disabled in gcc_plugin
3. with `AFL_LLVM_THREADSAFE_INST`, disables NeverZero 3. With `AFL_LLVM_THREADSAFE_INST`, disables NeverZero
4. with pcguard mode and LTO mode for LLVM 11 and newer 4. With pcguard mode and LTO mode for LLVM 11 and newer
5. upcoming, development in the branch 5. Upcoming, development in the branch
6. not compatible with LTO instrumentation and needs at least LLVM v4.1 6. Not compatible with LTO instrumentation and needs at least LLVM v4.1
7. automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM 7. Automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM
versions that write to a file to use with afl-fuzz' `-x` versions that write to a file to use with afl-fuzz' `-x`
8. the snapshot LKM is currently unmaintained due to too many kernel changes 8. The snapshot LKM is currently unmaintained due to too many kernel changes
coming too fast :-( coming too fast :-(
9. FRIDA mode is supported on Linux and MacOS for Intel and ARM 9. FRIDA mode is supported on Linux and MacOS for Intel and ARM
10. QEMU/Unicorn is only supported on Linux 10. QEMU/Unicorn is only supported on Linux
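Review bot: the parenthesis opened in note C, "reiterate the fuzz target function in a loop (like `LLVMFuzzerTestOneInput`.", is never closed in either the old or the new text; since this commit is rewrapping these sentences anyway, close it as "(like `LLVMFuzzerTestOneInput`)". Two more wording defects survive the rewrite in the new column: footnote 1 still reads "environment variable for older version due an efficiency bug" (should be "for older versions due to an efficiency bug"), and note F still says "Similar and compatible to clang 13+ sancov" ("compatible with"). Footnote 2, "GCC creates non-performant code, hence it is disabled in gcc_plugin", is not referenced by any cell of the new table (the cells carry (1) and (3) through (12) only), so either the gcc_plugin cell it once annotated should get its "(2)" back or the footnote should be dropped rather than renumbered around. Finally, the new text adds a trailing period to notes B, G and H.+I. but not to A, C, D, E, F, J or L; pick one convention for the whole list.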
@ -72,6 +90,8 @@ L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
extension extension
12. Nyx mode is only supported on Linux and currently restricted to x86_x64 12. Nyx mode is only supported on Linux and currently restricted to x86_x64
## Integrated features and patches
Among others, the following features and patches have been integrated: Among others, the following features and patches have been integrated:
* NeverZero patch for afl-gcc, instrumentation, QEMU mode and unicorn_mode which * NeverZero patch for afl-gcc, instrumentation, QEMU mode and unicorn_mode which
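Review bot: footnote 12 still says "currently restricted to x86_x64" on both sides of the diff; the architecture is x86_64 (the same spelling the table uses in its x86[_64] cells), so fix the typo while this line is being touched.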