ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-13 02:28:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

add feature list

Browse Source
This commit is contained in:
vanhauser-thc
2022-01-11 11:59:12 +01:00
parent ef77d552e9
commit 41b07983f1
3 changed files with 57 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
docs/features.md
View File

@ -4,20 +4,56 @@ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with
QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full
*BSD, Mac OS, Solaris and Android support and much, much, much more.
| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)|
| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
| Threadsafe counters | | x(3) | | | | | x | |
| NeverZero | x86[_64]| x(1) | x | x | x | x | | |
| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | |
| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | |
| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | |
| Selective Instrumentation| | x | x | x | x | | | |
| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | |
| Ngram prev_loc Coverage | | x(6) | | | | | | |
| Context Coverage | | x(6) | | | | | | |
| Auto Dictionary | | x(7) | | | | | | |
| Snapshot Support | | (x)(8) | (x)(8) | | (x)(5) | | x | |
| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | x | |
| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)|
| ------------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
| Threadsafe counters [A] | | x(3) | | | | | x | |
| NeverZero [B] | x86[_64]| x(1) | x | x | x | x | | |
| Persistent Mode [C] | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | |
| LAF-Intel / CompCov [D] | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | |
| CmpLog [E] | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | |
| Selective Instrumentation [F] | | x | x | x | x | | | |
| Non-Colliding Coverage [G] | | x(4) | | | (x)(5) | | | |
| Ngram prev_loc Coverage [H] | | x(6) | | | | | | |
| Context Coverage [I] | | x(6) | | | | | | |
| Auto Dictionary [J] | | x(7) | | | | | | |
| Snapshot Support (K) | | (x)(8) | (x)(8) | | (x)(5) | | x | |
| Shared Memory Test cases [L] | | x | x | x86[_64]/arm64 | x | x | x | |
A. Default is not thread-safe coverage counter updates for better performance,
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
B. On wrapping coverage counters (255 + 1) skip the 0 value and jump to 1
instead. This has shown to give better coverage data and is the default;
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
C. Instead of forking, reiterate the fuzz target function in a loop (like
`LLVMFuzzerTestOneInput`. Great speed increase but only work with target
functions that does not keep state, leak memory or exit;
see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
D. Split any non-8-bit comparison to 8 bit comparison;
see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
E. CmpLog is our enhanced [Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/)
implementation, see see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
for all llvm versions and all our compile modes, only instrument what should
be instrumented, for more speed, directed fuzzing and less instability;
see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
G. Vanilla AFL uses coverage where edges could collide to the same coverage
bytes the larger the target is. Our default instrumentation in LTO and
afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it
faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`;
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the
caller (CTX), based on
[https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf);
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
J. An LTO feature that creates a fuzzing dictionary based on comparisons found
during compilation/instrumentation. Automatic feature :)
See [instrumentation/README.lto.md](../instrumentation/README.lto.md)
K. The snapshot feature requires a kernel module that was a lot of work to get
right and maintained so it is no longer supported. We have
[nyx_mode](../nyx_mode/README.md) instead.
L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
delivery, see
[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
1. default for LLVM >= 9.0, environment variable for older version due an
efficiency bug in previous llvm versions