mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-07 15:51:32 +00:00
add feature list
This commit is contained in:
vanhauser-thc
parent
ef77d552e9
commit
41b07983f1
11
README.md
11
README.md
@ -28,6 +28,8 @@ terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.
|
|||||||
|
|
||||||
Here is some information to get you started:
|
Here is some information to get you started:
|
||||||
|
|
||||||
|
* To get you started with tutorials, go to
|
||||||
|
[docs/tutorials.md](docs/tutorials.md).
|
||||||
* For releases, see the
|
* For releases, see the
|
||||||
[Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and
|
[Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and
|
||||||
[branches](#branches). The best branches to use are however `stable` or
|
[branches](#branches). The best branches to use are however `stable` or
|
||||||
@ -41,8 +43,6 @@ Here is some information to get you started:
|
|||||||
`afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
|
`afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
|
||||||
default configuration on Google's
|
default configuration on Google's
|
||||||
[fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
|
[fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
|
||||||
* To get you started with tutorials, go to
|
|
||||||
[docs/tutorials.md](docs/tutorials.md).
|
|
||||||
|
|
||||||
## Building and installing AFL++
|
## Building and installing AFL++
|
||||||
|
|
||||||
@ -58,7 +58,8 @@ This image is automatically generated when a push to the stable repo happens
|
|||||||
(see [branches](#branches)). You will find your target source code in `/src` in
|
(see [branches](#branches)). You will find your target source code in `/src` in
|
||||||
the container.
|
the container.
|
||||||
|
|
||||||
To build AFL++ yourself, continue at [docs/INSTALL.md](docs/INSTALL.md).
|
To build AFL++ yourself - which we recommend - continue at
|
||||||
|
[docs/INSTALL.md](docs/INSTALL.md).
|
||||||
|
|
||||||
## Quick start: Fuzzing with AFL++
|
## Quick start: Fuzzing with AFL++
|
||||||
|
|
||||||
@ -128,12 +129,12 @@ Questions? Concerns? Bug reports?
|
|||||||
* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important
|
* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important
|
||||||
question missing, submit it via
|
question missing, submit it via
|
||||||
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
|
[https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
|
||||||
* There is a mailing list for the AFL/AFL++ project
|
* Best: join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
|
||||||
|
* There is a (not really used) mailing list for the AFL/AFL++ project
|
||||||
([browse archive](https://groups.google.com/group/afl-users)). To compare
|
([browse archive](https://groups.google.com/group/afl-users)). To compare
|
||||||
notes with other users or to get notified about major new features, send an
|
notes with other users or to get notified about major new features, send an
|
||||||
email to <afl-users+subscribe@googlegroups.com>, but note that this is not
|
email to <afl-users+subscribe@googlegroups.com>, but note that this is not
|
||||||
managed by us.
|
managed by us.
|
||||||
* Best: join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
|
|
||||||
|
|
||||||
## Branches
|
## Branches
|
||||||
|
|
||||||
|
|||||||
@ -4,20 +4,56 @@ AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with
|
|||||||
QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full
|
QEMU 5.1 with laf-intel and redqueen, FRIDA mode, unicorn mode, gcc plugin, full
|
||||||
*BSD, Mac OS, Solaris and Android support and much, much, much more.
|
*BSD, Mac OS, Solaris and Android support and much, much, much more.
|
||||||
|
|
||||||
| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)|
|
| Feature/Instrumentation | afl-gcc | llvm | gcc_plugin | FRIDA mode(9) | QEMU mode(10) |unicorn_mode(10) |nyx_mode(12)|coresight_mode(11)|
|
||||||
| -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
|
| ------------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|:----------:|:----------------:|
|
||||||
| Threadsafe counters | | x(3) | | | | | x | |
|
| Threadsafe counters [A] | | x(3) | | | | | x | |
|
||||||
| NeverZero | x86[_64]| x(1) | x | x | x | x | | |
|
| NeverZero [B] | x86[_64]| x(1) | x | x | x | x | | |
|
||||||
| Persistent Mode | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | |
|
| Persistent Mode [C] | | x | x | x86[_64]/arm64 | x86[_64]/arm[64] | x | | |
|
||||||
| LAF-Intel / CompCov | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | |
|
| LAF-Intel / CompCov [D] | | x | | | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64] | |
|
||||||
| CmpLog | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | |
|
| CmpLog [E] | | x | | x86[_64]/arm64 | x86[_64]/arm[64] | | | |
|
||||||
| Selective Instrumentation| | x | x | x | x | | | |
|
| Selective Instrumentation [F] | | x | x | x | x | | | |
|
||||||
| Non-Colliding Coverage | | x(4) | | | (x)(5) | | | |
|
| Non-Colliding Coverage [G] | | x(4) | | | (x)(5) | | | |
|
||||||
| Ngram prev_loc Coverage | | x(6) | | | | | | |
|
| Ngram prev_loc Coverage [H] | | x(6) | | | | | | |
|
||||||
| Context Coverage | | x(6) | | | | | | |
|
| Context Coverage [I] | | x(6) | | | | | | |
|
||||||
| Auto Dictionary | | x(7) | | | | | | |
|
| Auto Dictionary [J] | | x(7) | | | | | | |
|
||||||
| Snapshot Support | | (x)(8) | (x)(8) | | (x)(5) | | x | |
|
| Snapshot Support (K) | | (x)(8) | (x)(8) | | (x)(5) | | x | |
|
||||||
| Shared Memory Test cases | | x | x | x86[_64]/arm64 | x | x | x | |
|
| Shared Memory Test cases [L] | | x | x | x86[_64]/arm64 | x | x | x | |
|
||||||
|
|
||||||
|
A. Default is not thread-safe coverage counter updates for better performance,
|
||||||
|
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
|
||||||
|
B. On wrapping coverage counters (255 + 1) skip the 0 value and jump to 1
|
||||||
|
instead. This has shown to give better coverage data and is the default;
|
||||||
|
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
|
||||||
|
C. Instead of forking, reiterate the fuzz target function in a loop (like
|
||||||
|
`LLVMFuzzerTestOneInput`. Great speed increase but only work with target
|
||||||
|
functions that does not keep state, leak memory or exit;
|
||||||
|
see [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
|
||||||
|
D. Split any non-8-bit comparison to 8 bit comparison;
|
||||||
|
see [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)
|
||||||
|
E. CmpLog is our enhanced [Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/)
|
||||||
|
implementation, see see [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)
|
||||||
|
F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
|
||||||
|
for all llvm versions and all our compile modes, only instrument what should
|
||||||
|
be instrumented, for more speed, directed fuzzing and less instability;
|
||||||
|
see [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
|
||||||
|
G. Vanilla AFL uses coverage where edges could collide to the same coverage
|
||||||
|
bytes the larger the target is. Our default instrumentation in LTO and
|
||||||
|
afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it
|
||||||
|
faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`;
|
||||||
|
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
|
||||||
|
H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the
|
||||||
|
caller (CTX), based on
|
||||||
|
[https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf);
|
||||||
|
see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)
|
||||||
|
J. An LTO feature that creates a fuzzing dictionary based on comparisons found
|
||||||
|
during compilation/instrumentation. Automatic feature :)
|
||||||
|
See [instrumentation/README.lto.md](../instrumentation/README.lto.md)
|
||||||
|
K. The snapshot feature requires a kernel module that was a lot of work to get
|
||||||
|
right and maintained so it is no longer supported. We have
|
||||||
|
[nyx_mode](../nyx_mode/README.md) instead.
|
||||||
|
L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
|
||||||
|
delivery, see
|
||||||
|
[instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)
|
||||||
|
|
||||||
1. default for LLVM >= 9.0, environment variable for older version due an
|
1. default for LLVM >= 9.0, environment variable for older version due an
|
||||||
efficiency bug in previous llvm versions
|
efficiency bug in previous llvm versions
|
||||||
|
|||||||
@ -42,4 +42,4 @@ For example:
|
|||||||
afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@
|
afl-fuzz -i input -o output -c ./program.cmplog -m none -- ./program.afl @@
|
||||||
```
|
```
|
||||||
|
|
||||||
Be sure to use `-m none` because CmpLog can map a lot of pages.
|
Be careful with the usage of `-m` because CmpLog can map a lot of pages.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user