ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 11:08:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

determinstic fuzzing is now disabled by default

Browse Source
This commit is contained in:
van Hauser
2020-10-10 10:55:56 +02:00
parent 5dc3bc175b
commit 445aba9221
6 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -43,9 +43,13 @@ behaviours:
worth it. worth it.
* When instrumenting targets, afl-cc will not supersede optimizations. This * When instrumenting targets, afl-cc will not supersede optimizations. This
allows to fuzz targets as same as they are built for debug or release. allows to fuzz targets as same as they are built for debug or release.
* afl-fuzz' `-i` option now descends into subdirectories. * afl-fuzz':
* `-i` option now descends into subdirectories.
* -m none is now default, set memory limits (in MB) with e.g. -m 250
* deterministic fuzzing is now disabled by default (unless using -M) and
can be enabled with -D
* afl-fuzz will skip over empty dictionaries and too-large test cases instead * afl-fuzz will skip over empty dictionaries and too-large test cases instead
of failing. of failing, and use them as a source for splicing mutations
## Contents ## Contents

2
docs/Changelog.md
View File

@ -15,6 +15,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
- afl-llvm/gcc-rt.o merged into afl-compiler-rt.o - afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
- afl-fuzz - afl-fuzz
- memory limits are now disabled by default, set them with -m if required - memory limits are now disabled by default, set them with -m if required
- deterministic fuzzing is now disabled by default and can be enabled with
-D. It is still enabled by default for -M.
- statsd support by Edznux, thanks a lot! - statsd support by Edznux, thanks a lot!
- Marcel Boehme submitted a patch that improves all AFFast schedules :) - Marcel Boehme submitted a patch that improves all AFFast schedules :)
- reading testcases from -i now descends into subdirectories - reading testcases from -i now descends into subdirectories

3
docs/life_pro_tips.md
View File

@ -85,6 +85,3 @@ You can find a simple solution in examples/argv_fuzzing.
Remove the checksum-checking code or use a postprocessor! Remove the checksum-checking code or use a postprocessor!
See examples/custom_mutators/ for more. See examples/custom_mutators/ for more.
## Dealing with a very slow target or hoping for instant results?
Specify `-d` when calling afl-fuzz!

8
docs/status_screen.md
View File

@ -86,10 +86,7 @@ Every fuzzing session should be allowed to complete at least one cycle; and
ideally, should run much longer than that. ideally, should run much longer than that.
As noted earlier, the first pass can take a day or longer, so sit back and As noted earlier, the first pass can take a day or longer, so sit back and
relax. If you want to get broader but more shallow coverage right away, try relax.
the `-d` option - it gives you a more familiar experience by skipping the
deterministic fuzzing steps. It is, however, inferior to the standard mode in
a couple of subtle ways.
To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded. To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded.
It is shown in magenta during the first pass, progresses to yellow if new finds It is shown in magenta during the first pass, progresses to yellow if new finds
@ -118,9 +115,6 @@ inputs it decided to ditch because they were persistently timing out.
The "*" suffix sometimes shown in the first line means that the currently The "*" suffix sometimes shown in the first line means that the currently
processed path is not "favored" (a property discussed later on). processed path is not "favored" (a property discussed later on).
If you feel that the fuzzer is progressing too slowly, see the note about the
`-d` option in this doc.
### Map coverage ### Map coverage
``` ```

2
src/afl-fuzz-state.c
View File

@ -101,6 +101,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
afl->hang_tmout = EXEC_TIMEOUT; afl->hang_tmout = EXEC_TIMEOUT;
afl->stats_update_freq = 1; afl->stats_update_freq = 1;
afl->stats_avg_exec = -1; afl->stats_avg_exec = -1;
afl->skip_deterministic = 1;
afl->use_splicing = 1;
#ifdef HAVE_AFFINITY #ifdef HAVE_AFFINITY
afl->cpu_aff = -1; /* Selected CPU core */ afl->cpu_aff = -1; /* Selected CPU core */

7
src/afl-fuzz.c
View File

@ -103,6 +103,7 @@ static void usage(u8 *argv0, int more_help) {
"mode)\n\n" "mode)\n\n"
"Mutator settings:\n" "Mutator settings:\n"
" -D - enable deterministic fuzzing (once per queue entry)\n"
" -L minutes - use MOpt(imize) mode and set the time limit for " " -L minutes - use MOpt(imize) mode and set the time limit for "
"entering the\n" "entering the\n"
" pacemaker mode (minutes of no new paths). 0 = " " pacemaker mode (minutes of no new paths). 0 = "
@ -116,7 +117,6 @@ static void usage(u8 *argv0, int more_help) {
"Fuzzing behavior settings:\n" "Fuzzing behavior settings:\n"
" -N - do not unlink the fuzzing input file (for devices " " -N - do not unlink the fuzzing input file (for devices "
"etc.)\n" "etc.)\n"
" -d - quick & dirty mode (skips deterministic steps)\n"
" -n - fuzz without instrumentation (non-instrumented mode)\n" " -n - fuzz without instrumentation (non-instrumented mode)\n"
" -x dict_file - fuzzer dictionary (see README.md, specify up to 4 " " -x dict_file - fuzzer dictionary (see README.md, specify up to 4 "
"times)\n\n" "times)\n\n"
@ -136,6 +136,7 @@ static void usage(u8 *argv0, int more_help) {
" -F path - sync to a foreign fuzzer queue directory (requires " " -F path - sync to a foreign fuzzer queue directory (requires "
"-M, can\n" "-M, can\n"
" be specified up to %u times)\n" " be specified up to %u times)\n"
" -d - skip deterministic fuzzing in -M mode\n"
" -T text - text banner to show on the screen\n" " -T text - text banner to show on the screen\n"
" -I command - execute this command/script when a new crash is " " -I command - execute this command/script when a new crash is "
"found\n" "found\n"
@ -403,6 +404,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
afl->sync_id = ck_strdup(optarg); afl->sync_id = ck_strdup(optarg);
afl->skip_deterministic = 0;
if ((c = strchr(afl->sync_id, ':'))) { if ((c = strchr(afl->sync_id, ':'))) {
@ -431,8 +433,6 @@ int main(int argc, char **argv_orig, char **envp) {
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); } if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
afl->sync_id = ck_strdup(optarg); afl->sync_id = ck_strdup(optarg);
afl->is_secondary_node = 1; afl->is_secondary_node = 1;
afl->skip_deterministic = 1;
afl->use_splicing = 1;
break; break;
case 'F': /* foreign sync dir */ case 'F': /* foreign sync dir */
@ -557,7 +557,6 @@ int main(int argc, char **argv_orig, char **envp) {
case 'd': /* skip deterministic */ case 'd': /* skip deterministic */
afl->skip_deterministic = 1; afl->skip_deterministic = 1;
afl->use_splicing = 1;
break; break;
case 'B': /* load bitmap */ case 'B': /* load bitmap */