mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-13 18:48:08 +00:00
determinstic fuzzing is now disabled by default
This commit is contained in:
van Hauser
@ -43,9 +43,13 @@ behaviours:
|
|||||||
worth it.
|
worth it.
|
||||||
* When instrumenting targets, afl-cc will not supersede optimizations. This
|
* When instrumenting targets, afl-cc will not supersede optimizations. This
|
||||||
allows to fuzz targets as same as they are built for debug or release.
|
allows to fuzz targets as same as they are built for debug or release.
|
||||||
* afl-fuzz' `-i` option now descends into subdirectories.
|
* afl-fuzz':
|
||||||
|
* `-i` option now descends into subdirectories.
|
||||||
|
* -m none is now default, set memory limits (in MB) with e.g. -m 250
|
||||||
|
* deterministic fuzzing is now disabled by default (unless using -M) and
|
||||||
|
can be enabled with -D
|
||||||
* afl-fuzz will skip over empty dictionaries and too-large test cases instead
|
* afl-fuzz will skip over empty dictionaries and too-large test cases instead
|
||||||
of failing.
|
of failing, and use them as a source for splicing mutations
|
||||||
|
|
||||||
## Contents
|
## Contents
|
||||||
|
|
||||||
|
|||||||
@ -15,6 +15,8 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
|
|||||||
- afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
|
- afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
|
||||||
- afl-fuzz
|
- afl-fuzz
|
||||||
- memory limits are now disabled by default, set them with -m if required
|
- memory limits are now disabled by default, set them with -m if required
|
||||||
|
- deterministic fuzzing is now disabled by default and can be enabled with
|
||||||
|
-D. It is still enabled by default for -M.
|
||||||
- statsd support by Edznux, thanks a lot!
|
- statsd support by Edznux, thanks a lot!
|
||||||
- Marcel Boehme submitted a patch that improves all AFFast schedules :)
|
- Marcel Boehme submitted a patch that improves all AFFast schedules :)
|
||||||
- reading testcases from -i now descends into subdirectories
|
- reading testcases from -i now descends into subdirectories
|
||||||
|
|||||||
@ -85,6 +85,3 @@ You can find a simple solution in examples/argv_fuzzing.
|
|||||||
Remove the checksum-checking code or use a postprocessor!
|
Remove the checksum-checking code or use a postprocessor!
|
||||||
See examples/custom_mutators/ for more.
|
See examples/custom_mutators/ for more.
|
||||||
|
|
||||||
## Dealing with a very slow target or hoping for instant results?
|
|
||||||
|
|
||||||
Specify `-d` when calling afl-fuzz!
|
|
||||||
|
|||||||
@ -86,10 +86,7 @@ Every fuzzing session should be allowed to complete at least one cycle; and
|
|||||||
ideally, should run much longer than that.
|
ideally, should run much longer than that.
|
||||||
|
|
||||||
As noted earlier, the first pass can take a day or longer, so sit back and
|
As noted earlier, the first pass can take a day or longer, so sit back and
|
||||||
relax. If you want to get broader but more shallow coverage right away, try
|
relax.
|
||||||
the `-d` option - it gives you a more familiar experience by skipping the
|
|
||||||
deterministic fuzzing steps. It is, however, inferior to the standard mode in
|
|
||||||
a couple of subtle ways.
|
|
||||||
|
|
||||||
To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded.
|
To help make the call on when to hit `Ctrl-C`, the cycle counter is color-coded.
|
||||||
It is shown in magenta during the first pass, progresses to yellow if new finds
|
It is shown in magenta during the first pass, progresses to yellow if new finds
|
||||||
@ -118,9 +115,6 @@ inputs it decided to ditch because they were persistently timing out.
|
|||||||
The "*" suffix sometimes shown in the first line means that the currently
|
The "*" suffix sometimes shown in the first line means that the currently
|
||||||
processed path is not "favored" (a property discussed later on).
|
processed path is not "favored" (a property discussed later on).
|
||||||
|
|
||||||
If you feel that the fuzzer is progressing too slowly, see the note about the
|
|
||||||
`-d` option in this doc.
|
|
||||||
|
|
||||||
### Map coverage
|
### Map coverage
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|||||||
@ -101,6 +101,8 @@ void afl_state_init(afl_state_t *afl, uint32_t map_size) {
|
|||||||
afl->hang_tmout = EXEC_TIMEOUT;
|
afl->hang_tmout = EXEC_TIMEOUT;
|
||||||
afl->stats_update_freq = 1;
|
afl->stats_update_freq = 1;
|
||||||
afl->stats_avg_exec = -1;
|
afl->stats_avg_exec = -1;
|
||||||
|
afl->skip_deterministic = 1;
|
||||||
|
afl->use_splicing = 1;
|
||||||
|
|
||||||
#ifdef HAVE_AFFINITY
|
#ifdef HAVE_AFFINITY
|
||||||
afl->cpu_aff = -1; /* Selected CPU core */
|
afl->cpu_aff = -1; /* Selected CPU core */
|
||||||
|
|||||||
@ -103,6 +103,7 @@ static void usage(u8 *argv0, int more_help) {
|
|||||||
"mode)\n\n"
|
"mode)\n\n"
|
||||||
|
|
||||||
"Mutator settings:\n"
|
"Mutator settings:\n"
|
||||||
|
" -D - enable deterministic fuzzing (once per queue entry)\n"
|
||||||
" -L minutes - use MOpt(imize) mode and set the time limit for "
|
" -L minutes - use MOpt(imize) mode and set the time limit for "
|
||||||
"entering the\n"
|
"entering the\n"
|
||||||
" pacemaker mode (minutes of no new paths). 0 = "
|
" pacemaker mode (minutes of no new paths). 0 = "
|
||||||
@ -116,7 +117,6 @@ static void usage(u8 *argv0, int more_help) {
|
|||||||
"Fuzzing behavior settings:\n"
|
"Fuzzing behavior settings:\n"
|
||||||
" -N - do not unlink the fuzzing input file (for devices "
|
" -N - do not unlink the fuzzing input file (for devices "
|
||||||
"etc.)\n"
|
"etc.)\n"
|
||||||
" -d - quick & dirty mode (skips deterministic steps)\n"
|
|
||||||
" -n - fuzz without instrumentation (non-instrumented mode)\n"
|
" -n - fuzz without instrumentation (non-instrumented mode)\n"
|
||||||
" -x dict_file - fuzzer dictionary (see README.md, specify up to 4 "
|
" -x dict_file - fuzzer dictionary (see README.md, specify up to 4 "
|
||||||
"times)\n\n"
|
"times)\n\n"
|
||||||
@ -136,6 +136,7 @@ static void usage(u8 *argv0, int more_help) {
|
|||||||
" -F path - sync to a foreign fuzzer queue directory (requires "
|
" -F path - sync to a foreign fuzzer queue directory (requires "
|
||||||
"-M, can\n"
|
"-M, can\n"
|
||||||
" be specified up to %u times)\n"
|
" be specified up to %u times)\n"
|
||||||
|
" -d - skip deterministic fuzzing in -M mode\n"
|
||||||
" -T text - text banner to show on the screen\n"
|
" -T text - text banner to show on the screen\n"
|
||||||
" -I command - execute this command/script when a new crash is "
|
" -I command - execute this command/script when a new crash is "
|
||||||
"found\n"
|
"found\n"
|
||||||
@ -403,6 +404,7 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
|
|
||||||
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
||||||
afl->sync_id = ck_strdup(optarg);
|
afl->sync_id = ck_strdup(optarg);
|
||||||
|
afl->skip_deterministic = 0;
|
||||||
|
|
||||||
if ((c = strchr(afl->sync_id, ':'))) {
|
if ((c = strchr(afl->sync_id, ':'))) {
|
||||||
|
|
||||||
@ -431,8 +433,6 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
if (afl->sync_id) { FATAL("Multiple -S or -M options not supported"); }
|
||||||
afl->sync_id = ck_strdup(optarg);
|
afl->sync_id = ck_strdup(optarg);
|
||||||
afl->is_secondary_node = 1;
|
afl->is_secondary_node = 1;
|
||||||
afl->skip_deterministic = 1;
|
|
||||||
afl->use_splicing = 1;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'F': /* foreign sync dir */
|
case 'F': /* foreign sync dir */
|
||||||
@ -557,7 +557,6 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
case 'd': /* skip deterministic */
|
case 'd': /* skip deterministic */
|
||||||
|
|
||||||
afl->skip_deterministic = 1;
|
afl->skip_deterministic = 1;
|
||||||
afl->use_splicing = 1;
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'B': /* load bitmap */
|
case 'B': /* load bitmap */
|
||||||
|
|||||||
Reference in New Issue
Block a user