ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-15 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

several documentation fixes

Browse Source
This commit is contained in:
Heiko Eißfeldt
2019-07-19 11:17:30 +02:00
parent 5f7e3025d9
commit fe084b9866
6 changed files with 46 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/ChangeLog
View File

@ -30,7 +30,7 @@ Version ++2.52d (tbd):
path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim) path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
- added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt - added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
- added code to make it more portable to other platforms than Intel Linux - added code to make it more portable to other platforms than Intel Linux
- added never zero counters for afl-gcc and optional (because of an - added never zero counters for afl-gcc and optionally (because of an
optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1) optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
- added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt - added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt
- more cpu power for afl-system-config - more cpu power for afl-system-config
@ -46,7 +46,7 @@ Version ++2.52d (tbd):
- added -V time and -E execs option to better comparison runs, runs afl-fuzz - added -V time and -E execs option to better comparison runs, runs afl-fuzz
for a specific time/executions. for a specific time/executions.
- added a -s seed switch to allow afl run with a fixed initial - added a -s seed switch to allow afl run with a fixed initial
seed that is not updated. this is good for performance and path discovery seed that is not updated. This is good for performance and path discovery
tests as the random numbers are deterministic then tests as the random numbers are deterministic then
- llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_... - llvm_mode LAF_... env variables can now be specified as AFL_LLVM_LAF_...
that is longer but in line with other llvm specific env vars that is longer but in line with other llvm specific env vars

30
docs/README.MOpt
View File

@ -17,7 +17,8 @@ We open source all the seed sets used in the paper
### 4. Experiment Results ### 4. Experiment Results
The experiment results can be found in The experiment results can be found in
https://drive.google.com/drive/folders/184GOzkZGls1H2NuLuUfSp9gfqp1E2-lL?usp=sharing. We only open source the crash files since the space is limited. https://drive.google.com/drive/folders/184GOzkZGls1H2NuLuUfSp9gfqp1E2-lL?usp=sharing.
We only open source the crash files since the space is limited.
### 5. Technical Report ### 5. Technical Report
MOpt_TechReport.pdf is the technical report of the paper MOpt_TechReport.pdf is the technical report of the paper
@ -26,18 +27,25 @@ MOpt_TechReport.pdf is the technical report of the paper
### 6. Parameter Introduction ### 6. Parameter Introduction
Most important, you must add the parameter `-L` (e.g., `-L 0`) to launch the Most important, you must add the parameter `-L` (e.g., `-L 0`) to launch the
MOpt scheme. MOpt scheme.
<br>`-L` controls the time to move on to the pacemaker fuzzing mode.
<br>`-L t:` when MOpt-AFL finishes the mutation of one input, if it has not Option '-L' controls the time to move on to the pacemaker fuzzing mode.
discovered any new unique crash or path for more than t min, MOpt-AFL will '-L t': when MOpt-AFL finishes the mutation of one input, if it has not
discovered any new unique crash or path for more than t minutes, MOpt-AFL will
enter the pacemaker fuzzing mode. enter the pacemaker fuzzing mode.
<br>Setting 0 will enter the pacemaker fuzzing mode at first, which is
Setting 0 will enter the pacemaker fuzzing mode at first, which is
recommended in a short time-scale evaluation. recommended in a short time-scale evaluation.
Other important parameters can be found in afl-fuzz.c, for instance, Other important parameters can be found in afl-fuzz.c, for instance,
<br>`swarm_num:` the number of the PSO swarms used in the fuzzing process.
<br>`period_pilot:` how many times MOpt-AFL will execute the target program in the pilot fuzzing module, then it will enter the core fuzzing module.
<br>`period_core:` how many times MOpt-AFL will execute the target program in the core fuzzing module, then it will enter the PSO updating module.
<br>`limit_time_bound:` control how many interesting test cases need to be found before MOpt-AFL quits the pacemaker fuzzing mode and reuses the deterministic stage.
0 < `limit_time_bound` < 1, MOpt-AFL-tmp. `limit_time_bound` >= 1, MOpt-AFL-ever.
Having fun with MOpt in AFL! 'swarm_num': the number of the PSO swarms used in the fuzzing process.
'period_pilot': how many times MOpt-AFL will execute the target program
in the pilot fuzzing module, then it will enter the core fuzzing module.
'period_core': how many times MOpt-AFL will execute the target program in the
core fuzzing module, then it will enter the PSO updating module.
'limit_time_bound': control how many interesting test cases need to be found
before MOpt-AFL quits the pacemaker fuzzing mode and reuses the deterministic stage.
0 < 'limit_time_bound' < 1, MOpt-AFL-tmp.
'limit_time_bound' >= 1, MOpt-AFL-ever.
Have fun with MOpt in AFL!

27
docs/binaryonly_fuzzing.txt
View File

@ -11,7 +11,7 @@ then standard afl++ (dumb mode) is not effective.
The following is a description of how these can be fuzzed with afl++ The following is a description of how these can be fuzzed with afl++
!!!!! !!!!!
DTLR: try DYNINST with afl-dyninst. If it produces too many crashes then TL;DR: try DYNINST with afl-dyninst. If it produces too many crashes then
use afl -Q qemu_mode. use afl -Q qemu_mode.
!!!!! !!!!!
@ -22,7 +22,7 @@ Qemu is the "native" solution to the program.
It is available in the ./qemu_mode/ directory and once compiled it can It is available in the ./qemu_mode/ directory and once compiled it can
be accessed by the afl-fuzz -Q command line option. be accessed by the afl-fuzz -Q command line option.
The speed decrease is at about 50% The speed decrease is at about 50%
It the easiest to use alternative and even works for cross-platform binaries. It is the easiest to use alternative and even works for cross-platform binaries.
As it is included in afl++ this needs no URL. As it is included in afl++ this needs no URL.
@ -30,7 +30,7 @@ As it is included in afl++ this needs no URL.
DYNINST DYNINST
------- -------
Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio
(see far below). Howver whereas Pintool and Dynamorio work at runtime, dyninst (see far below). However whereas Pintool and Dynamorio work at runtime, dyninst
instruments the target at load time, and then let it run. instruments the target at load time, and then let it run.
This is great for some things, e.g. fuzzing, and not so effective for others, This is great for some things, e.g. fuzzing, and not so effective for others,
e.g. malware analysis. e.g. malware analysis.
@ -38,15 +38,15 @@ e.g. malware analysis.
So what we can do with dyninst is taking every basic block, and put afl's So what we can do with dyninst is taking every basic block, and put afl's
instrumention code in there - and then save the binary. instrumention code in there - and then save the binary.
Afterwards we can just fuzz the newly saved target binary with afl-fuzz. Afterwards we can just fuzz the newly saved target binary with afl-fuzz.
Sounds great? It is. The issue though - this is a non-trivial problem to Sounds great? It is. The issue though - it is a non-trivial problem to
insert instructions, which changes addresses in the process space and that insert instructions, which change addresses in the process space, so
everything still works afterwards. Hence more often than not binaries everything is still working afterwards. Hence more often than not binaries
crash when they are run. crash when they are run (because of instrumentation).
The speed decrease is about 15-35%, depending on the optimization options The speed decrease is about 15-35%, depending on the optimization options
used with afl-dyninst. used with afl-dyninst.
So if dyninst works, its the best option available. Otherwise it just doesn't So if dyninst works, it is the best option available. Otherwise it just doesn't
work well. work well.
https://github.com/vanhauser-thc/afl-dyninst https://github.com/vanhauser-thc/afl-dyninst
@ -54,13 +54,14 @@ https://github.com/vanhauser-thc/afl-dyninst
INTEL-PT INTEL-PT
-------- --------
If you have a newer Intel CPU, you can make use of Intels processor trace.
The big issue with Intel's PT is the small buffer size and the complex The big issue with Intel's PT is the small buffer size and the complex
encoding of the debug information collected through PT. encoding of the debug information collected through PT.
This makes the decoding very CPU intensive and hence slow. This makes the decoding very CPU intensive and hence slow.
As a result, the overall speed decrease is about 70-90% (depending on As a result, the overall speed decrease is about 70-90% (depending on
the implementation and other factors) the implementation and other factors).
there are two afl intel-pt implementations: There are two afl intel-pt implementations:
1. https://github.com/junxzm1990/afl-pt 1. https://github.com/junxzm1990/afl-pt
=> this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel. => this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
@ -73,13 +74,13 @@ there are two afl intel-pt implementations:
CORESIGHT CORESIGHT
--------- ---------
Coresight is the ARM answer to Intel's PT. Coresight is ARM's answer to Intel's PT.
There is no implementation so far which handle coresight and getting There is no implementation so far which handle coresight and getting
it working on an ARM Linux is very difficult due custom kernel building it working on an ARM Linux is very difficult due to custom kernel building
on embedded systems is difficult. And finding one that has coresight in on embedded systems is difficult. And finding one that has coresight in
the ARM chip is difficult too. the ARM chip is difficult too.
My guess is that it is slower than Qemu, but faster than Intel PT. My guess is that it is slower than Qemu, but faster than Intel PT.
If anyone finds any coresight implemention for afl please ping me: If anyone finds any coresight implementation for afl please ping me:
vh@thc.org vh@thc.org

9
docs/env_variables.txt
View File

@ -90,7 +90,8 @@ Then there are a few specific features that are only available in llvm_mode:
LAF-INTEL LAF-INTEL
========= =========
This great feature will split compares to series of single byte comparisons This great feature will split compares to series of single byte comparisons
to allow afl-fuzz to find otherwise rather impossible paths. to allow afl-fuzz to find otherwise rather impossible paths. It is not
restricted to Intel CPUs ;-)
- Setting AFL_LLVM_LAF_SPLIT_SWITCHES will split switch()es - Setting AFL_LLVM_LAF_SPLIT_SWITCHES will split switch()es
@ -105,20 +106,20 @@ Then there are a few specific features that are only available in llvm_mode:
This feature allows selectively instrumentation of the source This feature allows selectively instrumentation of the source
- Setting AFL_LLVM_WHITELIST with a filename will only instrument those - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
files that match these names. files that match the names listed in this file.
See llvm_mode/README.whitelist for more information. See llvm_mode/README.whitelist for more information.
INSTRIM INSTRIM
======= =======
This feature increases the speed by whopping 20% but at the cost of a This feature increases the speed by whopping 20% but at the cost of a
lower path discovery and thefore coverage. lower path discovery and therefore coverage.
- Setting AFL_LLVM_INSTRIM activates this mode - Setting AFL_LLVM_INSTRIM activates this mode
- Setting AFL_LLVM_INSTRIM_LOOPHEAD=1 expands on INSTRIM to optimize loops. - Setting AFL_LLVM_INSTRIM_LOOPHEAD=1 expands on INSTRIM to optimize loops.
afl-fuzz will only be able to see the path the loop took, but not how afl-fuzz will only be able to see the path the loop took, but not how
many times it was called (unless its a complex loop). many times it was called (unless it is a complex loop).
See llvm_mode/README.instrim See llvm_mode/README.instrim

4
gcc_plugin/README.gcc
View File

@ -65,8 +65,8 @@ directory.
This is an early-stage mechanism, so field reports are welcome. You can send bug This is an early-stage mechanism, so field reports are welcome. You can send bug
reports to <aseipp@pobox.com>. reports to <aseipp@pobox.com>.
4) Bonus feature #1: deferred instrumentation 4) Bonus feature #1: deferred initialization
--------------------------------------------- --------------------------------------------
AFL tries to optimize performance by executing the targeted binary just once, AFL tries to optimize performance by executing the targeted binary just once,
stopping it just before main(), and then cloning this "master" process to get stopping it just before main(), and then cloning this "master" process to get

4
llvm_mode/README.llvm
View File

@ -109,8 +109,8 @@ See README.neverzero
This is an early-stage mechanism, so field reports are welcome. You can send bug This is an early-stage mechanism, so field reports are welcome. You can send bug
reports to <afl-users@googlegroups.com>. reports to <afl-users@googlegroups.com>.
5) Bonus feature #1: deferred instrumentation 5) Bonus feature #1: deferred initialization
--------------------------------------------- --------------------------------------------
AFL tries to optimize performance by executing the targeted binary just once, AFL tries to optimize performance by executing the targeted binary just once,
stopping it just before main(), and then cloning this "master" process to get stopping it just before main(), and then cloning this "master" process to get