ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 00:01:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
AFLplusplus/docs/coverage_estimation.md
jonas b54d3ed414
Added Coverage Estimation 
Signed-off-by: jonas <jonas.eppard@de.bosch.com>
2023-08-10 08:15:57 +02:00

2.3 KiB
Raw Blame History

Coverage Estimation in AFL++

This file describes the Coverage Estimation of AFL++. or general information about AFL++, see README.md.

Table of Content

1 Introduction

The Coverage Estimation inside AFL++ is based on Path Coverage. It used STADS (Security Testing As Discovery of Species) to use Species Richness estimators for Coverage estimation. The estimated coverage should help developers when to stop a Fuzzing campaign. The coverage estimation can only be estimated over fuzzable/reachable paths.

Coverage estimation is not tested on multiple Fuzzing instances (-M/-S Options). It's also not tested on resuming a fuzz run (AFL_AUTORESUME, -i -).

2 Setup

To use coverage estimation you don't have to change your workflow, just add following environment variables:

  • Set AFL_CODE_COVERAGE to enable Coverage Estimation.
  • Consider Setting AFL_N_FUZZ_SIZE to something bigger then (1 << 21)(default) to mitigate (Re-)Hash collisions
  • Consider the use of AFL_CRASH_ON_HASH_COLLISION if (slightly) incorrect coverage estimation is worse then a abort
  • If the Coverage estimation should update more often change COVERAGE_INTERVAL in config.h (This requires rebuilding of AFL++)

More information's about these environment variables in env_variables.md.

3 Status Screen extension

The status screen will be extended with following box:

 +- code coverage information ------------------------+
 |              coverage : 57.12% - 63.21%            |
 | collision probability : 1.02%                      |
 +----------------------------------------------------+
  • coverage - This is the estimated path coverage. The first number is a lower bound estimate. The second number is a upper bound estimate. It's only possible to estimate the fuzzable/reachable paths. If the coverage is very fast very high you either fuzzing a simple target or don't have a good corpus.
  • collision propability - This is a estimate for the probability of Hash Collisions. If this number gets high you should increase AFL_N_FUZZ_SIZE. Hash collisions will cause errors in coverage estimation. If AFL_CRASH_ON_HASH_COLLISION is set afl-fuzz will abort on a detected Hash collision.