ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 16:21:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
AFLplusplus/docs/life_pro_tips.md
van Hauser 8b7a7b29c6
Push to stable (#895) 
* sync (#886)

* Create FUNDING.yml

* Update FUNDING.yml

* moved custom_mutator examples

* unicorn speedtest makefile cleanup

* fixed example location

* fix qdbi

* update util readme

* Frida persistent (#880)

* Added x64 support for persistent mode (function call only), in-memory teest cases and complog

* Review changes, fix NeverZero and code to parse the .text section of the main executable. Excluded ranges TBC

* Various minor fixes and finished support for AFL_INST_LIBS

* Review changes

Co-authored-by: Your Name <you@example.com>

* nits

* fix frida mode

* Integer overflow/underflow fixes in libdislocator (#889)

* libdislocator: fixing integer overflow in 'max_mem' variable and setting 'max_mem' type to 'size_t'

* libdislocator: fixing potential integer underflow in 'total_mem' variable due to its different values in different threads

* Bumped warnings up to the max and fixed remaining issues (#890)

Co-authored-by: Your Name <you@example.com>

* nits

* frida mode - support non-pie

* nits

* nit

* update grammar mutator

* Fixes for aarch64, OSX and other minor issues (#891)

Co-authored-by: Your Name <you@example.com>

* nits

* nits

* fix PCGUARD, build aflpp_driver with fPIC

* Added representative fuzzbench test and test for libxml (#893)

* Added representative fuzzbench test and test for libxml

* Added support for building FRIDA from source with FRIDA_SOURCE=1

Co-authored-by: Your Name <you@example.com>

* nits

* update changelog

* typos

* fixed potential double free in custom trim (#881)

* error handling, freeing mem

* frida: complog -> cmplog

* fix statsd writing

* let aflpp_qemu_driver_hook.so build fail gracefully

* fix stdin trimming

* Support for AFL_ENTRYPOINT (#898)

Co-authored-by: Your Name <you@example.com>

* remove the input file .cur_input at the end of the fuzzing, if AFL_TMPDIR is used

* reverse push (#901)

* Create FUNDING.yml

* Update FUNDING.yml

* disable QEMU static pie

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>

* clarify that no modifications are required.

* add new test for frida_mode (please review)

* typos

* fix persistent mode (64-bit)

* set ARCH for linux intel 32-bit for frida-gum-devkit

* prepare for 32-bit support (later)

* not on qemu 3 anymore

* unicorn mips fixes

* instrumentation further move to C++11 (#900)

* unicorn fixes

* more unicorn fixes

* Fix memory errors when trim causes testcase growth (#881) (#903)

* Revert "fixed potential double free in custom trim (#881)"

This reverts commit e9d2f72382cab75832721d859c3e731da071435d.

* Revert "fix custom trim for increasing data"

This reverts commit 86a8ef168dda766d2f25f15c15c4d3ecf21d0667.

* Fix memory errors when trim causes testcase growth

Modify trim_case_custom to avoid writing into in_buf because
some custom mutators can cause the testcase to grow rather than
shrink.

Instead of modifying in_buf directly, we write the update out
to the disk when trimming is complete, and then the caller is
responsible for refreshing the in-memory buffer from the file.

This is still a bit sketchy because it does need to modify q->len in
order to notify the upper layers that something changed, and it could
end up telling upper layer code that the q->len is *bigger* than
the buffer (q->testcase_buf) that contains it, which is asking
for trouble down the line somewhere...

* Fix an unlikely situation

Put back some `unlikely()` calls that were in
the e9d2f72382cab75832721d859c3e731da071435d commit that was
reverted.

* typo

* Exit on time (#904)

* Variable AFL_EXIT_ON_TIME description has been added.
Variables AFL_EXIT_ON_TIME and afl_exit_on_time has been added.
afl->exit_on_time variable initialization has been added.
The asignment of a value to the afl->afl_env.afl_exit_on_time variable from
environment variables has been added.
Code to exit on timeout if new path not found has been added.

* Type of afl_exit_on_time variable has been changed.
Variable exit_on_time has been added to the afl_state_t structure.

* Command `export AFL_EXIT_WHEN_DONE=1` has been added.

* Millisecond to second conversion has been added.
Call get_cur_time() has been added.

* Revert to using the saved current time value.

* Useless check has been removed.

* fix new path to custom-mutators

* ensure crashes/README.txt exists

* fix

* Changes to bump FRIDA version and to clone FRIDA repo in to build directory rather than use a submodule as the FRIDA build scripts don't like it (#906)

Co-authored-by: Your Name <you@example.com>

* Fix numeric overflow in cmplog implementation (#907)

Co-authored-by: Your Name <you@example.com>

* testcase fixes for unicorn

* remove merge conflict artifacts

* fix afl-plot

* Changes to remove binaries from frida_mode (#913)

Co-authored-by: Your Name <you@example.com>

* Frida cmplog fail fast (#914)

* Changes to remove binaries from frida_mode

* Changes to make cmplog fail fast

Co-authored-by: Your Name <you@example.com>

* afl-plot: relative time

* arch linux and mac os support for afl-system-config

* typo

* code-format

* update documentation

Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: Dmitry Zheregelya <zheregelya.d@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Co-authored-by: hexcoder- <heiko@hexco.de>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: realmadsci <71108352+realmadsci@users.noreply.github.com>
Co-authored-by: Roman M. Iudichev <SecNotice@ya.ru>
2021-05-10 13:57:47 +02:00

3.1 KiB
Raw Blame History

AFL "Life Pro Tips"

Bite-sized advice for those who understand the basics, but can't be bothered to read or memorize every other piece of documentation for AFL.

Get more bang for your buck by using fuzzing dictionaries.

See dictionaries/README.md to learn how.

You can get the most out of your hardware by parallelizing AFL jobs.

See parallel_fuzzing.md for step-by-step tips.

Improve the odds of spotting memory corruption bugs with libdislocator.so!

It's easy. Consult utils/libdislocator/README.md for usage tips.

Want to understand how your target parses a particular input file?

Try the bundled afl-analyze tool; it's got colors and all!

You can visually monitor the progress of your fuzzing jobs.

Run the bundled afl-plot utility to generate browser-friendly graphs.

Need to monitor AFL jobs programmatically?

Check out the fuzzer_stats file in the AFL output dir or try afl-whatsup.

Puzzled by something showing up in red or purple in the AFL UI?

It could be important - consult docs/status_screen.md right away!

Know your target? Convert it to persistent mode for a huge performance gain!

Consult section #5 in README.llvm.md for tips.

Using clang?

Check out instrumentation/ for a faster alternative to afl-gcc!

Did you know that AFL can fuzz closed-source or cross-platform binaries?

Check out qemu_mode/README.md and unicorn_mode/README.md for more.

Did you know that afl-fuzz can minimize any test case for you?

Try the bundled afl-tmin tool - and get small repro files fast!

Not sure if a crash is exploitable? AFL can help you figure it out. Specify

-C to enable the peruvian were-rabbit mode.

Trouble dealing with a machine uprising? Relax, we've all been there.

Find essential survival tips at http://lcamtuf.coredump.cx/prep/.

Want to automatically spot non-crashing memory handling bugs?

Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.

Good selection of input files is critical to a successful fuzzing job.

See docs/perf_tips.md for pro tips.

You can improve the odds of automatically spotting stack corruption issues.

Specify AFL_HARDEN=1 in the environment to enable hardening flags.

Bumping into problems with non-reproducible crashes?

It happens, but usually isn't hard to diagnose. See section #7 in README.md for tips.

Fuzzing is not just about memory corruption issues in the codebase.

Add some sanity-checking assert() / abort() statements to effortlessly catch logic bugs.

Hey kid... pssst... want to figure out how AFL really works?

Check out docs/technical_details.md for all the gory details in one place!

There's a ton of third-party helper tools designed to work with AFL!

Be sure to check out docs/sister_projects.md before writing your own.

Need to fuzz the command-line arguments of a particular program?

You can find a simple solution in utils/argv_fuzzing.

Attacking a format that uses checksums?

Remove the checksum-checking code or use a postprocessor! See afl_custom_post_process in custom_mutators/examples/example.c for more.