ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-09 16:51:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
AFLplusplus/docs/ci_fuzzing.md
vanhauser-thc 51b2e86ec0 fix links
2021-09-15 12:28:05 +02:00

1.7 KiB
Raw Blame History

CI Fuzzing

Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing campaigns as these are much shorter runnings.

  1. Always:

    • LTO has a much longer compile time which is diametrical to short fuzzing - hence use afl-clang-fast instead.
    • If you compile with CMPLOG then you can save fuzzing time and reuse that compiled target for both the -c option and the main fuzz target. This will impact the speed by ~15% though.
    • AFL_FAST_CAL - Enable fast calibration, this halfs the time the saturated corpus needs to be loaded.
    • AFL_CMPLOG_ONLY_NEW - only perform cmplog on new found paths, not the initial corpus as this very likely has been done for them already.
    • Keep the generated corpus, use afl-cmin and reuse it every time!

  2. Additionally randomize the AFL++ compilation options, e.g.

    • 40% for AFL_LLVM_CMPLOG
    • 10% for AFL_LLVM_LAF_ALL

  3. Also randomize the afl-fuzz runtime options, e.g.

    • 65% for AFL_DISABLE_TRIM
    • 50% use a dictionary generated by AFL_LLVM_DICT2FILE
    • 40% use MOpt (-L 0)
    • 40% for AFL_EXPAND_HAVOC_NOW
    • 20% for old queue processing (-Z)
    • for CMPLOG targets, 60% for -l 2, 40% for -l 3

  4. Do not run any -M modes, just running -S modes is better for CI fuzzing. -M enables old queue handling etc. which is good for a fuzzing campaign but not good for short CI runs.

How this can look like can e.g. be seen at AFL++'s setup in Google's oss-fuzz and clusterfuzz.