Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in
at 2017-04-12 17:37:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Wed Apr 12 17:37:50 2017 rev:33 rq:487488 version:2.41b
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2017-03-12 20:04:31.585287600
+0100
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2017-04-12
17:59:36.698828781 +0200
@@ -1,0 +2,13 @@
+Wed Apr 12 06:25:50 UTC 2017 - meiss...@suse.com
+
+- update to 2.41b:
+ - Addressed a major user complaint related to timeout detection. Timing out
+ inputs are now binned as "hangs" only if they exceed a far more generous
+ time limit than the one used to reject slow paths.
+- update to 2.40b:
+ - Fixed a minor oversight in the insertion strategy for dictionary words.
+ Spotted by Andrzej Jackowski.
+ - Made a small improvement to the havoc block insertion strategy.
+ - Adjusted color rules for "is it done yet?" indicators.
+
+-------------------------------------------------------------------
Old:
----
afl-2.39b.tgz
New:
----
afl-2.41b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.Wr9qAq/_old 2017-04-12 17:59:37.206756948 +0200
+++ /var/tmp/diff_new_pack.Wr9qAq/_new 2017-04-12 17:59:37.210756383 +0200
@@ -17,7 +17,7 @@
Name: afl
-Version: 2.39b
+Version: 2.41b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
++++++ afl-2.39b.tgz -> afl-2.41b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/afl-fuzz.c new/afl-2.41b/afl-fuzz.c
--- old/afl-2.39b/afl-fuzz.c 2016-11-27 03:10:23.000000000 +0100
+++ new/afl-2.41b/afl-fuzz.c 2017-04-12 06:45:34.000000000 +0200
@@ -92,7 +92,9 @@
*orig_cmdline; /* Original command line */
EXP_ST u32 exec_tmout = EXEC_TIMEOUT; /* Configurable exec timeout (ms) */
-EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */
+static u32 hang_tmout = EXEC_TIMEOUT; /* Timeout used for hang det (ms) */
+
+EXP_ST u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */
static u32 stats_update_freq = 1; /* Stats update frequency (execs) */
@@ -132,7 +134,7 @@
EXP_ST u8* trace_bits; /* SHM with instrumentation bitmap */
EXP_ST u8 virgin_bits[MAP_SIZE], /* Regions yet untouched by fuzzing */
- virgin_hang[MAP_SIZE], /* Bits we haven't seen in hangs */
+ virgin_tmout[MAP_SIZE], /* Bits we haven't seen in tmouts */
virgin_crash[MAP_SIZE]; /* Bits we haven't seen in crashes */
static u8 var_bytes[MAP_SIZE]; /* Bytes that appear to be variable */
@@ -162,7 +164,8 @@
EXP_ST u64 total_crashes, /* Total number of crashes */
unique_crashes, /* Crashes with unique signatures */
- total_hangs, /* Total number of hangs */
+ total_tmouts, /* Total number of timeouts */
+ unique_tmouts, /* Timeouts with unique signatures */
unique_hangs, /* Hangs with unique signatures */
total_execs, /* Total execve() calls */
start_time, /* Unix start time (ms) */
@@ -178,7 +181,7 @@
blocks_eff_total, /* Blocks subject to effector maps */
blocks_eff_select; /* Blocks selected as fuzzable */
-static u32 subseq_hangs; /* Number of hangs in a row */
+static u32 subseq_tmouts; /* Number of timeouts in a row */
static u8 *stage_name = "init", /* Name of the current fuzz stage */
*stage_short, /* Short stage name */
@@ -308,7 +311,7 @@
enum {
/* 00 */ FAULT_NONE,
- /* 01 */ FAULT_HANG,
+ /* 01 */ FAULT_TMOUT,
/* 02 */ FAULT_CRASH,
/* 03 */ FAULT_ERROR,
/* 04 */ FAULT_NOINST,
@@ -1031,7 +1034,7 @@
/* Destructively simplify trace by eliminating hit count information
and replacing it with 0x80 or 0x01 depending on whether the tuple
- is hit or not. Called on every new crash or hang, should be
+ is hit or not. Called on every new crash or timeout, should be
reasonably fast. */
static const u8 simplify_lookup[256] = {
@@ -1122,7 +1125,7 @@
static u16 count_class_lookup16[65536];
-static void init_count_class16(void) {
+EXP_ST void init_count_class16(void) {
u32 b1, b2;
@@ -1339,7 +1342,7 @@
if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE);
- memset(virgin_hang, 255, MAP_SIZE);
+ memset(virgin_tmout, 255, MAP_SIZE);
memset(virgin_crash, 255, MAP_SIZE);
shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);
@@ -2252,7 +2255,7 @@
/* Execute target application, monitoring for timeouts. Return status
information. The called program will update trace_bits[]. */
-static u8 run_target(char** argv) {
+static u8 run_target(char** argv, u32 timeout) {
static struct itimerval it;
static u32 prev_timed_out = 0;
@@ -2378,8 +2381,8 @@
/* Configure timeout, as requested by user, then wait for child to
terminate. */
- it.it_value.tv_sec = (exec_tmout / 1000);
- it.it_value.tv_usec = (exec_tmout % 1000) * 1000;
+ it.it_value.tv_sec = (timeout / 1000);
+ it.it_value.tv_usec = (timeout % 1000) * 1000;
setitimer(ITIMER_REAL, &it, NULL);
@@ -2429,7 +2432,7 @@
/* Report outcome to caller. */
- if (child_timed_out) return FAULT_HANG;
+ if (child_timed_out) return FAULT_TMOUT;
if (WIFSIGNALED(status) && !stop_soon) {
kill_signal = WTERMSIG(status);
@@ -2529,7 +2532,8 @@
u64 start_us, stop_us;
- s32 old_sc = stage_cur, old_sm = stage_max, old_tmout = exec_tmout;
+ s32 old_sc = stage_cur, old_sm = stage_max;
+ u32 use_tmout = exec_tmout;
u8* old_sn = stage_name;
/* Be a bit more generous about timeouts when resuming sessions, or when
@@ -2537,8 +2541,8 @@
to intermittent latency. */
if (!from_queue || resuming_fuzz)
- exec_tmout = MAX(exec_tmout + CAL_TMOUT_ADD,
- exec_tmout * CAL_TMOUT_PERC / 100);
+ use_tmout = MAX(exec_tmout + CAL_TMOUT_ADD,
+ exec_tmout * CAL_TMOUT_PERC / 100);
q->cal_failed++;
@@ -2563,7 +2567,7 @@
write_to_testcase(use_mem, q->len);
- fault = run_target(argv);
+ fault = run_target(argv, use_tmout);
/* stop_soon is set by the handler for Ctrl+C. When it's pressed,
we want to bail out quickly. */
@@ -2657,7 +2661,6 @@
stage_name = old_sn;
stage_cur = old_sc;
stage_max = old_sm;
- exec_tmout = old_tmout;
if (!first_run) show_stats();
@@ -2730,7 +2733,7 @@
break;
- case FAULT_HANG:
+ case FAULT_TMOUT:
if (timeout_given) {
@@ -2739,7 +2742,7 @@
out. */
if (timeout_given > 1) {
- WARNF("Test case results in a hang (skipping)");
+ WARNF("Test case results in a timeout (skipping)");
q->cal_failed = CAL_CHANCES;
cal_failures++;
break;
@@ -2753,7 +2756,7 @@
" '+' at the end of the value passed to -t ('-t %u+').\n",
exec_tmout,
exec_tmout);
- FATAL("Test case '%s' results in a hang", fn);
+ FATAL("Test case '%s' results in a timeout", fn);
} else {
@@ -2765,7 +2768,7 @@
" If this test case is just a fluke, the other option is to
just avoid it\n"
" altogether, and find one that is less of a CPU hog.\n",
exec_tmout);
- FATAL("Test case '%s' results in a hang", fn);
+ FATAL("Test case '%s' results in a timeout", fn);
}
@@ -3161,14 +3164,14 @@
switch (fault) {
- case FAULT_HANG:
+ case FAULT_TMOUT:
- /* Hangs are not very interesting, but we're still obliged to keep
+ /* Timeouts are not very interesting, but we're still obliged to keep
a handful of samples. We use the presence of new bits in the
hang-specific bitmap as a signal of uniqueness. In "dumb" mode, we
just keep everything. */
- total_hangs++;
+ total_tmouts++;
if (unique_hangs >= KEEP_UNIQUE_HANG) return keeping;
@@ -3180,7 +3183,23 @@
simplify_trace((u32*)trace_bits);
#endif /* ^__x86_64__ */
- if (!has_new_bits(virgin_hang)) return keeping;
+ if (!has_new_bits(virgin_tmout)) return keeping;
+
+ }
+
+ unique_tmouts++;
+
+ /* Before saving, we make sure that it's a genuine hang by re-running
+ the target with a more generous timeout (unless the default timeout
+ is already generous). */
+
+ if (exec_tmout < hang_tmout) {
+
+ u8 new_fault;
+ write_to_testcase(mem, len);
+ new_fault = run_target(argv, hang_tmout);
+
+ if (stop_soon || new_fault != FAULT_TMOUT) return keeping;
}
@@ -3204,8 +3223,9 @@
case FAULT_CRASH:
- /* This is handled in a manner roughly similar to hangs,
- except for slightly different limits. */
+ /* This is handled in a manner roughly similar to timeouts,
+ except for slightly different limits and no need to re-run test
+ cases. */
total_crashes++;
@@ -3976,14 +3996,17 @@
} else {
+ u64 min_wo_finds = (cur_ms - last_path_time) / 1000 / 60;
+
/* First queue cycle: don't stop now! */
- if (queue_cycle == 1) strcpy(tmp, cMGN); else
+ if (queue_cycle == 1 || min_wo_finds < 15) strcpy(tmp, cMGN); else
/* Subsequent cycles, but we're still making finds. */
- if (cycles_wo_finds < 25) strcpy(tmp, cYEL); else
+ if (cycles_wo_finds < 25 || min_wo_finds < 30) strcpy(tmp, cYEL); else
/* No finds for a long time and no test cases to try. */
- if (cycles_wo_finds > 100 && !pending_not_fuzzed) strcpy(tmp, cLGN);
+ if (cycles_wo_finds > 100 && !pending_not_fuzzed && min_wo_finds > 120)
+ strcpy(tmp, cLGN);
/* Default: cautiously OK to stop? */
else strcpy(tmp, cLBL);
@@ -4129,10 +4152,10 @@
}
- sprintf(tmp, "%s (%s%s unique)", DI(total_hangs), DI(unique_hangs),
+ sprintf(tmp, "%s (%s%s unique)", DI(total_tmouts), DI(unique_tmouts),
(unique_hangs >= KEEP_UNIQUE_HANG) ? "+" : "");
- SAYF (bSTG bV bSTOP " total hangs : " cRST "%-22s " bSTG bV "\n", tmp);
+ SAYF (bSTG bV bSTOP " total tmouts : " cRST "%-22s " bSTG bV "\n", tmp);
/* Aaaalmost there... hold on! */
@@ -4385,6 +4408,12 @@
}
+ /* In dumb mode, re-running every timing out test case with a generous time
+ limit is very expensive, so let's select a more conservative default. */
+
+ if (dumb_mode && !getenv("AFL_HANG_TMOUT"))
+ hang_tmout = exec_tmout * 4;
+
OKF("All set and ready to roll!");
}
@@ -4449,7 +4478,7 @@
write_with_gap(in_buf, q->len, remove_pos, trim_avail);
- fault = run_target(argv);
+ fault = run_target(argv, exec_tmout);
trim_execs++;
if (stop_soon || fault == FAULT_ERROR) goto abort_trimming;
@@ -4544,18 +4573,18 @@
write_to_testcase(out_buf, len);
- fault = run_target(argv);
+ fault = run_target(argv, exec_tmout);
if (stop_soon) return 1;
- if (fault == FAULT_HANG) {
+ if (fault == FAULT_TMOUT) {
- if (subseq_hangs++ > HANG_LIMIT) {
+ if (subseq_tmouts++ > TMOUT_LIMIT) {
cur_skipped_paths++;
return 1;
}
- } else subseq_hangs = 0;
+ } else subseq_tmouts = 0;
/* Users can hit us with SIGUSR1 to request the current input
to be abandoned. */
@@ -4600,9 +4629,19 @@
max_value = HAVOC_BLK_MEDIUM;
break;
- default: min_value = HAVOC_BLK_MEDIUM;
- max_value = HAVOC_BLK_LARGE;
+ default:
+
+ if (UR(10)) {
+
+ min_value = HAVOC_BLK_MEDIUM;
+ max_value = HAVOC_BLK_LARGE;
+ } else {
+
+ min_value = HAVOC_BLK_LARGE;
+ max_value = HAVOC_BLK_XL;
+
+ }
}
@@ -4950,7 +4989,7 @@
out_buf = ck_alloc_nozero(len);
- subseq_hangs = 0;
+ subseq_tmouts = 0;
cur_depth = queue_cur->depth;
@@ -4960,7 +4999,7 @@
if (queue_cur->cal_failed) {
- u8 res = FAULT_HANG;
+ u8 res = FAULT_TMOUT;
if (queue_cur->cal_failed < CAL_CHANCES) {
@@ -5553,7 +5592,7 @@
/* Little endian first. Same deal as with 16-bit: we only want to
try if the operation would have effect on more than two bytes. */
- stage_val_type = STAGE_VAL_LE;
+ stage_val_type = STAGE_VAL_LE;
if ((orig & 0xffff) + j > 0xffff && !could_be_bitflip(r1)) {
@@ -5881,7 +5920,7 @@
ex_tmp = ck_alloc(len + MAX_DICT_FILE);
- for (i = 0; i < len; i++) {
+ for (i = 0; i <= len; i++) {
stage_cur_byte = i;
@@ -6230,16 +6269,26 @@
case 13:
- if (temp_len + HAVOC_BLK_LARGE < MAX_FILE) {
+ if (temp_len + HAVOC_BLK_XL < MAX_FILE) {
/* Clone bytes (75%) or insert a block of constant bytes (25%). */
+ u8 actually_clone = UR(4);
u32 clone_from, clone_to, clone_len;
u8* new_buf;
- clone_len = choose_block_len(temp_len);
+ if (actually_clone) {
+
+ clone_len = choose_block_len(temp_len);
+ clone_from = UR(temp_len - clone_len + 1);
+
+ } else {
+
+ clone_len = choose_block_len(HAVOC_BLK_XL);
+ clone_from = 0;
+
+ }
- clone_from = UR(temp_len - clone_len + 1);
clone_to = UR(temp_len);
new_buf = ck_alloc_nozero(temp_len + clone_len);
@@ -6250,10 +6299,11 @@
/* Inserted part */
- if (UR(4))
+ if (actually_clone)
memcpy(new_buf + clone_to, out_buf + clone_from, clone_len);
else
- memset(new_buf + clone_to, UR(256), clone_len);
+ memset(new_buf + clone_to,
+ UR(2) ? UR(256) : out_buf[UR(temp_len)], clone_len);
/* Tail */
memcpy(new_buf + clone_to + clone_len, out_buf + clone_to,
@@ -6286,7 +6336,8 @@
if (copy_from != copy_to)
memmove(out_buf + copy_to, out_buf + copy_from, copy_len);
- } else memset(out_buf + copy_to, UR(256), copy_len);
+ } else memset(out_buf + copy_to,
+ UR(2) ? UR(256) : out_buf[UR(temp_len)], copy_len);
break;
@@ -6334,7 +6385,7 @@
case 16: {
- u32 use_extra, extra_len, insert_at = UR(temp_len);
+ u32 use_extra, extra_len, insert_at = UR(temp_len + 1);
u8* new_buf;
/* Insert an extra. Do the same dice-rolling stuff as for the
@@ -6649,7 +6700,7 @@
write_to_testcase(mem, st.st_size);
- fault = run_target(argv);
+ fault = run_target(argv, exec_tmout);
if (stop_soon) return;
@@ -7155,7 +7206,7 @@
" external crash reporting utility. This will cause issues due to
the\n"
" extended delay between the fuzzed binary malfunctioning and this
fact\n"
" being relayed to the fuzzer via the standard waitpid() API.\n\n"
- " To avoid having crashes misinterpreted as hangs, please run the\n"
+ " To avoid having crashes misinterpreted as timeouts, please run
the\n"
" following commands:\n\n"
" SL=/System/Library; PL=com.apple.ReportCrash\n"
@@ -7185,7 +7236,7 @@
" between stumbling upon a crash and having this information
relayed to the\n"
" fuzzer via the standard waitpid() API.\n\n"
- " To avoid having crashes misinterpreted as hangs, please log in
as root\n"
+ " To avoid having crashes misinterpreted as timeouts, please log
in as root\n"
" and temporarily modify /proc/sys/kernel/core_pattern, like
so:\n\n"
" echo core >/proc/sys/kernel/core_pattern\n");
@@ -7833,6 +7884,11 @@
if (getenv("AFL_NO_CPU_RED")) no_cpu_meter_red = 1;
if (getenv("AFL_SHUFFLE_QUEUE")) shuffle_queue = 1;
+ if (getenv("AFL_HANG_TMOUT")) {
+ hang_tmout = atoi(getenv("AFL_HANG_TMOUT"));
+ if (!hang_tmout) FATAL("Invalid value of AFL_HANG_TMOUT");
+ }
+
if (dumb_mode == 2 && no_forkserver)
FATAL("AFL_DUMB_FORKSRV and AFL_NO_FORKSRV are mutually exclusive");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/config.h new/afl-2.41b/config.h
--- old/afl-2.39b/config.h 2017-02-02 19:40:52.000000000 +0100
+++ new/afl-2.41b/config.h 2017-04-12 06:46:53.000000000 +0200
@@ -21,7 +21,7 @@
/* Version string: */
-#define VERSION "2.39b"
+#define VERSION "2.41b"
/******************************************************
* *
@@ -38,7 +38,8 @@
#define FANCY_BOXES
-/* Default timeout for fuzzed code (milliseconds): */
+/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
+ also used for detecting hangs; the actual value is auto-scaled: */
#define EXEC_TIMEOUT 1000
@@ -64,9 +65,9 @@
#define CAL_CYCLES 8
#define CAL_CYCLES_LONG 40
-/* Number of subsequent hangs before abandoning an input file: */
+/* Number of subsequent timeouts before abandoning an input file: */
-#define HANG_LIMIT 250
+#define TMOUT_LIMIT 250
/* Maximum number of unique hangs or crashes to record: */
@@ -106,6 +107,10 @@
#define HAVOC_BLK_MEDIUM 128
#define HAVOC_BLK_LARGE 1500
+/* Extra-large blocks, selected very rarely (<5% of the time): */
+
+#define HAVOC_BLK_XL 32768
+
/* Probabilities of skipping non-favored entries in the queue, expressed as
percentages: */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/docs/ChangeLog new/afl-2.41b/docs/ChangeLog
--- old/afl-2.39b/docs/ChangeLog 2017-02-01 18:49:12.000000000 +0100
+++ new/afl-2.41b/docs/ChangeLog 2017-04-12 06:05:03.000000000 +0200
@@ -17,6 +17,25 @@
to get on with the times.
--------------
+Version 2.41b:
+--------------
+
+ - Addressed a major user complaint related to timeout detection. Timing out
+ inputs are now binned as "hangs" only if they exceed a far more generous
+ time limit than the one used to reject slow paths.
+
+--------------
+Version 2.40b:
+--------------
+
+ - Fixed a minor oversight in the insertion strategy for dictionary words.
+ Spotted by Andrzej Jackowski.
+
+ - Made a small improvement to the havoc block insertion strategy.
+
+ - Adjusted color rules for "is it done yet?" indicators.
+
+--------------
Version 2.39b:
--------------
@@ -71,7 +90,7 @@
are unique to the input file, but not to the "boring" baseline.
Suggested by Sami Liedes.
- - "Fixed" a getPassName() problem with never versions of clang.
+ - "Fixed" a getPassName() problem with newer versions of clang.
Reported by Craig Young and several other folks.
Yep, I know I have a backlog on several other feature requests.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/docs/README new/afl-2.41b/docs/README
--- old/afl-2.39b/docs/README 2017-01-13 22:41:35.000000000 +0100
+++ new/afl-2.41b/docs/README 2017-04-12 06:08:38.000000000 +0200
@@ -220,10 +220,11 @@
fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are
grouped by the received signal.
- - hangs/ - unique test cases that cause the tested program to time out.
Note
- that when default (aggressive) timeout settings are in effect,
- this can be slightly noisy due to latency spikes and other
- natural phenomena.
+ - hangs/ - unique test cases that cause the tested program to time out. The
+ default time limit before something is classified as a hang is
+ the larger of 1 second and the value of the -t parameter.
+ The value can be fine-tuned by setting AFL_HANG_TMOUT, but this
+ is rarely necessary.
Crashes and hangs are considered "unique" if the associated execution paths
involve any state transitions not seen in previously-recorded faults. If a
@@ -481,6 +482,7 @@
Joshua J. Drake Toby Hutton
Rene Freingruber Sergey Davidoff
Sami Liedes Craig Young
+ Andrzej Jackowski
Thank you!
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/docs/env_variables.txt
new/afl-2.41b/docs/env_variables.txt
--- old/afl-2.39b/docs/env_variables.txt 2016-09-16 05:54:51.000000000
+0200
+++ new/afl-2.41b/docs/env_variables.txt 2017-04-12 06:10:55.000000000
+0200
@@ -116,6 +116,13 @@
intermittently, but it's not really recommended under normal operating
conditions.
+ - Setting AFL_HANG_TMOUT allows you to specify a different timeout for
+ deciding if a particular test case is a "hang". The default is 1 second
+ or the value of the -t parameter, whichever is larger. Dialing the value
+ down can be useful if you are very concerned about slow inputs, or if you
+ don't want AFL to spend too much time classifying that stuff and just
+ rapidly put all timeouts in that bin.
+
- AFL_SHUFFLE_QUEUE randomly reorders the input queue on startup. Requested
by some users for unorthodox parallelized fuzzing setups, but not
advisable otherwise.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/docs/sister_projects.txt
new/afl-2.41b/docs/sister_projects.txt
--- old/afl-2.39b/docs/sister_projects.txt 2017-02-01 18:48:38.000000000
+0100
+++ new/afl-2.41b/docs/sister_projects.txt 2017-03-14 20:45:31.000000000
+0100
@@ -85,6 +85,10 @@
https://github.com/ivanfratric/winafl
+ Another Windows alternative may be:
+
+ https://github.com/carlosgprado/BrundleFuzz/
+
----------------
Network fuzzing:
----------------
@@ -120,6 +124,13 @@
https://github.com/MartijnB/disfuzz-afl
+AFLDFF (quantumvm)
+------------------
+
+ A nice GUI for managing AFL jobs.
+
+ https://github.com/quantumvm/AFLDFF
+
afl-launch (Ben Nagy)
---------------------
@@ -134,6 +145,10 @@
https://github.com/rc0r/afl-utils
+ Another crash triage tool:
+
+ https://github.com/floyd-fuh/afl-crash-analyzer
+
afl-fuzzing-scripts (Tobias Ospelt)
-----------------------------------
@@ -148,6 +163,10 @@
https://github.com/d33tah/afl-sid
+ Another Docker-related project:
+
+ https://github.com/ozzyjohnson/docker-afl
+
afl-monitor (Paul S. Ziegler)
-----------------------------
@@ -226,7 +245,7 @@
Simple automation to suspend and resume groups of fuzzing jobs.
- https://gist.github.com/bnagy/8f0eb29eb125653f73fd
+ https://github.com/bnagy/afl-trivia
Static binary-only instrumentation (Aleksandar Nikolich)
--------------------------------------------------------
@@ -303,3 +322,17 @@
https://github.com/google/syzkaller/wiki/Found-Bugs
https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
+
+Android support (ele7enxxh)
+---------------------------
+
+ Based on a somewhat dated version of AFL:
+
+ https://github.com/ele7enxxh/android-afl
+
+CGI wrapper (floyd)
+-------------------
+
+ Facilitates the testing of CGI scripts.
+
+ https://github.com/floyd-fuh/afl-cgi-wrapper
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-2.39b/docs/status_screen.txt
new/afl-2.41b/docs/status_screen.txt
--- old/afl-2.39b/docs/status_screen.txt 2016-08-09 03:41:17.000000000
+0200
+++ new/afl-2.41b/docs/status_screen.txt 2017-04-12 06:32:13.000000000
+0200
@@ -231,7 +231,7 @@
| favored paths : 879 (41.96%) |
| new edges on : 423 (20.19%) |
| total crashes : 0 (0 unique) |
- | total hangs : 24 (19 unique) |
+ | total tmouts : 24 (19 unique) |
+--------------------------------------+
This gives you several metrics that are of interest mostly to complete nerds.
@@ -239,7 +239,11 @@
on a minimization algorithm baked into the code (these will get considerably
more air time), and the number of test cases that actually resulted in better
edge coverage (versus just pushing the branch hit counters up). There are also
-additional, more detailed counters for crashes and hangs.
+additional, more detailed counters for crashes and timeouts.
+
+Note that the timeout counter is somewhat different from the hang counter; this
+one includes all test cases that exceeded the timeout, even if they did not
+exceed it by a margin sufficient to be classified as hangs.
7) Fuzzing strategy yields
--------------------------
