Hello community,
here is the log from the commit of package afl for openSUSE:Factory checked in
at 2015-04-22 01:18:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/afl (Old)
and /work/SRC/openSUSE:Factory/.afl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "afl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/afl/afl.changes 2015-04-16 14:14:15.000000000
+0200
+++ /work/SRC/openSUSE:Factory/.afl.new/afl.changes 2015-04-22
01:18:45.000000000 +0200
@@ -1,0 +2,15 @@
+Mon Apr 20 17:20:09 UTC 2015 - astie...@suse.com
+
+- afl 1.71b:
+ - Fix bug with installed copies of AFL trying to use QEMU mode.
+ - Add last path / crash / hang times to fuzzer_stats
+- with changes from 1.70b:
+ - Modify resumption code to reuse the original timeout value when
+ resuming a session if -t is not given. This prevents timeout
+ creep in continuous fuzzing.
+ - Add improved error messages for failed handshake when
+ AFL_DEFER_FORKSRV is set.
+ - slight improvement to llvm_mode/Makefile
+ - Refresh several bits of documentation.
+
+-------------------------------------------------------------------
Old:
----
afl-1.69b.tgz
New:
----
afl-1.71b.tgz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ afl.spec ++++++
--- /var/tmp/diff_new_pack.paSwkp/_old 2015-04-22 01:18:46.000000000 +0200
+++ /var/tmp/diff_new_pack.paSwkp/_new 2015-04-22 01:18:46.000000000 +0200
@@ -17,7 +17,7 @@
Name: afl
-Version: 1.69b
+Version: 1.71b
Release: 0
Summary: American fuzzy lop is a security-oriented fuzzer
License: Apache-2.0
++++++ afl-1.69b.tgz -> afl-1.71b.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/Makefile new/afl-1.71b/Makefile
--- old/afl-1.69b/Makefile 2015-04-16 08:11:39.000000000 +0200
+++ new/afl-1.71b/Makefile 2015-04-20 03:17:54.000000000 +0200
@@ -14,7 +14,7 @@
#
PROGNAME = afl
-VERSION = 1.69b
+VERSION = 1.71b
PREFIX ?= /usr/local
BIN_PATH = $(PREFIX)/bin
@@ -98,6 +98,7 @@
all_done: test_build
@echo "[+] All done! Be sure to review README - it's pretty short and
useful."
+ @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS
X is slow because of the unusually high overhead of\nfork() on this OS.
Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to
put AFL inside a Linux or *BSD VM.\n\n"; fi
@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this,
your terminal probably uses white background.\nThis will make the UI hard to
read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
.NOTPARALLEL: clean
@@ -127,7 +128,7 @@
test "`basename $$PWD`" = "afl" || exit 1
test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0"
]; then echo; echo "Change program version in Makefile, mmkay?"; echo; exit 1;
fi
cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME)
$(PROGNAME)-$(VERSION); \
- tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
$(PROGNAME)-$(VERSION)
+ tar -cvz --exclude openssl-null-ptr2.der -f
~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz
$(PROGNAME)-latest.tgz )
cat docs/README >~/www/afl/README.txt
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/afl-fuzz.c new/afl-1.71b/afl-fuzz.c
--- old/afl-1.69b/afl-fuzz.c 2015-04-15 07:38:00.000000000 +0200
+++ new/afl-1.71b/afl-fuzz.c 2015-04-20 03:39:02.000000000 +0200
@@ -1892,8 +1892,9 @@
SAYF("\n" cLRD "[-] " cRST
"Hmm, looks like the target binary terminated before we could
complete a\n"
- " handshake with the injected code. There are two probable
explanations:\n\n"
+ " handshake with the injected code. There are %s probable
explanations:\n\n"
+ "%s"
" - The current memory limit (%s) is too restrictive, causing an
OOM\n"
" fault in the dynamic linker. This can be fixed with the -m
option. A\n"
" simple way to confirm the diagnosis may be:\n\n"
@@ -1909,6 +1910,10 @@
" - Less likely, there is a horrible bug in the fuzzer. If other
options\n"
" fail, poke <lcam...@coredump.cx> for troubleshooting tips.\n",
+ getenv("AFL_DEFER_FORKSRV") ? "three" : "two",
+ getenv("AFL_DEFER_FORKSRV") ?
+ " - You are using AFL_DEFER_FORKSRV, but __afl_manual_init() is
never\n"
+ " reached before the program terminates.\n\n" : "",
DMS(mem_limit << 20), mem_limit - 1);
}
@@ -2371,7 +2376,7 @@
instructs afl-fuzz to tolerate but skip queue entries that time
out. */
- if (timeout_given == 2) {
+ if (timeout_given > 1) {
WARNF("Test case results in a hang (skipping)");
q->cal_failed = CAL_CHANCES;
cal_failures++;
@@ -2923,6 +2928,43 @@
}
+/* The same, but for timeouts. The idea is that when resuming sessions without
+ -t given, we don't want to keep auto-scaling the timeout over and over
+ again to prevent it from growing due to random flukes. */
+
+static void find_timeout(void) {
+
+ static u8 tmp[4096]; /* Ought to be enough for anybody. */
+
+ u8 *fn, *off;
+ s32 fd, i;
+ u32 ret;
+
+ if (!resuming_fuzz) return;
+
+ if (in_place_resume) fn = alloc_printf("%s/fuzzer_stats", out_dir);
+ else fn = alloc_printf("%s/../fuzzer_stats", in_dir);
+
+ fd = open(fn, O_RDONLY);
+ ck_free(fn);
+
+ if (fd < 0) return;
+
+ i = read(fd, tmp, sizeof(tmp) - 1); (void)i; /* Ignore errors */
+ close(fd);
+
+ off = strstr(tmp, "exec_timeout : ");
+ if (!off) return;
+
+ ret = atoi(off + 17);
+ if (ret <= 4) return;
+
+ exec_tmout = ret;
+ timeout_given = 3;
+
+}
+
+
/* Update stats file for unattended monitoring. */
static void write_stats_file(double bitmap_cvg, double eps) {
@@ -2971,6 +3013,10 @@
"bitmap_cvg : %0.02f%%\n"
"unique_crashes : %llu\n"
"unique_hangs : %llu\n"
+ "last_path : %llu\n"
+ "last_crash : %llu\n"
+ "last_hang : %llu\n"
+ "exec_timeout : %u\n"
"afl_banner : %s\n"
"afl_version : " VERSION "\n"
"command_line : %s\n",
@@ -2979,7 +3025,9 @@
queued_paths, queued_discovered, queued_imported, max_depth,
current_entry, pending_favored, pending_not_fuzzed,
queued_variable, bitmap_cvg, unique_crashes, unique_hangs,
- use_banner, orig_cmdline); /* ignore errors */
+ last_path_time / 1000, last_crash_time / 1000,
+ last_hang_time / 1000, exec_tmout, use_banner, orig_cmdline);
+ /* ignore errors */
fclose(f);
@@ -3876,6 +3924,10 @@
timeout_given = 1;
+ } else if (timeout_given == 3) {
+
+ ACTF("Applying timeout settings from resumed session (%u ms).",
exec_tmout);
+
}
OKF("All set and ready to roll!");
@@ -6797,9 +6849,9 @@
} else ck_free(own_copy);
- if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+ if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
- target_path = new_argv[0] = ck_strdup(AFL_PATH "/afl-qemu-trace");
+ target_path = new_argv[0] = ck_strdup(BIN_PATH "/afl-qemu-trace");
return new_argv;
}
@@ -7064,6 +7116,8 @@
if (extras_dir) load_extras(extras_dir);
+ if (!timeout_given) find_timeout();
+
detect_file_args(argv + optind + 1);
if (!out_file) setup_stdio_file();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/afl-showmap.c new/afl-1.71b/afl-showmap.c
--- old/afl-1.69b/afl-showmap.c 2015-04-13 20:13:45.000000000 +0200
+++ new/afl-1.71b/afl-showmap.c 2015-04-20 03:11:27.000000000 +0200
@@ -521,7 +521,6 @@
tmp = getenv("AFL_PATH");
-
if (tmp) {
cp = alloc_printf("%s/afl-qemu-trace", tmp);
@@ -553,9 +552,9 @@
} else ck_free(own_copy);
- if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+ if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
- target_path = new_argv[0] = AFL_PATH "/afl-qemu-trace";
+ target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
return new_argv;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/afl-tmin.c new/afl-1.71b/afl-tmin.c
--- old/afl-1.69b/afl-tmin.c 2015-04-13 20:14:29.000000000 +0200
+++ new/afl-1.71b/afl-tmin.c 2015-04-20 03:11:57.000000000 +0200
@@ -877,9 +877,9 @@
} else ck_free(own_copy);
- if (!access(AFL_PATH "/afl-qemu-trace", X_OK)) {
+ if (!access(BIN_PATH "/afl-qemu-trace", X_OK)) {
- target_path = new_argv[0] = AFL_PATH "/afl-qemu-trace";
+ target_path = new_argv[0] = BIN_PATH "/afl-qemu-trace";
return new_argv;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/ChangeLog new/afl-1.71b/docs/ChangeLog
--- old/afl-1.69b/docs/ChangeLog 2015-04-16 08:04:57.000000000 +0200
+++ new/afl-1.71b/docs/ChangeLog 2015-04-20 03:39:59.000000000 +0200
@@ -17,6 +17,36 @@
to get on with the times.
--------------
+Version 1.71b:
+--------------
+
+ - Fixed a bug with installed copies of AFL trying to use QEMU mode. Spotted
+ by G.M. Lime.
+
+ - Added last path / crash / hang times to fuzzer_stats, suggested by
+ Richard Hipp.
+
+ - Fixed a typo, thanks to Jakub Wilk.
+
+--------------
+Version 1.70b:
+--------------
+
+ - Modified resumption code to reuse the original timeout value when resuming
+ a session if -t is not given. This prevents timeout creep in continuous
+ fuzzing.
+
+ - Added improved error messages for failed handshake when AFL_DEFER_FORKSRV
+ is set.
+
+ - Made a slight improvement to llvm_mode/Makefile based on feedback from
+ Jakub Wilk.
+
+ - Refreshed several bits of documentation.
+
+ - Added a more prominent note about the MacOS X trade-offs to Makefile.
+
+--------------
Version 1.69b:
--------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/INSTALL new/afl-1.71b/docs/INSTALL
--- old/afl-1.69b/docs/INSTALL 2015-04-09 07:04:00.000000000 +0200
+++ new/afl-1.71b/docs/INSTALL 2015-04-17 03:47:40.000000000 +0200
@@ -48,8 +48,9 @@
shell commands given in the README and other docs will be different. Beyond
that, everything should work as advertised.
-The QEMU mode is currently supported only on Linux. I'll try to get BSD
-working at some point in the not-too-distant future.
+The QEMU mode is currently supported only on Linux. I think it's just a QEMU
+problem, I couldn't get user-mode emulation support working correctly on BSD
+at all.
3) MacOS X on x86
-----------------
@@ -90,17 +91,16 @@
4) Linux or *BSD on non-x86 systems
-----------------------------------
-Non-x86 systems are not officially supported, but you may be able to leverage
-one of two modes:
+Standard build will fail on non-x86 systems, but you should be able to
+leverage two other options:
- The LLVM mode (see llvm_mode/README.llvm), which does not rely on
x86-specific assembly shims,
- The QEMU mode (see qemu_mode/README.qemu), which can be also used for
- cross-platform binaries.
+ fuzzing cross-platform binaries.
-In both cases, you will need to set AFL_NOX86=1 before running make. Field
-reports welcome.
+In both cases, you will need to set AFL_NOX86=1 before running make.
5) Solaris on x86
-----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/README new/afl-1.71b/docs/README
--- old/afl-1.69b/docs/README 2015-04-16 08:05:12.000000000 +0200
+++ new/afl-1.71b/docs/README 2015-04-18 21:10:53.000000000 +0200
@@ -17,9 +17,9 @@
-------------------------------
Fuzzing is one of the most powerful and proven strategies for identifying
-security issues in real-world software; among other things, it is responsible
-for the vast majority of remote code execution and privilege escalation bugs
-found to date in security-critical software.
+security issues in real-world software; it is responsible for the vast
+majority of remote code execution and privilege escalation bugs found to date
+in security-critical software.
Unfortunately, fuzzing also offers fairly shallow coverage, because many of the
mutations needed to reach new code paths are exceedingly unlikely to be hit
@@ -28,12 +28,12 @@
There have been numerous attempts to solve this problem by augmenting the
process with additional information about the behavior of the tested code,
ranging from simple corpus distillation, to flow analysis (aka "concolic"
-execution), to static analysis and pure symbolic execution.
+execution), to pure symbolic execution, to static analysis.
-The first of these methods has been demonstrated to work well, but depends on
-the availability of a massive, high-quality corpus of valid input data. On top
-of this, coverage measurements provide only a fairly simplistic view of program
-state, making them less suited for guiding the fuzzing process later on.
+The first method on that list has been demonstrated to work well, but depends
+on the availability of a massive, high-quality corpus of valid input data. On
+top of this, coverage measurements provide only a fairly simplistic view of
+program state, making them less suited for guiding the fuzzing process later
on.
The remaining techniques are extremely promising in experimental settings, but
frequently suffer from reliability problems or irreducible complexity. Most of
@@ -74,7 +74,7 @@
The strategies mentioned in step 4 are fairly straightforward, but go well
beyond the functionality of tools such as zzuf and honggfuzz and lead to
-additional finds; this is discussed in more detail at http://goo.gl/SoZJ47.
+additional finds; this is discussed in more detail in technical_notes.txt.
As a side result of the fuzzing process, the tool creates a small,
self-contained corpus of interesting test cases. These are extremely useful
@@ -147,7 +147,7 @@
------------------------------
To operate correctly, the fuzzer requires one or more starting file containing
-typical input normally expected by the targeted application. There are
+the typical input normally expected by the targeted application. There are
two basic rules:
- Keep the files small. Under 1 kB is ideal, although not strictly necessary.
@@ -289,7 +289,7 @@
syntax, but the fuzzer will likely figure out some of this based on the
instrumentation feedback alone. This actually works in practice, say:
- https://www.mail-archive.com/sqlite-users@sqlite.org/msg88058.html
+ http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html
PS. Even when no explicit dictionary is given, afl-fuzz will try to extract
existing syntax tokens in the input corpus by watching the instrumentation
@@ -301,7 +301,7 @@
The coverage-based grouping of crashes usually produces a small data set that
can be quickly triaged manually or with a very simple GDB or Valgrind script.
-Every crash is also traceable to its parent, non-crashing test case in the
+Every crash is also traceable to its parent non-crashing test case in the
queue, making it easier to diagnose faults.
Having said that, it's important to acknowledge that some fuzzing crashes can
be
@@ -370,10 +370,9 @@
- AFL detects faults by checking for the first spawned process dying due to
a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
- these signals may need to have the relevant code commented out.
-
- In the same vein, faults in child processed spawned by the fuzzed target
- may evade detection unless explicitly checked for.
+ these signals may need to have the relevant code commented out. In the same
+ vein, faults in child processed spawned by the fuzzed target may evade
+ detection unless you manually add some code to catch that.
- As with any other brute-force tool, the fuzzer offers limited coverage if
encryption, checksums, cryptographic signatures, or compression are used to
@@ -384,10 +383,6 @@
you can also write a postprocessor, as explained in
experimental/post_library/.
- - The default instrumentation mode supports only x86. If you really, honestly
- have to fuzz on non-x86 systems, you may have luck with the LLVM mode
- (see llvm_mode/README.llvm), or with QEMU (see qemu_mode/README.qemu).
-
- There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
isn't due to any specific fault of afl-fuzz; see notes_for_asan.txt for
tips.
@@ -397,6 +392,8 @@
need to make simple code changes to make them behave in a more traditional
way.
+Beyond this, see INSTALL for platform-specific tips.
+
13) Special thanks
------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/env_variables.txt
new/afl-1.71b/docs/env_variables.txt
--- old/afl-1.69b/docs/env_variables.txt 2015-04-16 08:07:39.000000000
+0200
+++ new/afl-1.71b/docs/env_variables.txt 2015-04-20 03:14:37.000000000
+0200
@@ -15,15 +15,17 @@
- Setting AFL_HARDEN automatically adds code hardening options when invoking
the downstream compiler. This currently includes -D_FORTIFY_SOURCE=2 and
- -fstack-protector-all. The option is useful for catching non-crashing
+ -fstack-protector-all. The setting is useful for catching non-crashing
memory bugs at the expense of a very slight (sub-5%) performance loss.
- - By default, the wrapper appends -O3 to optimize builds. In the exceedingly
- unlikely case this causes problems, set AFL_DONT_OPTIMIZE.
+ - By default, the wrapper appends -O3 to optimize builds. Very rarely, this
+ will cause problems in programs built with -Werror, simply because -O3
+ enables more thorough code analysis and can spew out additional warnings.
+ To disable optimizations, set AFL_DONT_OPTIMIZE.
- Setting AFL_USE_ASAN automatically enables ASAN, provided that your
- compiler supports that. Note that fuzzing with ASAN is problematic - see
- notes_for_asan.txt.
+ compiler supports that. Note that fuzzing with ASAN is mildly challenging
+ - see notes_for_asan.txt.
(You can also enable MSAN via AFL_USE_MSAN; ASAN and MSAN come with the
same gotchas; the modes are mutually exclusive.)
@@ -89,7 +91,7 @@
- When developing custom instrumentation on top of afl-fuzz, you can use
AFL_SKIP_BIN_CHECK to inhibit the checks for non-instrumented binaries
and shell scripts; and AFL_DUMB_FORKSRV in conjunction with the -n
- setting to instruct afl-fuzz to still follow the fork server protocol,
+ setting to instruct afl-fuzz to still follow the fork server protocol
without expecting any instrumentation data in return.
- When running in the -M or -S mode, setting AFL_IMPORT_FIRST causes the
@@ -100,7 +102,7 @@
The benefit of AFL_IMPORT_FIRST is that it makes the "own finds" counter
in the UI more accurately reflect the number of findings made by the
- instance (that the remaining ones did not already have).
+ instance (that the remaining instances did not already have).
- Setting AFL_POST_LIBRARY allows you to configure a postprocessor for
mutated files - say, to fix up checksums. See experimental/post_library/
@@ -112,7 +114,9 @@
- In LLVM mode, AFL_DEFER_FORKSRV can be set to require the forkserver to
be initialized manually (see llvm_mode/README.llvm). This setting has no
- effect for progrms not compiled with afl-clang-fast.
+ effect for programs not compiled with afl-clang-fast.
+
+ - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
3) Settings for afl-qemu-trace
------------------------------
@@ -150,13 +154,21 @@
The corpus minimization script offers very little customization:
- - Setting AFL_PATH offers a way to specify the location of afl-showmap.
+ - Setting AFL_PATH offers a way to specify the location of afl-showmap
+ and afl-qemu-trace (the latter only in -Q mode).
- AFL_KEEP_TRACES makes the tool keep traces and other metadata used for
minimization and normally deleted at exit. The files can be found in the
<out_dir>/.traces/*.
-6) Third-party variables set by afl-fuzz & other tools
+6) Settings for afl-tmin
+------------------------
+
+Virtually nothing to play with:
+
+ - In QEMU mode (-Q), AFL_PATH will be searched for afl-qemu-trace.
+
+7) Third-party variables set by afl-fuzz & other tools
------------------------------------------------------
Several variables are not directly interpreted by afl-fuzz, but are set to
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/notes_for_asan.txt
new/afl-1.71b/docs/notes_for_asan.txt
--- old/afl-1.69b/docs/notes_for_asan.txt 2015-04-08 05:12:15.000000000
+0200
+++ new/afl-1.71b/docs/notes_for_asan.txt 2015-04-17 02:19:08.000000000
+0200
@@ -40,8 +40,8 @@
ASAN allocates a huge region of virtual address space for bookkeeping purposes.
Most of this is never actually accessed, so the OS never has to allocate any
real pages of memory for the process, and the VM grabbed by ASAN is essentially
-"free" - but the mapping counts against the OS-enforced limit (RLIMIT_AS, aka
-ulimit -v).
+"free" - but the mapping counts against the standard OS-enforced limit
+(RLIMIT_AS, aka ulimit -v).
On our end, afl-fuzz tries to protect you from processes that go off-rails
and start consuming all the available memory in a vain attempt to parse a
@@ -71,7 +71,7 @@
even on Linux systems, and they require root permissions to set up; I'm a bit
hesitant to make afl-fuzz require root permissions just for that. That said,
if you are on Linux and want to use cgroups, check out the contributed script
-that ships in experimental/asan_cgroups/, and simply pass -m none to afl-fuzz.
+that ships in experimental/asan_cgroups/.
In settings where cgroups aren't available, we have no nice, portable way to
avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/perf_tips.txt
new/afl-1.71b/docs/perf_tips.txt
--- old/afl-1.69b/docs/perf_tips.txt 2015-04-16 08:06:09.000000000 +0200
+++ new/afl-1.71b/docs/perf_tips.txt 2015-04-17 01:59:38.000000000 +0200
@@ -87,7 +87,8 @@
nanosleep(), etc.
In programs that are slow due to unavoidable initialization overhead, you may
-want to try the LLVM deferred forkserver mode (see llvm_mode/README.llvm).
+want to try the LLVM deferred forkserver mode (see llvm_mode/README.llvm),
+which can give you speed gains up to 10x, but needs to be used with care.
Last but not least, if you are using ASAN and the performance is unacceptable,
consider turning it off for now, and manually examining the generated corpus
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/sister_projects.txt
new/afl-1.71b/docs/sister_projects.txt
--- old/afl-1.69b/docs/sister_projects.txt 2015-04-09 03:09:15.000000000
+0200
+++ new/afl-1.71b/docs/sister_projects.txt 2015-04-17 16:46:15.000000000
+0200
@@ -6,13 +6,24 @@
designed for, or meant to integrate with AFL. See README for the general
instruction manual.
+-----------------
+General interest:
+-----------------
+
AFL Utils (rc0r)
----------------
- Simplifies the triage of discovered crashes.
+ Simplifies the triage of discovered crashes, start parallel instances, etc.
https://github.com/rc0r/afl-utils
+afl-fuzzing-scripts (Tobias Ospelt)
+-----------------------------------
+
+ Simplifies starting up multiple parallel AFL jobs.
+
+ https://github.com/floyd-fuh/afl-fuzzing-scripts/
+
Crashwalk (Ben Nagy)
--------------------
@@ -20,7 +31,16 @@
https://github.com/bnagy/crashwalk
-AFL Fixup Shim (Ben Nagy)
+Distfuzz-AFL (Martijn Bogaard)
+------------------------------
+
+ Simplifies the management of afl-fuzz instances on remote machines. The
+ author notes that the current implementation isn't secure and should not
+ be exposed on the Internet.
+
+ https://github.com/MartijnB/disfuzz-afl
+
+AFL fixup shim (Ben Nagy)
-------------------------
Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages
@@ -28,6 +48,13 @@
https://github.com/bnagy/aflfix
+RecidiVM (Jakub Wilk)
+---------------------
+
+ Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
+
+ http://jwilk.net/software/recidivm
+
Static binary-only instrumentation (Aleksandar Nikolich)
--------------------------------------------------------
@@ -38,21 +65,6 @@
https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
-Python AFL (Jakub Wilk)
------------------------
-
- Allows fuzz-testing of Python programs. Uses custom instrumentation and its
- own forkserver.
-
- https://bitbucket.org/jwilk/python-afl
-
-RecidiVM (Jakub Wilk)
----------------------
-
- Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.
-
- http://jwilk.net/software/recidivm
-
AFL PIN (Parker Thompson)
-------------------------
@@ -61,20 +73,6 @@
https://github.com/mothran/aflpin
-AFL JS (Han Choongwoo)
-----------------------
-
- One-off optimizations to speed up the fuzzing of JavaScriptCore.
-
- https://github.com/tunz/afl-fuzz-js
-
-AFL harness for fwknop (Michael Rash)
--------------------------------------
-
- An example of a fairly involved integration with AFL.
-
- https://github.com/mrash/fwknop/tree/master/test/afl
-
AFL-style instrumentation in llvm (Kostya Serebryany)
-----------------------------------------------------
@@ -92,14 +90,24 @@
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer
-Distfuzz-AFL (Martijn Bogaard)
-------------------------------
+Python AFL (Jakub Wilk)
+-----------------------
- Simplifies the management of afl-fuzz instances on remote machines. The
- author notes that the current implementation isn't secure and should not
- be exposed on the Internet.
+ Allows fuzz-testing of Python programs. Uses custom instrumentation and its
+ own forkserver.
- https://github.com/MartijnB/disfuzz-afl
+ https://bitbucket.org/jwilk/python-afl
+
+-------------------------------
+Narrow-purpose or experimental:
+-------------------------------
+
+AFL JS (Han Choongwoo)
+----------------------
+
+ One-off optimizations to speed up the fuzzing of JavaScriptCore.
+
+ https://github.com/tunz/afl-fuzz-js
afl.rs (Keegan McAllister)
--------------------------
@@ -107,3 +115,17 @@
Allows Rust features to be easily fuzzed with AFL (using the LLVM mode).
https://github.com/kmcallister/afl.rs
+
+AFL harness for fwknop (Michael Rash)
+-------------------------------------
+
+ An example of a fairly involved integration with AFL.
+
+ https://github.com/mrash/fwknop/tree/master/test/afl
+
+Fuzzer shell for SQLite (Richard Hipp)
+--------------------------------------
+
+ A simple SQL shell designed specifically for fuzzing the underlying library.
+
+ http://www.sqlite.org/src/artifact/9e7e273da2030371
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/docs/technical_details.txt
new/afl-1.71b/docs/technical_details.txt
--- old/afl-1.69b/docs/technical_details.txt 2015-03-05 09:22:07.000000000
+0100
+++ new/afl-1.71b/docs/technical_details.txt 2015-04-19 08:49:44.000000000
+0200
@@ -116,7 +116,7 @@
Changes within the range of a single bucket are ignored; transition from one
bucket to another is flagged as an interesting change in program control flow,
-and are routed to the evolutionary process outlined in the section below.
+and is routed to the evolutionary process outlined in the section below.
The hit count behavior provides a way to distinguish between potentially
interesting control flow changes, such as a block of code being executed
@@ -182,7 +182,7 @@
The first entry for blind fuzzing ("S") corresponds to executing just a single
round of testing; the second set of figures ("L") shows the fuzzer running in a
loop for a number of execution cycles comparable with that of the instrumented
-runs, which required more time to fully process the queue.
+runs, which required more time to fully process the growing queue.
Roughly similar results have been obtained in a separate experiment where the
fuzzer was modified to compile out all the random fuzzing stages and leave just
@@ -412,7 +412,9 @@
afl-fuzz.
With fast targets, the fork server can offer considerable performance gains,
-usually between 1.5x and 2x.
+usually between 1.5x and 2x. It is also possible to use the fork server in
+manual mode, skipping over larger, user-selected chunks of initialization
+code. With some targets, this can produce 10x+ performance gain.
11) Parallelization
-------------------
Files old/afl-1.69b/docs/vuln_samples/openssl-null-ptr.der and
new/afl-1.71b/docs/vuln_samples/openssl-null-ptr.der differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/llvm_mode/Makefile
new/afl-1.71b/llvm_mode/Makefile
--- old/afl-1.69b/llvm_mode/Makefile 2015-04-13 20:49:15.000000000 +0200
+++ new/afl-1.71b/llvm_mode/Makefile 2015-04-17 01:51:57.000000000 +0200
@@ -40,7 +40,7 @@
# this seems to be busted on some distros, so using the one in $PATH is
# probably better.
-ifeq "$(findstring clang, $(CC))" ""
+ifeq "$(origin CC)" "default"
CC = clang
CXX = clang++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/afl-1.69b/llvm_mode/README.llvm
new/afl-1.71b/llvm_mode/README.llvm
--- old/afl-1.69b/llvm_mode/README.llvm 2015-04-16 08:04:18.000000000 +0200
+++ new/afl-1.71b/llvm_mode/README.llvm 2015-04-17 01:56:26.000000000 +0200
@@ -86,9 +86,9 @@
file.
In such cases, it would be beneficial to initialize the forkserver a bit later,
-once most of the initialization work is already done, and the binary is about
-to read the fuzzed input and parse it. You can do this in LLVM mode in a fairly
-simple way:
+once most of the initialization work is already done, but before the binary
+attempts to read the fuzzed input and parse it. You can do this in LLVM mode in
+a fairly simple way:
1) First, locate a suitable location in the code for the deferred
initialization
to take place. This needs to be done with *extreme* care to avoid breaking
@@ -100,9 +100,13 @@
- The creation of temporary files, network sockets, offset-sensitive file
descriptors, and similar shared-state resources - but only provided that
- they actually influence the behavior of the program later on.
+ their state meaningfully influences the behavior of the program later on.
- - Any access to the fuzzed input or the metadata about its size.
+ - Any access to the fuzzed input, including the metadata about its size.
+
+ Of course, things will also not work if the forkserver is never initialized
+ at all; in this case, afl-fuzz will complain about failed handshake and bail
+ out.
2) Next, insert the following global function declaration somewhere in the
source file:
@@ -113,3 +117,10 @@
the project with afl-clang-fast (afl-gcc and afl-clang will *not* work).
3) Finally, be sure to set AFL_DEFER_FORKSRV=1 before invoking afl-fuzz.
+
+Again, this feature is easy to misuse; be careful and double-test that the
+coverage and the number of discovered paths is comparable between normal and
+deferred runs. That said, when you do it well, you can see gains up to 10x or
+so:
+
+ https://groups.google.com/forum/#!topic/afl-users/fNMJHl7Fhzs
