• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

.github/H19-Jul-2021-187154

custom_mutators/H19-Jul-2021-80,07860,367

dictionaries/H19-Jul-2021-13,26312,860

docs/H03-May-2022-8,9846,965

frida_mode/H19-Jul-2021-14,8369,811

include/H19-Jul-2021-11,1246,127

instrumentation/H19-Jul-2021-15,3359,407

qemu_mode/H19-Jul-2021-11,3446,032

src/H03-May-2022-31,54817,915

test/H19-Jul-2021-3,6192,961

testcases/H19-Jul-2021-2517

unicorn_mode/H19-Jul-2021-5,4173,748

utils/H19-Jul-2021-8,3955,012

.clang-formatH A D19-Jul-20213.9 KiB149147

.custom-format.pyH A D19-Jul-20214.3 KiB14595

.dockerignoreH A D19-Jul-20211 KiB6565

.gitignoreH A D19-Jul-20211.4 KiB8988

.gitmodulesH A D19-Jul-2021379 109

Android.bpH A D19-Jul-20216.9 KiB407348

CONTRIBUTING.mdH A D19-Jul-2021761 2517

Changelog.mdH A D19-Jul-2021105.9 KiB3,0042,057

DockerfileH A D19-Jul-20212.8 KiB7459

GNUmakefileH A D03-May-202229.2 KiB677535

GNUmakefile.gcc_pluginH A D03-May-20225 21

GNUmakefile.llvmH A D19-Jul-202123.7 KiB527451

LICENSEH A D19-Jul-202111.1 KiB202169

MakefileH A D19-Jul-2021427 4329

QuickStartGuide.mdH A D19-Jul-20212.2 KiB5135

README.mdH A D19-Jul-202167.8 KiB1,3981,092

TODO.mdH A D19-Jul-20211.3 KiB3929

afl-cminH A D19-Jul-202116.3 KiB543377

afl-cmin.bashH A D19-Jul-202112.1 KiB494244

afl-plotH A D19-Jul-20215.6 KiB194102

afl-system-configH A D19-Jul-20215.3 KiB132124

afl-whatsupH A D19-Jul-20217.4 KiB308209

afl-wine-traceH A D19-Jul-20213.3 KiB8166

config.hH A D19-Jul-202115.8 KiB511141

test-instr.cH A D19-Jul-20211.5 KiB7237

types.hH A D19-Jul-20216.4 KiB194145

README.md

1# American Fuzzy Lop plus plus (afl++)
2
3  <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo">
4
5  Release Version: [3.14c](https://github.com/AFLplusplus/AFLplusplus/releases)
6
7  Github Version: 3.15a
8
9  Repository: [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
10
11  afl++ is maintained by:
12
13  * Marc "van Hauser" Heuse <mh@mh-sec.de>,
14  * Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de>,
15  * Andrea Fioraldi <andreafioraldi@gmail.com> and
16  * Dominik Maier <mail@dmnk.co>.
17
18  Originally developed by Michał "lcamtuf" Zalewski.
19
20  afl++ is a superior fork to Google's afl - more speed, more and better
21  mutations, more and better instrumentation, custom module support, etc.
22
23  If you want to use afl++ for your academic work, check the [papers page](https://aflplus.plus/papers/)
24  on the website. To cite our work, look at the [Cite](#cite) section.
25  For comparisons use the fuzzbench `aflplusplus` setup, or use `afl-clang-fast`
26  with `AFL_LLVM_CMPLOG=1`.
27
28## Major behaviour changes in afl++ 3.00 onwards:
29
30With afl++ 3.13-3.20 we introduce frida_mode (-O) to have an alternative for
31binary-only fuzzing. It is slower than Qemu mode but works on MacOS, Android,
32iOS etc.
33
34With afl++ 3.15 we introduced the following changes from previous behaviours:
35  * Also -M main mode does not do deterministic fuzzing by default anymore
36  * afl-cmin and afl-showmap -Ci now descent into subdirectories like
37    afl-fuzz -i does (but note that afl-cmin.bash does not)
38
39With afl++ 3.14 we introduced the following changes from previous behaviours:
40  * afl-fuzz: deterministic fuzzing it not a default for -M main anymore
41  * afl-cmin/afl-showmap -i now descends into subdirectories (afl-cmin.bash
42    however does not)
43
44With afl++ 3.10 we introduced the following changes from previous behaviours:
45  * The '+' feature of the '-t' option now means to  auto-calculate the timeout
46    with the value given being the maximum timeout. The original meaning of
47    "skipping timeouts instead of abort" is now inherent to the -t option.
48
49With afl++ 3.00 we introduced changes that break some previous afl and afl++
50behaviours and defaults:
51  * There are no llvm_mode and gcc_plugin subdirectories anymore and there is
52    only one compiler: afl-cc. All previous compilers now symlink to this one.
53    All instrumentation source code is now in the `instrumentation/` folder.
54  * The gcc_plugin was replaced with a new version submitted by AdaCore that
55    supports more features. Thank you!
56  * qemu_mode got upgraded to QEMU 5.1, but to be able to build this a current
57    ninja build tool version and python3 setuptools are required.
58    qemu_mode also got new options like snapshotting, instrumenting specific
59    shared libraries, etc. Additionally QEMU 5.1 supports more CPU targets so
60    this is really worth it.
61  * When instrumenting targets, afl-cc will not supersede optimizations anymore
62    if any were given. This allows to fuzz targets build regularly like those
63    for debug or release versions.
64  * afl-fuzz:
65    * if neither -M or -S is specified, `-S default` is assumed, so more
66      fuzzers can easily be added later
67    * `-i` input directory option now descends into subdirectories. It also
68      does not fatal on crashes and too large files, instead it skips them
69      and uses them for splicing mutations
70    * -m none is now default, set memory limits (in MB) with e.g. -m 250
71    * deterministic fuzzing is now disabled by default (unless using -M) and
72      can be enabled with -D
73    * a caching of testcases can now be performed and can be modified by
74      editing config.h for TESTCASE_CACHE or by specifying the env variable
75      `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50-500 (default: 50).
76    * -M mains do not perform trimming
77  * examples/ got renamed to utils/
78  * libtokencap/ libdislocator/ and qdbi_mode/ were moved to utils/
79  * afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
80
81
82## Contents
83
84  1. [Features](#important-features-of-afl)
85  2. [How to compile and install afl++](#building-and-installing-afl)
86  3. [How to fuzz a target](#how-to-fuzz-with-afl)
87  4. [Fuzzing binary-only targets](#fuzzing-binary-only-targets)
88  5. [Good examples and writeups of afl++ usages](#good-examples-and-writeups)
89  6. [CI Fuzzing](#ci-fuzzing)
90  7. [Branches](#branches)
91  8. [Want to help?](#help-wanted)
92  9. [Detailed help and description of afl++](#challenges-of-guided-fuzzing)
93
94## Important features of afl++
95
96  afl++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with QEMU 5.1
97  with laf-intel and redqueen, frida mode, unicorn mode, gcc plugin, full *BSD,
98  Mac OS, Solaris and Android support and much, much, much more.
99
100  | Feature/Instrumentation  | afl-gcc | llvm      | gcc_plugin | frida_mode       | qemu_mode        |unicorn_mode      |
101  | -------------------------|:-------:|:---------:|:----------:|:----------------:|:----------------:|:----------------:|
102  | Threadsafe counters      |         |     x(3)  |            |                  |                  |                  |
103  | NeverZero                | x86[_64]|     x(1)  |     x      |         x        |         x        |         x        |
104  | Persistent Mode          |         |     x     |     x      | x86[_64]/arm64   | x86[_64]/arm[64] |         x        |
105  | LAF-Intel / CompCov      |         |     x     |            |                  | x86[_64]/arm[64] | x86[_64]/arm[64] |
106  | CmpLog                   |         |     x     |            | x86[_64]/arm64   | x86[_64]/arm[64] |                  |
107  | Selective Instrumentation|         |     x     |     x      |         x        |         x        |                  |
108  | Non-Colliding Coverage   |         |     x(4)  |            |                  |        (x)(5)    |                  |
109  | Ngram prev_loc Coverage  |         |     x(6)  |            |                  |                  |                  |
110  | Context Coverage         |         |     x(6)  |            |                  |                  |                  |
111  | Auto Dictionary          |         |     x(7)  |            |                  |                  |                  |
112  | Snapshot LKM Support     |         |    (x)(8) |    (x)(8)  |                  |        (x)(5)    |                  |
113  | Shared Memory Testcases  |         |     x     |     x      | x86[_64]/arm64   |         x        |         x        |
114
115  1. default for LLVM >= 9.0, env var for older version due an efficiency bug in previous llvm versions
116  2. GCC creates non-performant code, hence it is disabled in gcc_plugin
117  3. with `AFL_LLVM_THREADSAFE_INST`, disables NeverZero
118  4. with pcguard mode and LTO mode for LLVM 11 and newer
119  5. upcoming, development in the branch
120  6. not compatible with LTO instrumentation and needs at least LLVM v4.1
121  7. automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM versions that write to a file to use with afl-fuzz' `-x`
122  8. the snapshot LKM is currently unmaintained due to too many kernel changes coming too fast :-(
123
124  Among others, the following features and patches have been integrated:
125
126  * NeverZero patch for afl-gcc, instrumentation, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
127  * Persistent mode, deferred forkserver and in-memory fuzzing for qemu_mode
128  * Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)
129  * The new CmpLog instrumentation for LLVM and QEMU inspired by [Redqueen](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf)
130  * Win32 PE binary-only fuzzing with QEMU and Wine
131  * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
132  * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
133  * LLVM mode Ngram coverage by Adrian Herrera [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass)
134  * LAF-Intel/CompCov support for instrumentation, qemu_mode and unicorn_mode (with enhanced capabilities)
135  * Radamsa and honggfuzz mutators (as custom mutators).
136  * QBDI mode to fuzz android native libraries via Quarkslab's [QBDI](https://github.com/QBDI/QBDI) framework
137  * Frida and ptrace mode to fuzz binary-only libraries, etc.
138
139  So all in all this is the best-of afl that is out there :-)
140
141  For new versions and additional information, check out:
142  [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
143
144  To compare notes with other users or get notified about major new features,
145  send a mail to <afl-users+subscribe@googlegroups.com>.
146
147  See [docs/QuickStartGuide.md](docs/QuickStartGuide.md) if you don't have time to
148  read this file - however this is not recommended!
149
150## Branches
151
152  The following branches exist:
153
154  * [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/) : stable state of afl++ - it is synced from dev from time to
155    time when we are satisfied with its stability
156  * [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev) : development state of afl++ - bleeding edge and you might catch a
157    checkout which does not compile or has a bug. *We only accept PRs in dev!!*
158  * [release](https://github.com/AFLplusplus/AFLplusplus/tree/release) : the latest release
159  * (any other) : experimental branches to work on specific features or testing
160    new functionality or changes.
161
162  For releases, please see the [Releases](https://github.com/AFLplusplus/AFLplusplus/releases) tab.
163
164## Help wanted
165
166We have several ideas we would like to see in AFL++ to make it even better.
167However, we already work on so many things that we do not have the time for
168all the big ideas.
169
170This can be your way to support and contribute to AFL++ - extend it to do
171something cool.
172
173We have an idea list in [docs/ideas.md](docs/ideas.md).
174
175For everyone who wants to contribute (and send pull requests) please read
176[CONTRIBUTING.md](CONTRIBUTING.md) before your submit.
177
178## Building and installing afl++
179
180An easy way to install afl++ with everything compiled is available via docker:
181You can use the [Dockerfile](Dockerfile) (which has gcc-10 and clang-11 -
182hence afl-clang-lto is available!) or just pull directly from the docker hub:
183```shell
184docker pull aflplusplus/aflplusplus
185docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
186```
187This image is automatically generated when a push to the stable repo happens.
188You will find your target source code in /src in the container.
189
190If you want to build afl++ yourself you have many options.
191The easiest choice is to build and install everything:
192
193```shell
194sudo apt-get update
195sudo apt-get install -y build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
196# try to install llvm 11 and install the distro default if that fails
197sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
198sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/.* //'|sed 's/\..*//')-dev
199git clone https://github.com/AFLplusplus/AFLplusplus
200cd AFLplusplus
201make distrib
202sudo make install
203```
204It is recommended to install the newest available gcc, clang and llvm-dev
205possible in your distribution!
206
207Note that "make distrib" also builds instrumentation, qemu_mode, unicorn_mode and
208more. If you just want plain afl++ then do "make all", however compiling and
209using at least instrumentation is highly recommended for much better results -
210hence in this case
211
212```shell
213make source-only
214```
215is what you should choose.
216
217These build targets exist:
218
219* all: just the main afl++ binaries
220* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap
221* source-only: everything for source code fuzzing: instrumentation, libdislocator, libtokencap
222* distrib: everything (for both binary-only and source code fuzzing)
223* man: creates simple man pages from the help option of the programs
224* install: installs everything you have compiled with the build options above
225* clean: cleans everything compiled, not downloads (unless not on a checkout)
226* deepclean: cleans everything including downloads
227* code-format: format the code, do this before you commit and send a PR please!
228* tests: runs test cases to ensure that all features are still working as they should
229* unit: perform unit tests (based on cmocka)
230* help: shows these build options
231
232[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the
233afl++ binaries by passing the STATIC=1 argument to make:
234
235```shell
236make STATIC=1
237```
238
239These build options exist:
240
241* STATIC - compile AFL++ static
242* ASAN_BUILD - compiles with memory sanitizer for debug purposes
243* DEBUG - no optimization, -ggdb3, all warnings and -Werror
244* PROFILING - compile with profiling information (gprof)
245* INTROSPECTION - compile afl-fuzz with mutation introspection
246* NO_PYTHON - disable python support
247* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
248* AFL_NO_X86 - if compiling on non-intel/amd platforms
249* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)
250
251e.g.: `make ASAN_BUILD=1`
252
253## Good examples and writeups
254
255Here are some good writeups to show how to effectively use AFL++:
256
257 * [https://aflplus.plus/docs/tutorials/libxml2_tutorial/](https://aflplus.plus/docs/tutorials/libxml2_tutorial/)
258 * [https://bananamafia.dev/post/gb-fuzz/](https://bananamafia.dev/post/gb-fuzz/)
259 * [https://securitylab.github.com/research/fuzzing-challenges-solutions-1](https://securitylab.github.com/research/fuzzing-challenges-solutions-1)
260 * [https://securitylab.github.com/research/fuzzing-software-2](https://securitylab.github.com/research/fuzzing-software-2)
261 * [https://securitylab.github.com/research/fuzzing-sockets-FTP](https://securitylab.github.com/research/fuzzing-sockets-FTP)
262 * [https://securitylab.github.com/research/fuzzing-sockets-FreeRDP](https://securitylab.github.com/research/fuzzing-sockets-FreeRDP)
263 * [https://securitylab.github.com/research/fuzzing-apache-1](https://securitylab.github.com/research/fuzzing-apache-1)
264
265If you are interested in fuzzing structured data (where you define what the
266structure is), these links have you covered:
267 * Superion for afl++: [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
268 * libprotobuf for afl++: [https://github.com/P1umer/AFLplusplus-protobuf-mutator](https://github.com/P1umer/AFLplusplus-protobuf-mutator)
269 * libprotobuf raw: [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator)
270 * libprotobuf for old afl++ API: [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator)
271
272If you find other good ones, please send them to us :-)
273
274## How to fuzz with afl++
275
276The following describes how to fuzz with a target if source code is available.
277If you have a binary-only target please skip to [#Instrumenting binary-only apps](#Instrumenting binary-only apps)
278
279Fuzzing source code is a three-step process.
280
2811. Compile the target with a special compiler that prepares the target to be
282   fuzzed efficiently. This step is called "instrumenting a target".
2832. Prepare the fuzzing by selecting and optimizing the input corpus for the
284   target.
2853. Perform the fuzzing of the target by randomly mutating input and assessing
286   if a generated input was processed in a new path in the target binary.
287
288### 1. Instrumenting that target
289
290#### a) Selecting the best afl++ compiler for instrumenting the target
291
292afl++ comes with a central compiler `afl-cc` that incorporates various different
293kinds of compiler targets and and instrumentation options.
294The following evaluation flow will help you to select the best possible.
295
296It is highly recommended to have the newest llvm version possible installed,
297anything below 9 is not recommended.
298
299```
300+--------------------------------+
301| clang/clang++ 11+ is available | --> use LTO mode (afl-clang-lto/afl-clang-lto++)
302+--------------------------------+     see [instrumentation/README.lto.md](instrumentation/README.lto.md)
303    |
304    | if not, or if the target fails with LTO afl-clang-lto/++
305    |
306    v
307+---------------------------------+
308| clang/clang++ 3.8+ is available | --> use LLVM mode (afl-clang-fast/afl-clang-fast++)
309+---------------------------------+     see [instrumentation/README.llvm.md](instrumentation/README.llvm.md)
310    |
311    | if not, or if the target fails with LLVM afl-clang-fast/++
312    |
313    v
314 +--------------------------------+
315 | gcc 5+ is available            | -> use GCC_PLUGIN mode (afl-gcc-fast/afl-g++-fast)
316 +--------------------------------+    see [instrumentation/README.gcc_plugin.md](instrumentation/README.gcc_plugin.md) and
317                                       [instrumentation/README.instrument_list.md](instrumentation/README.instrument_list.md)
318    |
319    | if not, or if you do not have a gcc with plugin support
320    |
321    v
322   use GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang)
323```
324
325Clickable README links for the chosen compiler:
326
327  * [LTO mode - afl-clang-lto](instrumentation/README.lto.md)
328  * [LLVM mode - afl-clang-fast](instrumentation/README.llvm.md)
329  * [GCC_PLUGIN mode - afl-gcc-fast](instrumentation/README.gcc_plugin.md)
330  * GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own features
331
332You can select the mode for the afl-cc compiler by:
333  1. use a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
334     afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
335     afl-gcc-fast, afl-g++-fast (recommended!)
336  2. using the environment variable AFL_CC_COMPILER with MODE
337  3. passing --afl-MODE command line options to the compiler via CFLAGS/CXXFLAGS/CPPFLAGS
338
339MODE can be one of: LTO (afl-clang-lto*), LLVM (afl-clang-fast*), GCC_PLUGIN
340(afl-g*-fast) or GCC (afl-gcc/afl-g++) or CLANG(afl-clang/afl-clang++).
341
342Because no afl specific command-line options are accepted (beside the
343--afl-MODE command), the compile-time tools make fairly broad use of environment
344variables, which can be listed with `afl-cc -hh` or by reading [docs/env_variables.md](docs/env_variables.md).
345
346#### b) Selecting instrumentation options
347
348The following options are available when you instrument with LTO mode (afl-clang-fast/afl-clang-lto):
349
350 * Splitting integer, string, float and switch comparisons so afl++ can easier
351   solve these. This is an important option if you do not have a very good
352   and large input corpus. This technique is called laf-intel or COMPCOV.
353   To use this set the following environment variable before compiling the
354   target: `export AFL_LLVM_LAF_ALL=1`
355   You can read more about this in [instrumentation/README.laf-intel.md](instrumentation/README.laf-intel.md)
356 * A different technique (and usually a better one than laf-intel) is to
357   instrument the target so that any compare values in the target are sent to
358   afl++ which then tries to put these values into the fuzzing data at different
359   locations. This technique is very fast and good - if the target does not
360   transform input data before comparison. Therefore this technique is called
361   `input to state` or `redqueen`.
362   If you want to use this technique, then you have to compile the target
363   twice, once specifically with/for this mode, and pass this binary to afl-fuzz
364   via the `-c` parameter.
365   Note that you can compile also just a cmplog binary and use that for both
366   however there will be a performance penality.
367   You can read more about this in [instrumentation/README.cmplog.md](instrumentation/README.cmplog.md)
368
369If you use LTO, LLVM or GCC_PLUGIN mode (afl-clang-fast/afl-clang-lto/afl-gcc-fast)
370you have the option to selectively only instrument parts of the target that you
371are interested in:
372
373 * To instrument only those parts of the target that you are interested in
374   create a file with all the filenames of the source code that should be
375   instrumented.
376   For afl-clang-lto and afl-gcc-fast - or afl-clang-fast if a mode other than
377   DEFAULT/PCGUARD is used or you have llvm > 10.0.0 - just put one
378   filename or function per line (no directory information necessary for
379   filenames9, and either set `export AFL_LLVM_ALLOWLIST=allowlist.txt` **or**
380   `export AFL_LLVM_DENYLIST=denylist.txt` - depending on if you want per
381   default to instrument unless noted (DENYLIST) or not perform instrumentation
382   unless requested (ALLOWLIST).
383   **NOTE:** During optimization functions might be inlined and then would not match!
384   See [instrumentation/README.instrument_list.md](instrumentation/README.instrument_list.md)
385
386There are many more options and modes available however these are most of the
387time less effective. See:
388 * [instrumentation/README.ctx.md](instrumentation/README.ctx.md)
389 * [instrumentation/README.ngram.md](instrumentation/README.ngram.md)
390
391afl++ performs "never zero" counting in its bitmap. You can read more about this
392here:
393 * [instrumentation/README.neverzero.md](instrumentation/README.neverzero.md)
394
395#### c) Sanitizers
396
397It is possible to use sanitizers when instrumenting targets for fuzzing,
398which allows you to find bugs that would not necessarily result in a crash.
399
400Note that sanitizers have a huge impact on CPU (= less executions per second)
401and RAM usage. Also you should only run one afl-fuzz instance per sanitizer type.
402This is enough because a use-after-free bug will be picked up, e.g. by
403ASAN (address sanitizer) anyway when syncing to other fuzzing instances,
404so not all fuzzing instances need to be instrumented with ASAN.
405
406The following sanitizers have built-in support in afl++:
407  * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
408    use-after-free, NULL pointer dereference, buffer overruns, etc.
409    Enabled with `export AFL_USE_ASAN=1` before compiling.
410  * MSAN = Memory SANitizer, finds read access to uninitialized memory, eg.
411    a local variable that is defined and read before it is even set.
412    Enabled with `export AFL_USE_MSAN=1` before compiling.
413  * UBSAN = Undefined Behaviour SANitizer, finds instances where - by the
414    C and C++ standards - undefined behaviour happens, e.g. adding two
415    signed integers together where the result is larger than a signed integer
416    can hold.
417    Enabled with `export AFL_USE_UBSAN=1` before compiling.
418  * CFISAN = Control Flow Integrity SANitizer, finds instances where the
419    control flow is found to be illegal. Originally this was rather to
420    prevent return oriented programming exploit chains from functioning,
421    in fuzzing this is mostly reduced to detecting type confusion
422    vulnerabilities - which is however one of the most important and dangerous
423    C++ memory corruption classes!
424    Enabled with `export AFL_USE_CFISAN=1` before compiling.
425  * LSAN = Leak SANitizer, finds memory leaks in a program. This is not really
426    a security issue, but for developers this can be very valuable.
427    Note that unlike the other sanitizers above this needs
428    `__AFL_LEAK_CHECK();` added to all areas of the target source code where you
429    find a leak check necessary!
430    Enabled with `export AFL_USE_LSAN=1` before compiling.
431
432It is possible to further modify the behaviour of the sanitizers at run-time
433by setting `ASAN_OPTIONS=...`, `LSAN_OPTIONS` etc. - the available parameters
434can be looked up in the sanitizer documentation of llvm/clang.
435afl-fuzz however requires some specific parameters important for fuzzing to be
436set. If you want to set your own, it might bail and report what it is missing.
437
438Note that some sanitizers cannot be used together, e.g. ASAN and MSAN, and
439others often cannot work together because of target weirdness, e.g. ASAN and
440CFISAN. You might need to experiment which sanitizers you can combine in a
441target (which means more instances can be run without a sanitized target,
442which is more effective).
443
444#### d) Modify the target
445
446If the target has features that make fuzzing more difficult, e.g.
447checksums, HMAC, etc. then modify the source code so that checks for these
448values are removed.
449This can even be done safely for source code used in operational products
450by eliminating these checks within these AFL specific blocks:
451
452```
453#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
454  // say that the checksum or HMAC was fine - or whatever is required
455  // to eliminate the need for the fuzzer to guess the right checksum
456  return 0;
457#endif
458```
459
460All afl++ compilers will set this preprocessor definition automatically.
461
462#### e) Instrument the target
463
464In this step the target source code is compiled so that it can be fuzzed.
465
466Basically you have to tell the target build system that the selected afl++
467compiler is used. Also - if possible - you should always configure the
468build system such that the target is compiled statically and not dynamically.
469How to do this is described below.
470
471Then build the target. (Usually with `make`)
472
473**NOTES**
474
4751. sometimes configure and build systems are fickle and do not like
476   stderr output (and think this means a test failure) - which is something
477   afl++ likes to do to show statistics. It is recommended to disable afl++
478   instrumentation reporting via `export AFL_QUIET=1`.
479
4802. sometimes configure and build systems error on warnings - these should be
481   disabled (e.g. `--disable-werror` for some configure scripts).
482
4833. in case the configure/build system complains about afl++'s compiler and
484   aborts then set `export AFL_NOOPT=1` which will then just behave like the
485   real compiler. This option has to be unset again before building the target!
486
487##### configure
488
489For `configure` build systems this is usually done by:
490`CC=afl-clang-fast CXX=afl-clang-fast++ ./configure --disable-shared`
491
492Note that if you are using the (better) afl-clang-lto compiler you also have to
493set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
494described in [instrumentation/README.lto.md](instrumentation/README.lto.md).
495
496##### cmake
497
498For `cmake` build systems this is usually done by:
499`mkdir build; cd build; cmake -DCMAKE_C_COMPILER=afl-cc -DCMAKE_CXX_COMPILER=afl-c++ ..`
500
501Note that if you are using the (better) afl-clang-lto compiler you also have to
502set AR to llvm-ar[-VERSION] and RANLIB to llvm-ranlib[-VERSION] - as is
503described in [instrumentation/README.lto.md](instrumentation/README.lto.md).
504
505##### meson
506
507For meson you have to set the afl++ compiler with the very first command!
508`CC=afl-cc CXX=afl-c++ meson`
509
510##### other build systems or if configure/cmake didn't work
511
512Sometimes cmake and configure do not pick up the afl++ compiler, or the
513ranlib/ar that is needed - because this was just not foreseen by the developer
514of the target. Or they have non-standard options. Figure out if there is a
515non-standard way to set this, otherwise set up the build normally and edit the
516generated build environment afterwards manually to point it to the right compiler
517(and/or ranlib and ar).
518
519#### f) Better instrumentation
520
521If you just fuzz a target program as-is you are wasting a great opportunity for
522much more fuzzing speed.
523
524This variant requires the usage of afl-clang-lto, afl-clang-fast or afl-gcc-fast.
525
526It is the so-called `persistent mode`, which is much, much faster but
527requires that you code a source file that is specifically calling the target
528functions that you want to fuzz, plus a few specific afl++ functions around
529it. See [instrumentation/README.persistent_mode.md](instrumentation/README.persistent_mode.md) for details.
530
531Basically if you do not fuzz a target in persistent mode then you are just
532doing it for a hobby and not professionally :-).
533
534#### g) libfuzzer fuzzer harnesses with LLVMFuzzerTestOneInput()
535
536libfuzzer `LLVMFuzzerTestOneInput()` harnesses are the defacto standard
537for fuzzing, and they can be used with afl++ (and honggfuzz) as well!
538Compiling them is as simple as:
539```
540afl-clang-fast++ -fsanitize=fuzzer -o harness harness.cpp targetlib.a
541```
542You can even use advanced libfuzzer features like `FuzzedDataProvider`,
543`LLVMFuzzerMutate()` etc. and they will work!
544
545The generated binary is fuzzed with afl-fuzz like any other fuzz target.
546
547Bonus: the target is already optimized for fuzzing due to persistent mode and
548shared-memory testcases and hence gives you the fastest speed possible.
549
550For more information see [utils/aflpp_driver/README.md](utils/aflpp_driver/README.md)
551
552### 2. Preparing the fuzzing campaign
553
554As you fuzz the target with mutated input, having as diverse inputs for the
555target as possible improves the efficiency a lot.
556
557#### a) Collect inputs
558
559Try to gather valid inputs for the target from wherever you can. E.g. if it is
560the PNG picture format try to find as many png files as possible, e.g. from
561reported bugs, test suites, random downloads from the internet, unit test
562case data - from all kind of PNG software.
563
564If the input format is not known, you can also modify a target program to write
565normal data it receives and processes to a file and use these.
566
567#### b) Making the input corpus unique
568
569Use the afl++ tool `afl-cmin` to remove inputs from the corpus that do not
570produce a new path in the target.
571
572Put all files from step a) into one directory, e.g. INPUTS.
573
574If the target program is to be called by fuzzing as `bin/target -d INPUTFILE`
575the run afl-cmin like this:
576`afl-cmin -i INPUTS -o INPUTS_UNIQUE -- bin/target -d @@`
577Note that the INPUTFILE argument that the target program would read from has to be set as `@@`.
578
579If the target reads from stdin instead, just omit the `@@` as this is the
580default.
581
582This step is highly recommended!
583
584#### c) Minimizing all corpus files
585
586The shorter the input files that still traverse the same path
587within the target, the better the fuzzing will be. This minimization
588is done with `afl-tmin` however it is a long process as this has to
589be done for every file:
590
591```
592mkdir input
593cd INPUTS_UNIQUE
594for i in *; do
595  afl-tmin -i "$i" -o "../input/$i" -- bin/target -d @@
596done
597```
598
599This step can also be parallelized, e.g. with `parallel`.
600Note that this step is rather optional though.
601
602#### Done!
603
604The INPUTS_UNIQUE/ directory from step b) - or even better the directory input/
605if you minimized the corpus in step c) - is the resulting input corpus directory
606to be used in fuzzing! :-)
607
608### 3. Fuzzing the target
609
610In this final step we fuzz the target.
611There are not that many important options to run the target - unless you want
612to use many CPU cores/threads for the fuzzing, which will make the fuzzing much
613more useful.
614
615If you just use one CPU for fuzzing, then you are fuzzing just for fun and not
616seriously :-)
617
618#### a) Running afl-fuzz
619
620Before you do even a test run of afl-fuzz execute `sudo afl-system-config` (on
621the host if you execute afl-fuzz in a docker container). This reconfigures the
622system for optimal speed - which afl-fuzz checks and bails otherwise.
623Set `export AFL_SKIP_CPUFREQ=1` for afl-fuzz to skip this check if you cannot
624run afl-system-config with root privileges on the host for whatever reason.
625
626If you have an input corpus from step 2 then specify this directory with the `-i`
627option. Otherwise create a new directory and create a file with any content
628as test data in there.
629
630If you do not want anything special, the defaults are already usually best,
631hence all you need is to specify the seed input directory with the result of
632step [2a. Collect inputs](#a-collect-inputs):
633`afl-fuzz -i input -o output -- bin/target -d @@`
634Note that the directory specified with -o will be created if it does not exist.
635
636It can be valuable to run afl-fuzz in a screen or tmux shell so you can log off,
637or afl-fuzz is not aborted if you are running it in a remote ssh session where
638the connection fails in between.
639Only do that though once you have verified that your fuzzing setup works!
640Simply run it like `screen -dmS afl-main -- afl-fuzz -M main-$HOSTNAME -i ...`
641and it will start away in a screen session. To enter this session simply type
642`screen -r afl-main`. You see - it makes sense to name the screen session
643same as the afl-fuzz -M/-S naming :-)
644For more information on screen or tmux please check their documentation.
645
646If you need to stop and re-start the fuzzing, use the same command line options
647(or even change them by selecting a different power schedule or another
648mutation mode!) and switch the input directory with a dash (`-`):
649`afl-fuzz -i - -o output -- bin/target -d @@`
650
651Memory limits are not enforced by afl-fuzz by default and the system may run
652out of memory. You can decrease the memory with the `-m` option, the value is
653in MB. If this is too small for the target, you can usually see this by
654afl-fuzz bailing with the message that it could not connect to the forkserver.
655
656Adding a dictionary is helpful. See the directory [dictionaries/](dictionaries/) if
657something is already included for your data format, and tell afl-fuzz to load
658that dictionary by adding `-x dictionaries/FORMAT.dict`. With afl-clang-lto
659you have an autodictionary generation for which you need to do nothing except
660to use afl-clang-lto as the compiler. You also have the option to generate
661a dictionary yourself, see [utils/libtokencap/README.md](utils/libtokencap/README.md).
662
663afl-fuzz has a variety of options that help to workaround target quirks like
664specific locations for the input file (`-f`), performing deterministic
665fuzzing (`-D`) and many more. Check out `afl-fuzz -h`.
666
667We highly recommend that you set a memory limit for running the target with `-m`
668which defines the maximum memory in MB. This prevents a potential
669out-of-memory problem for your system plus helps you detect missing `malloc()`
670failure handling in the target.
671Play around with various -m values until you find one that safely works for all
672your input seeds (if you have good ones and then double or quadrouple that.
673
674By default afl-fuzz never stops fuzzing. To terminate afl++ simply press Control-C
675or send a signal SIGINT. You can limit the number of executions or approximate runtime
676in seconds with options also.
677
678When you start afl-fuzz you will see a user interface that shows what the status
679is:
680![docs/screenshot.png](docs/screenshot.png)
681
682All labels are explained in [docs/status_screen.md](docs/status_screen.md).
683
684#### b) Using multiple cores
685
686If you want to seriously fuzz then use as many cores/threads as possible to
687fuzz your target.
688
689On the same machine - due to the design of how afl++ works - there is a maximum
690number of CPU cores/threads that are useful, use more and the overall performance
691degrades instead. This value depends on the target, and the limit is between 32
692and 64 cores per machine.
693
694If you have the RAM, it is highly recommended run the instances with a caching
695of the testcases. Depending on the average testcase size (and those found
696during fuzzing) and their number, a value between 50-500MB is recommended.
697You can set the cache size (in MB) by setting the environment variable `AFL_TESTCACHE_SIZE`.
698
699There should be one main fuzzer (`-M main-$HOSTNAME` option) and as many secondary
700fuzzers (eg `-S variant1`) as you have cores that you use.
701Every -M/-S entry needs a unique name (that can be whatever), however the same
702-o output directory location has to be used for all instances.
703
704For every secondary fuzzer there should be a variation, e.g.:
705 * one should fuzz the target that was compiled differently: with sanitizers
706   activated (`export AFL_USE_ASAN=1 ; export AFL_USE_UBSAN=1 ;
707   export AFL_USE_CFISAN=1`)
708 * one or two should fuzz the target with CMPLOG/redqueen (see above), at
709   least one cmplog instance should follow transformations (`-l AT`)
710 * one to three fuzzers should fuzz a target compiled with laf-intel/COMPCOV
711   (see above). Important note: If you run more than one laf-intel/COMPCOV
712   fuzzer and you want them to share their intermediate results, the main
713   fuzzer (`-M`) must be one of the them! (Although this is not really
714   recommended.)
715
716All other secondaries should be used like this:
717 * A quarter to a third with the MOpt mutator enabled: `-L 0`
718 * run with a different power schedule, recommended are:
719   `fast (default), explore, coe, lin, quad, exploit and rare`
720   which you can set with e.g. `-p explore`
721 * a few instances should use the old queue cycling with `-Z`
722
723Also it is recommended to set `export AFL_IMPORT_FIRST=1` to load testcases
724from other fuzzers in the campaign first.
725
726If you have a large corpus, a corpus from a previous run or are fuzzing in
727a CI, then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
728
729You can also use different fuzzers.
730If you are using afl spinoffs or afl conforming fuzzers, then just use the
731same -o directory and give it a unique `-S` name.
732Examples are:
733 * [Fuzzolic](https://github.com/season-lab/fuzzolic)
734 * [symcc](https://github.com/eurecom-s/symcc/)
735 * [Eclipser](https://github.com/SoftSec-KAIST/Eclipser/)
736 * [AFLsmart](https://github.com/aflsmart/aflsmart)
737 * [FairFuzz](https://github.com/carolemieux/afl-rb)
738 * [Neuzz](https://github.com/Dongdongshe/neuzz)
739 * [Angora](https://github.com/AngoraFuzzer/Angora)
740
741A long list can be found at [https://github.com/Microsvuln/Awesome-AFL](https://github.com/Microsvuln/Awesome-AFL)
742
743However you can also sync afl++ with honggfuzz, libfuzzer with `-entropic=1`, etc.
744Just show the main fuzzer (-M) with the `-F` option where the queue/work
745directory of a different fuzzer is, e.g. `-F /src/target/honggfuzz`.
746Using honggfuzz (with `-n 1` or `-n 2`) and libfuzzer in parallel is highly
747recommended!
748
749#### c) Using multiple machines for fuzzing
750
751Maybe you have more than one machine you want to fuzz the same target on.
752Simply start the `afl-fuzz` (and perhaps libfuzzer, honggfuzz, ...)
753orchestra as you like, just ensure that your have one and only one `-M`
754instance per server, and that its name is unique, hence the recommendation
755for `-M main-$HOSTNAME`.
756
757Now there are three strategies on how you can sync between the servers:
758  * never: sounds weird, but this makes every server an island and has the
759    chance the each follow different paths into the target. You can make
760    this even more interesting by even giving different seeds to each server.
761  * regularly (~4h): this ensures that all fuzzing campaigns on the servers
762    "see" the same thing. It is like fuzzing on a huge server.
763  * in intervals of 1/10th of the overall expected runtime of the fuzzing you
764    sync. This tries a bit to combine both. have some individuality of the
765    paths each campaign on a server explores, on the other hand if one
766    gets stuck where another found progress this is handed over making it
767    unstuck.
768
769The syncing process itself is very simple.
770As the `-M main-$HOSTNAME` instance syncs to all `-S` secondaries as well
771as to other fuzzers, you have to copy only this directory to the other
772machines.
773
774Lets say all servers have the `-o out` directory in /target/foo/out, and
775you created a file `servers.txt` which contains the hostnames of all
776participating servers, plus you have an ssh key deployed to all of them,
777then run:
778```bash
779for FROM in `cat servers.txt`; do
780  for TO in `cat servers.txt`; do
781    rsync -rlpogtz --rsh=ssh $FROM:/target/foo/out/main-$FROM $TO:target/foo/out/
782  done
783done
784```
785You can run this manually, per cron job - as you need it.
786There is a more complex and configurable script in `utils/distributed_fuzzing`.
787
788#### d) The status of the fuzz campaign
789
790afl++ comes with the `afl-whatsup` script to show the status of the fuzzing
791campaign.
792
793Just supply the directory that afl-fuzz is given with the -o option and
794you will see a detailed status of every fuzzer in that campaign plus
795a summary.
796
797To have only the summary use the `-s` switch e.g.: `afl-whatsup -s out/`
798
799If you have multiple servers then use the command after a sync, or you have
800to execute this script per server.
801
802#### e) Checking the coverage of the fuzzing
803
804The `paths found` value is a bad indicator for checking how good the coverage is.
805
806A better indicator - if you use default llvm instrumentation with at least
807version 9 - is to use `afl-showmap` with the collect coverage option `-C` on
808the output directory:
809```
810$ afl-showmap -C -i out -o /dev/null -- ./target -params @@
811...
812[*] Using SHARED MEMORY FUZZING feature.
813[*] Target map size: 9960
814[+] Processed 7849 input files.
815[+] Captured 4331 tuples (highest value 255, total values 67130596) in '/dev/nul
816l'.
817[+] A coverage of 4331 edges were achieved out of 9960 existing (43.48%) with 7849 input files.
818```
819It is even better to check out the exact lines of code that have been reached -
820and which have not been found so far.
821
822An "easy" helper script for this is [https://github.com/vanhauser-thc/afl-cov](https://github.com/vanhauser-thc/afl-cov),
823just follow the README of that separate project.
824
825If you see that an important area or a feature has not been covered so far then
826try to find an input that is able to reach that and start a new secondary in
827that fuzzing campaign with that seed as input, let it run for a few minutes,
828then terminate it. The main node will pick it up and make it available to the
829other secondary nodes over time. Set `export AFL_NO_AFFINITY=1` or
830`export AFL_TRY_AFFINITY=1` if you have no free core.
831
832Note that in nearly all cases you can never reach full coverage. A lot of
833functionality is usually dependent on exclusive options that would need individual
834fuzzing campaigns each with one of these options set. E.g. if you fuzz a library to
835convert image formats and your target is the png to tiff API then you will not
836touch any of the other library APIs and features.
837
838#### f) How long to fuzz a target?
839
840This is a difficult question.
841Basically if no new path is found for a long time (e.g. for a day or a week)
842then you can expect that your fuzzing won't be fruitful anymore.
843However often this just means that you should switch out secondaries for
844others, e.g. custom mutator modules, sync to very different fuzzers, etc.
845
846Keep the queue/ directory (for future fuzzings of the same or similar targets)
847and use them to seed other good fuzzers like libfuzzer with the -entropic
848switch or honggfuzz.
849
850#### g) Improve the speed!
851
852 * Use [persistent mode](instrumentation/README.persistent_mode.md) (x2-x20 speed increase)
853 * If you do not use shmem persistent mode, use `AFL_TMPDIR` to point the input file on a tempfs location, see [docs/env_variables.md](docs/env_variables.md)
854 * Linux: Improve kernel performance: modify `/etc/default/grub`, set `GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"`; then `update-grub` and `reboot` (warning: makes the system more insecure)
855 * Linux: Running on an `ext2` filesystem with `noatime` mount option will be a bit faster than on any other journaling filesystem
856 * Use your cores! [3.b) Using multiple cores/threads](#b-using-multiple-coresthreads)
857
858### The End
859
860Check out the [docs/FAQ](docs/FAQ.md) if it maybe answers your question (that
861you might not even have known you had ;-) ).
862
863This is basically all you need to know to professionally run fuzzing campaigns.
864If you want to know more, the rest of this README and the tons of texts in
865[docs/](docs/) will have you covered.
866
867Note that there are also a lot of tools out there that help fuzzing with afl++
868(some might be deprecated or unsupported):
869
870Speeding up fuzzing:
871 * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the function you want to fuzz requires loading a file, this allows using the shared memory testcase feature :-) - recommended.
872
873Minimization of test cases:
874 * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin that tries to speed up the process of minimization of a single test case by using many CPU cores.
875 * [afl-ddmin-mod](https://github.com/MarkusTeufelberger/afl-ddmin-mod) - a variation of afl-tmin based on the ddmin algorithm.
876 * [halfempty](https://github.com/googleprojectzero/halfempty) -  is a fast utility for minimizing test cases by Tavis Ormandy based on parallelization.
877
878Distributed execution:
879 * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing for AFL.
880 * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing framework.
881 * [afl-launch](https://github.com/bnagy/afl-launch) - a tool for the execution of many AFL instances.
882 * [afl-mothership](https://github.com/afl-mothership/afl-mothership) - management and execution of many synchronized AFL fuzzers on AWS cloud.
883 * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another script for running AFL in AWS.
884
885Deployment, management, monitoring, reporting
886 * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases.
887 * [afl-other-arch](https://github.com/shellphish/afl-other-arch) - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL.
888 * [afl-trivia](https://github.com/bnagy/afl-trivia) - a few small scripts to simplify the management of AFL.
889 * [afl-monitor](https://github.com/reflare/afl-monitor) - a script for monitoring AFL.
890 * [afl-manager](https://github.com/zx1340/afl-manager) - a web server on Python for managing multi-afl.
891 * [afl-remote](https://github.com/block8437/afl-remote) - a web server for the remote management of AFL instances.
892 * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to parallelize afl-tmin, startup, and data collection.
893
894Crash processing
895 * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) - another crash analyzer for AFL.
896 * [fuzzer-utils](https://github.com/ThePatrickStar/fuzzer-utils) - a set of scripts for the analysis of results.
897 * [atriage](https://github.com/Ayrx/atriage) - a simple triage tool.
898 * [afl-kit](https://github.com/kcwu/afl-kit) - afl-cmin on Python.
899 * [AFLize](https://github.com/d33tah/aflize) - a tool that automatically generates builds of debian packages suitable for AFL.
900 * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for working with input data.
901
902## CI Fuzzing
903
904Some notes on CI Fuzzing - this fuzzing is different to normal fuzzing
905campaigns as these are much shorter runnings.
906
9071. Always:
908  * LTO has a much longer compile time which is diametrical to short fuzzing -
909    hence use afl-clang-fast instead.
910  * If you compile with CMPLOG then you can save fuzzing time and reuse that
911    compiled target for both the -c option and the main fuzz target.
912    This will impact the speed by ~15% though.
913  * `AFL_FAST_CAL` - Enable fast calibration, this halfs the time the saturated
914     corpus needs to be loaded.
915  * `AFL_CMPLOG_ONLY_NEW` - only perform cmplog on new found paths, not the
916    initial corpus as this very likely has been done for them already.
917  * Keep the generated corpus, use afl-cmin and reuse it every time!
918
9192. Additionally randomize the afl++ compilation options, e.g.
920  * 40% for `AFL_LLVM_CMPLOG`
921  * 10% for `AFL_LLVM_LAF_ALL`
922
9233. Also randomize the afl-fuzz runtime options, e.g.
924  * 65% for `AFL_DISABLE_TRIM`
925  * 50% use a dictionary generated by `AFL_LLVM_DICT2FILE`
926  * 40% use MOpt (`-L 0`)
927  * 40% for `AFL_EXPAND_HAVOC_NOW`
928  * 20% for old queue processing (`-Z`)
929  * for CMPLOG targets, 60% for `-l 2`, 40% for `-l 3`
930
9314. Do *not* run any `-M` modes, just running `-S` modes is better for CI fuzzing.
932   `-M` enables old queue handling etc. which is good for a fuzzing campaign but
933   not good for short CI runs.
934
935How this can look like can e.g. be seen at afl++'s setup in Google's [oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
936and [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/python/bot/fuzzers/afl/launcher.py).
937
938## Fuzzing binary-only targets
939
940When source code is *NOT* available, afl++ offers various support for fast,
941on-the-fly instrumentation of black-box binaries.
942
943If you do not have to use Unicorn the following setup is recommended to use
944qemu_mode:
945  * run 1 afl-fuzz -Q instance with CMPLOG (`-c 0` + `AFL_COMPCOV_LEVEL=2`)
946  * run 1 afl-fuzz -Q instance with QASAN  (`AFL_USE_QASAN=1`)
947  * run 1 afl-fuzz -Q instance with LAF (`AFL_PRELOAD=libcmpcov.so` + `AFL_COMPCOV_LEVEL=2`)
948Alternatively you can use frida_mode, just switch `-Q` with `-O` and remove the
949LAF instance.
950
951Then run as many instances as you have cores left with either -Q mode or - better -
952use a binary rewriter like afl-dyninst, retrowrite, zafl, etc.
953
954For Qemu and Frida mode, check out the persistent mode, it gives a huge speed
955improvement if it is possible to use.
956
957### QEMU
958
959For linux programs and its libraries this is accomplished with a version of
960QEMU running in the lesser-known "user space emulation" mode.
961QEMU is a project separate from AFL, but you can conveniently build the
962feature by doing:
963```shell
964cd qemu_mode
965./build_qemu_support.sh
966```
967For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).
968If possible you should use the persistent mode, see [qemu_mode/README.persistent.md](qemu_mode/README.persistent.md).
969The mode is approximately 2-5x slower than compile-time instrumentation, and is
970less conducive to parallelization.
971
972If [afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst) works for
973your binary, then you can use afl-fuzz normally and it will have twice
974the speed compared to qemu_mode (but slower than qemu persistent mode).
975Note that several other binary rewriters exist, all with their advantages and
976caveats.
977
978### Frida
979
980Frida mode is sometimes faster and sometimes slower than Qemu mode.
981It is also newer, lacks COMPCOV, but supports MacOS.
982
983```shell
984cd frida_mode
985make
986```
987For additional instructions and caveats, see [frida_mode/README.md](frida_mode/README.md).
988If possible you should use the persistent mode, see [qemu_frida/README.persistent.md](qemu_frida/README.persistent.md).
989The mode is approximately 2-5x slower than compile-time instrumentation, and is
990less conducive to parallelization.
991
992### Unicorn
993
994For non-Linux binaries you can use afl++'s unicorn mode which can emulate
995anything you want - for the price of speed and user written scripts.
996See [unicorn_mode](unicorn_mode/README.md).
997
998It can be easily built by:
999```shell
1000cd unicorn_mode
1001./build_unicorn_support.sh
1002```
1003
1004### Shared libraries
1005
1006If the goal is to fuzz a dynamic library then there are two options available.
1007For both you need to write a small harness that loads and calls the library.
1008Faster is the frida solution: [utils/afl_frida/README.md](utils/afl_frida/README.md)
1009
1010Another, less precise and slower option is using ptrace with debugger interrupt
1011instrumentation: [utils/afl_untracer/README.md](utils/afl_untracer/README.md).
1012
1013### More
1014
1015A more comprehensive description of these and other options can be found in
1016[docs/binaryonly_fuzzing.md](docs/binaryonly_fuzzing.md).
1017
1018## Challenges of guided fuzzing
1019
1020Fuzzing is one of the most powerful and proven strategies for identifying
1021security issues in real-world software; it is responsible for the vast
1022majority of remote code execution and privilege escalation bugs found to date
1023in security-critical software.
1024
1025Unfortunately, fuzzing is also relatively shallow; blind, random mutations
1026make it very unlikely to reach certain code paths in the tested code, leaving
1027some vulnerabilities firmly outside the reach of this technique.
1028
1029There have been numerous attempts to solve this problem. One of the early
1030approaches - pioneered by Tavis Ormandy - is corpus distillation. The method
1031relies on coverage signals to select a subset of interesting seeds from a
1032massive, high-quality corpus of candidate files, and then fuzz them by
1033traditional means. The approach works exceptionally well but requires such
1034a corpus to be readily available. In addition, block coverage measurements
1035provide only a very simplistic understanding of the program state and are less
1036useful for guiding the fuzzing effort in the long haul.
1037
1038Other, more sophisticated research has focused on techniques such as program
1039flow analysis ("concolic execution"), symbolic execution, or static analysis.
1040All these methods are extremely promising in experimental settings, but tend
1041to suffer from reliability and performance problems in practical uses - and
1042currently do not offer a viable alternative to "dumb" fuzzing techniques.
1043
1044## Background: The afl-fuzz approach
1045
1046American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple
1047but rock-solid instrumentation-guided genetic algorithm. It uses a modified
1048form of edge coverage to effortlessly pick up subtle, local-scale changes to
1049program control flow.
1050
1051Simplifying a bit, the overall algorithm can be summed up as:
1052
1053  1) Load user-supplied initial test cases into the queue,
1054
1055  2) Take the next input file from the queue,
1056
1057  3) Attempt to trim the test case to the smallest size that doesn't alter
1058     the measured behavior of the program,
1059
1060  4) Repeatedly mutate the file using a balanced and well-researched variety
1061     of traditional fuzzing strategies,
1062
1063  5) If any of the generated mutations resulted in a new state transition
1064     recorded by the instrumentation, add mutated output as a new entry in the
1065     queue.
1066
1067  6) Go to 2.
1068
1069The discovered test cases are also periodically culled to eliminate ones that
1070have been obsoleted by newer, higher-coverage finds; and undergo several other
1071instrumentation-driven effort minimization steps.
1072
1073As a side result of the fuzzing process, the tool creates a small,
1074self-contained corpus of interesting test cases. These are extremely useful
1075for seeding other, labor- or resource-intensive testing regimes - for example,
1076for stress-testing browsers, office applications, graphics suites, or
1077closed-source tools.
1078
1079The fuzzer is thoroughly tested to deliver out-of-the-box performance far
1080superior to blind fuzzing or coverage-only tools.
1081
1082## Help: Choosing initial test cases
1083
1084To operate correctly, the fuzzer requires one or more starting file that
1085contains a good example of the input data normally expected by the targeted
1086application. There are two basic rules:
1087
1088  - Keep the files small. Under 1 kB is ideal, although not strictly necessary.
1089    For a discussion of why size matters, see [perf_tips.md](docs/perf_tips.md).
1090
1091  - Use multiple test cases only if they are functionally different from
1092    each other. There is no point in using fifty different vacation photos
1093    to fuzz an image library.
1094
1095You can find many good examples of starting files in the testcases/ subdirectory
1096that comes with this tool.
1097
1098PS. If a large corpus of data is available for screening, you may want to use
1099the afl-cmin utility to identify a subset of functionally distinct files that
1100exercise different code paths in the target binary.
1101
1102## Help: Interpreting output
1103
1104See the [docs/status_screen.md](docs/status_screen.md) file for information on
1105how to interpret the displayed stats and monitor the health of the process. Be
1106sure to consult this file especially if any UI elements are highlighted in red.
1107
1108The fuzzing process will continue until you press Ctrl-C. At a minimum, you want
1109to allow the fuzzer to complete one queue cycle, which may take anywhere from a
1110couple of hours to a week or so.
1111
1112There are three subdirectories created within the output directory and updated
1113in real-time:
1114
1115  - queue/   - test cases for every distinctive execution path, plus all the
1116               starting files given by the user. This is the synthesized corpus
1117               mentioned in section 2.
1118
1119               Before using this corpus for any other purposes, you can shrink
1120               it to a smaller size using the afl-cmin tool. The tool will find
1121               a smaller subset of files offering equivalent edge coverage.
1122
1123  - crashes/ - unique test cases that cause the tested program to receive a
1124               fatal signal (e.g., SIGSEGV, SIGILL, SIGABRT). The entries are
1125               grouped by the received signal.
1126
1127  - hangs/   - unique test cases that cause the tested program to time out. The
1128               default time limit before something is classified as a hang is
1129               the larger of 1 second and the value of the -t parameter.
1130               The value can be fine-tuned by setting AFL_HANG_TMOUT, but this
1131               is rarely necessary.
1132
1133Crashes and hangs are considered "unique" if the associated execution paths
1134involve any state transitions not seen in previously-recorded faults. If a
1135single bug can be reached in multiple ways, there will be some count inflation
1136early in the process, but this should quickly taper off.
1137
1138The file names for crashes and hangs are correlated with the parent, non-faulting
1139queue entries. This should help with debugging.
1140
1141When you can't reproduce a crash found by afl-fuzz, the most likely cause is
1142that you are not setting the same memory limit as used by the tool. Try:
1143
1144```shell
1145LIMIT_MB=50
1146( ulimit -Sv $[LIMIT_MB << 10]; /path/to/tested_binary ... )
1147```
1148
1149Change LIMIT_MB to match the -m parameter passed to afl-fuzz. On OpenBSD,
1150also change -Sv to -Sd.
1151
1152Any existing output directory can be also used to resume aborted jobs; try:
1153
1154```shell
1155./afl-fuzz -i- -o existing_output_dir [...etc...]
1156```
1157
1158If you have gnuplot installed, you can also generate some pretty graphs for any
1159active fuzzing task using afl-plot. For an example of how this looks like,
1160see [http://lcamtuf.coredump.cx/afl/plot/](http://lcamtuf.coredump.cx/afl/plot/).
1161
1162## Help: Crash triage
1163
1164The coverage-based grouping of crashes usually produces a small data set that
1165can be quickly triaged manually or with a very simple GDB or Valgrind script.
1166Every crash is also traceable to its parent non-crashing test case in the
1167queue, making it easier to diagnose faults.
1168
1169Having said that, it's important to acknowledge that some fuzzing crashes can be
1170difficult to quickly evaluate for exploitability without a lot of debugging and
1171code analysis work. To assist with this task, afl-fuzz supports a very unique
1172"crash exploration" mode enabled with the -C flag.
1173
1174In this mode, the fuzzer takes one or more crashing test cases as the input
1175and uses its feedback-driven fuzzing strategies to very quickly enumerate all
1176code paths that can be reached in the program while keeping it in the
1177crashing state.
1178
1179Mutations that do not result in a crash are rejected; so are any changes that
1180do not affect the execution path.
1181
1182The output is a small corpus of files that can be very rapidly examined to see
1183what degree of control the attacker has over the faulting address, or whether
1184it is possible to get past an initial out-of-bounds read - and see what lies
1185beneath.
1186
1187Oh, one more thing: for test case minimization, give afl-tmin a try. The tool
1188can be operated in a very simple way:
1189
1190```shell
1191./afl-tmin -i test_case -o minimized_result -- /path/to/program [...]
1192```
1193
1194The tool works with crashing and non-crashing test cases alike. In the crash
1195mode, it will happily accept instrumented and non-instrumented binaries. In the
1196non-crashing mode, the minimizer relies on standard afl++ instrumentation to make
1197the file simpler without altering the execution path.
1198
1199The minimizer accepts the -m, -t, -f and @@ syntax in a manner compatible with
1200afl-fuzz.
1201
1202Another tool in afl++ is the afl-analyze tool. It takes an input
1203file, attempts to sequentially flip bytes, and observes the behavior of the
1204tested program. It then color-codes the input based on which sections appear to
1205be critical, and which are not; while not bulletproof, it can often offer quick
1206insights into complex file formats. More info about its operation can be found
1207near the end of [docs/technical_details.md](docs/technical_details.md).
1208
1209## Going beyond crashes
1210
1211Fuzzing is a wonderful and underutilized technique for discovering non-crashing
1212design and implementation errors, too. Quite a few interesting bugs have been
1213found by modifying the target programs to call abort() when say:
1214
1215  - Two bignum libraries produce different outputs when given the same
1216    fuzzer-generated input,
1217
1218  - An image library produces different outputs when asked to decode the same
1219    input image several times in a row,
1220
1221  - A serialization / deserialization library fails to produce stable outputs
1222    when iteratively serializing and deserializing fuzzer-supplied data,
1223
1224  - A compression library produces an output inconsistent with the input file
1225    when asked to compress and then decompress a particular blob.
1226
1227Implementing these or similar sanity checks usually takes very little time;
1228if you are the maintainer of a particular package, you can make this code
1229conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
1230shared with libfuzzer and honggfuzz) or `#ifdef __AFL_COMPILER` (this one is
1231just for AFL).
1232
1233## Common-sense risks
1234
1235Please keep in mind that, similarly to many other computationally-intensive
1236tasks, fuzzing may put a strain on your hardware and on the OS. In particular:
1237
1238  - Your CPU will run hot and will need adequate cooling. In most cases, if
1239    cooling is insufficient or stops working properly, CPU speeds will be
1240    automatically throttled. That said, especially when fuzzing on less
1241    suitable hardware (laptops, smartphones, etc), it's not entirely impossible
1242    for something to blow up.
1243
1244  - Targeted programs may end up erratically grabbing gigabytes of memory or
1245    filling up disk space with junk files. afl++ tries to enforce basic memory
1246    limits, but can't prevent each and every possible mishap. The bottom line
1247    is that you shouldn't be fuzzing on systems where the prospect of data loss
1248    is not an acceptable risk.
1249
1250  - Fuzzing involves billions of reads and writes to the filesystem. On modern
1251    systems, this will be usually heavily cached, resulting in fairly modest
1252    "physical" I/O - but there are many factors that may alter this equation.
1253    It is your responsibility to monitor for potential trouble; with very heavy
1254    I/O, the lifespan of many HDDs and SSDs may be reduced.
1255
1256    A good way to monitor disk I/O on Linux is the 'iostat' command:
1257
1258```shell
1259    $ iostat -d 3 -x -k [...optional disk ID...]
1260```
1261
1262    Using the `AFL_TMPDIR` environment variable and a RAM-disk you can have the
1263    heavy writing done in RAM to prevent the aforementioned wear and tear. For
1264    example the following line will run a Docker container with all this preset:
1265
1266    ```shell
1267    # docker run -ti --mount type=tmpfs,destination=/ramdisk -e AFL_TMPDIR=/ramdisk aflplusplus/aflplusplus
1268    ```
1269
1270## Known limitations & areas for improvement
1271
1272Here are some of the most important caveats for AFL:
1273
1274  - afl++ detects faults by checking for the first spawned process dying due to
1275    a signal (SIGSEGV, SIGABRT, etc). Programs that install custom handlers for
1276    these signals may need to have the relevant code commented out. In the same
1277    vein, faults in child processes spawned by the fuzzed target may evade
1278    detection unless you manually add some code to catch that.
1279
1280  - As with any other brute-force tool, the fuzzer offers limited coverage if
1281    encryption, checksums, cryptographic signatures, or compression are used to
1282    wholly wrap the actual data format to be tested.
1283
1284    To work around this, you can comment out the relevant checks (see
1285    utils/libpng_no_checksum/ for inspiration); if this is not possible,
1286    you can also write a postprocessor, one of the hooks of custom mutators.
1287    See [docs/custom_mutators.md](docs/custom_mutators.md) on how to use
1288    `AFL_CUSTOM_MUTATOR_LIBRARY`
1289
1290  - There are some unfortunate trade-offs with ASAN and 64-bit binaries. This
1291    isn't due to any specific fault of afl-fuzz; see [docs/notes_for_asan.md](docs/notes_for_asan.md)
1292    for tips.
1293
1294  - There is no direct support for fuzzing network services, background
1295    daemons, or interactive apps that require UI interaction to work. You may
1296    need to make simple code changes to make them behave in a more traditional
1297    way. Preeny may offer a relatively simple option, too - see:
1298    [https://github.com/zardus/preeny](https://github.com/zardus/preeny)
1299
1300    Some useful tips for modifying network-based services can be also found at:
1301    [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
1302
1303  - Occasionally, sentient machines rise against their creators. If this
1304    happens to you, please consult [http://lcamtuf.coredump.cx/prep/](http://lcamtuf.coredump.cx/prep/).
1305
1306Beyond this, see INSTALL for platform-specific tips.
1307
1308## Special thanks
1309
1310Many of the improvements to the original afl and afl++ wouldn't be possible
1311without feedback, bug reports, or patches from:
1312
1313```
1314  Jann Horn                             Hanno Boeck
1315  Felix Groebert                        Jakub Wilk
1316  Richard W. M. Jones                   Alexander Cherepanov
1317  Tom Ritter                            Hovik Manucharyan
1318  Sebastian Roschke                     Eberhard Mattes
1319  Padraig Brady                         Ben Laurie
1320  @dronesec                             Luca Barbato
1321  Tobias Ospelt                         Thomas Jarosch
1322  Martin Carpenter                      Mudge Zatko
1323  Joe Zbiciak                           Ryan Govostes
1324  Michael Rash                          William Robinet
1325  Jonathan Gray                         Filipe Cabecinhas
1326  Nico Weber                            Jodie Cunningham
1327  Andrew Griffiths                      Parker Thompson
1328  Jonathan Neuschaefer                  Tyler Nighswander
1329  Ben Nagy                              Samir Aguiar
1330  Aidan Thornton                        Aleksandar Nikolich
1331  Sam Hakim                             Laszlo Szekeres
1332  David A. Wheeler                      Turo Lamminen
1333  Andreas Stieger                       Richard Godbee
1334  Louis Dassy                           teor2345
1335  Alex Moneger                          Dmitry Vyukov
1336  Keegan McAllister                     Kostya Serebryany
1337  Richo Healey                          Martijn Bogaard
1338  rc0r                                  Jonathan Foote
1339  Christian Holler                      Dominique Pelle
1340  Jacek Wielemborek                     Leo Barnes
1341  Jeremy Barnes                         Jeff Trull
1342  Guillaume Endignoux                   ilovezfs
1343  Daniel Godas-Lopez                    Franjo Ivancic
1344  Austin Seipp                          Daniel Komaromy
1345  Daniel Binderman                      Jonathan Metzman
1346  Vegard Nossum                         Jan Kneschke
1347  Kurt Roeckx                           Marcel Boehme
1348  Van-Thuan Pham                        Abhik Roychoudhury
1349  Joshua J. Drake                       Toby Hutton
1350  Rene Freingruber                      Sergey Davidoff
1351  Sami Liedes                           Craig Young
1352  Andrzej Jackowski                     Daniel Hodson
1353  Nathan Voss                           Dominik Maier
1354  Andrea Biondo                         Vincent Le Garrec
1355  Khaled Yakdan                         Kuang-che Wu
1356  Josephine Calliotte                   Konrad Welc
1357  Thomas Rooijakkers                    David Carlier
1358  Ruben ten Hove                        Joey Jiao
1359  fuzzah
1360```
1361
1362Thank you!
1363(For people sending pull requests - please add yourself to this list :-)
1364
1365## Cite
1366
1367If you use AFLpluplus to compare to your work, please use either `afl-clang-lto`
1368or `afl-clang-fast` with `AFL_LLVM_CMPLOG=1` for building targets and
1369`afl-fuzz` with the command line option `-l 2` for fuzzing.
1370The most effective setup is the `aflplusplus` default configuration on Google's [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).
1371
1372If you use AFLplusplus in scientific work, consider citing [our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi) presented at WOOT'20:
1373
1374+ Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.
1375
1376Bibtex:
1377
1378```bibtex
1379@inproceedings {AFLplusplus-Woot20,
1380	author = {Andrea Fioraldi and Dominik Maier and Heiko Ei{\ss}feldt and Marc Heuse},
1381	title = {{AFL++}: Combining Incremental Steps of Fuzzing Research},
1382	booktitle = {14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},
1383	year = {2020},
1384	publisher = {{USENIX} Association},
1385	month = aug,
1386}
1387```
1388
1389## Contact
1390
1391Questions? Concerns? Bug reports? The contributors can be reached via
1392[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
1393
1394There is also a mailing list for the afl/afl++ project; to join, send a mail to
1395<afl-users+subscribe@googlegroups.com>. Or, if you prefer to browse archives
1396first, try: [https://groups.google.com/group/afl-users](https://groups.google.com/group/afl-users)
1397
1398