/*
   american fuzzy lop - vaguely configurable bits
   ----------------------------------------------

   Written and maintained by Michal Zalewski <lcamtuf@google.com>

   Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:

     http://www.apache.org/licenses/LICENSE-2.0

 */

/* Include guard. NOTE(review): an identifier starting with an underscore
   followed by an uppercase letter is reserved for the implementation in C.
   The name is kept as-is because other translation units may test it. */

#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H

#include "types.h"

/* Version string: */

#define VERSION             "2.52b"

/******************************************************
 *                                                    *
 *  Settings that may be of interest to power users:  *
 *                                                    *
 ******************************************************/

/* Comment out to disable terminal colors (note that this makes afl-analyze
   a lot less nice): */

#define USE_COLOR

/* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */

#define FANCY_BOXES

/* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */

#define EXEC_TIMEOUT        1000

/* Timeout rounding factor when auto-scaling (milliseconds): */

#define EXEC_TM_ROUND       20

/* Default memory limit for child process (MB). The 64-bit default is higher
   because pointers and allocator metadata roughly double in size: */

#ifndef __x86_64__
#  define MEM_LIMIT         25
#else
#  define MEM_LIMIT         50
#endif /* ^!__x86_64__ */

/* Default memory limit when running in QEMU mode (MB): */

#define MEM_LIMIT_QEMU      200

/* Number of calibration cycles per every new test case (and for test
   cases that show variable behavior): */

#define CAL_CYCLES          8
#define CAL_CYCLES_LONG     40

/* Number of subsequent timeouts before abandoning an input file: */

#define TMOUT_LIMIT         250

/* Maximum number of unique hangs or crashes to record: */

#define KEEP_UNIQUE_HANG    500
#define KEEP_UNIQUE_CRASH   5000

/* Baseline number of random tweaks during a single 'havoc' stage: */

#define HAVOC_CYCLES        256
#define HAVOC_CYCLES_INIT   1024

/* Maximum multiplier for the above (should be a power of two, beware
   of 32-bit int overflows): */

#define HAVOC_MAX_MULT      16

/* Absolute minimum number of havoc cycles (after all adjustments): */

#define HAVOC_MIN           16

/* Maximum stacking for havoc-stage tweaks. The actual value is calculated
   like this:

   n = random between 1 and HAVOC_STACK_POW2
   stacking = 2^n

   In other words, the default (n = 7) produces 2, 4, 8, 16, 32, 64, or
   128 stacked tweaks: */

#define HAVOC_STACK_POW2    7

/* Caps on block sizes for cloning and deletion operations. Each of these
   ranges has a 33% probability of getting picked, except for the first
   two cycles where smaller blocks are favored: */

#define HAVOC_BLK_SMALL     32
#define HAVOC_BLK_MEDIUM    128
#define HAVOC_BLK_LARGE     1500

/* Extra-large blocks, selected very rarely (<5% of the time): */

#define HAVOC_BLK_XL        32768

/* Probabilities of skipping non-favored entries in the queue, expressed as
   percentages: */

#define SKIP_TO_NEW_PROB    99 /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB  95 /* ...no new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB  75 /* ...no new favs, cur entry not fuzzed yet */

/* Splicing cycle count: */

#define SPLICE_CYCLES       15

/* Nominal per-splice havoc cycle length: */

#define SPLICE_HAVOC        32

/* Maximum offset for integer addition / subtraction stages: */

#define ARITH_MAX           35

/* Limits for the test case trimmer. The absolute minimum chunk size; and
   the starting and ending divisors for chopping up the input file: */

#define TRIM_MIN_BYTES      4
#define TRIM_START_STEPS    16
#define TRIM_END_STEPS      1024

/* Maximum size of input file, in bytes (keep under 100MB). This is the
   upper bound on what the fuzzer will read from disk for a single test
   case: */

#define MAX_FILE            (1 * 1024 * 1024)

/* The same, for the test case minimizer: */

#define TMIN_MAX_FILE       (10 * 1024 * 1024)

/* Block normalization steps for afl-tmin: */

#define TMIN_SET_MIN_SIZE   4
#define TMIN_SET_STEPS      128

/* Maximum dictionary token size (-x), in bytes: */

#define MAX_DICT_FILE       128

/* Length limits for auto-detected dictionary tokens: */

#define MIN_AUTO_EXTRA      3
#define MAX_AUTO_EXTRA      32

/* Maximum number of user-specified dictionary tokens to use in deterministic
   steps; past this point, the "extras/user" step will be still carried out,
   but with proportionally lower odds: */

#define MAX_DET_EXTRAS      200

/* Maximum number of auto-extracted dictionary tokens to actually use in fuzzing
   (first value), and to keep in memory as candidates. The latter should be much
   higher than the former. */

#define USE_AUTO_EXTRAS     50
#define MAX_AUTO_EXTRAS     (USE_AUTO_EXTRAS * 10)

/* Scaling factor for the effector map used to skip some of the more
   expensive deterministic steps. The actual divisor is set to
   2^EFF_MAP_SCALE2 bytes: */

#define EFF_MAP_SCALE2      3

/* Minimum input file length at which the effector logic kicks in: */

#define EFF_MIN_LEN         128

/* Maximum effector density past which everything is just fuzzed
   unconditionally (%): */

#define EFF_MAX_PERC        90

/* UI refresh frequency (Hz): */

#define UI_TARGET_HZ        5

/* Fuzzer stats file and plot update intervals (sec): */

#define STATS_UPDATE_SEC    60
#define PLOT_UPDATE_SEC     5

/* Smoothing divisor for CPU load and exec speed stats (1 - no smoothing). */

#define AVG_SMOOTHING       16

/* Sync interval (every n havoc cycles): */

#define SYNC_INTERVAL       5

/* Output directory reuse grace period (minutes): */

#define OUTPUT_GRACE        25

/* Uncomment to use simple file names (id_NNNNNN): */

// #define SIMPLE_FILES

/* List of interesting values to use in fuzzing. Each list is meant to be
   pasted into an array initializer; the entries are chosen to sit on or
   just past integer-type boundaries and common buffer sizes. */

#define INTERESTING_8 \
  -128,          /* Overflow signed 8-bit when decremented  */ \
  -1,            /*                                         */ \
   0,            /*                                         */ \
   1,            /*                                         */ \
   16,           /* One-off with common buffer size         */ \
   32,           /* One-off with common buffer size         */ \
   64,           /* One-off with common buffer size         */ \
   100,          /* One-off with common buffer size         */ \
   127           /* Overflow signed 8-bit when incremented  */

#define INTERESTING_16 \
  -32768,        /* Overflow signed 16-bit when decremented */ \
  -129,          /* Overflow signed 8-bit                   */ \
   128,          /* Overflow signed 8-bit                   */ \
   255,          /* Overflow unsig 8-bit when incremented   */ \
   256,          /* Overflow unsig 8-bit                    */ \
   512,          /* One-off with common buffer size         */ \
   1000,         /* One-off with common buffer size         */ \
   1024,         /* One-off with common buffer size         */ \
   4096,         /* One-off with common buffer size         */ \
   32767         /* Overflow signed 16-bit when incremented */

/* The LL suffix on the first entry below matters: 2147483648 does not fit
   in a 32-bit int, so the literal is typed as a 64-bit value before the
   unary minus is applied. */

#define INTERESTING_32 \
  -2147483648LL, /* Overflow signed 32-bit when decremented */ \
  -100663046,    /* Large negative number (endian-agnostic) */ \
  -32769,        /* Overflow signed 16-bit                  */ \
   32768,        /* Overflow signed 16-bit                  */ \
   65535,        /* Overflow unsig 16-bit when incremented  */ \
   65536,        /* Overflow unsig 16 bit                   */ \
   100663045,    /* Large positive number (endian-agnostic) */ \
   2147483647    /* Overflow signed 32-bit when incremented */

/***********************************************************
 *                                                         *
 *  Really exotic stuff you probably don't want to touch:  *
 *                                                         *
 ***********************************************************/

/* Call count interval between reseeding the libc PRNG from /dev/urandom: */

#define RESEED_RNG          10000

/* Maximum line length passed from GCC to 'as' and used for parsing
   configuration files: */

#define MAX_LINE            8192

/* Environment variable used to pass SHM ID to the called program. */

#define SHM_ENV_VAR         "__AFL_SHM_ID"

/* Other less interesting, internal-only variables. */

#define CLANG_ENV_VAR       "__AFL_CLANG_MODE"
#define AS_LOOP_ENV_VAR     "__AFL_AS_LOOPCHECK"
#define PERSIST_ENV_VAR     "__AFL_PERSISTENT"
#define DEFER_ENV_VAR       "__AFL_DEFER_FORKSRV"

/* In-code signatures for deferred and persistent mode. */

#define PERSIST_SIG         "##SIG_AFL_PERSISTENT##"
#define DEFER_SIG           "##SIG_AFL_DEFER_FORKSRV##"

/* Distinctive bitmap signature used to indicate failed execution: */

#define EXEC_FAIL_SIG       0xfee1dead

/* Distinctive exit code used to indicate MSAN trip condition: */

#define MSAN_ERROR          86

/* Designated file descriptors for forkserver commands (the application will
   use FORKSRV_FD and FORKSRV_FD + 1): */

#define FORKSRV_FD          198

/* Fork server init timeout multiplier: we'll wait the user-selected
   timeout plus this much for the fork server to spin up. */

#define FORK_WAIT_MULT      10

/* Calibration timeout adjustments, to be a bit more generous when resuming
   fuzzing sessions or trying to calibrate already-added internal finds.
   The first value is a percentage, the other is in milliseconds: */

#define CAL_TMOUT_PERC      125
#define CAL_TMOUT_ADD       50

/* Number of chances to calibrate a case before giving up: */

#define CAL_CHANCES         3

/* Map size for the traced binary (2^MAP_SIZE_POW2). Must be greater than
   2; you probably want to keep it under 18 or so for performance reasons
   (adjusting AFL_INST_RATIO when compiling is probably a better way to solve
   problems with complex programs). You need to recompile the target binary
   after changing this - otherwise, SEGVs may ensue.

   MAP_SIZE is an int expression, so MAP_SIZE_POW2 must also stay below 31
   to avoid a left-shift overflow. */

#define MAP_SIZE_POW2       16
#define MAP_SIZE            (1 << MAP_SIZE_POW2)

/* Maximum allocator request size (keep well under INT_MAX): */

#define MAX_ALLOC           0x40000000

/* A made-up hashing seed. Fixed and public by design - it only needs to
   spread hash values, not to be unpredictable: */

#define HASH_CONST          0xa5b35705

/* Constants for afl-gotcpu to control busy loop timing: */

#define CTEST_TARGET_MS     5000
#define CTEST_CORE_TRG_MS   1000
#define CTEST_BUSY_CYCLES   (10 * 1000 * 1000)

/* Uncomment this to use inferior block-coverage-based instrumentation. Note
   that you need to recompile the target binary for this to have any effect: */

// #define COVERAGE_ONLY

/* Uncomment this to ignore hit counts and output just one bit per tuple.
   As with the previous setting, you will need to recompile the target
   binary: */

// #define SKIP_COUNTS

/* Uncomment this to use instrumentation data to record newly discovered paths,
   but do not use them as seeds for fuzzing. This is useful for conveniently
   measuring coverage that could be attained by a "dumb" fuzzing algorithm: */

// #define IGNORE_FINDS

#endif /* ! _HAVE_CONFIG_H */