AFLplusplus Versions Save

Version ++4.20c (release)

! A new forkserver communication model is now introduced. afl-fuzz is backward compatible to old compiled targets if they are not built for CMPLOG/Redqueen, but new compiled targets will not work with old afl-fuzz versions! ! Recompile all targets that are instrumented for CMPLOG/Redqueen!

• AFL++ now supports up to 4 billion coverage edges, up from 6 million.
• New compile option: make PERFORMANCE=1 - this will enable special CPU dependent optimizations that make everything more performant - but the binaries will likely won't work on different platforms. Also enables a faster hasher if the CPU requirements are met.
• The persistent record feature (see config.h) was expanded to also support replay, thanks to @quarta-qti !
• afl-fuzz:
  • the new deterministic fuzzing feature is now activated by default, deactivate with -z. Parameters -d and -D are ignored.
  • small improvements to CMPLOG/redqueen
  • workround for a bug with MOpt -L when used with -M - in the future we will either remove or rewrite MOpt.
  • fix for -t xxx+ feature
  • -e extension option now saves the queue items, crashes, etc. with the extension too
  • fixes for trimmming, correct -V time and reading stats on resume by eqv thanks a lot!
• afl-cc:
  • added collision free caller instrumentation to LTO mode. activate with AFL_LLVM_LTO_CALLER=1. You can set a max depth to go through single block functions with AFL_LLVM_LTO_CALLER_DEPTH (default 0)
  • fixes for COMPCOV/LAF and most other modules
  • fix for GCC_PLUGIN cmplog that broke on std::strings
• afl-whatsup:
  • now also displays current average speed
  • small bugfixes
• Fixes for aflpp custom mutator and standalone tool
• Minor edits to afl-persistent-config
• Prevent temporary files being left behind on aborted afl-whatsup
• More CPU benchmarks added to benchmark/

Version ++4.10c (release)

• afl-fuzz:
  • default power schedule is now EXPLORE, due a fix in fast schedules explore is slightly better now.
  • fixed minor issues in the mutation engine, thanks to @futhewo for reporting!
  • better deterministic fuzzing is now available, benchmarks have shown to improve fuzzing. Enable with -D. Thanks to @kdsjZh for the PR!
• afl-cc:
  • large rewrite by @SonicStark which fixes a few corner cases, thanks!
  • LTO mode now requires llvm 12+
  • workaround for ASAN with gcc_plugin mode
• instrumentation:
  • LLVM 18 support, thanks to @devnexen!
  • Injection (SQL, LDAP, XSS) fuzzing feature now available, see instrumentation/README.injections.md how to activate/use/expand.
  • compcov/LAF-intel:
    • floating point splitting bug fix by @hexcoder
    • due a bug in LLVM 17 integer splitting is disabled there!
    • when splitting floats was selected, integers were always split as well, fixed to require AFL_LLVM_LAF_SPLIT_COMPARES or _ALL as it should
  • dynamic instrumentation filtering for LLVM NATIVE, thanks @Mozilla! see utils/dynamic_covfilter/README.md
• qemu_mode:
  • plugins are now activated by default and a new module is included that produces drcov compatible traces for lighthouse/lightkeeper/... thanks to @JRomainG to submitting!
• updated Nyx checkout (fixes a bug) and some QOL
• updated the custom grammar mutator
• document afl-cmin does not work on macOS (but afl-cmin.bash does)

Version ++4.09c (release)

• afl-fuzz:
  • fixed the new mutation implementation for two bugs
  • added AFL_FINAL_SYNC which forces a final fuzzer sync (also for -F) before terminating.
  • added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead of exiting with an error message
  • allow -S/-M naming up to 50 characters (from 24)
  • CMPLOG:
    • added scale support (-l S)
    • skip unhelpful insertions (u8)
  • added --version and --help command line parameters
  • fixed endless loop when reading malformed dictionaries
  • new custom mutator function: post_run - thanks to yangzao!
• afl-whatsup:
  • detect instanced that are starting up and show them as such as not dead
  • now also shows coverage reached
  • option -m shows only very relevant stats
  • option -n will not use color in the output
• instrumentation:
  • fix for a few string compare transform functions for LAF
  • we are instrumenting __cxx internal functions again. this might break a few targets, please report if so.
• frida_mode:
  • fixes support for large map offsets
• support for AFL_FUZZER_LOOPCOUNT for afl.rs and LLVMFuzzerTestOneInput
• afl-cmin/afl-cmin.bash: prevent unneeded file errors
• added new tool afl-addseeds that adds new seeds to a running campaign
• added benchmark/benchmark.py if you want to see how good your fuzzing speed is in comparison to other setups.

Version ++4.08c (release)

• afl-fuzz:

  • new mutation engine: mutations that favor discovery more paths are prefered until no new finds for 10 minutes then switching to mutations that favor triggering crashes. Modes and switch time can be configured with -P. Also input mode for the target can be defined with -a to be text or binary (defaults to generic)
  • new custom mutator that has the new afl++ engine (so it can easily incorporated into new custom mutators), and also comes with a standalone command line tool! See custom_mutators/aflpp/standalone/
  • display the state of the fuzzing run in the UI :-)
  • fix timeout setting if '+' is used or a session is restarted
  • -l X option to enable base64 transformation solving
  • allow to disable CMPLOG with '-c -' (e.g. afl.rs enforces '-c 0' on every instance which is counterproductive).

• afl-cmin/afl-cmin.bash:

  • fixed a bug inherited from vanilla AFL where a coverage of map[123] = 11 would be the same as map[1123] = 1
  • warn on crashing inputs
  • adjust threads if less inputs than threads specified

• afl-cc:

  • fixed an off-by-one instrumentation of iselect, hurting coverage a bit. Thanks to @amykweon for spotting and fixing!
  • @toka fixed a bug in laf-intel signed integer comparison splitting, thanks a lot!!
  • more LLVM compatability

• frida_mode:

  • support for long form instrumentation on x86_x64 and arm64
  • renamed utils/get_symbol_addr.sh to utils/frida_get_symbol_addr.sh

• qemu_mode:

  • added qemu_mode/utils/qemu_get_symbol_addr.sh

Version ++4.07c (release)

• afl-fuzz:
  • reverse reading the seeds only on restarts (increases performance)
  • new env AFL_POST_PROCESS_KEEP_ORIGINAL to keep the orignal data before post process on finds (for atnwalk custom mutator)
  • new env AFL_IGNORE_PROBLEMS_COVERAGE to ignore coverage from loaded libs after forkserver initialization (required by Mozilla)
• afl-cc:
  • added @responsefile support
  • new env AFL_LLVM_LTO_SKIPINIT to support the AFL++ based WASM (https://github.com/fgsect/WAFL) project
  • error and print help if afl-clan-lto is used with lto=thin
  • rewrote our PCGUARD pass to be compatible with LLVM 15+ shenanigans, requires LLVM 13+ now instead of 10.0.1+
  • fallback to native LLVM PCGUARD if our PCGUARD is unavailable
  • fixed a crash in GCC CMPLOG
• afl-showmap:
  • added custom mutator post_process and send support
  • add -I filelist option, an alternative to -i in_dir
• afl-cmin + afl-cmin.bash:
  • -T threads parallel task support, can be a huge speedup!
• qemu_mode:
  • Persistent mode + QASAN support for ppc32 targets by @worksbutnottested
• a new grammar custom mutator atnwalk was submitted by @voidptr127 !
• two new custom mutators are now available:
  • TritonDSE in custom_mutators/aflpp_tritondse
  • SymQEMU in custom_mutators/symqemu

Version ++4.06c (release)

• afl-fuzz:
  • ensure temporary file descriptor is closed when not used
  • added AFL_NO_WARN_INSTABILITY
  • added time_wo_finds to fuzzer_stats
  • fixed a crash in pizza (1st april easter egg) mode. Sorry for everyone who was affected!
  • allow pizza mode to be disabled when AFL_PIZZA_MODE is set to -1
  • option -p mmopt now also selects new queue items more often
  • fix bug in post_process custom mutator implementation
  • print name of custom mutator in UI
  • slight changes that improve fuzzer performance
• afl-cc:
  • add CFI sanitizer variant to gcc targets
  • llvm 16 + 17 support (thanks to @devnexen!)
  • support llvm 15 native pcguard changes
  • support for LLVMFuzzerTestOneInput -1 return
  • LTO autoken and llvm_mode: added AFL_LLVM_DICT2FILE_NO_MAIN support
• qemu_mode:
  • fix _RANGES envs to allow hyphens in the filenames
  • basic riscv support
• frida_mode:
  • added AFL_FRIDA_STATS_INTERVAL
  • fix issue on MacOS
• unicorn_mode:
  • updated and minor issues fixed
• nyx_mode support for all tools
• better sanitizer default options support for all tools
• new custom module: autotoken, a grammar free fuzzer for text inputs
• fixed custom mutator C examples
• more minor fixes and cross-platform support

Version ++4.05c (release)

• MacOS: libdislocator, libtokencap etc. do not work with modern MacOS anymore, but could be patched to work, see this issue if you want to make the effort and send a PR: https://github.com/AFLplusplus/AFLplusplus/issues/1594
• afl-fuzz:
  • added afl_custom_fuzz_send custom mutator feature. Now your can send fuzz data to the target as you need, e.g. via IPC.
  • cmplog mode now has a -l R option for random colorization, thanks to guyf2010 for the PR!
  • queue statistics are written every 30 minutes to out/NAME/queue_data if compiled with INTROSPECTION
  • new env: AFL_FORK_SERVER_KILL_SIGNAL
• afl-showmap/afl-cmin
  • -t none now translates to -t 120000 (120 seconds)
• unicorn_mode updated
• updated rust custom mutator dependencies and LibAFL custom mutator
• several minor bugfixes

Version ++4.04c (release)

• fix gramatron and grammar_mutator build scripts
• enhancements to the afl-persistent-config and afl-system-config scripts
• afl-fuzz:
  • force writing all stats on exit
• afl-cc:
  • make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
• qemu_mode:
  • fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for reporting!
  • added qemu_mode/fastexit helper library
• unicorn_mode:
  • Enabled tricore arch (by @jma-qb)
  • Updated Capstone version in Rust bindings
• llvm-mode:
  • AFL runtime will always pass inputs via shared memory, when possible, ignoring the command line.

Version ++4.03c (release)

• Building now gives a build summary what succeeded and what not
• afl-fuzz:
  • added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead of calibrating all initial seeds first. Good for large queues and long execution times, especially in CIs.
  • default calibration cycles set to 7 from 8, and only add 5 cycles to variables queue items instead of 12.
• afl-cc:
  • fixed off-by-one bug in our pcguard implemenation, thanks for @tokatoka for reporting
  • fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
  • better handling of -fsanitize=..,...,.. lists
  • support added for LLVMFuzzerRunDriver()
  • fix gcc_mode cmplog
  • obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1 note that this will exit the target before main()
• qemu_mode:
  • added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable edges (together with AFL_DEBUG=1 afl-fuzz). thanks to worksbutnottested!
• afl-analyze broke at some point, fix by CodeLogicError, thank you!
• afl-cmin/afl-cmin.bash now have an -A option to allow also crashing and timeout inputs
• unicorn_mode:
  • updated upstream unicorn version
  • fixed builds for aarch64
  • build now uses all available cores

Version ++4.02c (release)

• afl-cc:
  • important fix for the default pcguard mode when LLVM IR vector selects are produced, thanks to @juppytt for reporting!
• gcc_plugin:
  • Adacore submitted CMPLOG support to the gcc_plugin! :-)
• llvm_mode:
  • laf cmp splitting fixed for more comparison types
• frida_mode:
  • now works on Android!
• afl-fuzz:
  • change post_process hook to allow returning NULL and 0 length to tell afl-fuzz to skip this mutated input