AFLplusplus Versions Save

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

4.01c

1 year ago

Version ++4.01c (release)

fixed */build_...sh scripts to work outside of git
new custom_mutator: libafl with token fuzzing :)
afl-fuzz:
- when you just want to compile once and set CMPLOG, then just set -c 0 to tell afl-fuzz that the fuzzing binary is also for CMPLOG.
- new commandline options -g/G to set min/max length of generated fuzz inputs
- you can set the time for syncing to other fuzzer now with AFL_SYNC_TIME
- reintroduced AFL_PERSISTENT and AFL_DEFER_FORKSRV to allow persistent mode and manual forkserver support if these are not in the target binary (e.g. are in a shared library)
- add AFL_EARLY_FORKSERVER to install the forkserver as earliest as possible in the target (for afl-gcc-fast/afl-clang-fast/ afl-clang-lto)
- "saved timeouts" was wrong information, timeouts are still thrown away by default even if they have new coverage (hangs are always kept), unless AFL_KEEP_TIMEOUTS are set
- AFL never implemented auto token inserts (but user token inserts, user token overwrite and auto token overwrite), added now!
- fixed a mutation type in havoc mode
- Mopt fix to always select the correct algorithm
- fix effector map calculation (deterministic mode)
- fix custom mutator post_process functionality
- document and auto-activate pizza mode on condition
afl-cc:
- due a bug in lld of llvm 15 LTO instrumentation wont work atm :-(
- converted all passed to use the new llvm pass manager for llvm 11+
- AFL++ PCGUARD mode is not available for 10.0.1 anymore (11+ only)
- trying to stay on top on all these #$&§!! changes in llvm 15 ...
frida_mode:
- update to new frida release, handles now c++ throw/catch
unicorn_mode:
- update unicorn engine, fix C example
utils:
- removed optimin because it looses coverage due to a bug and is unmaintained :-(

4.00c

2 years ago

Version ++4.00c (release)

complete documentation restructuring, made possible by Google Season of Docs :) thank you Jana!
we renamed several UI and fuzzer_stat entries to be more precise, e.g. "unique crashes" -> "saved crashes", "total paths" -> "corpus count", "current path" -> "current item". This might need changing custom scripting!
Nyx mode (full system emulation with snapshot capability) has been added - thanks to @schumilo and @eqv!
unicorn_mode:
- Moved to unicorn2! by Ziqiao Kong (@lazymio)
- Faster, more accurate emulation (newer QEMU base), risc-v support
- removed indirections in rust callbacks
new binary-only fuzzing mode: coresight_mode for aarch64 CPUs :) thanks to RICSecLab submitting!
if instrumented libaries are dlopen()'ed after the forkserver you will now see a crash. Before you would have colliding coverage. We changed this to force fixing a broken setup rather then allowing ineffective fuzzing. See docs/best_practices.md how to fix such setups.
afl-fuzz:
- cmplog binaries will need to be recompiled for this version (it is better!)
- fix a regression introduced in 3.10 that resulted in less coverage being detected. thanks to Collin May for reporting!
- ensure all spawned targets are killed on exit
- added AFL_IGNORE_PROBLEMS, plus checks to identify and abort on incorrect LTO usage setups and enhanced the READMEs for better information on how to deal with instrumenting libraries
- fix -n dumb mode (nobody should use this mode though)
- fix stability issue with LTO and cmplog
- better banner
- more effective cmplog mode
- more often update the UI when in input2stage mode
qemu_mode/unicorn_mode: fixed OOB write when using libcompcov, thanks to kotee4ko for reporting!
frida_mode:
- better performance, bug fixes
- David Carlier added Android support :)
afl-showmap, afl-tmin and afl-analyze:
- honor persistent mode for more speed. thanks to dloffre-snl for reporting!
- fix bug where targets are not killed on timeouts
- moved hidden afl-showmap -A option to -H to be used for coresight_mode
Prevent accidentaly killing non-afl/fuzz services when aborting afl-showmap and other tools.
afl-cc:
- detect overflow reads on initial input buffer for asan
- new cmplog mode (incompatible with older afl++ versions)
- support llvm IR select instrumentation for default PCGUARD and LTO
- fix for shared linking on MacOS
- better selective instrumentation AFL_LLVM_{ALLOW|DENY}LIST on filename matching (requires llvm 11 or newer)
- fixed a potential crash in targets for LAF string handling
- fixed a bad assert in LAF split switches
- added AFL_USE_TSAN thread sanitizer support
- llvm and LTO mode modified to work with new llvm 14-dev (again.)
- fix for AFL_REAL_LD
- more -z defs filtering
- make -v without options work
added the very good grammar mutator "GramaTron" to the custom_mutators
added optimin, a faster and better corpus minimizer by Adrian Herrera. Thank you!
added afl-persistent-config script to set perform permanent system configuration settings for fuzzing, for Linux and Macos. thanks to jhertz!
added xml, curl & exotic string functions to llvm dictionary feature
fix AFL_PRELOAD issues on MacOS
removed utils/afl_frida because frida_mode/ is now so much better
added uninstall target to makefile (todo: update new readme!)

3.14c

2 years ago

Version ++3.14c (release)

afl-fuzz:
- fix -F when a '/' was part of the parameter
- fixed a crash for cmplog for very slow inputs
- fix for AFLfast schedule counting
- removed implied -D determinstic from -M main
- if the target becomes unavailable check out out/default/error.txt for an indicator why
- AFL_CAL_FAST was a dead env, now does the same as AFL_FAST_CAL
- reverse read the queue on resumes (more effective)
- fix custom mutator trimming
afl-cc:
- Update to COMPCOV/laf-intel that speeds up the instrumentation process a lot - thanks to Michael Rodler/f0rki for the PR!
- Fix for failures for some sized string instrumentations
- Fix to instrument global namespace functions in c++
- Fix for llvm 13
- support partial linking
- do honor AFL_LLVM_{ALLOW/DENY}LIST for LTO autodictionary and DICT2FILE
- We do support llvm versions from 3.8 to 5.0 again
frida_mode:
- several fixes for cmplog
- remove need for AFL_FRIDA_PERSISTENT_RETADDR_OFFSET
- less coverage collision
- feature parity of aarch64 with intel now (persistent, cmplog, in-memory testcases, asan)
afl-cmin and afl-showmap -i do now descend into subdirectories (like afl-fuzz does) - note that afl-cmin.bash does not!
afl_analyze:
- fix timeout handling
- add forkserver support for better performance
ensure afl-compiler-rt is built for gcc_module
always build aflpp_driver for libfuzzer harnesses
added AFL_NO_FORKSRV env variable support to afl-cmin, afl-tmin, and afl-showmap, by @jhertz
removed outdated documents, improved existing documentation

3.13c

2 years ago

Version ++3.13c (release)

Note: plot_data switched to relative time from unix time in 3.10
frida_mode - new mode that uses frida to fuzz binary-only targets, it currently supports persistent mode and cmplog. thanks to @WorksButNotTested!
create a fuzzing dictionary with the help of CodeQL thanks to @microsvuln! see utils/autodict_ql
afl-fuzz:
- added patch by @realmadsci to support @@ as part of command line options, e.g. afl-fuzz ... -- ./target --infile=@@
- add recording of previous fuzz attempts for persistent mode to allow replay of non-reproducable crashes, see AFL_PERSISTENT_RECORD in config.h and docs/envs.h
- fixed a bug when trimming for stdin targets
- cmplog -l: default cmplog level is now 2, better efficiency. level 3 now performs redqueen on everything. use with care.
- better fuzzing strategy yield display for enabled options
- ensure one fuzzer sync per cycle
- fix afl_custom_queue_new_entry original file name when syncing from fuzzers
- fixed a crash when more than one custom mutator was used together with afl_custom_post_process
- on a crashing seed potentially the wrong input was disabled
- added AFL_EXIT_ON_SEED_ISSUES env that will exit if a seed in -i dir crashes the target or results in a timeout. By default afl++ ignores these and uses them for splicing instead.
- added AFL_EXIT_ON_TIME env that will make afl-fuzz exit fuzzing after no new paths have been found for n seconds
- when AFL_FAST_CAL is set a variable path will now be calibrated 8 times instead of originally 40. Long calibration is now 20.
- added AFL_TRY_AFFINITY to try to bind to CPUs but don't error if it fails
afl-cc:
- We do not support llvm versions prior 6.0 anymore
- added thread safe counters to all modes (AFL_LLVM_THREADSAFE_INST), note that this disables NeverZero counters.
- Fix for -pie compiled binaries with default afl-clang-fast PCGUARD
- Leak Sanitizer (AFL_USE_LSAN) added by Joshua Rogers, thanks!
- Removed InsTrim instrumentation as it is not as good as PCGUARD
- Removed automatic linking with -lc++ for LTO mode
- Fixed a crash in llvm dict2file when a strncmp length was -1
- added --afl-noopt support
utils/aflpp_driver:
- aflpp_qemu_driver_hook fixed to work with qemu_mode
- aflpp_driver now compiled with -fPIC
unicornafl:
- fix MIPS delay slot caching, thanks @JackGrence
- fixed aarch64 exit address
- execution no longer stops at address 0x0
updated afl-system-config to support Arch Linux weirdness and increase MacOS shared memory
updated the grammar custom mutator to the newest version
add -d (add dead fuzzer stats) to afl-whatsup
added AFL_PRINT_FILENAMES to afl-showmap/cmin to print the current filename
afl-showmap/cmin will now process queue items in alphabetical order

3.12c

3 years ago

Version ++3.12c (release)

afl-fuzz:
- added AFL_TARGET_ENV variable to pass extra env vars to the target (for things like LD_LIBRARY_PATH)
- fix map detection, AFL_MAP_SIZE not needed anymore for most cases
- fix counting favorites (just a display thing)
afl-cc:
- fix cmplog rtn (rare crash and not being able to gather ptr data)
- fix our own PCGUARD implementation to compile with llvm 10.0.1
- link runtime not to shared libs
- ensure shared libraries are properly built and instrumented
- AFL_LLVM_INSTRUMENT_ALLOW/DENY were not implemented for LTO, added
- show correct LLVM PCGUARD NATIVE mode when auto switching to it and keep fsanitize-coverage-*list=... Short mnemnonic NATIVE is now also accepted.
qemu_mode (thanks @realmadsci):
- move AFL_PRELOAD and AFL_USE_QASAN logic inside afl-qemu-trace
- add AFL_QEMU_CUSTOM_BIN
unicorn_mode
- accidently removed the subfolder from github, re-added
added DEFAULT_PERMISSION to config.h for all files created, default to 0600

3.11c

3 years ago

Version ++3.11c (release)

afl-fuzz:
- better auto detection of map size
- fix sanitizer settings (bug since 3.10c)
- fix an off-by-one overwrite in cmplog
- add non-unicode variants from unicode-looking dictionary entries
- Rust custom mutator API improvements
- Imported crash stats painted yellow on resume (only new ones are red)
afl-cc:
- added AFL_NOOPT that will just pass everything to the normal gcc/clang compiler without any changes - to pass weird configure scripts
- fixed a crash that can occur with ASAN + CMPLOG together plus better support for unicode (thanks to @stbergmann for reporting!)
- fixed a crash in LAF transform for empty strings
- handle erroneous setups in which multiple afl-compiler-rt are compiled into the target. This now also supports dlopen() instrumented libs loaded before the forkserver and even after the forkserver is started (then with collisions though)
- the compiler rt was added also in object building (-c) which should have been fixed years ago but somewhere got lost :(
- Renamed CTX to CALLER, added correct/real CTX implementation to CLASSIC
qemu_mode:
- added AFL_QEMU_EXCLUDE_RANGES env by @realmadsci, thanks!
- if no new/updated checkout is wanted, build with: NO_CHECKOUT=1 ./build_qemu_support.sh
- we no longer perform a "git drop"
afl-cmin: support filenames with spaces

3.10c

3 years ago

Version ++3.10c (release)

Mac OS ARM64 support
Android support fixed and updated by Joey Jiaojg - thanks!
New selective instrumentation option with _AFL_COVERAGE* commands to be placed in the source code. Check out instrumentation/README.instrument_list.md
afl-fuzz
- Making AFL_MAP_SIZE (mostly) obsolete - afl-fuzz now learns on start the target map size
- upgraded cmplog/redqueen: solving for floating point, solving transformations (e.g. toupper, tolower, to/from hex, xor, arithmetics, etc.). This is costly hence new command line option -l that sets the intensity (values 1 to 3). Recommended is 2.
- added AFL_CMPLOG_ONLY_NEW to not use cmplog on initial seeds from -i or resumes (these have most likely already been done)
- fix crash for very, very fast targets+systems (thanks to mhlakhani for reporting)
- on restarts (-i)/autoresume (AFL_AUTORESUME) the stats are now reloaded and used, thanks to Vimal Joseph for this patch!
- changed the meaning of '+' of the '-t' option, it now means to auto-calculate the timeout with the value given being the max timeout. The original meaning of skipping timeouts instead of abort is now inherent to the -t option.
- if deterministic mode is active (-D, or -M without -d) then we sync after every queue entry as this can take very long time otherwise
- added minimum SYNC_TIME to include/config.h (30 minutes default)
- better detection if a target needs a large shared map
- fix for -Z
- fixed a few crashes
- switched to an even faster RNG
- added hghwng's patch for faster trace map analysis
- printing suggestions for mistyped AFL_ env variables
- added Rust bindings for custom mutators (thanks @julihoh)
afl-cc
- allow instrumenting LLVMFuzzerTestOneInput
- fixed endless loop for allow/blocklist lines starting with a comment (thanks to Zherya for reporting)
- cmplog/redqueen now also tracks floating point, _ExtInt() + 128bit
- cmplog/redqueen can now process basic libc++ and libstdc++ std::string comparisons (no position or length type variants)
- added support for __afl_coverage_interesting() for LTO and our own PCGUARD (llvm 10.0.1+), read more about this function and selective coverage in instrumentation/README.instrument_list.md
- added AFL_LLVM_INSTRUMENT option NATIVE for native clang pc-guard support (less performant than our own), GCC for old afl-gcc and CLANG for old afl-clang
- fixed a potential crash in the LAF feature
- workaround for llvm bitcast lto bug
- workaround for llvm 13
qemuafl
- QASan (address sanitizer for Qemu) ported to qemuafl! See qemu_mode/libqasan/README.md
- solved some persistent mode bugs (thanks Dil4rd)
- solved an issue when dumping the memory maps (thanks wizche)
- Android support for QASan
unicornafl
- Substantial speed gains in python bindings for certain use cases
- Improved rust bindings
- Added a new example harness to compare python, c and rust bindings
afl-cmin and afl-showmap now support the -f option
afl_plot now also generates a graph on the discovered edges
changed default: no memory limit for afl-cmin and afl-cmin.bash
warn on any _AFL and __AFL env vars.
set AFL_IGNORE_UNKNOWN_ENVS to not warn on unknown AFL_... env vars
added dummy Makefile to instrumentation/
Updated utils/afl_frida to be 5% faster, 7% on x86_x64
Added AFL_KILL_SIGNAL env variable (thanks @v-p-b)
@Edznux added a nice documentation on how to use rpc.statsd with afl++ in docs/rpc_statsd.md, thanks!

3.0c

3 years ago

Version ++3.00c (release)

llvm_mode/ and gcc_plugin/ moved to instrumentation/
examples/ renamed to utils/
moved libdislocator, libtokencap and qdbi_mode to utils/
all compilers combined to afl-cc which emulates the previous ones
afl-llvm/gcc-rt.o merged into afl-compiler-rt.o
afl-fuzz
- not specifying -M or -S will now auto-set "-S default"
- deterministic fuzzing is now disabled by default and can be enabled with -D. It is still enabled by default for -M.
- a new seed selection was implemented that uses weighted randoms based on a schedule performance score, which is much better that the previous walk the whole queue approach. Select the old mode with -Z (auto enabled with -M)
- Marcel Boehme submitted a patch that improves all AFFast schedules :)
- the default schedule is now FAST
- memory limits are now disabled by default, set them with -m if required
- rpc.statsd support, for stats and charts, by Edznux, thanks a lot!
- reading testcases from -i now descends into subdirectories
- allow the -x command line option up to 4 times
- loaded extras now have a duplication protection
- If test cases are too large we do a partial read on the maximum supported size
- longer seeds with the same trace information will now be ignored for fuzzing but still be used for splicing
- crashing seeds are now not prohibiting a run anymore but are skipped - they are used for splicing, though
- update MOpt for expanded havoc modes
- setting the env var AFL_NO_AUTODICT will not load an LTO autodictionary
- added NO_SPLICING compile option and makefile define
- added INTROSPECTION make target that writes all mutations to out/NAME/introspection.txt
- print special compile time options used in help output
- when using -c cmplog, one of the childs was not killed, fixed
- somewhere we broke -n dumb fuzzing, fixed
- added afl_custom_describe to the custom mutator API to allow for easy mutation reproduction on crashing inputs
instrumentation
- We received an enhanced gcc_plugin module from AdaCore, thank you very much!!
- not overriding -Ox or -fno-unroll-loops anymore
- we now have our own trace-pc-guard implementation. It is the same as -fsanitize-coverage=trace-pc-guard from llvm 12, but: it is a) inline and b) works from llvm 10.0.1 + onwards :)
- new llvm pass: dict2file via AFL_LLVM_DICT2FILE, create afl-fuzz -x dictionary of string comparisons found during compilation
- LTO autodict now also collects interesting cmp comparisons, std::string compare + find + ==, bcmp
- fix crash in dict2file for integers > 64 bit
custom mutators
- added a new custom mutator: symcc -> https://github.com/eurecom-s3/symcc/
- added a new custom mutator: libfuzzer that integrates libfuzzer mutations
- Our afl++ Grammar-Mutator is now better integrated into custom_mutators/
- added INTROSPECTION support for custom modules
- python fuzz function was not optional, fixed
- some python mutator speed improvements
afl-cmin/afl-cmin.bash now search first in PATH and last in AFL_PATH
unicornafl synced with upstream version 1.02 (fixes, better rust bindings)
renamed AFL_DEBUG_CHILD_OUTPUT to AFL_DEBUG_CHILD
added AFL_CRASH_EXITCODE env variable to treat a child exitcode as crash

2.68c

3 years ago

Version ++2.68c (release)

added the GSoC excellent afl++ grammar mutator by Shengtuo to our custom_mutators/ (see custom_mutators/README.md) - or get it here: https://github.com/AFLplusplus/Grammar-Mutator
a few QOL changes for Apple and its outdated gmake
afl-fuzz:
- fix for auto dictionary entries found during fuzzing to not throw out a -x dictionary
- added total execs done to plot file
- AFL_MAX_DET_EXTRAS env variable added to control the amount of deterministic dict entries without recompiling.
- AFL_FORKSRV_INIT_TMOUT env variable added to control the time to wait for the forkserver to come up without the need to increase the overall timeout.
- bugfix for cmplog that results in a heap overflow based on target data (thanks to the magma team for reporting!)
- write fuzzing setup into out/fuzzer_setup (environment variables and command line)
custom mutators:
- added afl_custom_fuzz_count/fuzz_count function to allow specifying the number of fuzz attempts for custom_fuzz
llvm_mode:
- ported SanCov to LTO, and made it the default for LTO. better instrumentation locations
- Further llvm 12 support (fast moving target like afl++ :-) )
- deprecated LLVM SKIPSINGLEBLOCK env environment

2.67c

3 years ago

Version ++2.67c (release)

Support for improved afl++ snapshot module: https://github.com/AFLplusplus/AFL-Snapshot-LKM
Due to the instrumentation needing more memory, the initial memory sizes for -m have been increased
afl-fuzz:
- added -F option to allow -M main fuzzers to sync to foreign fuzzers, e.g. honggfuzz or libfuzzer
- added -b option to bind to a specific CPU
- eliminated CPU affinity race condition for -S/-M runs
- expanded havoc mode added, on no cycle finds add extra splicing and MOpt into the mix
- fixed a bug in redqueen for strings and made deterministic with -s
llvm_mode:
- now supports llvm 12
- support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm sancov, and also supports function matching :)
- added neverzero counting to trace-pc/pcgard
- fixes for laf-intel float splitting (thanks to mark-griffin for reporting)
- fixes for llvm 4.0
- skipping ctors and ifuncs for instrumentation
- LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR for a fixed map address (eg. 0x10000)
- LTO: improved stability for persistent mode, no other instrumentation has that advantage
- LTO: fixed autodict for long strings
- LTO: laf-intel and redqueen/cmplog are now applied at link time to prevent llvm optimizing away the splits
- LTO: autodictionary mode is a fixed default now
- LTO: instrim instrumentation disabled, only classic support used as it is always better
- LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID was given to which function during compilation
- LTO: single block functions were not implemented by default, fixed
- LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed
- setting AFL_LLVM_LAF_SPLIT_FLOATS now activates AFL_LLVM_LAF_SPLIT_COMPARES
- support for -E and -shared compilation runs
added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
added afl-frida gum solution to examples/afl_frida (mostly imported from https://github.com/meme/hotwax/)
small fixes to afl-plot, afl-whatsup and man page creation
new README, added FAQ