
May 20, 2015

Lesser-known features of afl-fuzz

AFL is designed to be simple to use, but it also has quite a few advanced, time-saving features that are easy to overlook. So, here are several useful tricks that aren't covered in the README:

  • Test case postprocessing: need to fix up checksums or length fields in a particular file format? AFL supports modular postprocessors that can take care of this for you. See experimental/post_library/ for sample code and other tips.

  • Deferred forkserver: stuck with a binary that initializes a lot of stuff before actually getting to the input data? When building with afl-clang-fast (llvm_mode), you can avoid paying that CPU overhead on every execution by instructing the fork server to clone the process from an already-initialized image. It's simpler than it sounds - have a look at llvm_mode/README.llvm for advice.

  • Helpful stats: in addition to using afl-plot to generate pretty progress graphs, you can also directly parse <out_dir>/fuzzer_stats for machine-readable statistics on any fuzzer instance running in the background. The afl-whatsup script is a simple demo of that.

  • Faster resume: if you don't care about detecting non-deterministic behavior in tested binaries, set AFL_NO_VAR_CHECK=1 before resuming afl-fuzz jobs. It can speed things up by a factor of ten. While you're at it, be sure to see docs/perf_tips.txt for other performance tips.

  • Heterogeneous parallelization: the parallelization mechanism described in docs/parallel_fuzzing.txt can be very easily used to co-fuzz several different parsers using a shared corpus, or to seamlessly couple afl-fuzz to any other guided tools - say, symbolic execution frameworks.

  • Third-party tools: have a look at docs/sister_projects.txt for a collection of third-party tools that help you manage multiple instances of AFL, simplify crash triage, allow you to fuzz network servers or clients, and add support for languages such as Python or Go.

  • Minimizing stuff: when you have a crashing test case, afl-tmin will work even with non-instrumented binaries - so you can use it to shrink and simplify almost anything, even if it has nothing to do with AFL.
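As an added example of the postprocessor tip above (this is not code from the post or from AFL's experimental/post_library/), here is a postprocessor for a made-up container format: a "DEMO" magic, a little-endian 32-bit payload length, a CRC-32 of the payload, then the payload. Only the entry point name and signature, afl_postprocess, and the AFL_POST_LIBRARY environment variable are AFL's; the format, the target-side check demo_header_valid, and the build line are assumptions for the example.

```c
/* Added example (not from the post or from AFL): an afl-fuzz postprocessor for
 * a hypothetical container format, "DEMO" magic, little-endian 32-bit payload
 * length, CRC-32 of the payload, then the payload. The entry point name and
 * signature are the ones experimental/post_library/ expects; everything else
 * here is made up for the example. Build and load it with:
 *
 *   gcc -shared -fPIC -O2 -o post_demo.so post_demo.c
 *   AFL_POST_LIBRARY=./post_demo.so afl-fuzz -i in -o out -- ./target @@
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAGIC   "DEMO"
#define DEMO_HDR_LEN 12u   /* magic (4) + length (4) + crc (4) */

/* Reflected CRC-32, polynomial 0xEDB88320, computed bitwise so no table is
   needed. crc32_buf("123456789", 9) == 0xCBF43926. */
static uint32_t crc32_buf(const unsigned char *buf, size_t n) {
  uint32_t crc = 0xFFFFFFFFu;
  for (size_t i = 0; i < n; i++) {
    crc ^= buf[i];
    for (int k = 0; k < 8; k++)
      crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
  }
  return ~crc;
}

static void put_le32(unsigned char *p, uint32_t v) {
  p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
  p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check the (hypothetical) target performs before touching the payload.
   Without a postprocessor almost every mutated input is rejected here, and the
   code behind the check is never reached. */
int demo_header_valid(const unsigned char *buf, size_t len) {
  if (len < DEMO_HDR_LEN || memcmp(buf, DEMO_MAGIC, 4) != 0) return 0;
  if (get_le32(buf + 4) != (uint32_t)(len - DEMO_HDR_LEN)) return 0;
  return get_le32(buf + 8) == crc32_buf(buf + DEMO_HDR_LEN, len - DEMO_HDR_LEN);
}

/* Called by afl-fuzz right before each execution, on the mutated input. The
   returned pointer has to stay valid until the next call, so the fixed-up copy
   lives in a static buffer that is grown on demand and never freed. */
const unsigned char *afl_postprocess(const unsigned char *in_buf,
                                     unsigned int *len) {
  static unsigned char *saved_buf;
  static unsigned int   saved_cap;

  /* Too short to hold a header: pass it through unchanged so the target's own
     length check still gets exercised. */
  if (*len < DEMO_HDR_LEN) return in_buf;

  /* Already consistent: no copy needed. */
  if (demo_header_valid(in_buf, *len)) return in_buf;

  if (*len > saved_cap) {
    unsigned char *nb = realloc(saved_buf, *len);
    if (!nb) return in_buf;   /* out of memory: fall back to the raw input */
    saved_buf = nb;
    saved_cap = *len;
  }

  memcpy(saved_buf, in_buf, *len);
  memcpy(saved_buf, DEMO_MAGIC, 4);
  put_le32(saved_buf + 4, *len - DEMO_HDR_LEN);
  put_le32(saved_buf + 8, crc32_buf(saved_buf + DEMO_HDR_LEN, *len - DEMO_HDR_LEN));
  return saved_buf;   /* *len is unchanged: the header is rewritten in place */
}

/* Stand-alone demo on a constructed blob: junk header, then a payload. */
int main(void) {
  unsigned char blob[] = "xxxxxxxxxxxxhello world";   /* 12 junk + 11 payload */
  unsigned int len = sizeof(blob) - 1;
  const unsigned char *fixed = afl_postprocess(blob, &len);
  printf("raw header valid:   %d\n", demo_header_valid(blob, len));
  printf("fixed header valid: %d (length field %u)\n",
         demo_header_valid(fixed, len), get_le32(fixed + 4));
  return 0;
}
```

Two things worth keeping in mind: the postprocessor runs on every execution, so keep it cheap and avoid per-call allocations; and afl-fuzz applies it to the data handed to the target, not to the files it saves under queue/ and crashes/, so to reproduce a finding outside the fuzzer run the saved file through the same fixup first.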
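And as an added example of the deferred forkserver tip (again not the post's or AFL's own code), a harness for a hypothetical record parser that builds a 16 MiB lookup table at start-up. The only AFL-specific parts are the __AFL_HAVE_MANUAL_CONTROL guard and the __AFL_INIT() call, both provided by afl-clang-fast; the record format, the table, and the function names are made up for the example.

```c
/* Added example (not from the post or from AFL): a fuzzing harness for a
 * hypothetical record parser whose start-up cost, a 16 MiB lookup table, is
 * paid once per fuzzing session instead of once per execution. Compile with
 * afl-clang-fast to get the deferred fork server; with any other compiler the
 * __AFL_INIT() call is compiled out and the program simply runs normally. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE (16u << 20)

static uint8_t *g_table;   /* built once, read-only afterwards */

/* Input-independent setup: the part that belongs before the fork point. It
   must not read the fuzzed input or open the input file, and it should not
   start threads or leave timers and signal handlers behind that a forked
   child could not safely inherit. */
void expensive_init(void) {
  if (g_table) return;
  g_table = malloc(TABLE_SIZE);
  if (!g_table) abort();
  for (size_t i = 0; i < TABLE_SIZE; i++)
    g_table[i] = (uint8_t)(i * 31u + 7u);   /* made-up table contents */
}

/* The code under test: a record is 'R', a one-byte payload length n, then n
   payload bytes. Returns the low byte of the table-mapped payload sum, or -1
   if the record is malformed. */
int parse_record(const unsigned char *buf, size_t len) {
  if (!buf || len < 2 || buf[0] != 'R') return -1;
  size_t n = buf[1];
  if (len != 2 + n) return -1;
  unsigned sum = 0;
  for (size_t i = 0; i < n; i++) sum += g_table[buf[2 + i]];
  return (int)(sum & 0xff);
}

int main(int argc, char **argv) {
  expensive_init();

#ifdef __AFL_HAVE_MANUAL_CONTROL
  /* Defined by afl-clang-fast. afl-fuzz forks the target from this point, so
     everything above runs once per session and everything below runs per
     test case. */
  __AFL_INIT();
#endif

  /* Only now touch the input: the "@@" file from the afl-fuzz command line,
     or stdin when no path is given. */
  FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
  if (!f) { perror("fopen"); return 1; }
  static unsigned char buf[1 << 16];
  size_t n = fread(buf, 1, sizeof buf, f);
  if (f != stdin) fclose(f);

  printf("%d\n", parse_record(buf, n));
  return 0;
}
```

The ordering is the whole point: anything that depends on the test case has to sit after __AFL_INIT(), because the fork server snapshots the process state at that call and every child starts from it.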
