2.66c

Version ++2.66c (release)

• renamed the main branch on Github to "stable"
• renamed master/slave to main/secondary
• renamed blacklist/whitelist to ignorelist/instrumentlist ->
  AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
• warn on deprecated environment variables
• afl-fuzz:
  • -S secondary nodes now only sync from the main node to increase
    performance, the -M main node still syncs from everyone. Added checks
    that ensure exactly one main node is present and warn otherwise
  • Add -D after -S to force a secondary to perform deterministic fuzzing
  • If no main node is present at a sync one secondary node automatically
    becomes a temporary main node until a real main nodes shows up
  • Fixed a mayor performance issue we inherited from AFLfast
  • switched murmur2 hashing and random() for xxh3 and xoshiro256**,
    resulting in an up to 5.5% speed increase
  • Resizing the window does not crash afl-fuzz anymore
  • Ensure that the targets are killed on exit
  • fix/update to MOpt (thanks to arnow117)
  • added MOpt dictionary support from repo
  • added experimental SEEK power schedule. It is EXPLORE with ignoring
    the runtime and less focus on the length of the test case
• llvm_mode:
  • the default instrumentation is now PCGUARD if the llvm version is >= 7,
    as it is faster and provides better coverage. The original afl
    instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
    automatically done when the instrument_file list feature is used.
  • PCGUARD mode is now even better because we made it collision free - plus
    it has a fixed map size, so it is also faster! :)
  • some targets want a ld variant for LD that is not gcc/clang but ld,
    added afl-ld-lto to solve this
  • lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
    needs 3.8.0)
  • instrument_file list feature now supports wildcards (thanks to sirmc)
  • small change to cmplog to make it work with current llvm 11-dev
  • added AFL_LLVM_LAF_ALL, sets all laf-intel settings
  • LTO instrument_files functionality rewritten, now main, _init etc functions
    need not to be listed anymore
  • fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
    tried to be instrumented with LTO
  • fixed crash in cmplog with LTO
  • enable snapshot lkm also for persistent mode
• Unicornafl
  • Added powerPC support from unicorn/next
  • rust bindings!
• CMPLOG/Redqueen now also works for MMAP sharedmem
• ensure shmem is released on errors
• we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
  compiled by default anymore.
• allow running in /tmp (only unsafe with umask 0)
• persistent mode shared memory testcase handover (instead of via
  files/stdin) - 10-100% performance increase
• General support for 64 bit PowerPC, RiscV, Sparc etc.
• fix afl-cmin.bash
• slightly better performance compilation options for afl++ and targets
• fixed afl-gcc/afl-as that could break on fast systems reusing pids in
  the same second
• added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
• added former post_library examples to examples/custom_mutators/
• Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
  gcc 10 so afl-clang-lto can be build

2.65c

Version ++2.65c (release):

• afl-fuzz:
  • AFL_MAP_SIZE was not working correctly
  • better python detection
  • an old, old bug in afl that would show negative stability in rare
    circumstances is now hopefully fixed
  • AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
    instead (see docs/custom_mutators.md)
• llvm_mode:
  • afl-clang-fast/lto now do not skip single block functions. This
    behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
  • if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
    address for the shared memory map is used as this increases the
    fuzzing speed
  • InsTrim now has an LTO version! :-) That is the best and fastest mode!
  • fixes to LTO mode if instrumented edges > MAP_SIZE
  • CTX and NGRAM can now be used together
  • CTX and NGRAM are now also supported in CFG/INSTRIM mode
  • AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
  • added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
    implementation. For targets with few or no loops or heavily called
    functions. Gives a small performance boost.
• qemu_mode:
  • add information on PIE/PIC load addresses for 32 bit
  • better dependency checks
• gcc_plugin:
  • better dependency checks
• unicorn_mode:
  • validate_crash_callback can now count non-crashing inputs as crash as well
  • better submodule handling
• afl-showmap: fix for -Q mode
• added examples/afl_network_proxy which allows to fuzz a target over the
  network (not fuzzing tcp/ip services but running afl-fuzz on one system
  and the target being on an embedded device)
• added examples/afl_untracer which does a binary-only fuzzing with the
  modifications done in memory (intel32/64 and aarch64 support)
• added examples/afl_proxy which can be easily used to fuzz and instrument
  non-standard things
• all:
  • forkserver communication now also used for error reporting
  • fix 32 bit build options
  • make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
    intact if in a git/svn checkout - unless "deepclean" is used

2.64c

Version ++2.64c (release):

• llvm_mode LTO mode:
  • now requires llvm11 - but compiles all targets! :)
  • autodictionary feature added, enable with AFL_LLVM_LTO_AUTODICTIONARY
  • variable map size usage
• afl-fuzz:
  • variable map size support added (only LTO mode can use this)
  • snapshot feature usage now visible in UI
  • Now setting -L -1 will enable MOpt in parallel to normal mutation.
    Additionally, this allows to run dictionaries, radamsa and cmplog.
  • fix for cmplog/redqueen mode if stdin was used
  • fix for writing a better plot_data file
• qemu_mode: fix for persistent mode (which would not terminate or get stuck)
• compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
  static global and local variable comparisons (cannot find all though)
• extended forkserver: map_size and more information is communicated to
  afl-fuzz (and afl-fuzz acts accordingly)
• new environment variable: AFL_MAP_SIZE to specify the size of the shared map
• if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
  (this bug is in vanilla afl too)
• added NO_PYTHON flag to disable python support when building afl-fuzz
• more refactoring

2.63c

Version ++2.63c (release):

• all:
  • big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
    multiple fuzzing threads in the future or even become a library
  • afl basic tools now report on the environment variables picked up
  • more tools get environment variable usage info in the help output
  • force all output to stdout (some OK/SAY/WARN messages were sent to
    stdout, some to stderr)
  • uninstrumented mode uses an internal forkserver ("fauxserver")
  • now builds with -D_FORTIFY_SOURCE=2
  • drastically reduced number of (de)allocations during fuzzing
• afl-fuzz:
  • python mutator modules and custom mutator modules now use the same
    interface and hence the API changed
  • AFL_AUTORESUME will resume execution without the need to specify -i -
  • added experimental power schedules (-p):
    • mmopt: ignores runtime of queue entries, gives higher weighting to
      the last 5 queue entries
    • rare: puts focus on queue entries that hits rare branches, also ignores
      runtime
• llvm_mode:
  • added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
  • added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
  • added AFL_LLVM_INSTRUMENT option to control the instrumentation type
    easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
  • made USE_TRACE_PC compile obsolete
• LTO collision free instrumented added in llvm_mode with afl-clang-lto -
  note that this mode is amazing, but quite some targets won't compile
• Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera
  (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
  AFL_LLVM_INSTRUMENT=NGRAM- or AFL_LLVM_NGRAM_SIZE=
• Added llvm_mode context sensitive branch coverage, activated by setting
  AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1
• llvm_mode InsTrim mode:
  • removed workaround for bug where paths were not instrumented and
    imported fix by author
  • made skipping 1 block functions an option and is disabled by default,
    set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
• qemu_mode:
  • qemu_mode now uses solely the internal capstone version to fix builds
    on modern Linux distributions
  • QEMU now logs routine arguments for CmpLog when the target is x86
• afl-tmin:
  • now supports hang mode -H to minimize hangs
  • fixed potential afl-tmin missbehavior for targets with multiple hangs
• Pressing Control-c in afl-cmin did not terminate it for some OS
• the custom API was rewritten and is now the same for Python and shared
  libraries.

2.62c

Version ++2.62c (release):

• Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
• Small fix for -E/-V to release the CPU
• CmpLog does not need sancov anymore

2.61c

-> DO NOT USE THIS RELEASE <-

Version ++2.61c (release):

• use -march=native if available
• most tools now check for mistyped environment variables
• gcc 10 is now supported
• the memory safety checks are now disabled for a little more speed during
  fuzzing (only affects creating queue entries), can be toggled in config.h
• afl-fuzz:
  • MOpt out of bounds writing crash fixed
  • now prints the real python version support compiled in
  • set stronger performance compile options and little tweaks
  • Android: prefer bigcores when selecting a CPU
  • CmpLog forkserver
  • Redqueen input-2-state mutator (cmp instructions only ATM)
  • all Python 2+3 versions supported now
  • changed execs_per_sec in fuzzer_stats from "current" execs per second
    (which is pointless) to total execs per second
  • bugfix for dictionary insert stage count (fix via Google repo PR)
  • added warning if -M is used together with custom mutators with _ONLY option
  • AFL_TMPDIR checks are now later and better explained if they fail
• llvm_mode
  • InsTrim: three bug fixes:
    1. (minor) no pointless instrumentation of 1 block functions
    2. (medium) path bug that leads a few blocks not instrumented that
       should be
    3. (major) incorrect prev_loc was written, fixed!
• afl-clang-fast:
  • show in the help output for which llvm version it was compiled for
  • now does not need to be recompiled between trace-pc and pass
    instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
  • LLVM 11 is supported
  • CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
• afl-gcc, afl-clang-fast, afl-gcc-fast:
  • experimental support for undefined behaviour sanitizer UBSAN
    (set AFL_USE_UBSAN=1)
  • the instrumentation summary output now also lists activated sanitizers
  • afl-as: added isatty(2) check back in
  • added AFL_DEBUG (for upcoming merge)
• qemu_mode:
  • persistent mode is now also available for arm and aarch64
  • CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
    for x86, x86_64, arm and aarch64
  • AFL_PERSISTENT_HOOK callback module for persistent QEMU
    (see examples/qemu_persistent_hook)
  • added qemu_mode/README.persistent.md documentation
  • AFL_ENTRYPOINT noew has instruction granularity
• afl-cmin is now a sh script (invoking awk) instead of bash for portability
  the original script is still present as afl-cmin.bash
• afl-showmap: -i dir option now allows processing multiple inputs using the
  forkserver. This is for enhanced speed in afl-cmin.
• added blacklist and whitelisting function check in all modules of llvm_mode
• added fix from Debian project to compile libdislocator and libtokencap
• libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t

2.60c

---

Version ++2.60c (release):

• fixed a critical bug in afl-tmin that was introduced during ++2.53d
• added test cases for afl-cmin and afl-tmin to test/test.sh
• added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
• added preeny's desock_dup ld_preload library as
  ./experimental/socket_fuzzing for network fuzzing
• added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
  for the retrorewrite project
• we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used

2.59c

---

Version ++2.59c (release):

• qbdi_mode: fuzz android native libraries via QBDI framework
• unicorn_mode: switched to the new unicornafl, thanks domenukk
  (see https://github.com/vanhauser-thc/unicorn)
• afl-fuzz:
  • added radamsa as (an optional) mutator stage (-R[R])
  • added -u command line option to not unlink the fuzz input file
  • Python3 support (autodetect)
  • AFL_DISABLE_TRIM env var to disable the trim stage
  • CPU affinity support for DragonFly
• llvm_mode:
  • float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
  • support for llvm 10 included now (thanks to devnexen)
• libtokencap:
  • support for *BSD/OSX/Dragonfly added
  • hook common *cmp functions from widely used libraries
• compcov:
  • hook common *cmp functions from widely used libraries
  • floating point splitting support for QEMU on x86 targets
• qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
• afl-analyze: added AFL_SKIP_BIN_CHECK support
• better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
• Dockerfile by courtesy of devnexen
• added regex.dictionary
• qemu and unicorn download scripts now try to download until the full
  download succeeded. f*ckin travis fails downloading 40% of the time!
• more support for Android (please test!)
• added the few Android stuff we didnt have already from Google afl repository
• removed unnecessary warnings

2.58c

---

Version ++2.58c (release):

• reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10%
• added test/test-performance.sh script
• (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistance feature! by hexcoder-
• gcc_plugin tests added to testing framework

2.57c

Note: we jump to 2.57 instead of 2.55 to catch up with Google's versioning

Changelog:

• persistent mode for QEMU (see qemu_mode/README.md)
• custom mutator library is now an additional mutator, to exclusivly use it
  add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
• new library qemu_mode/unsigaction which filters sigaction events
• afl-fuzz: new command line option -I to execute a command on a new crash
• no more unlinking the input file, this way the input file can also be a
  FIFO or disk partition
• setting LLVM_CONFIG for llvm_mode will now again switch to the selected
  llvm version. If your setup is correct.
• fuzzing strategy yields for custom mutator were missing from the UI, added them :)
• added "make tests" which will perform checks to see that all functionality
  is working as expected. this is currently the starting point, its not complete :)
• added mutation documentation feature ("make document"), creates afl-fuzz-document
  and saves all mutations of the first run on the first file into out/queue/mutations
• libtokencap and libdislocator now compile to the afl_root directory and are
  installed to the .../lib/afl directory when present during make install
• more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
• reducing duplicate code in afl-fuzz
• added "make help"
• removed compile warnings from python internal stuff
• added man page for afl-clang-fast[++]
• updated documentation
• Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
• CompareCoverage for ARM target in QEMU/Unicorn