Releases: AFLplusplus/AFLplusplus
Releases · AFLplusplus/AFLplusplus
2.66c
Version ++2.66c (release)
- renamed the main branch on Github to "stable"
- renamed master/slave to main/secondary
- renamed blacklist/whitelist to ignorelist/instrumentlist ->
AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE - warn on deprecated environment variables
- afl-fuzz:
- -S secondary nodes now only sync from the main node to increase
performance, the -M main node still syncs from everyone. Added checks
that ensure exactly one main node is present and warn otherwise - Add -D after -S to force a secondary to perform deterministic fuzzing
- If no main node is present at a sync one secondary node automatically
becomes a temporary main node until a real main nodes shows up - Fixed a mayor performance issue we inherited from AFLfast
- switched murmur2 hashing and random() for xxh3 and xoshiro256**,
resulting in an up to 5.5% speed increase - Resizing the window does not crash afl-fuzz anymore
- Ensure that the targets are killed on exit
- fix/update to MOpt (thanks to arnow117)
- added MOpt dictionary support from repo
- added experimental SEEK power schedule. It is EXPLORE with ignoring
the runtime and less focus on the length of the test case
- -S secondary nodes now only sync from the main node to increase
- llvm_mode:
- the default instrumentation is now PCGUARD if the llvm version is >= 7,
as it is faster and provides better coverage. The original afl
instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
automatically done when the instrument_file list feature is used. - PCGUARD mode is now even better because we made it collision free - plus
it has a fixed map size, so it is also faster! :) - some targets want a ld variant for LD that is not gcc/clang but ld,
added afl-ld-lto to solve this - lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
needs 3.8.0) - instrument_file list feature now supports wildcards (thanks to sirmc)
- small change to cmplog to make it work with current llvm 11-dev
- added AFL_LLVM_LAF_ALL, sets all laf-intel settings
- LTO instrument_files functionality rewritten, now main, _init etc functions
need not to be listed anymore - fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
tried to be instrumented with LTO - fixed crash in cmplog with LTO
- enable snapshot lkm also for persistent mode
- the default instrumentation is now PCGUARD if the llvm version is >= 7,
- Unicornafl
- Added powerPC support from unicorn/next
- rust bindings!
- CMPLOG/Redqueen now also works for MMAP sharedmem
- ensure shmem is released on errors
- we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
compiled by default anymore. - allow running in /tmp (only unsafe with umask 0)
- persistent mode shared memory testcase handover (instead of via
files/stdin) - 10-100% performance increase - General support for 64 bit PowerPC, RiscV, Sparc etc.
- fix afl-cmin.bash
- slightly better performance compilation options for afl++ and targets
- fixed afl-gcc/afl-as that could break on fast systems reusing pids in
the same second - added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
- added former post_library examples to examples/custom_mutators/
- Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
gcc 10 so afl-clang-lto can be build
2.65c
Version ++2.65c (release):
- afl-fuzz:
- AFL_MAP_SIZE was not working correctly
- better python detection
- an old, old bug in afl that would show negative stability in rare
circumstances is now hopefully fixed - AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
instead (see docs/custom_mutators.md)
- llvm_mode:
- afl-clang-fast/lto now do not skip single block functions. This
behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK - if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
address for the shared memory map is used as this increases the
fuzzing speed - InsTrim now has an LTO version! :-) That is the best and fastest mode!
- fixes to LTO mode if instrumented edges > MAP_SIZE
- CTX and NGRAM can now be used together
- CTX and NGRAM are now also supported in CFG/INSTRIM mode
- AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
- added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
implementation. For targets with few or no loops or heavily called
functions. Gives a small performance boost.
- afl-clang-fast/lto now do not skip single block functions. This
- qemu_mode:
- add information on PIE/PIC load addresses for 32 bit
- better dependency checks
- gcc_plugin:
- better dependency checks
- unicorn_mode:
- validate_crash_callback can now count non-crashing inputs as crash as well
- better submodule handling
- afl-showmap: fix for -Q mode
- added examples/afl_network_proxy which allows to fuzz a target over the
network (not fuzzing tcp/ip services but running afl-fuzz on one system
and the target being on an embedded device) - added examples/afl_untracer which does a binary-only fuzzing with the
modifications done in memory (intel32/64 and aarch64 support) - added examples/afl_proxy which can be easily used to fuzz and instrument
non-standard things - all:
- forkserver communication now also used for error reporting
- fix 32 bit build options
- make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
intact if in a git/svn checkout - unless "deepclean" is used
2.64c
Version ++2.64c (release):
- llvm_mode LTO mode:
- now requires llvm11 - but compiles all targets! :)
- autodictionary feature added, enable with
AFL_LLVM_LTO_AUTODICTIONARY
- variable map size usage
- afl-fuzz:
- variable map size support added (only LTO mode can use this)
- snapshot feature usage now visible in UI
- Now setting
-L -1
will enable MOpt in parallel to normal mutation.
Additionally, this allows to run dictionaries, radamsa and cmplog. - fix for cmplog/redqueen mode if stdin was used
- fix for writing a better plot_data file
- qemu_mode: fix for persistent mode (which would not terminate or get stuck)
- compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
static global and local variable comparisons (cannot find all though) - extended forkserver: map_size and more information is communicated to
afl-fuzz (and afl-fuzz acts accordingly) - new environment variable: AFL_MAP_SIZE to specify the size of the shared map
- if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
(this bug is in vanilla afl too) - added NO_PYTHON flag to disable python support when building afl-fuzz
- more refactoring
2.63c
Version ++2.63c (release):
- all:
- big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
multiple fuzzing threads in the future or even become a library - afl basic tools now report on the environment variables picked up
- more tools get environment variable usage info in the help output
- force all output to stdout (some OK/SAY/WARN messages were sent to
stdout, some to stderr) - uninstrumented mode uses an internal forkserver ("fauxserver")
- now builds with
-D_FORTIFY_SOURCE=2
- drastically reduced number of (de)allocations during fuzzing
- big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
- afl-fuzz:
- python mutator modules and custom mutator modules now use the same
interface and hence the API changed - AFL_AUTORESUME will resume execution without the need to specify
-i -
- added experimental power schedules (-p):
- mmopt: ignores runtime of queue entries, gives higher weighting to
the last 5 queue entries - rare: puts focus on queue entries that hits rare branches, also ignores
runtime
- mmopt: ignores runtime of queue entries, gives higher weighting to
- python mutator modules and custom mutator modules now use the same
- llvm_mode:
- added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
- added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
- added AFL_LLVM_INSTRUMENT option to control the instrumentation type
easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16) - made USE_TRACE_PC compile obsolete
- LTO collision free instrumented added in llvm_mode with afl-clang-lto -
note that this mode is amazing, but quite some targets won't compile - Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera
(https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
AFL_LLVM_INSTRUMENT=NGRAM- or AFL_LLVM_NGRAM_SIZE= - Added llvm_mode context sensitive branch coverage, activated by setting
AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1 - llvm_mode InsTrim mode:
- removed workaround for bug where paths were not instrumented and
imported fix by author - made skipping 1 block functions an option and is disabled by default,
set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
- removed workaround for bug where paths were not instrumented and
- qemu_mode:
- qemu_mode now uses solely the internal capstone version to fix builds
on modern Linux distributions - QEMU now logs routine arguments for CmpLog when the target is x86
- qemu_mode now uses solely the internal capstone version to fix builds
- afl-tmin:
- now supports hang mode
-H
to minimize hangs - fixed potential afl-tmin missbehavior for targets with multiple hangs
- now supports hang mode
- Pressing Control-c in afl-cmin did not terminate it for some OS
- the custom API was rewritten and is now the same for Python and shared
libraries.
2.62c
Version ++2.62c (release):
- Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
- Small fix for -E/-V to release the CPU
- CmpLog does not need sancov anymore
2.61c
-> DO NOT USE THIS RELEASE <-
Version ++2.61c (release):
- use -march=native if available
- most tools now check for mistyped environment variables
- gcc 10 is now supported
- the memory safety checks are now disabled for a little more speed during
fuzzing (only affects creating queue entries), can be toggled in config.h - afl-fuzz:
- MOpt out of bounds writing crash fixed
- now prints the real python version support compiled in
- set stronger performance compile options and little tweaks
- Android: prefer bigcores when selecting a CPU
- CmpLog forkserver
- Redqueen input-2-state mutator (cmp instructions only ATM)
- all Python 2+3 versions supported now
- changed execs_per_sec in fuzzer_stats from "current" execs per second
(which is pointless) to total execs per second - bugfix for dictionary insert stage count (fix via Google repo PR)
- added warning if -M is used together with custom mutators with _ONLY option
- AFL_TMPDIR checks are now later and better explained if they fail
- llvm_mode
- InsTrim: three bug fixes:
- (minor) no pointless instrumentation of 1 block functions
- (medium) path bug that leads a few blocks not instrumented that
should be - (major) incorrect prev_loc was written, fixed!
- InsTrim: three bug fixes:
- afl-clang-fast:
- show in the help output for which llvm version it was compiled for
- now does not need to be recompiled between trace-pc and pass
instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :) - LLVM 11 is supported
- CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
- afl-gcc, afl-clang-fast, afl-gcc-fast:
- experimental support for undefined behaviour sanitizer UBSAN
(set AFL_USE_UBSAN=1) - the instrumentation summary output now also lists activated sanitizers
- afl-as: added isatty(2) check back in
- added AFL_DEBUG (for upcoming merge)
- experimental support for undefined behaviour sanitizer UBSAN
- qemu_mode:
- persistent mode is now also available for arm and aarch64
- CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
for x86, x86_64, arm and aarch64 - AFL_PERSISTENT_HOOK callback module for persistent QEMU
(see examples/qemu_persistent_hook) - added qemu_mode/README.persistent.md documentation
- AFL_ENTRYPOINT noew has instruction granularity
- afl-cmin is now a sh script (invoking awk) instead of bash for portability
the original script is still present as afl-cmin.bash - afl-showmap: -i dir option now allows processing multiple inputs using the
forkserver. This is for enhanced speed in afl-cmin. - added blacklist and whitelisting function check in all modules of llvm_mode
- added fix from Debian project to compile libdislocator and libtokencap
- libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t
2.60c
Version ++2.60c (release):
- fixed a critical bug in afl-tmin that was introduced during ++2.53d
- added test cases for afl-cmin and afl-tmin to test/test.sh
- added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
- added preeny's desock_dup ld_preload library as
./experimental/socket_fuzzing for network fuzzing - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
for the retrorewrite project - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used
2.59c
Version ++2.59c (release):
- qbdi_mode: fuzz android native libraries via QBDI framework
- unicorn_mode: switched to the new unicornafl, thanks domenukk
(see https://github.com/vanhauser-thc/unicorn) - afl-fuzz:
- added radamsa as (an optional) mutator stage (-R[R])
- added -u command line option to not unlink the fuzz input file
- Python3 support (autodetect)
- AFL_DISABLE_TRIM env var to disable the trim stage
- CPU affinity support for DragonFly
- llvm_mode:
- float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
- support for llvm 10 included now (thanks to devnexen)
- libtokencap:
- support for *BSD/OSX/Dragonfly added
- hook common *cmp functions from widely used libraries
- compcov:
- hook common *cmp functions from widely used libraries
- floating point splitting support for QEMU on x86 targets
- qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
- afl-analyze: added AFL_SKIP_BIN_CHECK support
- better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
- Dockerfile by courtesy of devnexen
- added regex.dictionary
- qemu and unicorn download scripts now try to download until the full
download succeeded. f*ckin travis fails downloading 40% of the time! - more support for Android (please test!)
- added the few Android stuff we didnt have already from Google afl repository
- removed unnecessary warnings
2.58c
Version ++2.58c (release):
- reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10%
- added test/test-performance.sh script
- (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistance feature! by hexcoder-
- gcc_plugin tests added to testing framework
2.57c
Note: we jump to 2.57 instead of 2.55 to catch up with Google's versioning
Changelog:
- persistent mode for QEMU (see qemu_mode/README.md)
- custom mutator library is now an additional mutator, to exclusivly use it
add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour) - new library qemu_mode/unsigaction which filters sigaction events
- afl-fuzz: new command line option -I to execute a command on a new crash
- no more unlinking the input file, this way the input file can also be a
FIFO or disk partition - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
llvm version. If your setup is correct. - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
- added "make tests" which will perform checks to see that all functionality
is working as expected. this is currently the starting point, its not complete :) - added mutation documentation feature ("make document"), creates afl-fuzz-document
and saves all mutations of the first run on the first file into out/queue/mutations - libtokencap and libdislocator now compile to the afl_root directory and are
installed to the .../lib/afl directory when present during make install - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
- reducing duplicate code in afl-fuzz
- added "make help"
- removed compile warnings from python internal stuff
- added man page for afl-clang-fast[++]
- updated documentation
- Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
- CompareCoverage for ARM target in QEMU/Unicorn