New OS Primitives Specialized for Fuzzing
The snapshot() system call
- The prototype is built on linux-4.8.10.
- To build it, enable CONFIG_SNAPSHOT when compiling the kernel, and see snapshot-test/ for an example program that calls snapshot().
The modified AFL
- afl/ contains the modified AFL source, which uses the snapshot() system call and the in-memory test case log instead of fork() and on-disk test cases.
- To enable snapshot() in AFL, make sure config.h contains
  #define MYFORK
  and compile with
- We add a new option, -u, which takes the id of this afl instance and the total number of afl instances running in parallel, written as id/total (for example, -u 0/2 for the first of two instances).
- Currently only 64-bit fuzzing targets are supported.
- We provide an example of using modified AFL to fuzz libjpeg (afl-test/).
- Compile libjpeg.
    cd jpeg-9b
    CC=../../afl/afl-gcc ./configure
    make
    ./djpeg -h
  The last step cannot be skipped: ./djpeg is a libtool wrapper script, and running it once generates the real binary jpeg-9b/.libs/lt-djpeg that afl-fuzz is pointed at below.
- Launch afl (here 2 instances). From afl-test/, run the preparation script once:
    sudo ./prepare.sh
  then start the first instance:
    ../afl/afl-fuzz -i input -o output -S slave0 -u 0/2 jpeg-9b/.libs/lt-djpeg
  In another terminal, start the second:
    ../afl/afl-fuzz -i input -o output -S slave1 -u 1/2 jpeg-9b/.libs/lt-djpeg
  Note that neither instance starts fuzzing until both have been launched.
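The build-and-launch procedure above, generalized from two terminals to N instances, as an added shell script that is not part of the project's own code. It is meant to be run from afl-test/; AFL_DIR, TARGET, N, the RUN_FUZZ switch and the per-instance log files are assumptions of this example, and sudo ./prepare.sh is run once, exactly as the steps above do.

```shell
#!/bin/sh
# Added example, not part of the perf-fuzz repository: build libjpeg with the
# modified afl-gcc and launch N parallel instances of the modified afl-fuzz,
# generalizing the two-terminal walkthrough in the README to any N. Run it
# from afl-test/. AFL_DIR, TARGET, N and RUN_FUZZ are this script's own
# assumptions, not options of the project.

AFL_DIR="${AFL_DIR:-../afl}"                  # the modified afl/ checkout
TARGET="${TARGET:-jpeg-9b/.libs/lt-djpeg}"    # real binary behind the libtool wrapper

# Return 0 if $1 is a non-negative integer, 1 otherwise.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Print the afl-fuzz command line for instance i of n (0-based). Each instance
# gets its own sync name (-S slave<i>) and the -u i/n pair that tells the
# modified afl-fuzz which slot it occupies among the n parallel instances.
instance_cmd() {
    i="$1"; n="$2"
    if ! is_uint "$i" || ! is_uint "$n" || [ "$n" -lt 1 ] || [ "$i" -ge "$n" ]; then
        echo "instance_cmd: need 0 <= i < n, got i=$i n=$n" >&2
        return 1
    fi
    printf '%s/afl-fuzz -i input -o output -S slave%s -u %s/%s %s\n' \
        "$AFL_DIR" "$i" "$i" "$n" "$TARGET"
}

# Build libjpeg with afl-gcc. The final ./djpeg -h is not optional: ./djpeg is
# a libtool wrapper, and running it once creates .libs/lt-djpeg.
build_libjpeg() {
    afl_abs=$(cd "$AFL_DIR" && pwd) || return 1
    (cd jpeg-9b && CC="$afl_abs/afl-gcc" ./configure && make) || return 1
    (cd jpeg-9b && ./djpeg -h >/dev/null 2>&1; true)
}

# Run prepare.sh once (with sudo, as the README does), then start n instances
# in the background. They only begin fuzzing once all n are up, so a partial
# launch leaves the started ones waiting rather than fuzzing alone.
launch_all() {
    n="$1"
    is_uint "$n" && [ "$n" -ge 1 ] || { echo "launch_all: N must be >= 1" >&2; return 1; }
    sudo ./prepare.sh || return 1
    i=0
    while [ "$i" -lt "$n" ]; do
        cmd=$(instance_cmd "$i" "$n") || return 1
        sh -c "$cmd" >"fuzz-slave$i.log" 2>&1 &
        i=$((i + 1))
    done
    wait
}

# Only build and launch when explicitly asked, so the file can be sourced for
# instance_cmd without side effects.
if [ "${RUN_FUZZ:-0}" = 1 ]; then
    build_libjpeg && launch_all "${N:-2}"
fi
```

Usage: `RUN_FUZZ=1 N=4 sh launch.sh` from afl-test/ builds libjpeg and starts four instances (slave0 to slave3, -u 0/4 to -u 3/4), each writing to its own fuzz-slave<i>.log; without RUN_FUZZ=1 the script only defines the functions, so `instance_cmd 2 4` prints the exact command to paste into a separate terminal when you would rather watch one instance's UI directly.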