This repository has been archived by the owner on Apr 12, 2022. It is now read-only.

important_changes.md

# Important changes in AFL++

This document lists important changes in AFL++, for example, major behavior changes.

## From version 3.00 onwards

With AFL++ 3.13-3.20, we introduce FRIDA mode (`-O`) as an alternative for binary-only fuzzing. It is slower than QEMU mode but works on macOS, Android, iOS, etc.

With AFL++ 3.15, we introduced the following changes from previous behaviors:

- `-M` main mode also no longer performs deterministic fuzzing by default
- `afl-cmin` and `afl-showmap -Ci` now descend into subdirectories like `afl-fuzz -i` does (note that `afl-cmin.bash` does not)

With AFL++ 3.14, we introduced the following changes from previous behaviors:

- `afl-fuzz`: deterministic fuzzing is no longer the default for `-M` main
- `afl-cmin`/`afl-showmap -i` now descend into subdirectories (`afl-cmin.bash`, however, does not)

With AFL++ 3.10, we introduced the following changes from previous behaviors:

- The `+` suffix of the `-t` option now means to auto-calculate the timeout, with the given value being the maximum timeout. The original meaning, "skip timeouts instead of aborting", is now inherent to the `-t` option.

With AFL++ 3.00, we introduced changes that break some previous AFL and AFL++ behaviors and defaults:

- There are no `llvm_mode` and `gcc_plugin` subdirectories anymore and there is only one compiler: `afl-cc`. All previous compilers are now symlinks to this one. All instrumentation source code is now in the `instrumentation/` folder.
- The `gcc_plugin` was replaced with a new version submitted by AdaCore that supports more features. Thank you!
- QEMU mode got upgraded to QEMU 5.1, but building it requires a current `ninja` build tool and `python3` `setuptools`. QEMU mode also got new options like snapshotting, instrumenting specific shared libraries, etc. Additionally, QEMU 5.1 supports more CPU targets, so the upgrade is really worth it.
- When instrumenting targets, `afl-cc` no longer overrides optimization levels if any were given. This allows fuzzing targets built the regular way, e.g. debug or release builds.
- `afl-fuzz`:
  - if neither `-M` nor `-S` is specified, `-S default` is assumed, so more fuzzers can easily be added later
  - the `-i` input directory option now descends into subdirectories. It also no longer aborts on crashing or too-large seeds; instead it skips them and uses them for splicing mutations
  - `-m none` is now the default; set memory limits (in MB) with, e.g., `-m 250`
  - deterministic fuzzing is now disabled by default (unless using `-M`) and can be enabled with `-D`
  - test cases can now be cached; the cache size is set by editing `TESTCASE_CACHE` in `config.h` or via the environment variable `AFL_TESTCACHE_SIZE` (in MB). Good values are between 50 and 500 (default: 50).
  - `-M` mains do not perform trimming
- `examples/` got renamed to `utils/`
- `libtokencap/`, `libdislocator/` and `qdbi_mode/` were moved to `utils/`
- `afl-cmin`/`afl-cmin.bash` now search first in `PATH` and last in `AFL_PATH`
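The seed-directory changes noted above for 3.00, 3.14 and 3.15 (recursive `-i` in `afl-fuzz`, `afl-cmin` and `afl-showmap`, top-level-only `afl-cmin.bash`, and oversized seeds being skipped rather than fatal) are easy to trip over when a corpus is shared between tools. The script below is an added example, not part of AFL++, that audits a seed directory the way those tools will read it. It assumes the size limit mirrors `MAX_FILE` in `config.h` and uses 1 MiB as a default, overridable through the `MAX_FILE_BYTES` variable.

```shell
#!/usr/bin/env sh
# Added example, not AFL++ code: audit a seed corpus the way the 3.00+ tools
# read it. afl-fuzz -i and afl-cmin/afl-showmap -i descend into
# subdirectories, afl-cmin.bash reads only the top level, and afl-fuzz skips
# (instead of aborting on) seeds above the size limit.
# Assumption: the limit mirrors MAX_FILE in config.h; 1 MiB is the default
# here and can be overridden via MAX_FILE_BYTES.
: "${MAX_FILE_BYTES:=1048576}"

# Seeds as afl-fuzz -i / afl-cmin -i / afl-showmap -i see them: recursive.
count_recursive() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Seeds as afl-cmin.bash sees them: top level only.
count_toplevel() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Seeds afl-fuzz will skip because they exceed MAX_FILE_BYTES
# (they are still used as splice material, but never executed directly).
list_oversized() {
    find "$1" -type f -size +"${MAX_FILE_BYTES}"c
}

# Print a short report; return 0 when every tool sees the same seeds and
# none will be skipped, 1 otherwise.
audit_seeds() {
    dir=$1
    rec=$(count_recursive "$dir")
    top=$(count_toplevel "$dir")
    big=$(list_oversized "$dir" | wc -l | tr -d ' ')
    echo "seeds visible to afl-fuzz/afl-cmin (recursive): $rec"
    echo "seeds visible to afl-cmin.bash (top level only): $top"
    echo "seeds afl-fuzz will skip as too large: $big"
    status=0
    if [ "$rec" -ne "$top" ]; then
        echo "warning: $((rec - top)) seed(s) live in subdirectories; afl-cmin.bash will miss them"
        status=1
    fi
    if [ "$big" -gt 0 ]; then
        list_oversized "$dir" | sed 's/^/warning: too large: /'
        status=1
    fi
    return $status
}

# Usage: sh audit_seeds.sh path/to/seeds
if [ -n "$1" ]; then audit_seeds "$1"; fi
```

Run it against the directory you pass to `-i` before a campaign: a non-zero exit means either `afl-cmin.bash` would minimize a different corpus than `afl-fuzz` fuzzes, or some seeds will silently never be executed.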