AFLplusplus v4.08c releases: brute-force fuzzer
Fuzzing is one of the most powerful and proven strategies for identifying security issues in real-world software; it is responsible for the vast majority of remote code execution and privilege escalation bugs found to date in security-critical software.
Unfortunately, fuzzing is also relatively shallow; blind, random mutations make it very unlikely to reach certain code paths in the tested code, leaving some vulnerabilities firmly outside the reach of this technique.
There have been numerous attempts to solve this problem. One of the early approaches – pioneered by Tavis Ormandy – is corpus distillation. The method relies on coverage signals to select a subset of interesting seeds from a massive, high-quality corpus of candidate files, and then fuzz them by traditional means. The approach works exceptionally well but requires such a corpus to be readily available. In addition, block coverage measurements provide only a very simplistic understanding of program state and are less useful for guiding the fuzzing effort in the long haul.
Other, more sophisticated research has focused on techniques such as program flow analysis (“concolic execution”), symbolic execution, or static analysis. All these methods are extremely promising in experimental settings, but tend to suffer from reliability and performance problems in practical uses – and currently, do not offer a viable alternative to “dumb” fuzzing techniques.
The afl-fuzz approach
American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. It uses a modified form of edge coverage to effortlessly pick up subtle, local-scale changes to program control flow.
Simplifying a bit, the overall algorithm can be summed up as:
- Load user-supplied initial test cases into the queue,
- Take next input file from the queue,
- Attempt to trim the test case to the smallest size that doesn’t alter the measured behavior of the program,
- Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies,
- If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add mutated output as a new entry in the queue.
- Go to 2.
The discovered test cases are also periodically culled to eliminate ones that have been obsoleted by newer, higher-coverage finds; and undergo several other instrumentation-driven effort minimization steps.
As a side result of the fuzzing process, the tool creates a small, self-contained corpus of interesting test cases. These are extremely useful for seeding other, labor- or resource-intensive testing regimes – for example, for stress-testing browsers, office applications, graphics suites, or closed-source tools.
The fuzzer is thoroughly tested to deliver out-of-the-box performance far superior to blind fuzzing or coverage-only tools.
Changelog v4.08c
- afl-fuzz:
- new mutation engine: mutations that favor discovery more paths are
prefered until no new finds for 10 minutes then switching to mutations
that favor triggering crashes. Modes and switch time can be configured
with-P. Also input mode for the target can be defined with-ato
betextorbinary(defaults togeneric) - new custom mutator that has the new afl++ engine (so it can easily
incorporated into new custom mutators), and also comes with a standalone
command line tool! See custom_mutators/aflpp/standalone/ - display the state of the fuzzing run in the UI 🙂
- fix timeout setting if ‘+’ is used or a session is restarted
- -l X option to enable base64 transformation solving
- allow to disable CMPLOG with ‘-c -‘ (e.g. afl.rs enforces ‘-c 0’ on
every instance which is counterproductive).
- new mutation engine: mutations that favor discovery more paths are
- afl-cmin/afl-cmin.bash:
- fixed a bug inherited from vanilla AFL where a coverage of
map[123] = 11 would be the same as map[1123] = 1 - warn on crashing inputs
- adjust threads if less inputs than threads specified
- fixed a bug inherited from vanilla AFL where a coverage of
- afl-cc:
- fixed an off-by-one instrumentation of iselect, hurting coverage a bit.
Thanks to @amykweon for spotting and fixing! - @toka fixed a bug in laf-intel signed integer comparison splitting,
thanks a lot!! - more LLVM compatability
- fixed an off-by-one instrumentation of iselect, hurting coverage a bit.
- frida_mode:
- support for long form instrumentation on x86_x64 and arm64
- renamed utils/get_symbol_addr.sh to utils/frida_get_symbol_addr.sh
- qemu_mode:
- added qemu_mode/utils/qemu_get_symbol_addr.sh
Install && Use
Copyright (C) 2019 vanhauser-thc
