| Index: third_party/afl/src/docs/README
|
| diff --git a/third_party/afl/src/docs/README b/third_party/afl/src/docs/README
|
| index 642e57b77f8917f8b799b9fa37351e43418f5043..bac9fee1e20c441a8215110f25b213d00f5d10c9 100644
|
| --- a/third_party/afl/src/docs/README
|
| +++ b/third_party/afl/src/docs/README
|
| @@ -115,7 +115,8 @@ $ CC=/path/to/afl/afl-gcc ./configure --disable-shared
|
|
|
| Setting AFL_HARDEN=1 when calling 'make' will cause the CC wrapper to
|
| automatically enable code hardening options that make it easier to detect
|
| -simple memory bugs.
|
| +simple memory bugs. Libdislocator, a helper library included with AFL (see
|
| +libdislocator/README.dislocator) can help uncover heap corruption issues, too.
|
|
|
| PS. ASAN users are advised to review notes_for_asan.txt file for important
|
| caveats.
|
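Review bot: the added sentence about libdislocator sits directly after the AFL_HARDEN advice but does not say how the two differ, which invites the reading that `make` with AFL_HARDEN=1 also pulls in libdislocator. AFL_HARDEN is a build-time switch the CC wrapper turns into compiler flags; libdislocator is a separate library that has to be loaded into the fuzzed binary at run time. One clause would settle it, e.g. "Libdislocator, a helper library included with AFL that you load into the target at run time (see libdislocator/README.dislocator), can help uncover heap corruption issues, too." Also please confirm libdislocator/README.dislocator actually exists in this third_party snapshot, since this hunk is the only place the path is introduced.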
| @@ -276,8 +277,10 @@ magic headers, or other special tokens associated with the targeted data type
|
| http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
|
|
|
| To use this feature, you first need to create a dictionary in one of the two
|
| -formats discussed in testcases/README.testcases; and then point the fuzzer to
|
| -it via the -x option in the command line.
|
| +formats discussed in dictionaries/README.dictionaries; and then point the fuzzer
|
| +to it via the -x option in the command line.
|
| +
|
| +(Several common dictionaries are already provided in that subdirectory, too.)
|
|
|
| There is no way to provide more structured descriptions of the underlying
|
| syntax, but the fuzzer will likely figure out some of this based on the
|
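Review bot: the path change from testcases/README.testcases to dictionaries/README.dictionaries needs the matching file move in the same change, otherwise the -x paragraph will point at a file that is not there; this diff only touches docs/README, so please check that the dictionaries/ subdirectory and its README.dictionaries land alongside it, and grep the rest of docs/ for leftover testcases/README.testcases references. Style: the parenthetical "(Several common dictionaries are already provided in that subdirectory, too.)" reads better folded into the sentence it qualifies, e.g. "...to it via the -x option in the command line; several common dictionaries are already provided in that subdirectory."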
| @@ -290,6 +293,10 @@ existing syntax tokens in the input corpus by watching the instrumentation
|
| very closely during deterministic byte flips. This works for some types of
|
| parsers and grammars, but isn't nearly as good as the -x mode.
|
|
|
| +If a dictionary is really hard to come by, another option is to let AFL run
|
| +for a while, and then use the token capture library that comes as a companion
|
| +utility with AFL. For that, see libtokencap/README.tokencap.
|
| +
|
| 10) Crash triage
|
| ----------------
|
|
|
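Review bot: the new libtokencap paragraph does not say what is done with the captured tokens, so it is not clear that this is a second route to the -x dictionary discussed in the paragraph above rather than an unrelated feature. Suggest closing the sentence with the purpose, e.g. "...use the token capture library that comes as a companion utility with AFL to build a dictionary file you can then feed back through -x (see libtokencap/README.tokencap)." "Let AFL run for a while" is also vague; a few words on what the wait buys (a queue of inputs that already reach the parser) would help.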
| @@ -336,7 +343,31 @@ be critical, and which are not; while not bulletproof, it can often offer quick
|
| insights into complex file formats. More info about its operation can be found
|
| near the end of technical_details.txt.
|
|
|
| -11) Common-sense risks
|
| +11) Going beyond crashes
|
| +------------------------
|
| +
|
| +Fuzzing is a wonderful and underutilized technique for discovering non-crashing
|
| +design and implementation errors, too. Quite a few interesting bugs have been
|
| +found by modifying the target programs to call abort() when, say:
|
| +
|
| + - Two bignum libraries produce different outputs when given the same
|
| + fuzzer-generated input,
|
| +
|
| + - An image library produces different outputs when asked to decode the same
|
| + input image several times in a row,
|
| +
|
| + - A serialization / deserialization library fails to produce stable outputs
|
| + when iteratively serializing and deserializing fuzzer-supplied data,
|
| +
|
| + - A compression library produces an output inconsistent with the input file
|
| + when asked to compress and then decompress a particular blob.
|
| +
|
| +Implementing these or similar sanity checks usually takes very little time;
|
| +if you are the maintainer of a particular package, you can make this code
|
| +conditional with #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION (a flag also
|
| +shared with libfuzzer) or #ifdef __AFL_COMPILER (this one is just for AFL).
|
| +
|
| +12) Common-sense risks
|
| ----------------------
|
|
|
| Please keep in mind that, similarly to many other computationally-intensive
|
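Review bot: the #ifdef advice at the end of the new section 11 does not say who defines the two macros, and that is the detail a maintainer needs before wiring abort() calls behind them: "a flag also shared with libfuzzer" leaves open whether FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION comes from the afl-gcc/afl-clang wrapper or must be passed by the build with -D, and the same should be stated for __AFL_COMPILER. Please say explicitly which of the two this tree's wrapper sets on its own. A smaller point on the four bullet examples: they are all comparisons of two results, so it is worth one sentence noting that the abort() belongs in the harness after both results are in hand, not inside either library under test, so that afl-fuzz attributes the crash to the mismatch rather than to one implementation.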
| @@ -364,7 +395,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular:
|
|
|
| $ iostat -d 3 -x -k [...optional disk ID...]
|
|
|
| -12) Known limitations & areas for improvement
|
| +13) Known limitations & areas for improvement
|
| ---------------------------------------------
|
|
|
| Here are some of the most important caveats for AFL:
|
| @@ -400,9 +431,12 @@ Here are some of the most important caveats for AFL:
|
| - AFL doesn't output human-readable coverage data. If you want to monitor
|
| coverage, use afl-cov from Michael Rash: https://github.com/mrash/afl-cov
|
|
|
| + - Occasionally, sentient machines rise against their creators. If this
|
| + happens to you, please consult http://lcamtuf.coredump.cx/prep/.
|
| +
|
| Beyond this, see INSTALL for platform-specific tips.
|
|
|
| -13) Special thanks
|
| +14) Special thanks
|
| ------------------
|
|
|
| Many of the improvements to afl-fuzz wouldn't be possible without feedback,
|
| @@ -439,11 +473,13 @@ bug reports, or patches from:
|
| Guillaume Endignoux ilovezfs
|
| Daniel Godas-Lopez Franjo Ivancic
|
| Austin Seipp Daniel Komaromy
|
| - Daniel Binderman
|
| + Daniel Binderman Jonathan Metzman
|
| + Vegard Nossum Jan Kneschke
|
| + Kurt Roeckx
|
|
|
| Thank you!
|
|
|
| -14) Contact
|
| +15) Contact
|
| -----------
|
|
|
| Questions? Concerns? Bug reports? The author can be usually reached at
|
|
|