Chromium Code Reviews

Side by Side Diff: third_party/afl/src/qemu_mode/README.qemu

Issue 2662883002: Roll AFL 2.31b:2.38b and switch coverage to use trace-pc-guard. (Closed)
Patch Set: Remove unneeded vuln_samples binaries. Created 3 years, 10 months ago
OLD | NEW
1 ========================================================= 1 =========================================================
2 High-performance binary-only instrumentation for afl-fuzz 2 High-performance binary-only instrumentation for afl-fuzz
3 ========================================================= 3 =========================================================
4 4
5 (See ../docs/README for the general instruction manual.) 5 (See ../docs/README for the general instruction manual.)
6 6
7 1) Introduction 7 1) Introduction
8 --------------- 8 ---------------
9 9
10 The code in this directory allows you to build a standalone feature that 10 The code in this directory allows you to build a standalone feature that
(...skipping 80 matching lines...)
91 experimental/post_library/ for a viable solution. 91 experimental/post_library/ for a viable solution.
92 92
93 Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate 93 Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
94 the "shadow VM" trick employed by the sanitizers and will probably just 94 the "shadow VM" trick employed by the sanitizers and will probably just
95 run out of memory. 95 run out of memory.
96 96
97 Compared to fully-fledged virtualization, the user emulation mode is *NOT* a 97 Compared to fully-fledged virtualization, the user emulation mode is *NOT* a
98 security boundary. The binaries can freely interact with the host OS. If you 98 security boundary. The binaries can freely interact with the host OS. If you
99 somehow need to fuzz an untrusted binary, put everything in a sandbox first. 99 somehow need to fuzz an untrusted binary, put everything in a sandbox first.
100 100
101 QEMU does not necessarily support all CPU or hardware features that your
102 target program may be utilizing. In particular, it does not appear to have
103 full support for AVX2 / FMA3. Using binaries for older CPUs, or recompiling them
104 with -march=core2, can help.
105
101 Beyond that, this is an early-stage mechanism, so fields reports are welcome. 106 Beyond that, this is an early-stage mechanism, so fields reports are welcome.
102 You can send them to <afl-users@googlegroups.com>. 107 You can send them to <afl-users@googlegroups.com>.
103 108
104 6) Alternatives: static rewriting 109 6) Alternatives: static rewriting
105 --------------------------------- 110 ---------------------------------
106 111
107 Statically rewriting binaries just once, instead of attempting to translate 112 Statically rewriting binaries just once, instead of attempting to translate
108 them at run time, can be a faster alternative. That said, static rewriting is 113 them at run time, can be a faster alternative. That said, static rewriting is
109 fraught with peril, because it depends on being able to properly and fully model 114 fraught with peril, because it depends on being able to properly and fully model
110 program control flow without actually executing each and every code path. 115 program control flow without actually executing each and every code path.
111 116
112 If you want to experiment with this mode of operation, there is a module 117 If you want to experiment with this mode of operation, there is a module
113 contributed by Aleksandar Nikolich: 118 contributed by Aleksandar Nikolich:
114 119
115 https://github.com/vrtadmin/moflow/tree/master/afl-dyninst 120 https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
116 https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg 121 https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
117 122
118 At this point, the author reports the possibility of hiccups with stripped 123 At this point, the author reports the possibility of hiccups with stripped
119 binaries. That said, if we can get it to be comparably reliable to QEMU, we may 124 binaries. That said, if we can get it to be comparably reliable to QEMU, we may
120 decide to switch to this mode, but I had no time to play with it yet. 125 decide to switch to this mode, but I had no time to play with it yet.
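Review bot: the new paragraph (new lines 101-104) names the features QEMU lacks (AVX2 / FMA3) but not how that lack shows up to the user, so a reader hitting it cannot tell it apart from a genuine crash in the target; consider adding one sentence on what to look for (for example, the emulated program aborting on an unsupported instruction shortly after start) before the "-march=core2" advice. While this section is being touched, the pre-existing typo two lines below, "fields reports are welcome", could be fixed to "field reports". Since this is a vendored upstream AFL file being rolled in by this CL, both changes would normally be sent upstream rather than patched locally in third_party.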