You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
129 lines
3.3 KiB
129 lines
3.3 KiB
1 month ago
|
# ===================
|
||
|
# AFL "Life Pro Tips"
|
||
|
# ===================
|
||
|
#
|
||
|
# Bite-sized advice for those who understand the basics, but can't be bothered
|
||
|
# to read or memorize every other piece of documentation for AFL.
|
||
|
#
|
||
|
|
||
|
%
|
||
|
|
||
|
Get more bang for your buck by using fuzzing dictionaries.
|
||
|
See dictionaries/README.dictionaries to learn how.
|
||
|
|
||
|
%
|
||
|
|
||
|
You can get the most out of your hardware by parallelizing AFL jobs.
|
||
|
See docs/parallel_fuzzing.txt for step-by-step tips.
|
||
|
|
||
|
%
|
||
|
|
||
|
Improve the odds of spotting memory corruption bugs with libdislocator.so!
|
||
|
It's easy. Consult libdislocator/README.dislocator for usage tips.
|
||
|
|
||
|
%
|
||
|
|
||
|
Want to understand how your target parses a particular input file?
|
||
|
Try the bundled afl-analyze tool; it's got colors and all!
|
||
|
|
||
|
%
|
||
|
|
||
|
You can visually monitor the progress of your fuzzing jobs.
|
||
|
Run the bundled afl-plot utility to generate browser-friendly graphs.
|
||
|
|
||
|
%
|
||
|
|
||
|
Need to monitor AFL jobs programmatically? Check out the fuzzer_stats file
|
||
|
in the AFL output dir or try afl-whatsup.
|
||
|
|
||
|
%
|
||
|
|
||
|
Puzzled by something showing up in red or purple in the AFL UI?
|
||
|
It could be important - consult docs/status_screen.txt right away!
|
||
|
|
||
|
%
|
||
|
|
||
|
Know your target? Convert it to persistent mode for a huge performance gain!
|
||
|
Consult section #5 in llvm_mode/README.llvm for tips.
|
||
|
|
||
|
%
|
||
|
|
||
|
Using clang? Check out llvm_mode/ for a faster alternative to afl-gcc!
|
||
|
|
||
|
%
|
||
|
|
||
|
Did you know that AFL can fuzz closed-source or cross-platform binaries?
|
||
|
Check out qemu_mode/README.qemu for more.
|
||
|
|
||
|
%
|
||
|
|
||
|
Did you know that afl-fuzz can minimize any test case for you?
|
||
|
Try the bundled afl-tmin tool - and get small repro files fast!
|
||
|
|
||
|
%
|
||
|
|
||
|
Not sure if a crash is exploitable? AFL can help you figure it out. Specify
|
||
|
-C to enable the peruvian were-rabbit mode. See section #10 in README for more.
|
||
|
|
||
|
%
|
||
|
|
||
|
Trouble dealing with a machine uprising? Relax, we've all been there.
|
||
|
Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
|
||
|
|
||
|
%
|
||
|
|
||
|
AFL-generated corpora can be used to power other testing processes.
|
||
|
See section #2 in README for inspiration - it tends to pay off!
|
||
|
|
||
|
%
|
||
|
|
||
|
Want to automatically spot non-crashing memory handling bugs?
|
||
|
Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
|
||
|
|
||
|
%
|
||
|
|
||
|
Good selection of input files is critical to a successful fuzzing job.
|
||
|
See section #5 in README (or docs/perf_tips.txt) for pro tips.
|
||
|
|
||
|
%
|
||
|
|
||
|
You can improve the odds of automatically spotting stack corruption issues.
|
||
|
Specify AFL_HARDEN=1 in the environment to enable hardening flags.
|
||
|
|
||
|
%
|
||
|
|
||
|
Bumping into problems with non-reproducible crashes? It happens, but usually
|
||
|
isn't hard to diagnose. See section #7 in README for tips.
|
||
|
|
||
|
%
|
||
|
|
||
|
Fuzzing is not just about memory corruption issues in the codebase. Add some
|
||
|
sanity-checking assert() / abort() statements to effortlessly catch logic bugs.
|
||
|
|
||
|
%
|
||
|
|
||
|
Hey kid... pssst... want to figure out how AFL really works?
|
||
|
Check out docs/technical_details.txt for all the gory details in one place!
|
||
|
|
||
|
%
|
||
|
|
||
|
There's a ton of third-party helper tools designed to work with AFL!
|
||
|
Be sure to check out docs/sister_projects.txt before writing your own.
|
||
|
|
||
|
%
|
||
|
|
||
|
Need to fuzz the command-line arguments of a particular program?
|
||
|
You can find a simple solution in experimental/argv_fuzzing.
|
||
|
|
||
|
%
|
||
|
|
||
|
Attacking a format that uses checksums? Remove the checksum-checking code or
|
||
|
use a postprocessor! See experimental/post_library/ for more.
|
||
|
|
||
|
%
|
||
|
|
||
|
Dealing with a very slow target or hoping for instant results? Specify -d
|
||
|
when calling afl-fuzz!
|
||
|
|
||
|
%
|