Makefile:
llvm_mode:
qemu_mode:
afl-fuzz:
gcc_plugin:
qemu_mode:
custom_mutators:
Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. At afl's default map that means ~16 collisions and ~3 wrappings.
Solution #1: increase map size.
=> speed loss is bad. last resort solution
every +1 decreases fuzzing speed by ~10% and halfs the collisions birthday paradox predicts collisions at this # of edges:
mapsize | collisions |
---|---|
2^16 | 302 |
2^17 | 427 |
2^18 | 603 |
2^19 | 853 |
2^20 | 1207 |
2^21 | 1706 |
2^22 | 2412 |
2^23 | 3411 |
2^24 | 4823 |
Increasing the map is an easy solution but also not a good one.
Solution #2: use dynamic map size and collision free basic block IDs
=> This works and is the selected solution
This only works in llvm_mode and llvm >= 9 though A potential good future solution. Heiko/hexcoder follows this up
Solution #3: write instruction pointers to a big shared map
=> Tested and it is a dead end
512kb/1MB shared map and the instrumented code writes the instruction pointer into the map. Map must be big enough but could be command line controlled.
Good: complete coverage information, nothing is lost. choice of analysis impacts speed, but this can be decided by user options
Neutral: a little bit slower but no loss of coverage
Bad: completely changes how afl uses the map and the scheduling. Overall another very good solution, Marc Heuse/vanHauser follows this up