Makefile:
llvm_mode:
afl-fuzz:
gcc_plugin:
qemu_mode:
custom_mutators:
Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges. At afl's default map size that means ~16 collisions and ~3 wrappings.
Solution #1: increase map size.
=> The speed loss is bad; this is a last-resort solution.
Every +1 to the map size exponent decreases fuzzing speed by ~10% and halves the number of collisions. The birthday paradox predicts that a collision becomes likely at this number of edges:
| map size | collision likely at (# edges) | speed decrease |
|---|---|---|
| 2^16 | 302 | 0% |
| 2^17 | 427 | 10% |
| 2^18 | 603 | 25% |
| 2^19 | 853 | 43% |
| 2^20 | 1207 | 62% |
| 2^21 | 1706 | ?% |
| 2^22 | 2412 | ?% |
| 2^23 | 3411 | ?% |
| 2^24 | 4823 | ?% |
Increasing the map is an easy solution but also not a complete and efficient one.
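The birthday-paradox estimate behind the table above, as an added example that is not part of the original notes: it computes how many edges a map of a given size holds before a collision becomes likely (reproducing the middle column to within rounding) and the expected number of edges lost to collisions for the 1500-edge average target in the default 2^16 map.

```python
import math

# Added example: birthday-paradox estimates for AFL-style edge coverage maps.
# Each edge ID is treated as a uniformly random slot in a map of map_size entries.


def collision_probability(n_edges: int, map_size: int) -> float:
    """Probability that at least two of n_edges distinct edges share a map slot
    (exact birthday-problem product, not the exp(-n^2 / 2m) approximation)."""
    p_no_collision = 1.0
    for i in range(n_edges):
        p_no_collision *= 1.0 - i / map_size
    return 1.0 - p_no_collision


def expected_collisions(n_edges: int, map_size: int) -> float:
    """Expected number of edges that land in a slot already used by another edge,
    i.e. edges whose coverage information is merged into another edge's slot."""
    occupied_slots = map_size * (1.0 - (1.0 - 1.0 / map_size) ** n_edges)
    return n_edges - occupied_slots


def edges_for_half_chance(map_size: int) -> int:
    """Smallest edge count at which a collision is more likely than not,
    using the standard approximation n ~ sqrt(2 * m * ln 2)."""
    return math.ceil(math.sqrt(2.0 * map_size * math.log(2.0)))


def map_size_table(min_exp: int = 16, max_exp: int = 24) -> list:
    """(map size exponent, edges at which a collision is likely) for 2^16 .. 2^24."""
    return [(e, edges_for_half_chance(1 << e)) for e in range(min_exp, max_exp + 1)]


if __name__ == "__main__":
    # The notes' average target: ~1500 edges in the default 2^16 map.
    n, m = 1500, 1 << 16
    print(f"{n} edges in a 2^16 map: P(collision) = {collision_probability(n, m):.3f}, "
          f"expected lost edges = {expected_collisions(n, m):.1f}")
    for exp, edges in map_size_table():
        print(f"2^{exp:<2} collision likely at {edges:>5} edges")
```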
Solution #2: use dynamic map size and collision free basic block IDs
=> This works and is the selected solution
This only works in llvm_mode - obviously.
Solution #3: write instruction pointers to a big shared map
=> Tested and it is a dead end
A 512 KB/1 MB shared map into which the instrumented code writes the instruction pointer. The map must be big enough, but its size could be controlled from the command line.
Good: complete coverage information, nothing is lost. The choice of analysis impacts speed, but this can be decided by user options.
Neutral: a little bit slower, but no loss of coverage.
Bad: completely changes how afl uses the map and the scheduling. Overall another very good solution; Marc Heuse/vanHauser follows this up.
Solution #4: ???
other ideas?