libdislocator/README.dislocator - platform/external/AFLplusplus - Git at Google

 ===================================
 libdislocator, an abusive allocator
 ===================================

   (See ../docs/README for the general instruction manual.)

 This is a companion library that can be used as a drop-in replacement for the
 libc allocator in the fuzzed binaries. It improves the odds of bumping into
 heap-related security bugs in several ways:

   - It allocates all buffers so that they are immediately adjacent to a
     subsequent PROT_NONE page, causing most off-by-one reads and writes to
     immediately segfault,

   - It adds a canary immediately below the allocated buffer, to catch writes
     to negative offsets (won't catch reads, though),

   - It sets the memory returned by malloc() to garbage values, improving the
     odds of crashing when the target accesses uninitialized data,

   - It sets freed memory to PROT_NONE and does not actually reuse it, causing
     most use-after-free bugs to segfault right away,

   - It forces all realloc() calls to return a new address - and sets
     PROT_NONE on the original block. This catches use-after-realloc bugs,

   - It checks for calloc() overflows and can cause soft or hard failures
     of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
     AFL_LD_HARD_FAIL).

 Basically, it is inspired by some of the non-default options available for the
 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
 also somewhat similar to several other debugging libraries, such as gmalloc
 and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
 jobs.

 Note that it does nothing for stack-based memory handling errors. The
 -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
 can catch some subset of that.

 The allocator is slow and memory-intensive (even the tiniest allocation uses up
 4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
 for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
 when fuzzing small, self-contained binaries.

 To use this library, run AFL like so:

 AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]

 You *have* to specify path, even if it's just ./libdislocator.so or
 $PWD/libdislocator.so.

 Similarly to afl-tmin, the library is not "proprietary" and can be used with
 other fuzzers or testing tools without the need for any code tweaks. It does not
 require AFL-instrumented binaries to work.

 Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or
 DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
 dynamically linked. Otherwise, attempting to use the library will have no
 effect.
	===================================
	libdislocator, an abusive allocator
	===================================

	(See ../docs/README for the general instruction manual.)

	This is a companion library that can be used as a drop-in replacement for the
	libc allocator in the fuzzed binaries. It improves the odds of bumping into
	heap-related security bugs in several ways:

	- It allocates all buffers so that they are immediately adjacent to a
	subsequent PROT_NONE page, causing most off-by-one reads and writes to
	immediately segfault,

	- It adds a canary immediately below the allocated buffer, to catch writes
	to negative offsets (won't catch reads, though),

	- It sets the memory returned by malloc() to garbage values, improving the
	odds of crashing when the target accesses uninitialized data,

	- It sets freed memory to PROT_NONE and does not actually reuse it, causing
	most use-after-free bugs to segfault right away,

	- It forces all realloc() calls to return a new address - and sets
	PROT_NONE on the original block. This catches use-after-realloc bugs,

	- It checks for calloc() overflows and can cause soft or hard failures
	of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
	AFL_LD_HARD_FAIL).

	Basically, it is inspired by some of the non-default options available for the
	OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
	also somewhat similar to several other debugging libraries, such as gmalloc
	and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
	jobs.

	Note that it does nothing for stack-based memory handling errors. The
	-fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
	can catch some subset of that.

	The allocator is slow and memory-intensive (even the tiniest allocation uses up
	4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
	for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
	when fuzzing small, self-contained binaries.

	To use this library, run AFL like so:

	AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]

	You have to specify path, even if it's just ./libdislocator.so or
	$PWD/libdislocator.so.

	Similarly to afl-tmin, the library is not "proprietary" and can be used with
	other fuzzers or testing tools without the need for any code tweaks. It does not
	require AFL-instrumented binaries to work.

	Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or
	DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
	dynamically linked. Otherwise, attempting to use the library will have no
	effect.