Description
@jonathanmetzman @lszekeres @inferno-chromium
The following are variations on how you can run afl++ effectively.
- building afl++

```sh
git clone https://github.com/AFLplusplus/AFLplusplus afl++
cd afl++
git checkout stable
make all
make -C llvm_mode
make -C examples/aflpp_driver
```
The last step builds the libafl driver (see https://github.com/google/fuzzbench/blob/master/fuzzers/aflplusplus/builder.Dockerfile).
- building targets
Just use afl-clang-fast.
afl-clang-lto is a full step better (faster, auto dictionary) but has a high impact on build time.
Plain, or better with two useful options:
- `AFL_LLVM_CMPLOG=1` <= cmplog/redqueen, highly effective, not compatible with afl spinoffs
- `AFL_LLVM_LAF_ALL=1` <= highly improved laf-intel (floats, non-literal string support, etc.), compatible with afl spinoffs
Note that binary compatibility with afl and its spin-offs is limited, as afl++ supports variable map sizes, meaning afl-fuzz and the target choose the correct size and get non-colliding coverage. For some targets the map will be 15k entries, and these are no problem. For a few large targets it can be > 64k, and then these binaries cannot be used with the others.
Note that for cmplog you are faster if you compile one version with cmplog and one without. The cmplog version is passed with the `-c` parameter to afl-fuzz. However, if you do not mind losing a bit of speed, you can use just a cmplog-compiled binary for both.
- running targets
The normal havoc mode is improved over afl and better than MOpt, and if there is a cycle without finds then it additionally activates MOpt. So your choices are:
- `-L 0` <- MOpt only
- `-L -1` <- start with mixed mode
- nothing <- mixed mode is turned on after a cycle without finds
- `AFL_EXPAND_HAVOC_NOW=1` <- don't wait for a cycle without finds to enable advanced havoc mode

And then you can select a schedule. We have 9 schedules and the best are: seek, rare, explore (the default) (`-p schedule`).
As you are fuzzing with an existing and growing corpus, I highly recommend using cmplog and laf-intel, `AFL_EXPAND_HAVOC_NOW` and `-p rare` or `-p seek`.
These options are the more effective ones for finding new paths.
If you have further questions - just put them here.