Lines Matching full:fuzzing
1 # Fuzzing with AFL++
7 Fuzzing source code is a three-step process:
11 2. Prepare the fuzzing by selecting and optimizing the input corpus for the
13 3. Perform the fuzzing of the target by randomly mutating input and assessing if
19 tasks, fuzzing may put a strain on your hardware and on the OS. In particular:
23 automatically throttled. That said, especially when fuzzing on less suitable
30 that you shouldn't be fuzzing on systems where the prospect of data loss is
33 - Fuzzing involves billions of reads and writes to the filesystem. On modern
132 AFL++ which then tries to put these values into the fuzzing data at different
195 It is possible to use sanitizers when instrumenting targets for fuzzing, which
201 (address sanitizer) anyway after syncing test cases from other fuzzing
218 oriented programming (ROP) exploit chains from functioning. In fuzzing, this
236 requires some specific parameters important for fuzzing to be set. If you want
247 If the target has features that make fuzzing more difficult, e.g., checksums,
360 much more fuzzing speed.
377 fuzzing, and they can be used with AFL++ (and honggfuzz) as well!
390 Bonus: the target is already optimized for fuzzing due to persistent mode and
396 ## 2. Preparing the fuzzing campaign
426 * If the target program is to be called by fuzzing as `bin/target INPUTFILE`,
442 bloated with duplicates anymore, which would slow down the fuzzing progress!
447 the better the fuzzing will be. This minimization is done with `afl-tmin`,
467 directory to be used in fuzzing! :-)
469 ## 3. Fuzzing the target
473 fuzzing, which will make the fuzzing much more useful.
475 If you just use one instance for fuzzing, then you are fuzzing just for fun and
489 boot options for a much better fuzzing performance.
490 * Both scripts improve your fuzzing performance but also decrease your system
494 If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign),
512 verified that your fuzzing setup works! Run it like `screen -dmS afl-main --
518 If you need to stop and re-start the fuzzing, use the same command line options
546 fuzzing (`-D`) and many more. Check out `afl-fuzz -h`.
555 By default, afl-fuzz never stops fuzzing. To terminate AFL++, press Control-C or
598 during fuzzing) and their number, a value between 50-500MB is recommended. You
637 If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
641 phase and start fuzzing at once - but only do this if the calibration phase
664 ### d) Using multiple machines for fuzzing
675 * regularly (~4h): this ensures that all fuzzing campaigns on the servers "see"
676 the same thing. It is like fuzzing on a huge server.
677 * in intervals of 1/10th of the overall expected runtime of the fuzzing you
704 AFL++ comes with the `afl-whatsup` script to show the status of the fuzzing
717 fuzzing instance is performing. The syntax is `afl-plot instance_dir web_dir`,
720 ### f) Stopping fuzzing, restarting fuzzing, adding new seeds
727 If you want to add new seeds to a fuzzing campaign, you can run a temporary
728 fuzzing instance, e.g., when your main fuzzer is using `-o out` and the new
735 ### g) Checking the coverage of the fuzzing
747 [*] Using SHARED MEMORY FUZZING feature.
764 that fuzzing campaign with that seed as input, let it run for a few minutes,
771 individual fuzzing campaigns each with one of these options set. E.g., if you
778 (e.g., for a day or a week), then you can expect that your fuzzing won't be
808 Fuzzing is a wonderful and underutilized technique for discovering non-crashing
853 - There is no direct support for fuzzing network services, background daemons,
876 Having said that, it's important to acknowledge that some fuzzing crashes can be
882 uses its feedback-driven fuzzing strategies to very quickly enumerate all code
921 ## 5. CI fuzzing
923 Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
924 normal fuzzing campaigns as these are much shorter runs.
928 phase and start fuzzing at once. But only do that if the calibration time is
932 * LTO has a much longer compile time which is diametrical to short fuzzing -
957 fuzzing. `-M` enables old queue handling etc. which is good for a fuzzing
970 This is basically all you need to know to professionally run fuzzing campaigns.
974 Note that there are also a lot of tools out there that help fuzzing with AFL++