author: van Hauser <vh@thc.org> 2020-02-16 20:40:53 +0100
committer: van Hauser <vh@thc.org> 2020-02-16 20:40:53 +0100
commit: b670ba182e266b674a6d0389774d78de960abf57 (patch)
tree: 33559b222ac7e48b73fa37153b48a6c37eaf997e /TODO.md
parent: e40415cf1605455cf671ddad7c3b2aac8ccdf3d7 (diff)
download: AFLplusplus-b670ba182e266b674a6d0389774d78de960abf57.tar.gz
update TODO
Diffstat (limited to 'TODO.md')
-rw-r--r--  TODO.md  27
1 file changed, 25 insertions, 2 deletions
diff --git a/TODO.md b/TODO.md
index 39c7c029..e9912475 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,7 +1,21 @@
+# TODO list for AFL++
+
## Roadmap 2.61
Makefile:
- - -march=native -Ofast -flto=full
+ - -march=native -Ofast -flto=full (especially for afl-fuzz)
+
+llvm_mode:
+ - using lto + opt to instrument at link time, and using a sat solver to
+ select basic block IDs that do not result in collisions
+ (Solution for "The far away future", see bottom of file)
+
+qemu_mode:
+ - ensure redqueen implementation works fine
+ - ensure no issues in persistent mode
+
+
+## Further down the road
afl-fuzz:
- sync_fuzzers(): only masters sync from all, slaves only sync from master
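Review bot: the new llvm_mode roadmap item (lto + opt instrumentation with a SAT solver for collision-free basic block IDs) omits the prerequisite that the bottom of this same file attaches to that solution, namely that it only works in llvm_mode with llvm >= 9; a reader of the 2.61 roadmap should not have to scroll to "The far away future" to learn that constraint, so consider adding "(llvm_mode, llvm >= 9 only)" to the item. The trailing double blank line before "## Further down the road" is also inconsistent with the single blank line used between the other sections.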
@@ -20,11 +34,11 @@ qemu_mode:
- rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?)
- add AFL_QEMU_EXITPOINT (maybe multiple?)
- add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM
+ - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses
custom_mutators:
- rip what Superion is doing into custom mutators for js, php, etc.
- uniform python and custom mutators API
- - running with -M and custom_only mutators should warn that no deterministic stages are run.
## The far away future:
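Review bot: the removed item "running with -M and custom_only mutators should warn that no deterministic stages are run." is dropped without any indication of whether it was implemented or abandoned; a one-line note in the commit message (or moving it to a done list) would keep the TODO history useful. For the new "AFL_QEMU_INST_REGIONS as a list of _START/_END addresses" item, consider stating how it relates to the existing AFL_CODE_START/END variables named two lines above, since both describe instrumented address ranges and the rename item would then affect this one too.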
@@ -33,6 +47,9 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
At afl's default map that means ~16 collisions and ~3 wrappings.
- Solution #1: increase map size.
+
+ => speed loss is bad. last resort solution
+
every +1 decreases fuzzing speed by ~10% and halfs the collisions
birthday paradox predicts collisions at this # of edges:
@@ -51,10 +68,16 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
Increasing the map is an easy solution but also not a good one.
- Solution #2: use dynamic map size and collision free basic block IDs
+
+ => This works and is the selected solution
+
This only works in llvm_mode and llvm >= 9 though
A potential good future solution. Heiko/hexcoder follows this up
- Solution #3: write instruction pointers to a big shared map
+
+ => Tested and it is a dead end
+
512kb/1MB shared map and the instrumented code writes the instruction
pointer into the map. Map must be big enough but could be command line
controlled.
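Review bot: the verdict added under Solution #2, "=> This works and is the selected solution", now contradicts the unchanged context line that follows it, "A potential good future solution. Heiko/hexcoder follows this up"; that sentence should be updated (for example to say the work is done or in progress) so the two statements agree. Likewise, after "=> Tested and it is a dead end" under Solution #3, the remaining description still reads as an open proposal ("could be command line controlled"); a short note on why it failed would make the dead-end verdict actionable for the next reader.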