2.27b

Makefile

@@ -22,8 +22,7 @@ HELPER_PATH = $(PREFIX)/lib/afl
 DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
 
-# PROGS intentionally omit afl-as and libdislocator.so, which get installed
-# to a different location.
+# PROGS intentionally omit afl-as, which gets installed elsewhere.
 
 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
 SH_PROGS    = afl-plot afl-cmin afl-whatsup
@@ -45,7 +44,7 @@ endif
 
 COMM_HDR    = alloc-inl.h config.h debug.h types.h
 
-all: test_x86 $(PROGS) afl-as libdislocator.so test_build all_done
+all: test_x86 $(PROGS) afl-as test_build all_done
 
 ifndef AFL_NO_X86
 
@@ -85,9 +84,6 @@ afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
 afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
 
-libdislocator.so: libdislocator.so.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) -shared -fPIC $@.c -o $@ $(LDFLAGS)
-
 ifndef AFL_NO_X86
 
 test_build: afl-gcc afl-as afl-showmap
@@ -115,9 +111,11 @@ all_done: test_build
 .NOTPARALLEL: clean
 
 clean:
-	rm -f $(PROGS) libdislocator.so afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
+	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
 	rm -rf out_dir qemu_mode/qemu-2.3.0
 	$(MAKE) -C llvm_mode clean
+	$(MAKE) -C libdislocator clean
+	$(MAKE) -C libtokencap clean
 
 install: all
 	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
@@ -130,7 +128,6 @@ install: all
 	if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
 	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
 	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
-	install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
 	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
 	install -m 644 docs/README docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
 	cp -r testcases/ $${DESTDIR}$(MISC_PATH)

afl-gcc.c

@@ -116,7 +116,7 @@ static void edit_params(u32 argc, char** argv) {
   u8 m32_set = 0;
 #endif
 
-  cc_params = ck_alloc((argc + 64) * sizeof(u8*));
+  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
 
   name = strrchr(argv[0], '/');
   if (!name) name = argv[0]; else name++;
@@ -271,6 +271,16 @@ static void edit_params(u32 argc, char** argv) {
 
   }
 
+  if (getenv("AFL_NO_BUILTIN")) {
+
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+
+  }
+
   cc_params[cc_par_cnt] = NULL;
 
 }

config.h

@@ -21,7 +21,7 @@
 
 /* Version string: */
 
-#define VERSION             "2.26b"
+#define VERSION             "2.27b"
 
 /******************************************************
  *                                                    *

docs/ChangeLog

@@ -16,6 +16,17 @@ Not sure if you should upgrade? The lowest currently recommended version
 is 2.21b. If you're stuck on an earlier release, it's strongly advisable
 to get on with the times.
 
+--------------
+Version 2.27b:
+--------------
+
+  - Added libtokencap, a simple feature to intercept strcmp / memcmp and
+    generate dictionary entries that can help extend coverage.
+
+  - Moved libdislocator to its own dir, added README.
+
+  - The demo in experimental/instrumented_cmp is no more.
+
 --------------
 Version 2.26b:
 --------------

docs/README

@@ -115,9 +115,8 @@ $ CC=/path/to/afl/afl-gcc ./configure --disable-shared
 
 Setting AFL_HARDEN=1 when calling 'make' will cause the CC wrapper to
 automatically enable code hardening options that make it easier to detect
-simple memory bugs. Preloading 'libdislocator.so' (an abusive allocator) can
-help uncover heap corruption issues, too; see libdislocator.so.c for info and
-usage tips.
+simple memory bugs. Libdislocator, a helper library included with AFL (see
+libdislocator/README.dislocator) can help uncover heap corruption issues, too.
 
 PS. ASAN users are advised to review notes_for_asan.txt file for important
 caveats.
@@ -292,6 +291,10 @@ existing syntax tokens in the input corpus by watching the instrumentation
 very closely during deterministic byte flips. This works for some types of
 parsers and grammars, but isn't nearly as good as the -x mode.
 
+If a dictionary is really hard to come by, another option is to let AFL run
+for a while, and then use the token capture library that comes as a companion
+utility with AFL. For that, see libtokencap/README.tokencap.
+
 10) Crash triage
 ----------------
 

docs/notes_for_asan.txt

@@ -38,7 +38,9 @@ is not AFL-specific.
 
 There is also the option of generating a corpus using a non-ASAN binary, and
 then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
-and can give you somewhat comparable results.
+and can give you somewhat comparable results. You can also try using
+libdislocator (see libdislocator/README.dislocator in the parent directory) as a
+lightweight and hassle-free (but less thorough) alternative.
 
 2) Long version
 ---------------

experimental/README.experiments

@@ -22,10 +22,6 @@ Here's a quick overview of the stuff you can find in this directory:
   - distributed_fuzzing  - a sample script for synchronizing fuzzer instances
                            across multiple machines (see parallel_fuzzing.txt).
 
-  - instrumented_cmp     - an experiment showing how a custom memcmp() or
-                           strcmp() can be used to work around one of the
-                           limitations of afl-fuzz.
-
   - libpng_no_checksum   - a sample patch for removing CRC checks in libpng.
 
   - persistent_demo      - an example of how to use the LLVM persistent process

libdislocator/Makefile

@@ -0,0 +1,37 @@
+#
+# american fuzzy lop - libdislocator
+# ----------------------------------
+#
+# Written by Michal Zalewski <[email protected]>
+#
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+PREFIX      ?= /usr/local
+HELPER_PATH  = $(PREFIX)/lib/afl
+
+VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
+
+CFLAGS      ?= -O3 -funroll-loops
+CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
+
+all: libdislocator.so
+
+libdislocator.so: libdislocator.so.c ../config.h
+	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
+
+.NOTPARALLEL: clean
+
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
+	rm -f libdislocator.so
+
+install: all
+	install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
+

libdislocator/README.dislocator

@@ -0,0 +1,60 @@
+===================================
+libdislocator, an abusive allocator
+===================================
+
+  (See ../docs/README for the general instruction manual.)
+
+This is a companion library that can be used as a drop-in replacement for the
+libc allocator in the fuzzed binaries. It improves the odds of bumping into
+heap-related security bugs in several ways:
+
+  - It allocates all buffers so that they are immediately adjacent to a
+    subsequent PROT_NONE page, causing most off-by-one reads and writes to
+    immediately segfault,
+
+  - It adds a canary immediately below the allocated buffer, to catch writes
+    to negative offsets (won't catch reads, though),
+
+  - It sets the memory returned by malloc() to garbage values, improving the
+    odds of crashing when the target accesses uninitialized data,
+
+  - It sets freed memory to PROT_NONE and does not actually reuse it, causing
+    most use-after-free bugs to segfault right away,
+
+  - It forces all realloc() calls to return a new address - and sets
+    PROT_NONE on the original block. This catches use-after-realloc bugs,
+
+  - It checks for calloc() overflows and can cause soft or hard failures
+    of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
+    AFL_LD_HARD_FAIL).
+
+Basically, it is inspired by some of the non-default options available for the
+OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
+also somewhat similar to several other debugging libraries, such as gmalloc
+and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
+jobs.
+
+Note that it does nothing for stack-based memory handling errors. The
+-fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
+can catch some subset of that.
+
+The allocator is slow and memory-intensive (even the tiniest allocation uses up
+4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
+for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
+when fuzzing small, self-contained binaries.
+
+To use this library, run AFL like so:
+
+AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
+
+You *have* to specify path, even if it's just ./libdislocator.so or
+$PWD/libdislocator.so.
+
+Similarly to afl-tmin, the library is not "proprietary" and can be used with
+other fuzzers or testing tools without the need for any code tweaks. It does not
+require AFL-instrumented binaries to work.
+
+Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or
+DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
+dynamically linked. Otherwise, attempting to use the library will have no
+effect.