diff --git a/Makefile b/Makefile index ca6879c3..4e8772e7 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,7 @@ # PROGNAME = afl -VERSION = 2.14b +VERSION = 2.15b PREFIX ?= /usr/local BIN_PATH = $(PREFIX)/bin diff --git a/docs/ChangeLog b/docs/ChangeLog index 3b453f79..40598c13 100644 --- a/docs/ChangeLog +++ b/docs/ChangeLog @@ -16,6 +16,15 @@ Not sure if you should upgrade? The lowest currently recommended version is 2.07b. If you're stuck on an earlier release, it's strongly advisable to get on with the times. +-------------- +Version 2.15b: +-------------- + + - Added a README section on looking for non-crashing bugs. + + - Added license data to several boring files. Contributed by + Jonathan Metzman. + -------------- Version 2.14b: -------------- diff --git a/docs/QuickStartGuide.txt b/docs/QuickStartGuide.txt index 59752e6d..61541466 100644 --- a/docs/QuickStartGuide.txt +++ b/docs/QuickStartGuide.txt @@ -14,7 +14,8 @@ how to hit the ground running: checksum verification code, too. The program must crash properly when a fault is encountered. Watch out for - custom SIGSEGV or SIGABRT handlers and background processes. + custom SIGSEGV or SIGABRT handlers and background processes. For tips on + detecting non-crashing flaws, see section 11 in docs/README. 3) Compile the program / library to be fuzzed using afl-gcc. A common way to do this would be: diff --git a/docs/README b/docs/README index 642e57b7..698350df 100644 --- a/docs/README +++ b/docs/README 
@@ -336,7 +336,28 @@ be critical, and which are not; while not bulletproof, it can often offer quick insights into complex file formats. More info about its operation can be found near the end of technical_details.txt. -11) Common-sense risks +11) Going beyond crashes +------------------------ + +Fuzzing is a wonderful and underutilized technique for discovering non-crashing +design and implementation errors, too. Plenty of interesting bugs have been +found by modifying the target programs to call abort() when: + + - Two bignum libraries produce different outputs when given the same + fuzzer-generated input, + + - An image library produces different outputs when asked to decode the same + input image several times in a row, + + - A compression library produces an output inconsistent with the input file + when asked to compress and then decompress a particular blob. + +Implementing these or similar sanity checks usually takes very little time; +if you are the maintainer of a particular package, you can make this code +conditional with #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION (a flag also +shared with libfuzzer) or #ifdef __AFL_COMPILER (this one is just for AFL). + +12) Common-sense risks ---------------------- Please keep in mind that, similarly to many other computationally-intensive @@ -364,7 +385,7 @@ tasks, fuzzing may put strain on your hardware and on the OS. In particular: $ iostat -d 3 -x -k [...optional disk ID...] -12) Known limitations & areas for improvement +13) Known limitations & areas for improvement --------------------------------------------- Here are some of the most important caveats for AFL: @@ -402,7 +423,7 @@ Here are some of the most important caveats for AFL: Beyond this, see INSTALL for platform-specific tips. -13) Special thanks +14) Special thanks ------------------ Many of the improvements to afl-fuzz wouldn't be possible without feedback, 
@@ -439,7 +460,7 @@ bug reports, or patches from: Guillaume Endignoux ilovezfs Daniel Godas-Lopez Franjo Ivancic Austin Seipp Daniel Komaromy - Daniel Binderman + Daniel Binderman Jonathan Metzman Thank you! diff --git a/experimental/instrumented_cmp/instrumented_cmp.c b/experimental/instrumented_cmp/instrumented_cmp.c index 867da5c0..8806c72d 100644 --- a/experimental/instrumented_cmp/instrumented_cmp.c +++ b/experimental/instrumented_cmp/instrumented_cmp.c @@ -1,6 +1,17 @@ /* - A simple proof-of-concept for instrumented strcmp() or memcmp(). + american fuzzy lop - instrumented strcmp() or memcmp() proof-of-concept + ----------------------------------------------------------------------- + + Written and maintained by Michal Zalewski + + Copyright 2015 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 Normally, afl-fuzz will have difficulty ever reaching the code behind something like: diff --git a/hash.h b/hash.h index 530cd632..f39a8257 100644 --- a/hash.h +++ b/hash.h @@ -12,6 +12,16 @@ Austin's original code is public domain. + Other code written and maintained by Michal Zalewski + + Copyright 2016 Google Inc. All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + */ #ifndef _HAVE_HASH_H
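Review bot: in the docs/QuickStartGuide.txt hunk, the new pointer "see section 11 in docs/README" references the section by number, and the README hunk in this very patch shows why that is fragile: inserting "Going beyond crashes" as 11 bumps "Common-sense risks", "Known limitations" and "Special thanks" to 12, 13 and 14. Suggest referring to the section by title instead, e.g. `For tips on detecting non-crashing flaws, see the "Going beyond crashes" section in docs/README.`, so the cross-reference survives the next renumbering.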
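Review bot: the new README section 11 tells maintainers to guard their sanity checks with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` or `#ifdef __AFL_COMPILER` but never says which AFL component defines those macros, so a reader who builds the target with a plain compiler will find the checks silently compiled out and not know why. One sentence naming where they are set (the afl-gcc / afl-clang-fast wrappers, if that is where the definitions live) would close that gap. The section also relies on `abort()` being observed as a crash; since the QuickStartGuide hunk in this same patch warns about custom SIGSEGV/SIGABRT handlers, it is worth repeating here that a target with its own SIGABRT handler will swallow these differential-check aborts too.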
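Review bot: the two new license headers disagree on the year: experimental/instrumented_cmp/instrumented_cmp.c says "Copyright 2015 Google Inc." while hash.h says "Copyright 2016 Google Inc.", although the ChangeLog hunk describes them as a single batch of "license data to several boring files". If the years are meant to track each file's creation date, please confirm that is the intent; otherwise use one year in both hunks so the headers are consistent.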