想提高一下自己读代码的能力,加上对FUZZ知之甚少,仅仅是知道模糊的过程,这对于一个二进制选手来说是远远不够的,因此这几天放弃了调试内核CVE,转而阅读AFL源码,到现在已经有很多基于AFL的开源软件了,比如AFL plusplus和AFL Unicorn,但是都是基于AFL,可见这一开源的FUZZ工具是多么经典,因此花了大概五天进行源码阅读(太菜了,代码看着看着就看不懂了),虽然afl-fuzz的源码有8000+行,但是代码逻辑很清晰,注释也非常完整,结合着注释以及网上看到的其他资料,这里自己总结一下学习到的东西,也是一篇集他人之长的杂文,不写点东西以我的记性应该很快就忘掉了。









在看雪上找到了一篇很详细的分析,其中解答了我很多看源码困惑的地方,其中一个关键的点就是这个架构,在alf-gcc中先起了一个fork-server,在这个fork出的子进程里调用了execve去执行二进制程序,然后结合afl-as的代码可以看到插桩的桩代码中也包含了fork函数的调用,这样的话就是fuzzer->forkserver->exec target Bin->bin->bin_sub_process(被fuzz的app),这样看起来fuzzer是最终被fuzz的程序的祖祖父进程,但是execve根据我们之前的介绍是直接将创建的进程替换掉原进程的,除非出错否则不会返回,因此实际上forkserver与target bin可以看作是同一个进程的不同程序,其父进程都是fuzzer,故最终的调用关系是下面这样的





这个文件用来编译源代码,其实际上是gcc的封装,在组装参数的时候可以看到,as_path是afl-as,查看gcc的参数可以看到-B是指定编译器,也就是说这里先把汇编码给了afl-as,看后者的代码会发现它也只是个真正as的wrapper,在源程序的汇编中插桩之后再传递给real as。

tmp = alloc_printf("%s/afl-as", dir);

    if (!access(tmp, X_OK)) {
      as_path = dir;
cc_params[cc_par_cnt++] = "-B";
cc_params[cc_par_cnt++] = as_path;




static void add_instrumentation(void) 


  while (fgets(line, MAX_LINE, inf)) {

    /* In some cases, we want to defer writing the instrumentation trampoline
       until after all the labels, macros, comments, etc. If we're in this
       mode, and if the line starts with a tab followed by a character, dump
       the trampoline now. */
    if (!pass_thru && !skip_intel && !skip_app && !skip_csect && instr_ok &&
        instrument_next && line[0] == 't' && isalpha(line[1])) {

      fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,

      instrument_next = 0;


    /* Output the actual line, call it a day in pass-thru mode. */
    fputs(line, outf);

    /* If we're in the right mood for instrumenting, check for function
       names or conditional labels. This is a bit messy, but in essence,
       we want to catch:

         ^main:      - function entry point (always instrumented)
         ^.L0:       - GCC branch label
         ^.LBB0_0:   - clang branch label (but only in clang mode)
         ^tjnz foo  - conditional branches

       ...but not:

         ^# BB#0:    - clang comments
         ^ # BB#0:   - ditto
         ^.Ltmp0:    - clang non-branch labels
         ^.LC0       - GCC non-branch labels
         ^.LBB0_0:   - ditto (when in GCC mode)
         ^tjmp foo  - non-conditional jumps

       Additionally, clang and GCC on MacOS X follow a different convention
       with no leading dots on labels, hence the weird maze of #ifdefs
       later on.


    if (skip_intel || skip_app || skip_csect || !instr_ok ||
        line[0] == '#' || line[0] == ' ') continue;

    /* Conditional branch instruction (jnz, etc). We append the instrumentation
       right after the branch (to instrument the not-taken path) and at the
       branch destination label (handled later on). */
    if (line[0] == 't') {

      if (line[1] == 'j' && line[2] != 'm' && R(100) < inst_ratio) {

        fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,





  if (ins_lines)
    fputs(use_64bit ? main_payload_64 : main_payload_32, outf);

  if (input_file) fclose(inf);

  if (!be_quiet) {

    if (!ins_lines) WARNF("No instrumentation targets found%s.",
                          pass_thru ? " (pass-thru mode)" : "");
    else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).",
             ins_lines, use_64bit ? "64" : "32",
             getenv("AFL_HARDEN") ? "hardened" : 
             (sanitizer ? "ASAN/MSAN" : "non-hardened"),




static const u8* trampoline_fmt_32 =

  "/* --- AFL TRAMPOLINE (32-BIT) --- */n"
  ".align 4n"
  "leal -16(%%esp), %%espn"
  "movl %%edi,  0(%%esp)n"
  "movl %%edx,  4(%%esp)n"
  "movl %%ecx,  8(%%esp)n"
  "movl %%eax, 12(%%esp)n"
  "movl $0x%08x, %%ecxn"
  "call __afl_maybe_logn"
  "movl 12(%%esp), %%eaxn"
  "movl  8(%%esp), %%ecxn"
  "movl  4(%%esp), %%edxn"
  "movl  0(%%esp), %%edin"
  "leal 16(%%esp), %%espn"
  "/* --- END --- */n"

核心函数为__afl_maybe_log,lahf作用是将EFLAGS 寄存器标志位加载到AH,seto为溢出置位,之后判断__afl_area_ptr是否为空,这个指针用来保存共享内存,如果不为空表明已经初始化完成了,直接进入__afl_store,这里首先把__afl_prev_loc(之前的我位置)同当前位置的key异或,保存在edi寄存器,之后当前的key右移一位,作为下一个的__afl_prev_loc,这个右移是一个很巧妙的设计,如果代码块的跳转为A->BB->A,直接对两个Key异或结果是一样的,因此右移可以区分出一些特殊情况。下面那个incb代码中edx为map,edi为索引,即map表中对应的索引加一,表明一次hit。




static const u8* main_payload_32 = 

  "/* --- AFL MAIN PAYLOAD (32-BIT) --- */n"
  ".align 8n"

  "  lahfn"
  "  seto %aln"
  "  /* Check if SHM region is already mapped. */n"
  "  movl  __afl_area_ptr, %edxn"
  "  testl %edx, %edxn"
  "  je    __afl_setupn"
  "  /* Calculate and store hit for the code location specified in ecx. Theren"
  "     is a double-XOR way of doing this without tainting another register,n"
  "     and we use it on 64-bit systems; but it's slower for 32-bit ones. */n"
  "  movl __afl_prev_loc, %edin"
  "  xorl %ecx, %edin"
  "  shrl $1, %ecxn"
  "  movl %ecx, __afl_prev_locn"
  "  movl %ecx, %edin"
#endif /* ^!COVERAGE_ONLY */
  "  orb  $1, (%edx, %edi, 1)n"
  "  incb (%edx, %edi, 1)n"
#endif /* ^SKIP_COUNTS */
  "  addb $127, %aln"
  "  sahfn"
  "  retn"
  ".align 8n"
  "  /* Do not retry setup if we had previous failures. */n"
  "  cmpb $0, __afl_setup_failuren"
  "  jne  __afl_returnn"
  "  /* Map SHM, jumping to __afl_setup_abort if something goes wrong.n"
  "     We do not save FPU/MMX/SSE registers here, but hopefully, nobodyn"
  "     will notice this early in the game. */n"
  "  pushl %eaxn"
  "  pushl %ecxn"
  "  pushl $.AFL_SHM_ENVn"
  "  call  getenvn"
  "  addl  $4, %espn"
  "  testl %eax, %eaxn"
  "  je    __afl_setup_abortn"
  "  pushl %eaxn"
  "  call  atoin"
  "  addl  $4, %espn"
  "  pushl $0          /* shmat flags    */n"
  "  pushl $0          /* requested addr */n"
  "  pushl %eax        /* SHM ID         */n"
  "  call  shmatn"
  "  addl  $12, %espn"
  "  cmpl $-1, %eaxn"
  "  je   __afl_setup_abortn"
  "  /* Store the address of the SHM region. */n"
  "  movl %eax, __afl_area_ptrn"
  "  movl %eax, %edxn"
  "  popl %ecxn"
  "  popl %eaxn"
  "  /* Enter the fork server mode to avoid the overhead of execve() calls. */n"
  "  pushl %eaxn"
  "  pushl %ecxn"
  "  pushl %edxn"
  "  /* Phone home and tell the parent that we're OK. (Note that signals withn"
  "     no SA_RESTART will mess it up). If this fails, assume that the fd isn"
  "     closed because we were execve()d from an instrumented binary, or becausen" 
  "     the parent doesn't want to use the fork server. */n"
  "  pushl $4          /* length    */n"
  "  pushl $__afl_temp /* data      */n"
  "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "  /* file desc */n"
  "  call  writen"
  "  addl  $12, %espn"
  "  cmpl  $4, %eaxn"
  "  jne   __afl_fork_resumen"
  "  /* Wait for parent by reading from the pipe. Abort if read fails. */n"
  "  pushl $4          /* length    */n"
  "  pushl $__afl_temp /* data      */n"
  "  pushl $" STRINGIFY(FORKSRV_FD) "        /* file desc */n"
  "  call  readn"
  "  addl  $12, %espn"
  "  cmpl  $4, %eaxn"
  "  jne   __afl_dien"
  "  /* Once woken up, create a clone of our process. This is an excellent usen"
  "     case for syscall(__NR_clone, 0, CLONE_PARENT), but glibc boneheadedlyn"
  "     caches getpid() results and offers no way to update the value, breakingn"
  "     abort(), raise(), and a bunch of other things :-( */n"
  "  call forkn"
  "  cmpl $0, %eaxn"
  "  jl   __afl_dien"
  "  je   __afl_fork_resumen"
  "  /* In parent process: write PID to pipe, then wait for child. */n"
  "  movl  %eax, __afl_fork_pidn"
  "  pushl $4              /* length    */n"
  "  pushl $__afl_fork_pid /* data      */n"
  "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "      /* file desc */n"
  "  call  writen"
  "  addl  $12, %espn"
  "  pushl $0             /* no flags  */n"
  "  pushl $__afl_temp    /* status    */n"
  "  pushl __afl_fork_pid /* PID       */n"
  "  call  waitpidn"
  "  addl  $12, %espn"
  "  cmpl  $0, %eaxn"
  "  jle   __afl_dien"
  "  /* Relay wait status to pipe, then loop back. */n"
  "  pushl $4          /* length    */n"
  "  pushl $__afl_temp /* data      */n"
  "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "  /* file desc */n"
  "  call  writen"
  "  addl  $12, %espn"
  "  jmp __afl_fork_wait_loopn"
  "  /* In child process: close fds, resume execution. */n"
  "  pushl $" STRINGIFY(FORKSRV_FD) "n"
  "  call  closen"
  "  pushl $" STRINGIFY((FORKSRV_FD + 1)) "n"
  "  call  closen"
  "  addl  $8, %espn"
  "  popl %edxn"
  "  popl %ecxn"
  "  popl %eaxn"
  "  jmp  __afl_storen"
  "  xorl %eax, %eaxn"
  "  call _exitn"
  "  /* Record setup failure so that we don't keep callingn"
  "     shmget() / shmat() over and over again. */n"
  "  incb __afl_setup_failuren"
  "  popl %ecxn"
  "  popl %eaxn"
  "  jmp __afl_returnn"
  "  .comm   __afl_area_ptr, 4, 32n"
  "  .comm   __afl_setup_failure, 1, 32n"
  "  .comm   __afl_prev_loc, 4, 32n"
#endif /* !COVERAGE_ONLY */
  "  .comm   __afl_fork_pid, 4, 32n"
  "  .comm   __afl_temp, 4, 32n"
  "  .asciz "" SHM_ENV_VAR ""n"
  "/* --- END --- */n"



这个是我们fuzz启动的入口,代码8000+行(看的我都麻木了- -),下面会挑核心的逻辑来讲,细枝末节不再赘述。


EXP_ST void setup_shm(void) {

  u8* shm_str;

  if (!in_bitmap) memset(virgin_bits, 255, MAP_SIZE);
  memset(virgin_tmout, 255, MAP_SIZE);
  memset(virgin_crash, 255, MAP_SIZE);

  shm_id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);

  if (shm_id < 0) PFATAL("shmget() failed");


  shm_str = alloc_printf("%d", shm_id);

  /* If somebody is asking us to fuzz instrumented binaries in dumb mode,
     we don't want them to detect instrumentation, since we won't be sending
     fork server commands. This should be replaced with better auto-detection
     later on, perhaps? */

  if (!dumb_mode) setenv(SHM_ENV_VAR, shm_str, 1);

  trace_bits = shmat(shm_id, NULL, 0);

  if (!trace_bits) PFATAL("shmat() failed");



static const u8 count_class_lookup8[256] = {

  [0]           = 0,
  [1]           = 1,
  [2]           = 2,
  [3]           = 4,
  [4 ... 7]     = 8,
  [8 ... 15]    = 16,
  [16 ... 31]   = 32,
  [32 ... 127]  = 64,
  [128 ... 255] = 128


static u16 count_class_lookup16[65536];

EXP_ST void init_count_class16(void) {
  u32 b1, b2;

  for (b1 = 0; b1 < 256; b1++) 
    for (b2 = 0; b2 < 256; b2++)
      count_class_lookup16[(b1 << 8) + b2] = 
        (count_class_lookup8[b1] << 8) |




struct queue_entry {

  u8* fname;                          /* File name for the test case      */
  u32 len;                            /* Input length                     */

  u8  cal_failed,                     /* Calibration failed?              */
      trim_done,                      /* Trimmed?                         */
      was_fuzzed,                     /* Had any fuzzing done yet?        */
      passed_det,                     /* Deterministic stages passed?     */
      has_new_cov,                    /* Triggers new coverage?           */
      var_behavior,                   /* Variable behavior?               */
      favored,                        /* Currently favored?               */
      fs_redundant;                   /* Marked as redundant in the fs?   */

  u32 bitmap_size,                    /* Number of bits set in bitmap     */
      exec_cksum;                     /* Checksum of the execution trace  */

  u64 exec_us,                        /* Execution time (us)              */
      handicap,                       /* Number of queue cycles behind    */
      depth;                          /* Path depth                       */

  u8* trace_mini;                     /* Trace bytes, if kept             */
  u32 tc_ref;                         /* Trace bytes ref count            */

  struct queue_entry *next,           /* Next element, if any             */
                     *next_100;       /* 100 elements ahead               */


在这个函数中核心的调用为res = calibrate_case(argv, q, use_mem, 0, 1);,之后对res判断确定程序的运行情况(crash or sth),拿翻译看下,这函数的意思是校准用例,看注释的话意思应该是在输入的时候进行测试,前期发现一些有问题的测试用例。应该一共跑个3次或者8次(取决于是否是快速模式),如果没启动forkserver那么在这用init_forkserver启动。这个函数有必要多讲一下。

开局也不多说,直接就fork出子进程,为其设置一些资源,拷贝文件描述符,设置环境变量等,最终调用execv(target_path, argv);替换进程去执行Binary,由于execv正常是不会返回的,所以出错后后面会在共享内存那里设置一个EXEC_FAIL_SIG,通过对于管道文件的读取可以判断forkserver是否正常启动,这块就和之前插桩的代码联系了起来,判断方式是说如果正常操作会有一个4字节的Hello信息(但是这tm不是五字节吗喂),确保启动正常就进入waitpid(forksrv_pid, &status, 0)的等待,后面对接收到的status进行判断确定子进程的运行状况。

EXP_ST void init_forkserver(char** argv) {

  static struct itimerval it;
  int st_pipe[2], ctl_pipe[2];
  int status;
  s32 rlen;

  ACTF("Spinning up the fork server...");

  if (pipe(st_pipe) || pipe(ctl_pipe)) PFATAL("pipe() failed");

  forksrv_pid = fork();

  if (forksrv_pid < 0) PFATAL("fork() failed");

  if (!forksrv_pid) {
    struct rlimit r;

    /* Umpf. On OpenBSD, the default fd limit for root users is set to
       soft 128. Let's try to fix that... */

    if (!getrlimit(RLIMIT_NOFILE, &r) && r.rlim_cur < FORKSRV_FD + 2) {
      r.rlim_cur = FORKSRV_FD + 2;
      setrlimit(RLIMIT_NOFILE, &r); /* Ignore errors */


    if (mem_limit) {

      r.rlim_max = r.rlim_cur = ((rlim_t)mem_limit) << 20;

#ifdef RLIMIT_AS
      setrlimit(RLIMIT_AS, &r); /* Ignore errors */


      /* This takes care of OpenBSD, which doesn't have RLIMIT_AS, but
         according to reliable sources, RLIMIT_DATA covers anonymous
         maps - so we should be getting good protection against OOM bugs. */

      setrlimit(RLIMIT_DATA, &r); /* Ignore errors */

#endif /* ^RLIMIT_AS */


    /* Dumping cores is slow and can lead to anomalies if SIGKILL is delivered
       before the dump is complete. */

    r.rlim_max = r.rlim_cur = 0;
    //4 core
    setrlimit(RLIMIT_CORE, &r); /* Ignore errors */

    /* Isolate the process and configure standard descriptors. If out_file is
       specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */
    //为子进程分配新的session id

    dup2(dev_null_fd, 1);
    dup2(dev_null_fd, 2);

    if (out_file) {

      dup2(dev_null_fd, 0);

    } else {

      dup2(out_fd, 0);


    /* Set up control and status pipes, close the unneeded original fds. */

    if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed");
    if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed");



    /* This should improve performance a bit, since it stops the linker from
       doing extra work post-fork(). */
    if (!getenv("LD_BIND_LAZY")) setenv("LD_BIND_NOW", "1", 0);

    /* Set sane defaults for ASAN if nothing else specified. */

    setenv("ASAN_OPTIONS", "abort_on_error=1:"
                           "allocator_may_return_null=1", 0);

    /* MSAN is tricky, because it doesn't support abort_on_error=1 at this
       point. So, we do this in a very hacky way. */

    setenv("MSAN_OPTIONS", "exit_code=" STRINGIFY(MSAN_ERROR) ":"
                           "msan_track_origins=0", 0);

    execv(target_path, argv);
    /* Use a distinctive bitmap signature to tell the parent about execv()
       falling through. */

    *(u32*)trace_bits = EXEC_FAIL_SIG;

  /* Close the unneeded endpoints. */


  fsrv_ctl_fd = ctl_pipe[1];
  fsrv_st_fd  = st_pipe[0];

  /* Wait for the fork server to come up, but don't wait too long. */

  it.it_value.tv_sec = ((exec_tmout * FORK_WAIT_MULT) / 1000);
  it.it_value.tv_usec = ((exec_tmout * FORK_WAIT_MULT) % 1000) * 1000;

  setitimer(ITIMER_REAL, &it, NULL);

  rlen = read(fsrv_st_fd, &status, 4);

  it.it_value.tv_sec = 0;
  it.it_value.tv_usec = 0;

  setitimer(ITIMER_REAL, &it, NULL);

  /* If we have a four-byte "hello" message from the server, we're all set.
     Otherwise, try to figure out what went wrong. */

  if (rlen == 4) {
    OKF("All right - fork server is up.");

  if (child_timed_out)
    FATAL("Timeout while initializing fork server (adjusting -t may help)");

  if (waitpid(forksrv_pid, &status, 0) <= 0)
    PFATAL("waitpid() failed");

  if (WIFSIGNALED(status)) {

    if (mem_limit && mem_limit < 500 && uses_asan) {

      SAYF("n" cLRD "[-] " cRST
           "Whoops, the target binary crashed suddenly, before receiving any inputn"
           "    from the fuzzer! Since it seems to be built with ASAN and you have an"
           "    restrictive memory limit configured, this is expected; please readn"
           "    %s/notes_for_asan.txt for help.n", doc_path);

    } else if (!mem_limit) {

      SAYF("n" cLRD "[-] " cRST
           "Whoops, the target binary crashed suddenly, before receiving any inputn"
           "    from the fuzzer! There are several probable explanations:nn"

           "    - The binary is just buggy and explodes entirely on its own. If so, youn"
           "      need to fix the underlying problem or find a better replacement.nn"

#ifdef __APPLE__

           "    - On MacOS X, the semantics of fork() syscalls are non-standard and mayn"
           "      break afl-fuzz performance optimizations when running platform-specificn"
           "      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.nn"

#endif /* __APPLE__ */

           "    - Less likely, there is a horrible bug in the fuzzer. If other optionsn"
           "      fail, poke <> for troubleshooting tips.n");

    } else {

      SAYF("n" cLRD "[-] " cRST
           "Whoops, the target binary crashed suddenly, before receiving any inputn"
           "    from the fuzzer! There are several probable explanations:nn"

           "    - The current memory limit (%s) is too restrictive, causing then"
           "      target to hit an OOM condition in the dynamic linker. Try bumping upn"
           "      the limit with the -m setting in the command line. A simple way confirmn"
           "      this diagnosis would be:nn"

#ifdef RLIMIT_AS
           "      ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )nn"
           "      ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )nn"
#endif /* ^RLIMIT_AS */

           "      Tip: you can use to quicklyn"
           "      estimate the required amount of virtual memory for the binary.nn"

           "    - The binary is just buggy and explodes entirely on its own. If so, youn"
           "      need to fix the underlying problem or find a better replacement.nn"

#ifdef __APPLE__

           "    - On MacOS X, the semantics of fork() syscalls are non-standard and mayn"
           "      break afl-fuzz performance optimizations when running platform-specificn"
           "      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.nn"

#endif /* __APPLE__ */

           "    - Less likely, there is a horrible bug in the fuzzer. If other optionsn"
           "      fail, poke <> for troubleshooting tips.n",
           DMS(mem_limit << 20), mem_limit - 1);


    FATAL("Fork server crashed with signal %d", WTERMSIG(status));


  if (*(u32*)trace_bits == EXEC_FAIL_SIG)
    FATAL("Unable to execute target application ('%s')", argv[0]);

  if (mem_limit && mem_limit < 500 && uses_asan) {

    SAYF("n" cLRD "[-] " cRST
           "Hmm, looks like the target binary terminated before we could complete an"
           "    handshake with the injected code. Since it seems to be built with ASAN andn"
           "    you have a restrictive memory limit configured, this is expected; pleasen"
           "    read %s/notes_for_asan.txt for help.n", doc_path);

  } else if (!mem_limit) {

    SAYF("n" cLRD "[-] " cRST
         "Hmm, looks like the target binary terminated before we could complete an"
         "    handshake with the injected code. Perhaps there is a horrible bug in then"
         "    fuzzer. Poke <> for troubleshooting tips.n");

  } else {

    SAYF("n" cLRD "[-] " cRST
         "Hmm, looks like the target binary terminated before we could complete an"
         "    handshake with the injected code. There are %s probable explanations:nn"

         "    - The current memory limit (%s) is too restrictive, causing an OOMn"
         "      fault in the dynamic linker. This can be fixed with the -m option. An"
         "      simple way to confirm the diagnosis may be:nn"

#ifdef RLIMIT_AS
         "      ( ulimit -Sv $[%llu << 10]; /path/to/fuzzed_app )nn"
         "      ( ulimit -Sd $[%llu << 10]; /path/to/fuzzed_app )nn"
#endif /* ^RLIMIT_AS */

         "      Tip: you can use to quicklyn"
         "      estimate the required amount of virtual memory for the binary.nn"

         "    - Less likely, there is a horrible bug in the fuzzer. If other optionsn"
         "      fail, poke <> for troubleshooting tips.n",
         getenv(DEFER_ENV_VAR) ? "three" : "two",
         getenv(DEFER_ENV_VAR) ?
         "    - You are using deferred forkserver, but __AFL_INIT() is nevern"
         "      reached before the program terminates.nn" : "",
         DMS(mem_limit << 20), mem_limit - 1);


  FATAL("Fork server handshake failed");




update_bitmap_score这个函数很有意思,注释里说每当我们发现一个新的路径,都会调用这个函数来判断其是不是更加地favorable,这个favorable的意思是说是否包含最小的路径集合来遍历到所有bitmap中的位,我们专注于这些集合而忽略其他的。核心的比较方式是fav_factor = q->exec_us * q->len;即测试用例执行的时间以及输入长度的乘积,注释说希望找到更快或者规模更小的用例,一旦当前的fav_factortop_rated[i]要小就会更新这个表,将原来的winner的tc_ref--,当前的插入表中。


下面会调用cull_queue函数,函数前的注释说我们已经进入了第二个阶段,即用routine来遍历top_rated entry,不断寻找之前没见到过的bytes并且将它们标为favored。函数首先判断sore_changed是不是为真,之后拿贪心算法找能够遍历到所有节点的最小测试集合,比如有三个节点n0,n1,n2,n3和3个测试用例s1,s2,s3。top_rated[0]=s0,top_rated[s2]=s2s0覆盖n0,n1;s1覆盖n2其中初始化temp_v=[1,1,1,1],1就表示对应节点没有访问到,初始化为都没访问到。开始先判断temp_v[0]=1,说明没访问到,之后就去看top_rated[0],发现为1,说明存在一个用例能访问到这个n0,因此进一步查看这个用例,得到其覆盖范围trace_mini=[1,1,0]故据此更新temp_v=[0,0,1],往下看n1,访问过了,再看n2仍未访问到,再去看top_rated得到s2,再看s2的覆盖范围更新temp_v,就这样标注s0和s1为favored,如果他俩还没有被fuzz,还要pending_favored++。完成上述操作之后将无用的用例标为冗余。

/* The second part of the mechanism discussed above is a routine that
   goes over top_rated[] entries, and then sequentially grabs winners for
   previously-unseen bytes (temp_v) and marks them as favored, at least
   until the next run. The favored entries are given more air time during
   all fuzzing steps. */

static void cull_queue(void) {

  struct queue_entry* q;
  static u8 temp_v[MAP_SIZE >> 3];
  u32 i;

  if (dumb_mode || !score_changed) return;

  score_changed = 0;

  memset(temp_v, 255, MAP_SIZE >> 3);

  queued_favored  = 0;
  pending_favored = 0;

  q = queue;

  while (q) {
    q->favored = 0;
    q = q->next;

  /* Let's see if anything in the bitmap isn't captured in temp_v.
     If yes, and if it has a top_rated[] contender, let's use it. */

  for (i = 0; i < MAP_SIZE; i++)
    if (top_rated[i] && (temp_v[i >> 3] & (1 << (i & 7)))) {

      u32 j = MAP_SIZE >> 3;

      /* Remove all bits belonging to the current entry from temp_v. */

      while (j--) 
        if (top_rated[i]->trace_mini[j])//这里是之前提到的取反操作
          temp_v[j] &= ~top_rated[i]->trace_mini[j];

      top_rated[i]->favored = 1;

      if (!top_rated[i]->was_fuzzed) pending_favored++;


  q = queue;

  while (q) {//标记冗余用例
    mark_as_redundant(q, !q->favored);
    q = q->next;


再往后就是一个大的循环,也是AFL最最核心的部分,循环开始依然是用cull_queue对队列进行筛选,如果一个cycle都没有新发现尝试更换策略,最终调用skipped_fuzz = fuzz_one(use_argv);这个函数里对测试用例做了变异,下面一节着重分析这个函数AFL的变异策略


fuzz_one && 变异策略



/* Probabilities of skipping non-favored entries in the queue, expressed as
   percentages: */

#define SKIP_TO_NEW_PROB    99 /* ...when there are new, pending favorites */
#define SKIP_NFAV_OLD_PROB  95 /* new favs, cur entry already fuzzed */
#define SKIP_NFAV_NEW_PROB  75 /* new favs, cur entry not fuzzed yet */


下面一步为TRIMMING,调用方式为u8 res = trim_case(argv, queue_cur, in_buf);这个函数主要是用来调整测试用例大小的。起始以文件的1/16大小,一直到1/1024为步长,依次删除文件的某一步长(write_with_gap函数),将得到的check_sum同原来的比较,如果相同说明这部分不会影响测试的结果,删除这部分。




if (cksum != queue_cur->exec_cksum) {
        eff_map[EFF_APOS(stage_cur)] = 1;


/* Maximum offset for integer addition / subtraction stages: */

#define ARITH_MAX           35


/* Interesting values, as per config.h */

static s8  interesting_8[]  = { INTERESTING_8 };
static s16 interesting_16[] = { INTERESTING_8, INTERESTING_16 };
static s32 interesting_32[] = { INTERESTING_8, INTERESTING_16, INTERESTING_32 };

/* List of interesting values to use in fuzzing. */

#define INTERESTING_8 
  -128,          /* Overflow signed 8-bit when decremented  */ 
  -1,            /*                                         */ 
   0,            /*                                         */ 
   1,            /*                                         */ 
   16,           /* One-off with common buffer size         */ 
   32,           /* One-off with common buffer size         */ 
   64,           /* One-off with common buffer size         */ 
   100,          /* One-off with common buffer size         */ 
   127           /* Overflow signed 8-bit when incremented  */

#define INTERESTING_16 
  -32768,        /* Overflow signed 16-bit when decremented */ 
  -129,          /* Overflow signed 8-bit                   */ 
   128,          /* Overflow signed 8-bit                   */ 
   255,          /* Overflow unsig 8-bit when incremented   */ 
   256,          /* Overflow unsig 8-bit                    */ 
   512,          /* One-off with common buffer size         */ 
   1000,         /* One-off with common buffer size         */ 
   1024,         /* One-off with common buffer size         */ 
   4096,         /* One-off with common buffer size         */ 
   32767         /* Overflow signed 16-bit when incremented */

#define INTERESTING_32 
  -2147483648LL, /* Overflow signed 32-bit when decremented */ 
  -100663046,    /* Large negative number (endian-agnostic) */ 
  -32769,        /* Overflow signed 16-bit                  */ 
   32768,        /* Overflow signed 16-bit                  */ 
   65535,        /* Overflow unsig 16-bit when incremented  */ 
   65536,        /* Overflow unsig 16 bit                   */ 
   100663045,    /* Large positive number (endian-agnostic) */ 
   2147483647    /* Overflow signed 32-bit when incremented */

DICTIONARY是替换/插入token到原文件中,共有user extras (over)/user extras (insert)/auto extras (over)。其中替换是有上限的,数量高于上限就按概率替换。


随机选取某个byte,将其设置为随机的interesting value
随机选取某个word,并随机选取大、小端序,将其设置为随机的interesting value
随机选取某个dword,并随机选取大、小端序,将其设置为随机的interesting value



locate_diffs(in_buf, new_buf, MIN(len, target->len), &f_diff, &l_diff);

    if (f_diff < 0 || l_diff < 2 || f_diff == l_diff) {
      goto retry_splicing;

    /* Split somewhere between the first and last differing byte. */

    split_at = f_diff + UR(l_diff - f_diff);
















