1# Building and installing AFL++ 2 3## Linux on x86 4 5An easy way to install AFL++ with everything compiled is available via docker: 6You can use the [Dockerfile](../Dockerfile) or just pull directly from the 7Docker Hub (for x86_64 and arm64): 8 9```shell 10docker pull aflplusplus/aflplusplus:latest 11docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus 12``` 13 14This image is automatically generated when a push to the stable branch happens. 15You will find your target source code in `/src` in the container. 16 17Note: you can also pull `aflplusplus/aflplusplus:dev` which is the most current 18development state of AFL++. 19 20If you want to build AFL++ yourself, you have many options. The easiest choice 21is to build and install everything: 22 23NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-14` with 24whatever llvm version is available. We recommend llvm 13, 14, 15 or 16. 25 26```shell 27sudo apt-get update 28sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cargo libgtk-3-dev 29# try to install llvm 14 and install the distro default if that fails 30sudo apt-get install -y lld-14 llvm-14 llvm-14-dev clang-14 || sudo apt-get install -y lld llvm llvm-dev clang 31sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev 32sudo apt-get install -y ninja-build # for QEMU mode 33git clone https://github.com/AFLplusplus/AFLplusplus 34cd AFLplusplus 35make distrib 36sudo make install 37``` 38 39It is recommended to install the newest available gcc, clang and llvm-dev 40possible in your distribution! 41 42Note that `make distrib` also builds FRIDA mode, QEMU mode, unicorn_mode, and 43more. If you just want plain AFL++, then do `make all`. If you want some 44assisting tooling compiled but are not interested in binary-only targets, then 45instead choose: 46 47```shell 48make source-only 49``` 50 51These build targets exist: 52 53* all: the main AFL++ binaries and llvm/gcc instrumentation 54* binary-only: everything for binary-only fuzzing: frida_mode, nyx_mode, 55 qemu_mode, frida_mode, unicorn_mode, coresight_mode, libdislocator, 56 libtokencap 57* source-only: everything for source code fuzzing: nyx_mode, libdislocator, 58 libtokencap 59* distrib: everything (for both binary-only and source code fuzzing) 60* man: creates simple man pages from the help option of the programs 61* install: installs everything you have compiled with the build options above 62* clean: cleans everything compiled, not downloads (unless not on a checkout) 63* deepclean: cleans everything including downloads 64* code-format: format the code, do this before you commit and send a PR please! 65* tests: runs test cases to ensure that all features are still working as they 66 should 67* unit: perform unit tests (based on cmocka) 68* help: shows these build options 69 70[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html), 71you can also build statically linked versions of the AFL++ binaries by passing 72the `STATIC=1` argument to make: 73 74```shell 75make STATIC=1 76``` 77 78These build options exist: 79 80* STATIC - compile AFL++ static 81* CODE_COVERAGE - compile the target for code coverage (see docs/instrumentation/README.llvm.md) 82* ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes 83* UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for debug purposes 84* DEBUG - no optimization, -ggdb3, all warnings and -Werror 85* LLVM_DEBUG - shows llvm deprecation warnings 86* PROFILING - compile afl-fuzz with profiling information 87* INTROSPECTION - compile afl-fuzz with mutation introspection 88* NO_PYTHON - disable python support 89* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing 90* NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL) 91* NO_NYX - disable building nyx mode dependencies 92* NO_CORESIGHT - disable building coresight (arm64 only) 93* NO_UNICORN_ARM64 - disable building unicorn on arm64 94* AFL_NO_X86 - if compiling on non-intel/amd platforms 95* LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian) 96 97e.g.: `make LLVM_CONFIG=llvm-config-14` 98 99## MacOS X on x86 and arm64 (M1) 100 101MacOS has some gotchas due to the idiosyncrasies of the platform. 102 103To build AFL, install llvm (and perhaps gcc) from brew and follow the general 104instructions for Linux. If possible, avoid Xcode at all cost. 105 106```shell 107brew install wget git make cmake llvm gdb coreutils 108``` 109 110Be sure to setup `PATH` to point to the correct clang binaries and use the 111freshly installed clang, clang++, llvm-config, gmake and coreutils, e.g.: 112 113```shell 114# Depending on your MacOS system + brew version it is either 115export PATH="/opt/homebrew/opt/llvm/bin:$PATH" 116# or 117export PATH="/usr/local/opt/llvm/bin:/usr/local/opt/coreutils/libexec/gnubin:$PATH" 118# you can check with "brew info llvm" 119 120export PATH="/usr/local/bin:$PATH" 121export CC=clang 122export CXX=clang++ 123gmake 124cd frida_mode 125gmake 126cd .. 127sudo gmake install 128``` 129 130`afl-gcc` will fail unless you have GCC installed, but that is using outdated 131instrumentation anyway. `afl-clang` might fail too depending on your PATH setup. 132But you don't want neither, you want `afl-clang-fast` anyway :) Note that 133`afl-clang-lto`, `afl-gcc-fast` and `qemu_mode` are not working on MacOS. 134 135The crash reporting daemon that comes by default with MacOS X will cause 136problems with fuzzing. You need to turn it off: 137 138``` 139launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist 140sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist 141``` 142 143The `fork()` semantics on OS X are a bit unusual compared to other unix systems 144and definitely don't look POSIX-compliant. This means two things: 145 146 - Fuzzing will be probably slower than on Linux. In fact, some folks report 147 considerable performance gains by running the jobs inside a Linux VM on 148 MacOS X. 149 - Some non-portable, platform-specific code may be incompatible with the AFL++ 150 forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the 151 environment before starting afl-fuzz. 152 153User emulation mode of QEMU does not appear to be supported on MacOS X, so 154black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`) 155works on both x86 and arm64 MacOS boxes. 156 157MacOS X supports SYSV shared memory used by AFL's instrumentation, but the 158default settings aren't usable with AFL++. The default settings on 10.14 seem to 159be: 160 161```bash 162$ ipcs -M 163IPC status from <running system> as of XXX 164shminfo: 165 shmmax: 4194304 (max shared memory segment size) 166 shmmin: 1 (min shared memory segment size) 167 shmmni: 32 (max number of shared memory identifiers) 168 shmseg: 8 (max shared memory segments per process) 169 shmall: 1024 (max amount of shared memory in pages) 170``` 171 172To temporarily change your settings to something minimally usable with AFL++, 173run these commands as root: 174 175```bash 176sysctl kern.sysv.shmmax=8388608 177sysctl kern.sysv.shmall=4096 178``` 179 180If you're running more than one instance of AFL, you likely want to make 181`shmall` bigger and increase `shmseg` as well: 182 183```bash 184sysctl kern.sysv.shmmax=8388608 185sysctl kern.sysv.shmseg=48 186sysctl kern.sysv.shmall=98304 187``` 188 189See 190[http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html) 191for documentation for these settings and how to make them permanent. 192