# Important features of AFL++

AFL++ supports llvm from 3.8 up to version 12, very fast binary fuzzing with
QEMU 5.1 with laf-intel and Redqueen, FRIDA mode, unicorn mode, gcc plugin, full
*BSD, Mac OS, Solaris and Android support and much, much, much more.

## Features and instrumentation

| Feature/Instrumentation       | afl-gcc  | llvm      | gcc_plugin | FRIDA mode(9)  | QEMU mode(10)    | unicorn_mode(10) | nyx_mode(12) | coresight_mode(11) |
| ------------------------------|:--------:|:---------:|:----------:|:--------------:|:----------------:|:----------------:|:------------:|:------------------:|
| Threadsafe counters [A]       |          | x(3)      |            |                |                  |                  | x            |                    |
| NeverZero [B]                 | x86[_64] | x(1)      | x          | x              | x                | x                |              |                    |
| Persistent Mode [C]           |          | x         | x          | x86[_64]/arm64 | x86[_64]/arm[64] | x                |              |                    |
| LAF-Intel / CompCov [D]       |          | x         |            |                | x86[_64]/arm[64] | x86[_64]/arm[64] | x86[_64]     |                    |
| CmpLog [E]                    |          | x         | x          | x86[_64]/arm64 | x86[_64]/arm[64] |                  |              |                    |
| Selective Instrumentation [F] |          | x         | x          | x              | x                |                  |              |                    |
| Non-Colliding Coverage [G]    |          | x(4)      |            |                | (x)(5)           |                  |              |                    |
| Ngram prev_loc Coverage [H]   |          | x(6)      |            |                |                  |                  |              |                    |
| Context Coverage [I]          |          | x(6)      |            |                |                  |                  |              |                    |
| Auto Dictionary [J]           |          | x(7)      |            |                |                  |                  |              |                    |
| Snapshot Support [K]          |          | (x)(8)    | (x)(8)     |                | (x)(5)           |                  | x            |                    |
| Shared Memory Test cases [L]  |          | x         | x          | x86[_64]/arm64 | x                | x                | x            |                    |

## More information about features

A. Default is not thread-safe coverage counter updates for better performance,
   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md)

B. On wrapping coverage counters (255 + 1), skip the 0 value and jump to 1
   instead. This has shown to give better coverage data and is the default; see
   [instrumentation/README.llvm.md](../instrumentation/README.llvm.md).

C. Instead of forking, reiterate the fuzz target function in a loop (like
   `LLVMFuzzerTestOneInput`). Great speed increase but only works with target
   functions that do not keep state, leak memory, or exit; see
   [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)

D. Split any non-8-bit comparison to 8-bit comparison; see
   [instrumentation/README.laf-intel.md](../instrumentation/README.laf-intel.md)

E. CmpLog is our enhanced
   [Redqueen](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/)
   implementation, see
   [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)

F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
   for all llvm versions and all our compile modes, only instrument what should
   be instrumented, for more speed, directed fuzzing and less instability; see
   [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)

G. Vanilla AFL uses coverage where edges could collide to the same coverage
   bytes the larger the target is. Our default instrumentation in LTO and
   afl-clang-fast (PCGUARD) uses non-colliding coverage that also makes it
   faster. Vanilla AFL style is available with `AFL_LLVM_INSTRUMENT=AFL`; see
   [instrumentation/README.llvm.md](../instrumentation/README.llvm.md).

H.+I. Alternative coverage based on previous edges (NGRAM) or depending on the
   caller (CTX), based on
   [https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf](https://www.usenix.org/system/files/raid2019-wang-jinghan.pdf);
   see [instrumentation/README.llvm.md](../instrumentation/README.llvm.md).

J. An LTO feature that creates a fuzzing dictionary based on comparisons found
   during compilation/instrumentation. Automatic feature :) See
   [instrumentation/README.lto.md](../instrumentation/README.lto.md)

K. The snapshot feature requires a kernel module that was a lot of work to get
   right and maintained so it is no longer supported. We have
   [nyx_mode](../nyx_mode/README.md) instead.

L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase
   delivery, see
   [instrumentation/README.persistent_mode.md](../instrumentation/README.persistent_mode.md)

## More information about instrumentation

1. Default for LLVM >= 9.0, environment variable for older versions due to an
   efficiency bug in previous llvm versions
2. GCC creates non-performant code, hence it is disabled in gcc_plugin
3. With `AFL_LLVM_THREADSAFE_INST`, disables NeverZero
4. With pcguard mode and LTO mode for LLVM 11 and newer
5. Upcoming, development in the branch
6. Not compatible with LTO instrumentation and needs at least LLVM v4.1
7. Automatic in LTO mode with LLVM 11 and newer, an extra pass for all LLVM
   versions that writes to a file to use with afl-fuzz' `-x`
8. The snapshot LKM is currently unmaintained due to too many kernel changes
   coming too fast :-(
9. FRIDA mode is supported on Linux and MacOS for Intel and ARM
10. QEMU/Unicorn is only supported on Linux
11. Coresight mode is only available on AARCH64 Linux with a CPU with Coresight
    extension
12. Nyx mode is only supported on Linux and currently restricted to x86_64

## Integrated features and patches

Among others, the following features and patches have been integrated:

* NeverZero patch for afl-gcc, instrumentation, QEMU mode and unicorn_mode which
  prevents a wrapping map value to zero, increases coverage
* Persistent mode, deferred forkserver and in-memory fuzzing for QEMU mode
* Unicorn mode which allows fuzzing of binaries from completely different
  platforms (integration provided by domenukk)
* The new CmpLog instrumentation for LLVM and QEMU inspired by
  [Redqueen](https://github.com/RUB-SysSec/redqueen)
* Win32 PE binary-only fuzzing with QEMU and Wine
* AFLfast's power schedules by Marcel Böhme:
  [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
* The MOpt mutator:
  [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
* LLVM mode Ngram coverage by Adrian Herrera
  [https://github.com/adrianherrera/afl-ngram-pass](https://github.com/adrianherrera/afl-ngram-pass)
* LAF-Intel/CompCov support for instrumentation, QEMU mode and unicorn_mode
  (with enhanced capabilities)
* Radamsa and honggfuzz mutators (as custom mutators).
* QBDI mode to fuzz android native libraries via Quarkslab's
  [QBDI](https://github.com/QBDI/QBDI) framework
* Frida and ptrace mode to fuzz binary-only libraries, etc.

So all in all this is the best-of AFL that is out there :-)
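The persistent-mode loop described in item C, combined with the shared-memory test case delivery of item L, looks like this in a harness. This is an added example, not code from AFL++ or its documentation: the macros `__AFL_FUZZ_INIT`, `__AFL_INIT`, `__AFL_LOOP`, `__AFL_FUZZ_TESTCASE_BUF` and `__AFL_FUZZ_TESTCASE_LEN` are the real ones that afl-clang-fast defines, while the `#ifndef` fallback block, the `check_record` target and its two-byte TLV layout are constructed here so the file also builds with a plain compiler and reads one test case from stdin.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Fallback definitions for builds without afl-clang-fast (constructed for
   this example). afl-clang-fast passes the real macros via -D, so the
   #ifndef guard hands over to them automatically. With the fallback the
   "loop" runs once over whatever is read from stdin. */
#ifndef __AFL_FUZZ_TESTCASE_LEN
static ssize_t fuzz_len;
static unsigned char fuzz_buf[1024 * 1024];
#define __AFL_FUZZ_INIT() typedef int afl_fuzz_init_fallback_t
#define __AFL_INIT() ((void)0)
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
#define __AFL_LOOP(n) ((fuzz_len = read(STDIN_FILENO, fuzz_buf, sizeof fuzz_buf)) > 0)
#endif

/* File-scope: sets up the shared-memory test case pointer and length. */
__AFL_FUZZ_INIT();

/* Hypothetical stateless target: a tiny TLV record check.
   Constructed layout: [tag][len][len bytes of payload].
   Returns 1 when the record is well-formed and exactly fills the buffer,
   0 otherwise. It keeps no global state, allocates nothing and never
   calls exit(), which is what item C requires of a persistent target. */
int check_record(const unsigned char *buf, size_t len) {
    if (len < 2) return 0;
    unsigned char tag = buf[0];
    size_t plen = buf[1];
    if (tag != 0x01 && tag != 0x02) return 0;
    if (plen + 2 != len) return 0;          /* length must match exactly */
    if (tag == 0x02) {                      /* tag 2: payload is printable ASCII */
        for (size_t i = 0; i < plen; i++)
            if (buf[2 + i] < 0x20 || buf[2 + i] > 0x7e) return 0;
    }
    return 1;
}

int main(void) {
    __AFL_INIT();                                  /* deferred forkserver starts here */
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;  /* must be read after __AFL_INIT */

    /* AFL++ re-enters the loop body with a fresh test case already in shared
       memory; no fork, no file open, no read syscall per execution. */
    while (__AFL_LOOP(10000)) {
        size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
        check_record(buf, len);
    }
    return 0;
}
```

Build with `afl-clang-fast -o harness harness.c` and run `afl-fuzz -i in -o out -- ./harness`; afl-fuzz detects the persistent loop and the shared-memory test case channel on its own. If the target had kept state across iterations (a cache, a leaked allocation), item C's warning applies: the loop would turn one test case's side effects into the next test case's input.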
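Items B (NeverZero) and G (colliding coverage) both concern what a byte in the coverage map means to the fuzzer. The simulation below is an added example, not AFL or AFL++ code: it reproduces the classic 8-bit hit counter with and without the NeverZero fix, and the vanilla AFL edge index `cur ^ (prev >> 1)` over a 65536-byte map, using constructed block ids to show two distinct edges sharing one byte.

```c
#include <stdint.h>

#define MAP_SIZE 65536  /* classic AFL default coverage map size */

/* Plain 8-bit hit counter: 255 + 1 wraps to 0, so an edge executed exactly
   256 times looks identical to one that never ran. */
uint8_t bump_plain(uint8_t c) { return (uint8_t)(c + 1); }

/* NeverZero: if the increment wrapped to 0, add the carry back so the
   counter lands on 1 instead (the add/adc idiom item B describes). */
uint8_t bump_neverzero(uint8_t c) {
    uint8_t n = (uint8_t)(c + 1);
    return (uint8_t)(n + (n == 0));
}

/* Hit one edge `hits` times and return the map byte the fuzzer would see. */
uint8_t counter_after_hits(unsigned hits, int neverzero) {
    uint8_t c = 0;
    for (unsigned i = 0; i < hits; i++)
        c = neverzero ? bump_neverzero(c) : bump_plain(c);
    return c;
}

/* Vanilla AFL edge index: every basic block gets a random id at compile
   time, and the edge prev->cur is recorded at cur ^ (prev >> 1). */
unsigned classic_edge_index(unsigned prev_id, unsigned cur_id) {
    return (cur_id ^ (prev_id >> 1)) & (MAP_SIZE - 1);
}

/* 1 if two *different* edges are recorded in the same map byte, i.e. the
   fuzzer cannot tell which of them a new input actually reached. */
int edges_collide(unsigned p1, unsigned c1, unsigned p2, unsigned c2) {
    if (p1 == p2 && c1 == c2) return 0;   /* same edge, not a collision */
    return classic_edge_index(p1, c1) == classic_edge_index(p2, c2);
}
```

With the constructed ids, edge 6->2 and edge 0->1 both hash to byte 1, which is why the non-colliding PCGUARD and LTO modes of item G assign each edge its own slot instead of XOR-ing random block ids. The NeverZero counter never reports 0 for an edge that ran, so a 256-hit loop no longer disappears from the feedback.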
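Item D says LAF-Intel splits every non-8-bit comparison into 8-bit comparisons. The added example below shows by hand what that transformation does to a 32-bit magic-value check and why it helps a coverage-guided fuzzer; it is not the AFL++ pass itself, and the constant `MAGIC` and the functions are constructed for illustration.

```c
#include <stdint.h>

#define MAGIC 0xDEADBEEFu  /* constructed example constant */

/* Unsplit form: a single 32-bit comparison. The fuzzer sees one branch that
   is either taken or not, so an input with 3 of 4 bytes right yields the
   same coverage as one with none right: no gradient to follow. */
int accepts_direct(uint32_t x) { return x == MAGIC; }

/* Split form (what the LAF-Intel pass generates, written out by hand):
   a chain of byte comparisons. Each correct byte opens a new edge, so the
   fuzzer can solve the value one byte at a time. Behaviour is identical. */
int accepts_split(uint32_t x) {
    if ((uint8_t)(x >> 24) != (uint8_t)(MAGIC >> 24)) return 0;
    if ((uint8_t)(x >> 16) != (uint8_t)(MAGIC >> 16)) return 0;
    if ((uint8_t)(x >> 8)  != (uint8_t)(MAGIC >> 8))  return 0;
    if ((uint8_t)x         != (uint8_t)MAGIC)         return 0;
    return 1;
}

/* How far into the split chain an input gets (0..4). This is exactly the
   feedback the split form exposes as distinct edges and the direct form
   collapses into one. */
int split_stages_passed(uint32_t x) {
    int stages = 0;
    for (int shift = 24; shift >= 0; shift -= 8) {
        if ((uint8_t)(x >> shift) != (uint8_t)(MAGIC >> shift)) break;
        stages++;
    }
    return stages;
}
```

The cost is more branches per comparison, which is why the table lists LAF-Intel as an option rather than a default; CmpLog (item E) attacks the same problem from the other side by logging comparison operands and substituting them into the input.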