# laf-intel instrumentation

## Introduction

This is originally the work of an individual nicknamed laf-intel. His blog post
[Circumventing Fuzzing Roadblocks with Compiler Transformations](https://lafintel.wordpress.com/)
and GitLab repo [laf-llvm-pass](https://gitlab.com/laf-intel/laf-llvm-pass/)
describe code transformations that help AFL++ enter conditional blocks whose
conditions are comparisons of large values. A single 32-bit `==` against a
magic value is one branch, so the fuzzer gets no coverage feedback until all
four bytes are right at once; splitting it into byte-sized comparisons gives
feedback for every byte that matches.

## Usage

By default, these passes do not run when you compile programs with
afl-clang-fast, so you can use AFL++ as usual. To enable them, set the
corresponding environment variables before you compile the target project.

The following options exist:

`export AFL_LLVM_LAF_SPLIT_SWITCHES=1`

Enables the split-switches pass, which turns `switch` statements into chains
of individual comparisons.

`export AFL_LLVM_LAF_TRANSFORM_COMPARES=1`

Enables the transform-compares pass (strcmp, memcmp, strncmp, strcasecmp,
strncasecmp), which rewrites calls to these functions that compare against a
constant string into per-byte comparisons.

`export AFL_LLVM_LAF_SPLIT_COMPARES=1`

Enables the split-compares pass. By default, it will
1. simplify the operators >= (and <=) into chains of > (<) and == comparisons
2. change signed integer comparisons into a chain of a sign-only comparison and
   unsigned integer comparisons
3. split all unsigned integer comparisons with bit widths of 64, 32, or 16 bits
   into chains of 8-bit comparisons.

You can change the behavior of the last step by setting
`export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where bit_width may be
64, 32, or 16. For example, a bit_width of 16 splits larger comparisons down
to 16-bit comparisons.

A newer feature is splitting floating point comparisons into a series of sign,
exponent and mantissa comparisons, each of which is then split further into
8-bit comparisons where necessary. It is activated with the
`AFL_LLVM_LAF_SPLIT_FLOATS` setting.

Note that setting this automatically activates `AFL_LLVM_LAF_SPLIT_COMPARES`.

You can also set `AFL_LLVM_LAF_ALL` and have all of the above enabled. :-)
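To make the effect of these passes concrete, here is an added illustration in plain C. It is not AFL++ code and not the LLVM passes themselves: each function is a hand-written source-level equivalent of what the three split-compares steps and the transform-compares pass produce at the IR level, so you can see why every byte becomes its own branch (and therefore its own coverage edge). The function names, the magic value `0xDEADBEEF` and the constant string `"LAF!"` are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not AFL++ code: source-level equivalents of the laf-intel
 * transformations. All names and constants below are ours. */

/* Original form: one 32-bit equality. Edge coverage sees a single branch, so
 * an input that matches three of the four bytes looks no better than one
 * that matches none. */
bool magic_eq_original(uint32_t x) {
    return x == 0xDEADBEEFu;
}

/* Step 3 of split-compares (default 8-bit width): four chained byte
 * comparisons, each a separate branch. Matching the first byte already
 * reaches a new edge, so the fuzzer keeps that input and builds on it. */
bool magic_eq_split(uint32_t x) {
    if ((uint8_t)(x >> 24) != 0xDE) return false;
    if ((uint8_t)(x >> 16) != 0xAD) return false;
    if ((uint8_t)(x >> 8)  != 0xBE) return false;
    if ((uint8_t)(x)       != 0xEF) return false;
    return true;
}

/* Step 1: x >= y becomes (x > y) followed by (x == y), two branches. */
bool uge_split(uint32_t x, uint32_t y) {
    if (x > y) return true;
    return x == y;
}

/* Step 2: a signed a < b becomes a sign-bit test followed by an unsigned
 * comparison. Within one sign, two's-complement bit patterns order the same
 * way as unsigned integers, so the unsigned compare is exact. */
bool slt_split(int32_t a, int32_t b) {
    uint32_t ua = (uint32_t)a, ub = (uint32_t)b;
    bool sa = (ua >> 31) != 0, sb = (ub >> 31) != 0;
    if (sa != sb) return sa;   /* negative is always below non-negative */
    return ua < ub;            /* same sign: plain unsigned less-than */
}

/* Step 3 applied to an unsigned less-than: compare byte by byte from the
 * most significant end, deciding at the first byte that differs. */
bool ult_split8(uint32_t x, uint32_t y) {
    for (int shift = 24; shift >= 0; shift -= 8) {
        uint8_t bx = (uint8_t)(x >> shift), by = (uint8_t)(y >> shift);
        if (bx != by) return bx < by;
    }
    return false;  /* all bytes equal, so not less-than */
}

/* transform-compares: strcmp(s, "LAF!") == 0 against a constant string becomes
 * one comparison per byte, including the terminating NUL, each its own branch. */
bool streq_transformed(const char *s) {
    static const char k[] = "LAF!";           /* constructed sample constant */
    for (size_t i = 0; i < sizeof k; i++) {   /* sizeof k == 5, includes '\0' */
        if (s[i] != k[i]) return false;       /* one branch per byte */
        if (k[i] == '\0') return true;        /* both strings ended together */
    }
    return true;  /* not reached: the NUL at k[4] always returns above */
}

int main(void) {
    printf("magic 0xDEADBEEF: original=%d split=%d\n",
           magic_eq_original(0xDEADBEEFu), magic_eq_split(0xDEADBEEFu));
    printf("-1 < 0 via sign+unsigned: %d\n", slt_split(-1, 0));
    printf("0xFF < 0x100 bytewise: %d\n", ult_split8(0xFFu, 0x100u));
    printf("strcmp(\"LAF!\") transformed: %d\n", streq_transformed("LAF!"));
    return 0;
}
```

Each `if` above is a conditional branch that afl-clang-fast instruments, which is the whole point: the fuzzer can now discover the magic value one byte at a time instead of needing a 1-in-2^32 guess. The trade-off is that the instrumented binary carries correspondingly more branches and edges, so expect it to grow.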