# Target Intelligence

These are some ideas you can use so that the target you are fuzzing can
give helpful feedback to AFL++.

## Add to the AFL++ dictionary from your target

For this, your target must be compiled for CMPLOG (`AFL_LLVM_CMPLOG=1`).

Add to your source code:

```
#include <stdint.h>

// Weak declarations: the pointers are NULL unless the CMPLOG runtime is linked in.
__attribute__((weak)) void __cmplog_rtn_hook_strn(uint8_t *ptr1, uint8_t *ptr2, uint64_t len);
__attribute__((weak)) void __cmplog_ins_hook1(uint8_t arg1, uint8_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook2(uint16_t arg1, uint16_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook4(uint32_t arg1, uint32_t arg2, uint8_t attr);
__attribute__((weak)) void __cmplog_ins_hook8(uint64_t arg1, uint64_t arg2, uint8_t attr);

int in_your_function(uint8_t *string1, uint8_t *string2, uint64_t length,
                     uint32_t first_32_bit_var, uint32_t second_32_bit_var) {

  // to add two strings to the AFL++ dictionary (one length covers both):
  if (__cmplog_rtn_hook_strn)
    __cmplog_rtn_hook_strn(string1, string2, length);

  // to add two 32 bit integers to the AFL++ dictionary:
  if (__cmplog_ins_hook4)
    __cmplog_ins_hook4(first_32_bit_var, second_32_bit_var, 0);

  return 0;
}
```

Note that this only makes sense if the target processes these values in a way
that AFL++ CMPLOG cannot uncover, e.g., if the values are transformed by a
matrix computation.

Fixed values are always better given to afl-fuzz via a `-x dictionary`.

## Add inputs to AFL++ dictionary from your target

If for whatever reason you want your target to propose new inputs to AFL++,
then this is actually very easy.
The environment variable `AFL_CUSTOM_INFO_OUT` contains the output directory
of this run, including the fuzzer instance name (e.g., `default`), so if you
run `afl-fuzz -o out -S foobar`, the value would be `out/foobar`.

To show afl-fuzz an input it should consider, just do the following:

1. Create the directory `$AFL_CUSTOM_INFO_OUT/../target/queue`.
2. Create any new inputs you want afl-fuzz to notice in that directory with the
   following naming convention: `id:NUMBER-OF-LENGTH-SIX-WITH-LEADING-ZEROES,whatever`
   where that number has to be increasing.
   e.g.:
```
   id:000000,first_file
   id:000001,second_file
   id:000002,third_file
   etc.
```

Note that this will not work in nyx_mode because afl-fuzz cannot see inside the
virtual machine.
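
The two steps above written as a C helper that the target can call, as an added example that is not part of the AFL++ code base. The function name `propose_input`, the fixed `,from_target` suffix and the temporary file name are assumptions, as is this helper being the only writer in that directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not an AFL++ API: hands `len` bytes at `data` to afl-fuzz.
   Returns the id used in the file name, or -1 on error / when not under afl-fuzz. */
long propose_input(const void *data, size_t len) {
  static long hint = 0; /* starting point only: forked children inherit a stale value */
  const char *out = getenv("AFL_CUSTOM_INFO_OUT");
  char dir[4096], tmp[4200], path[4200];
  FILE *f;
  int n;

  if (!out || !*out) return -1;

  /* Step 1: create $AFL_CUSTOM_INFO_OUT/../target/queue, one level at a time. */
  n = snprintf(dir, sizeof dir, "%s/../target", out);
  if (n < 0 || (size_t)n >= sizeof dir) return -1;
  if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
  n = snprintf(dir, sizeof dir, "%s/../target/queue", out);
  if (n < 0 || (size_t)n >= sizeof dir) return -1;
  if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;

  /* Step 2a: write the bytes under a per-process temporary name, so no file
     carries an id: name while it is still incomplete. */
  snprintf(tmp, sizeof tmp, "%s/.tmp.%ld", dir, (long)getpid());
  if (!(f = fopen(tmp, "wb"))) return -1;
  n = fwrite(data, 1, len, f) == len;
  if (fclose(f) != 0 || !n) { unlink(tmp); return -1; }

  /* Step 2b: publish under the first free id. link() fails with EEXIST rather
     than overwriting, so parallel target processes cannot take the same id. */
  for (long id = hint; id <= 999999; id++) {
    snprintf(path, sizeof path, "%s/id:%06ld,from_target", dir, id);
    if (link(tmp, path) == 0) { unlink(tmp); hint = id + 1; return id; }
    if (errno != EEXIST) break;
  }
  unlink(tmp);
  return -1;
}
```

Outside afl-fuzz the variable is unset and the call returns -1 without touching the filesystem, so it can stay in the target for normal builds.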