JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

1 of 9

2 of 9

AFLplusplus WTF

AFLplusplus is the son of the American Fuzzy Lop fuzzer by Michal “lcamtuf” Zalewski.

It was created initially to incorporate all the best features developed in the years for the fuzzers in the AFL family and not merged in AFL cause it is not updated since November 2017.

Visit https://aflplus.plus/ for more info.

3 of 9

Basic Blocks Coverage

Basic Block B

One entry, one exit

4 of 9

Edge Coverage

Edge A -> B

5 of 9

AFL QEMU Instrumentation

uintptr_t cur_location = (uintptr_t)PROGRAM_COUNTER;

cur_location = (cur_location >> 4) ^ (cur_location << 8);

cur_location &= MAP_SIZE - 1;

__afl_area_ptr [ cur_location ^ prev_location ] ++;

prev_location = cur_location >> 1;

shared_mem is a 64kb (fits in L2 chache) SHM shared between the fuzzer and the instrumented target program.

Collisions are possibles.

6 of 9

AFL Ngram Instrumentation

Use multiple prev_location to keep track not only of the last basic block but the last NGRAMS blocks.

uintptr_t idx = cur_loc;

for (int i = 0; i < NGRAMS-1; ++i) {

idx ^= prev_locations[i+1];

prev_locs[i] = prev_locations[i+1];

}

prev_locs[NGRAMS-1] = cur_loc >> 1;

7 of 9

Hooking ELF imports

A dynamic ELF stores the resolved address of imported functions in the .got.plt section. We can replace imported functions simply writing in the corresponding entry of this array.

We can also substitute a symbol name in order to force the loader to resolve to another function.

8 of 9

Hooking with LD_PRELOAD

LD_PRELOAD=/path/to/mylib.so ./program

Override symbols, use dlsym to call the original function. E.g:

void* malloc(size_t size) {

printf(“hooked malloc!\n”);

typeof(&malloc) real_malloc = dlsym(RTLD_NEXT, “malloc”);

void* r = real_malloc(size);

}

9 of 9

PltCov

QEMU use Dynamic Binary Translation to instrument binaries, AFL uses it to log edge coverage.

AFL++ QEMU is faster but always not comparable to uninstrumented runs of the same program.

The idea is to statically replace imported functions of an ELF and use them to produce coverage (a library-calls coverage, not edge coverage anymore).

A simple coverage is ofc not enough, we want NGRAM coverage to better approximate the paths.