rebuilding site mar 2 gen 2024, 14:35:12, CET

Author: andreafioraldi

AFLplusplus

@@ -14,5 +14,5 @@ publishDir = "docs"
   ogimage = "ogimage.png"
   BookMenuBundle = "/menu"
   BookLogo = 'aflpp_logo_256x256_w.png'
-  ReleaseName = "4.08c"
-  ReleaseURL = "https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.08c"
+  ReleaseName = "4.09c"
+  ReleaseURL = "https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.09c"

LibAFL

@@ -9,27 +9,54 @@ type: docs
   This is the list of all noteworthy changes made in every public
   release of the tool. See README.md for the general instruction manual.
 
-### Version ++4.09a (dev)
+### Version ++4.10a (dev)
   - afl-fuzz:
+    - default power schedule is now EXPLORE, due a fix in fast schedules
+      explore is slightly better now.
+    - fixed minor issues in the mutation engine, thanks to @futhewo for
+      reporting!
+  - instrumentation:
+    - LLVM 18 support, thanks to @devnexen!
+    - Injection (SQL, LDAP, XSS) feature now available, see
+      `instrumentation/README.injections.md` how to activate/use/expand.
+    - compcov/LAF-intel:
+      - floating point splitting bug fix by @hexcoder
+      - due a bug in LLVM 17 integer splitting is disabled!
+      - when splitting floats was selected, integers were always split as well,
+        fixed to require AFL_LLVM_LAF_SPLIT_COMPARES as it should
+
+
+### Version ++4.09c (release)
+  - afl-fuzz:
+    - fixed the new mutation implementation for two bugs
     - added `AFL_FINAL_SYNC` which forces a final fuzzer sync (also for `-F`)
       before terminating.
     - added AFL_IGNORE_SEED_PROBLEMS to skip over seeds that time out instead
       of exiting with an error message
     - allow -S/-M naming up to 50 characters (from 24)
+    - CMPLOG:
+      - added scale support (-l S)
+      - skip unhelpful insertions (u8)
+    - added --version and --help command line parameters
+    - fixed endless loop when reading malformed dictionaries
+    - new custom mutator function: post_run - thanks to yangzao!
   - afl-whatsup:
     - detect instanced that are starting up and show them as such as not dead
     - now also shows coverage reached
     - option -m shows only very relevant stats
     - option -n will not use color in the output
   - instrumentation:
     - fix for a few string compare transform functions for LAF
+    - we are instrumenting __cxx internal functions again. this might break
+      a few targets, please report if so.
   - frida_mode:
     - fixes support for large map offsets
+  - support for AFL_FUZZER_LOOPCOUNT for afl.rs and LLVMFuzzerTestOneInput
+  - afl-cmin/afl-cmin.bash: prevent unneeded file errors
   - added new tool afl-addseeds that adds new seeds to a running campaign
-  - added benchmark/benchmark.sh if you want to see how good your fuzzing
+  - added benchmark/benchmark.py if you want to see how good your fuzzing
     speed is in comparison to other setups.
 
-
 ### Version ++4.08c (release)
   - afl-fuzz:
     - new mutation engine: mutations that favor discovery more paths are

config.toml

@@ -13,7 +13,7 @@ You can use the [Dockerfile](https://github.com/AFLplusplus/AFLplusplus/blob/sta
 Docker Hub (for x86_64 and arm64):
 
 ```shell
-docker pull aflplusplus/aflplusplus:
+docker pull aflplusplus/aflplusplus:latest
 docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
 ```
 

content/docs/Changelog.md

@@ -11,6 +11,10 @@ instrumentation-guided genetic algorithm. It uses a modified form of edge
 coverage to effortlessly pick up subtle, local-scale changes to program control
 flow.
 
+Note: If you are interested in a more current up-to-date deep dive how AFL++
+works then we commend this blog post:
+[https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)
+
 Simplifying a bit, the overall algorithm can be summed up as:
 
 1) Load user-supplied initial test cases into the queue.

content/docs/INSTALL.md

@@ -131,8 +131,9 @@ def deinit():  # optional for Python
 
 - `queue_get` (optional):
 
-    This method determines whether the custom fuzzer should fuzz the current
-    queue entry or not
+    This method determines whether AFL++ should fuzz the current
+    queue entry or not: all defined custom mutators as well as
+    all AFL++'s mutators.
 
 - `fuzz_count` (optional):
 
@@ -203,7 +204,7 @@ def deinit():  # optional for Python
     This method can be used if you want to send data to the target yourself,
     e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
     that you start the target with afl-fuzz.
-    Example: [https://github.com/AFLplusplus/AFLplusplus/blob/stable/custom_mutators/examples/custom_send.c](https://github.com/AFLplusplus/AFLplusplus/blob/stable/custom_mutators/examples/custom_send.c)
+    Example: [custom_mutators/examples/custom_send.c](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/../custom_mutators/examples/custom_send.c)
 
 - `queue_new_entry` (optional):
 
@@ -382,4 +383,4 @@ See [example.c](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/../c
     - [bruce30262/libprotobuf-mutator_fuzzing_learning](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator)
     - [thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator)
 - [XML Fuzzing@NullCon 2017](https://www.agarri.fr/docs/XML_Fuzzing-NullCon2017-PUBLIC.pdf)
-    - [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663)
+    - [A bug detected by AFL + XML-aware mutators](https://bugs.chromium.org/p/chromium/issues/detail?id=930663)

content/docs/afl-fuzz_approach.md

@@ -141,6 +141,12 @@ subset of the settings discussed in section 1, with the exception of:
   - `TMPDIR` and `AFL_KEEP_ASSEMBLY`, since no temporary assembly files are
     created.
 
+  - LLVM modes compiling C++ will normally set rpath in the binary if LLVM is
+    not in a usual location (/usr or /lib). Setting `AFL_LLVM_NO_RPATH=1`
+    disables this behaviour in case it isn't desired. For example, the compiling
+    toolchain might be in a custom location, but the target machine has LLVM
+    runtime libs in the search path.
+
 Then there are a few specific features that are only available in
 instrumentation mode:
 
@@ -196,6 +202,19 @@ in the specified file.
 For more information, see
 [instrumentation/README.instrument_list.md](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/../instrumentation/README.instrument_list.md).
 
+#### INJECTIONS
+
+This feature is able to find simple injection vulnerabilities in insecure
+calls to mysql/mariadb/nosql/postgresql/ldap and XSS in libxml2.
+
+  - Setting `AFL_LLVM_INJECTIONS_ALL` will enable all injection hooking
+
+  - Setting `AFL_LLVM_INJECTIONS_SQL` will enable SQL injection hooking
+
+  - Setting `AFL_LLVM_INJECTIONS_LDAP` will enable LDAP injection hooking
+
+  - Setting `AFL_LLVM_INJECTIONS_XSS` will enable XSS injection hooking
+
 #### LAF-INTEL
 
 This great feature will split compares into series of single byte comparisons to

content/docs/custom_mutators.md

@@ -100,8 +100,7 @@ For more information, see
 
 In FRIDA mode, you can fuzz binary-only targets as easily as with QEMU mode.
 FRIDA mode is most of the times slightly faster than QEMU mode. It is also
-newer, lacks COMPCOV, and has the advantage that it works on MacOS (both intel
-and M1).
+newer, and has the advantage that it works on MacOS (both intel and M1).
 
 To build FRIDA mode:
 
@@ -119,10 +118,6 @@ The mode is approximately 2-5x slower than compile-time instrumentation, and is
 less conducive to parallelization. But for binary-only fuzzing, it gives a huge
 speed improvement if it is possible to use.
 
-If you want to fuzz a binary-only library, then you can fuzz it with frida-gum
-via frida_mode/. You will have to write a harness to call the target function in
-the library, use afl-frida.c as a template.
-
 You can also perform remote fuzzing with frida, e.g., if you want to fuzz on
 iPhone or Android devices, for this you can use
 [https://github.com/ttdennis/fpicker/](https://github.com/ttdennis/fpicker/) as
@@ -308,7 +303,6 @@ some are very hard to set up...
 * S2E: [https://github.com/S2E](https://github.com/S2E)
 * TinyInst:
   [https://github.com/googleprojectzero/TinyInst](https://github.com/googleprojectzero/TinyInst)
-  (Mac/Windows only)
 *  ... please send me any missing that are good
 
 ## Closing words

content/docs/env_variables.md

@@ -27,7 +27,7 @@ training, then we can highly recommend the following:
 
 * [https://github.com/antonio-morales/Fuzzing101](https://github.com/antonio-morales/Fuzzing101)
 
-Here is a good forkflow description (and tutorial) for qemu_mode:
+Here is a good workflow description (and tutorial) for qemu_mode:
 
 * [https://airbus-seclab.github.io/AFLplusplus-blogpost/](https://airbus-seclab.github.io/AFLplusplus-blogpost/)
 
@@ -47,6 +47,9 @@ structure is), these links have you covered (some are outdated though):
 * Superion for AFL++:
   [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
 
+For a very in-depth explanation on how AFL++ works check out:
+[https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)
+
 ## Video Tutorials
 
 * [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA)