AFLplusplus

Version ++2.67c (release)

• Support for improved afl++ snapshot module:
  https://github.com/AFLplusplus/AFL-Snapshot-LKM
• Due to the instrumentation needing more memory, the initial memory sizes
  for -m have been increased
• afl-fuzz:
  • added -F option to allow -M main fuzzers to sync to foreign fuzzers,
    e.g. honggfuzz or libfuzzer
  • added -b option to bind to a specific CPU
  • eliminated CPU affinity race condition for -S/-M runs
  • expanded havoc mode added, on no cycle finds add extra splicing and
    MOpt into the mix
  • fixed a bug in redqueen for strings and made deterministic with -s
• llvm_mode:
  • now supports llvm 12
  • support for AFL_LLVM_ALLOWLIST/AFL_LLVM_DENYLIST (previous
    AFL_LLVM_WHITELIST and AFL_LLVM_INSTRUMENT_FILE are deprecated and
    are matched to AFL_LLVM_ALLOWLIST). The format is compatible to llvm
    sancov, and also supports function matching :)
  • added neverzero counting to trace-pc/pcgard
  • fixes for laf-intel float splitting (thanks to mark-griffin for
    reporting)
  • fixes for llvm 4.0
  • skipping ctors and ifuncs for instrumentation
  • LTO: switch default to the dynamic memory map, set AFL_LLVM_MAP_ADDR
    for a fixed map address (eg. 0x10000)
  • LTO: improved stability for persistent mode, no other instrumentation
    has that advantage
  • LTO: fixed autodict for long strings
  • LTO: laf-intel and redqueen/cmplog are now applied at link time
    to prevent llvm optimizing away the splits
  • LTO: autodictionary mode is a fixed default now
  • LTO: instrim instrumentation disabled, only classic support used
    as it is always better
  • LTO: env var AFL_LLVM_DOCUMENT_IDS=file will document which edge ID
    was given to which function during compilation
  • LTO: single block functions were not implemented by default, fixed
  • LTO: AFL_LLVM_SKIP_NEVERZERO behaviour was inversed, fixed
  • setting AFL_LLVM_LAF_SPLIT_FLOATS now activates
    AFL_LLVM_LAF_SPLIT_COMPARES
  • support for -E and -shared compilation runs
• added honggfuzz mangle as a custom mutator in custom_mutators/honggfuzz
• added afl-frida gum solution to examples/afl_frida (mostly imported
  from https://github.com/meme/hotwax/)
• small fixes to afl-plot, afl-whatsup and man page creation
• new README, added FAQ

Version ++2.66c (release)

• renamed the main branch on Github to "stable"
• renamed master/slave to main/secondary
• renamed blacklist/whitelist to ignorelist/instrumentlist ->
  AFL_LLVM_INSTRUMENT_FILE and AFL_GCC_INSTRUMENT_FILE
• warn on deprecated environment variables
• afl-fuzz:
  • -S secondary nodes now only sync from the main node to increase
    performance, the -M main node still syncs from everyone. Added checks
    that ensure exactly one main node is present and warn otherwise
  • Add -D after -S to force a secondary to perform deterministic fuzzing
  • If no main node is present at a sync one secondary node automatically
    becomes a temporary main node until a real main nodes shows up
  • Fixed a mayor performance issue we inherited from AFLfast
  • switched murmur2 hashing and random() for xxh3 and xoshiro256**,
    resulting in an up to 5.5% speed increase
  • Resizing the window does not crash afl-fuzz anymore
  • Ensure that the targets are killed on exit
  • fix/update to MOpt (thanks to arnow117)
  • added MOpt dictionary support from repo
  • added experimental SEEK power schedule. It is EXPLORE with ignoring
    the runtime and less focus on the length of the test case
• llvm_mode:
  • the default instrumentation is now PCGUARD if the llvm version is >= 7,
    as it is faster and provides better coverage. The original afl
    instrumentation can be set via AFL_LLVM_INSTRUMENT=AFL. This is
    automatically done when the instrument_file list feature is used.
  • PCGUARD mode is now even better because we made it collision free - plus
    it has a fixed map size, so it is also faster! :)
  • some targets want a ld variant for LD that is not gcc/clang but ld,
    added afl-ld-lto to solve this
  • lowered minimum required llvm version to 3.4 (except LLVMInsTrim, which
    needs 3.8.0)
  • instrument_file list feature now supports wildcards (thanks to sirmc)
  • small change to cmplog to make it work with current llvm 11-dev
  • added AFL_LLVM_LAF_ALL, sets all laf-intel settings
  • LTO instrument_files functionality rewritten, now main, _init etc functions
    need not to be listed anymore
  • fixed crash in compare-transform-pass when strcasecmp/strncasecmp was
    tried to be instrumented with LTO
  • fixed crash in cmplog with LTO
  • enable snapshot lkm also for persistent mode
• Unicornafl
  • Added powerPC support from unicorn/next
  • rust bindings!
• CMPLOG/Redqueen now also works for MMAP sharedmem
• ensure shmem is released on errors
• we moved radamsa to be a custom mutator in ./custom_mutators/. It is not
  compiled by default anymore.
• allow running in /tmp (only unsafe with umask 0)
• persistent mode shared memory testcase handover (instead of via
  files/stdin) - 10-100% performance increase
• General support for 64 bit PowerPC, RiscV, Sparc etc.
• fix afl-cmin.bash
• slightly better performance compilation options for afl++ and targets
• fixed afl-gcc/afl-as that could break on fast systems reusing pids in
  the same second
• added lots of dictionaries from oss-fuzz, go-fuzz and Jakub Wilk
• added former post_library examples to examples/custom_mutators/
• Dockerfile upgraded to Ubuntu 20.04 Focal and installing llvm 11 and
  gcc 10 so afl-clang-lto can be build

Version ++2.65c (release):

• afl-fuzz:
  • AFL_MAP_SIZE was not working correctly
  • better python detection
  • an old, old bug in afl that would show negative stability in rare
    circumstances is now hopefully fixed
  • AFL_POST_LIBRARY was deprecated, use AFL_CUSTOM_MUTATOR_LIBRARY
    instead (see docs/custom_mutators.md)
• llvm_mode:
  • afl-clang-fast/lto now do not skip single block functions. This
    behaviour can be reactivated with AFL_LLVM_SKIPSINGLEBLOCK
  • if LLVM 11 is installed the posix shm_open+mmap is used and a fixed
    address for the shared memory map is used as this increases the
    fuzzing speed
  • InsTrim now has an LTO version! :-) That is the best and fastest mode!
  • fixes to LTO mode if instrumented edges > MAP_SIZE
  • CTX and NGRAM can now be used together
  • CTX and NGRAM are now also supported in CFG/INSTRIM mode
  • AFL_LLVM_LAF_TRANSFORM_COMPARES could crash, fixed
  • added AFL_LLVM_SKIP_NEVERZERO to skip the never zero coverage counter
    implementation. For targets with few or no loops or heavily called
    functions. Gives a small performance boost.
• qemu_mode:
  • add information on PIE/PIC load addresses for 32 bit
  • better dependency checks
• gcc_plugin:
  • better dependency checks
• unicorn_mode:
  • validate_crash_callback can now count non-crashing inputs as crash as well
  • better submodule handling
• afl-showmap: fix for -Q mode
• added examples/afl_network_proxy which allows to fuzz a target over the
  network (not fuzzing tcp/ip services but running afl-fuzz on one system
  and the target being on an embedded device)
• added examples/afl_untracer which does a binary-only fuzzing with the
  modifications done in memory (intel32/64 and aarch64 support)
• added examples/afl_proxy which can be easily used to fuzz and instrument
  non-standard things
• all:
  • forkserver communication now also used for error reporting
  • fix 32 bit build options
  • make clean now leaves qemu-3.1.1.tar.xz and the unicornafl directory
    intact if in a git/svn checkout - unless "deepclean" is used

Version ++2.64c (release):

• llvm_mode LTO mode:
  • now requires llvm11 - but compiles all targets! :)
  • autodictionary feature added, enable with AFL_LLVM_LTO_AUTODICTIONARY
  • variable map size usage
• afl-fuzz:
  • variable map size support added (only LTO mode can use this)
  • snapshot feature usage now visible in UI
  • Now setting -L -1 will enable MOpt in parallel to normal mutation.
    Additionally, this allows to run dictionaries, radamsa and cmplog.
  • fix for cmplog/redqueen mode if stdin was used
  • fix for writing a better plot_data file
• qemu_mode: fix for persistent mode (which would not terminate or get stuck)
• compare-transform/AFL_LLVM_LAF_TRANSFORM_COMPARES now transforms also
  static global and local variable comparisons (cannot find all though)
• extended forkserver: map_size and more information is communicated to
  afl-fuzz (and afl-fuzz acts accordingly)
• new environment variable: AFL_MAP_SIZE to specify the size of the shared map
• if AFL_CC/AFL_CXX is set but empty afl compilers did fail, fixed
  (this bug is in vanilla afl too)
• added NO_PYTHON flag to disable python support when building afl-fuzz
• more refactoring

Version ++2.63c (release):

• all:
  • big code changes to make afl-fuzz thread-safe so afl-fuzz can spawn
    multiple fuzzing threads in the future or even become a library
  • afl basic tools now report on the environment variables picked up
  • more tools get environment variable usage info in the help output
  • force all output to stdout (some OK/SAY/WARN messages were sent to
    stdout, some to stderr)
  • uninstrumented mode uses an internal forkserver ("fauxserver")
  • now builds with -D_FORTIFY_SOURCE=2
  • drastically reduced number of (de)allocations during fuzzing
• afl-fuzz:
  • python mutator modules and custom mutator modules now use the same
    interface and hence the API changed
  • AFL_AUTORESUME will resume execution without the need to specify -i -
  • added experimental power schedules (-p):
    • mmopt: ignores runtime of queue entries, gives higher weighting to
      the last 5 queue entries
    • rare: puts focus on queue entries that hits rare branches, also ignores
      runtime
• llvm_mode:
  • added SNAPSHOT feature (using https://github.com/AFLplusplus/AFL-Snapshot-LKM)
  • added Control Flow Integrity sanitizer (AFL_USE_CFISAN)
  • added AFL_LLVM_INSTRUMENT option to control the instrumentation type
    easier: DEFAULT, CFG (INSTRIM), LTO, CTX, NGRAM-x (x=2-16)
  • made USE_TRACE_PC compile obsolete
• LTO collision free instrumented added in llvm_mode with afl-clang-lto -
  note that this mode is amazing, but quite some targets won't compile
• Added llvm_mode NGRAM prev_loc coverage by Adrean Herrera
  (https://github.com/adrianherrera/afl-ngram-pass/), activate by setting
  AFL_LLVM_INSTRUMENT=NGRAM- or AFL_LLVM_NGRAM_SIZE=
• Added llvm_mode context sensitive branch coverage, activated by setting
  AFL_LLVM_INSTRUMENT=CTX or AFL_LLVM_CTX=1
• llvm_mode InsTrim mode:
  • removed workaround for bug where paths were not instrumented and
    imported fix by author
  • made skipping 1 block functions an option and is disabled by default,
    set AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK=1 to re-enable this
• qemu_mode:
  • qemu_mode now uses solely the internal capstone version to fix builds
    on modern Linux distributions
  • QEMU now logs routine arguments for CmpLog when the target is x86
• afl-tmin:
  • now supports hang mode -H to minimize hangs
  • fixed potential afl-tmin missbehavior for targets with multiple hangs
• Pressing Control-c in afl-cmin did not terminate it for some OS
• the custom API was rewritten and is now the same for Python and shared
  libraries.

Version ++2.62c (release):

• Important fix for memory allocation functions that result in afl-fuzz not identifying crashes - UPDATE!
• Small fix for -E/-V to release the CPU
• CmpLog does not need sancov anymore

-> DO NOT USE THIS RELEASE <-

Version ++2.61c (release):

• use -march=native if available
• most tools now check for mistyped environment variables
• gcc 10 is now supported
• the memory safety checks are now disabled for a little more speed during
  fuzzing (only affects creating queue entries), can be toggled in config.h
• afl-fuzz:
  • MOpt out of bounds writing crash fixed
  • now prints the real python version support compiled in
  • set stronger performance compile options and little tweaks
  • Android: prefer bigcores when selecting a CPU
  • CmpLog forkserver
  • Redqueen input-2-state mutator (cmp instructions only ATM)
  • all Python 2+3 versions supported now
  • changed execs_per_sec in fuzzer_stats from "current" execs per second
    (which is pointless) to total execs per second
  • bugfix for dictionary insert stage count (fix via Google repo PR)
  • added warning if -M is used together with custom mutators with _ONLY option
  • AFL_TMPDIR checks are now later and better explained if they fail
• llvm_mode
  • InsTrim: three bug fixes:
    1. (minor) no pointless instrumentation of 1 block functions
    2. (medium) path bug that leads a few blocks not instrumented that
       should be
    3. (major) incorrect prev_loc was written, fixed!
• afl-clang-fast:
  • show in the help output for which llvm version it was compiled for
  • now does not need to be recompiled between trace-pc and pass
    instrumentation. compile normally and set AFL_LLVM_USE_TRACE_PC :)
  • LLVM 11 is supported
  • CmpLog instrumentation using SanCov (see llvm_mode/README.cmplog)
• afl-gcc, afl-clang-fast, afl-gcc-fast:
  • experimental support for undefined behaviour sanitizer UBSAN
    (set AFL_USE_UBSAN=1)
  • the instrumentation summary output now also lists activated sanitizers
  • afl-as: added isatty(2) check back in
  • added AFL_DEBUG (for upcoming merge)
• qemu_mode:
  • persistent mode is now also available for arm and aarch64
  • CmpLog instrumentation for QEMU (-c afl-fuzz command line option)
    for x86, x86_64, arm and aarch64
  • AFL_PERSISTENT_HOOK callback module for persistent QEMU
    (see examples/qemu_persistent_hook)
  • added qemu_mode/README.persistent.md documentation
  • AFL_ENTRYPOINT noew has instruction granularity
• afl-cmin is now a sh script (invoking awk) instead of bash for portability
  the original script is still present as afl-cmin.bash
• afl-showmap: -i dir option now allows processing multiple inputs using the
  forkserver. This is for enhanced speed in afl-cmin.
• added blacklist and whitelisting function check in all modules of llvm_mode
• added fix from Debian project to compile libdislocator and libtokencap
• libdislocator: AFL_ALIGNED_ALLOC to force size alignment to max_align_t

Version ++2.60c (release):

• fixed a critical bug in afl-tmin that was introduced during ++2.53d
• added test cases for afl-cmin and afl-tmin to test/test.sh
• added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
• added preeny's desock_dup ld_preload library as
  ./experimental/socket_fuzzing for network fuzzing
• added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
  for the retrorewrite project
• we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used

Version ++2.59c (release):

• qbdi_mode: fuzz android native libraries via QBDI framework
• unicorn_mode: switched to the new unicornafl, thanks domenukk
  (see https://github.com/vanhauser-thc/unicorn)
• afl-fuzz:
  • added radamsa as (an optional) mutator stage (-R[R])
  • added -u command line option to not unlink the fuzz input file
  • Python3 support (autodetect)
  • AFL_DISABLE_TRIM env var to disable the trim stage
  • CPU affinity support for DragonFly
• llvm_mode:
  • float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
  • support for llvm 10 included now (thanks to devnexen)
• libtokencap:
  • support for *BSD/OSX/Dragonfly added
  • hook common *cmp functions from widely used libraries
• compcov:
  • hook common *cmp functions from widely used libraries
  • floating point splitting support for QEMU on x86 targets
• qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
• afl-analyze: added AFL_SKIP_BIN_CHECK support
• better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
• Dockerfile by courtesy of devnexen
• added regex.dictionary
• qemu and unicorn download scripts now try to download until the full
  download succeeded. f*ckin travis fails downloading 40% of the time!
• more support for Android (please test!)
• added the few Android stuff we didnt have already from Google afl repository
• removed unnecessary warnings

Version ++2.58c (release):

• reverted patch to not unlink and recreate the input file, it resulted in performance loss of ~10%
• added test/test-performance.sh script
• (re)added gcc_plugin, fast inline instrumentation is not yet finished, however it includes the whitelisting and persistance feature! by hexcoder-
• gcc_plugin tests added to testing framework

Note: we jump to 2.57 instead of 2.55 to catch up with Google's versioning

Changelog:

• persistent mode for QEMU (see qemu_mode/README.md)
• custom mutator library is now an additional mutator, to exclusivly use it
  add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
• new library qemu_mode/unsigaction which filters sigaction events
• afl-fuzz: new command line option -I to execute a command on a new crash
• no more unlinking the input file, this way the input file can also be a
  FIFO or disk partition
• setting LLVM_CONFIG for llvm_mode will now again switch to the selected
  llvm version. If your setup is correct.
• fuzzing strategy yields for custom mutator were missing from the UI, added them :)
• added "make tests" which will perform checks to see that all functionality
  is working as expected. this is currently the starting point, its not complete :)
• added mutation documentation feature ("make document"), creates afl-fuzz-document
  and saves all mutations of the first run on the first file into out/queue/mutations
• libtokencap and libdislocator now compile to the afl_root directory and are
  installed to the .../lib/afl directory when present during make install
• more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
• reducing duplicate code in afl-fuzz
• added "make help"
• removed compile warnings from python internal stuff
• added man page for afl-clang-fast[++]
• updated documentation
• Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
• CompareCoverage for ARM target in QEMU/Unicorn

Changelog for 2.54c:

• big code refactoring:
  • all includes are now in include/
  • all afl sources are now in src/ - see src/README.src
  • afl-fuzz was splitted up in various individual files for including
    functionality in other programs (e.g. forkserver, memory map, etc.)
    for better readability.
  • new code indention everywhere
• auto-generating man pages for all (main) tools
• added AFL_FORCE_UI to show the UI even if the terminal is not detected
• llvm 9 is now supported (still needs testing)
• Android is now supported (thank to JoeyJiao!) - still need to modify the Makefile though
• fix building qemu on some Ubuntus (thanks to floyd!)
• custom mutator by a loaded library is now supported (thanks to kyakdan!)
• added PR that includes peak_rss_mb and slowest_exec_ms in the fuzzer_stats report
• more support for *BSD (thanks to devnexen!)
• fix building on *BSD (thanks to tobias.kortkamp for the patch)
• fix for a few features to support different map sized than 2^16
• afl-showmap: new option -r now shows the real values in the buckets (stock
  afl never did), plus shows tuple content summary information now
• small docu updates
• NeverZero counters for QEMU
• NeverZero counters for Unicorn
• CompareCoverage Unicorn
• immediates-only instrumentation for CompareCoverage

Second release of afl++ which besides the new features from the previous version has the following important changes:

• imported the few minor changes from the 2.53b release
• unicorn_mode got added - thanks to domenukk for the patch!
• fix llvm_mode AFL_TRACE_PC with modern llvm
• fix a crash in qemu_mode which also exists in stock afl
• added libcompcov, a laf-intel implementation for qemu! :) see qemu_mode/libcompcov/README.libcompcov
• updated afl-fuzz and afl-system-config for new scaling governor location in modern kernels
• all queue, hang and crash files now have their discovery time in their name
• if llvm_mode was compiled, afl-clang/afl-clang++ will point to these instead of afl-gcc
• added instrim, a much faster llvm_mode instrumentation at the cost of path discovery. See llvm_mode/README.instrim (https://github.com/csienslab/instrim)
• added MOpt (github.com/puppet-meteor/MOpt-AFL) mode, see docs/README.MOpt
• added code to make it more portable to other platforms than Intel Linux
• added never zero counters for afl-gcc and optionally (because of an optimization issue in llvm < 9) for llvm_mode (AFL_LLVM_NEVER_ZERO=1)
• added a new doc about binary only fuzzing: docs/binaryonly_fuzzing.txt
• more cpu power for afl-system-config
• added forkserver patch to afl-tmin, makes it much faster (originally from github.com/nccgroup/TriforceAFL)
• added whitelist support for llvm_mode via AFL_LLVM_WHITELIST to allow only to instrument what is actually interesting. Gives more speed and less map pollution (originally by choller@mozilla)
• added Python Module mutator support, python2.7-dev is autodetected. see docs/python_mutators.txt (originally by choller@mozilla)
• added AFL_CAL_FAST for slow applications and AFL_DEBUG_CHILD_OUTPUT for debugging
• added -V time and -E execs option to better comparison runs, runs afl-fuzz for a specific time/executions.
• added a -s seed switch to allow afl run with a fixed initial seed that is not updated. This is good for performance and path discovery tests as the random numbers are deterministic then

First release of afl++ based on afl 2.52b with:

• community patches to make llvm_mode and qemu_mode faster, plus new features and bugfixes
• qemu upgraded to 3.1
• aflfast powerschedules added
• llvm_mode now supports llvm up to version 8