Here are some results when skipping the deterministic stage (-d option) -- comparing FidgetyAFL, the old version of AFLFast (AFLFast.old), and the new hybrid version of AFLFast (AFLFast.new) for two of our binutils subjects (average over 6 runs x 12 hours x {nm,cxxfilt} x {FidgetyAFL, AFLFast.old, AFLFast.new} = 36 runs on a 40-core PC).
Map_size: AFLFast.new achieves the same map_size about 2x faster than FidgetyAFL.
For instance, for nm, AFLFast.new needs 1.5 hours while FidgetyAFL needs 4 hours to achieve the same 10%. For cxxfilt, AFLFast.new needs 3 hours while FidgetyAFL needs 7 hours to achieve the same 11.25%.
Unique_crashes: AFLFast.new achieves the same unique_crashes about 2x faster than FidgetyAFL.
For instance, for nm, AFLFast.new needs about 4 hours while FidgetyAFL needs about 12 hours to achieve 750 unique crashes. For cxxfilt, AFLFast.new needs 6 hours while FidgetyAFL needs about 10 hours to achieve 1500 crashes.
Total_paths: AFLFast.new explores the same number of paths about 3x faster than FidgetyAFL.
For instance, for nm, AFLFast.new needs about 3 hours to explore 10k paths while FidgetyAFL needs about 11 hours. For cxxfilt, AFLFast.new needs about 4.5 hours while FidgetyAFL needs about 11 hours to explore about 15k paths.
Time to exposure: AFLFast.new exposes the same vulnerabilities significantly faster than FidgetyAFL. Moreover, in 12 hours AFLFast.new produces about 2x as many unique crashes (279) that cannot be assigned to one of the known vulnerabilities as FidgetyAFL (158).
Cheers!
- Marcel