afl with VALGRIND ?


Shai Sarfaty

Feb 17, 2016, 9:26:44 AM2/17/16
to afl-users
Hi,
I have seen in the documentation that, like ASAN, we can also use VALGRIND to monitor the execution of a test, but sadly I couldn't find any example of this type of usage.
Can anyone please give a command-line example of how to use afl-fuzz with VALGRIND on an instrumented target?

Thanks

Michal Zalewski

Feb 17, 2016, 11:08:53 AM2/17/16
to afl-users
> Can anyone please give a command-line example of how to use afl-fuzz with
> VALGRIND on an instrumented target?

The same way you'd use it for a non-instrumented one; refer to
Valgrind's manual, but the simplest use is:

valgrind ./binary-to-test [target params]

Fuzzing with valgrind is not recommended and not seriously supported,
though; the tool is way too slow for that.

/mz

shai.s...@googlemail.com

Feb 17, 2016, 12:19:26 PM2/17/16
to afl-...@googlegroups.com
I know the tool's own syntax; I was referring to how to run it as part of afl.

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Michal Zalewski
Sent: Wednesday, 17 February 2016 18:08
To: afl-users
Reply To: afl-...@googlegroups.com
Subject: Re: [afl-users] afl with VALGRIND ?
--
You received this message because you are subscribed to a topic in the Google Groups "afl-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/afl-users/tyH8eRNCtEc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to afl-users+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Michal Zalewski

Feb 17, 2016, 12:33:46 PM2/17/16
to afl-users
> I know the tool's own syntax; I was referring to how to run it as part of afl.

Basically, please don't :-)

/mz

shai.s...@googlemail.com

Feb 17, 2016, 12:44:13 PM2/17/16
to afl-...@googlegroups.com
:-) ok ok

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Michal Zalewski
Sent: Wednesday, 17 February 2016 19:33
To: afl-users
Reply To: afl-...@googlegroups.com
Subject: Re: [afl-users] afl with VALGRIND ?

> I know the tool's own syntax; I was referring to how to run it as part of afl.

Basically, please don't :-)

/mz

Yuri Gribov

Feb 17, 2016, 2:50:39 PM2/17/16
to afl-...@googlegroups.com
On Wed, Feb 17, 2016 at 8:44 PM, shai.sarfaty via afl-users
<afl-...@googlegroups.com> wrote:
> :-) ok ok

You could try DrMemory or other DynamoRIO-based tools.

Dominique Pellé

Feb 17, 2016, 3:10:35 PM2/17/16
to afl-...@googlegroups.com
Michal Zalewski <lca...@gmail.com> wrote:

>> I know the tool's own syntax; I was referring to how to run it as part of afl.
>
> Basically, please don't :-)

I disagree. I found bugs thanks to running test cases from the corpus
created by afl-fuzz with valgrind. I generally fuzz with asan, then when
a corpus is created (files in the queue/ directory), I process it with valgrind.
Valgrind may be slow, but it finds conditions that depend on uninitialized
memory, which are not found by asan. It's a frequent bug too. msan would
find such errors, but msan is difficult to use in practice, as all
libraries need to be compiled with msan. Valgrind is simpler.

You can use the "timeout" shell command to prevent valgrind from
hanging for a long time in case it enters an endless loop.
I don't recall the exact command I used, but something like this
should work:

$ find queue/ -type f | xargs -I@@ timeout 10 valgrind your_command @@

Regards
Dominique
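As an added illustration of the corpus-replay workflow described in the post above (fuzz with asan, then replay the files in queue/ under Valgrind with a per-case timeout), here is a POSIX shell script. It is not from the thread, from afl, or from Valgrind; it only reuses the idea of find + timeout + valgrind. It assumes GNU timeout and Valgrind are on PATH, that the target takes the test-case path as its last argument (afl's @@ convention), and it relies on Memcheck's real --error-exitcode option so that a test case that triggers a Valgrind report can be told apart from a clean run, a crash (128+signal) and a timeout (exit 124). The exit code 99, the VALGRIND_BIN override and the output format are choices made here, not afl or Valgrind conventions; the script also skips afl's queue/.state/ bookkeeping directory, which a bare find would otherwise feed to the target.

```shell
#!/bin/sh
# Replay an afl-fuzz queue/ directory under Valgrind (Memcheck), one test case
# at a time, and sort the results into clean / memcheck-error / crash / timeout.
# Usage:  . ./vg-triage.sh && triage_corpus out/queue ./target --flag
# Assumption (not from the thread): the target reads the test case whose path
# is appended as its last argument.

TIMEOUT_SECS="${TIMEOUT_SECS:-10}"          # per-case wall-clock budget
VG_ERR_CODE=99                              # chosen here: not 124, not 128+signal
VALGRIND_BIN="${VALGRIND_BIN:-valgrind}"    # overridable, e.g. for a dry run

# Map an exit status to a triage category. Memcheck returns VG_ERR_CODE only
# when it reported at least one error; otherwise the target's own status passes
# through, and GNU timeout reports 124 when the time limit expired.
classify_status() {
    case "$1" in
        0)              echo clean ;;
        124)            echo timeout ;;
        "$VG_ERR_CODE") echo memcheck-error ;;
        *)              echo crash-or-other ;;   # e.g. 139 = 128+SIGSEGV
    esac
}

# Run a single test case: prints "<category>\t<file>\t<valgrind log or ->".
# The log is kept only for non-clean runs so the interesting ones stand out.
run_one() {
    file="$1"; shift
    log="$(mktemp)"
    if timeout "$TIMEOUT_SECS" "$VALGRIND_BIN" -q \
            --error-exitcode="$VG_ERR_CODE" --track-origins=yes \
            --log-file="$log" "$@" "$file"; then
        status=0
    else
        status=$?
    fi
    category="$(classify_status "$status")"
    if [ "$category" = clean ]; then
        rm -f "$log"
        log="-"
    fi
    printf '%s\t%s\t%s\n' "$category" "$file" "$log"
}

# Walk the queue directory (files only, skipping afl's .state/ metadata) and
# replay every test case through run_one with the given target command line.
triage_corpus() {
    dir="$1"; shift
    find "$dir" -path '*/.state' -prune -o -type f -print | sort |
    while IFS= read -r f; do
        run_one "$f" "$@"
    done
}
```

Because each case runs under its own timeout, one input that sends the target into an endless loop under Valgrind costs at most TIMEOUT_SECS instead of stalling the whole pass, and --track-origins=yes makes the uninitialised-value reports point at the allocation that produced the value.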

Michal Zalewski

Feb 17, 2016, 3:15:24 PM2/17/16
to afl-users
>>> I know the tool's own syntax; I was referring to how to run it as part of afl.
>> Basically, please don't :-)
>
> I disagree. I found bugs thanks to running test cases from the corpus
> created by afl-fuzz with valgrind.

I think that the original poster was asking about fuzzing with
valgrind; using valgrind on the corpus is no different from running it
in standalone mode, which was covered earlier in the thread?

Cheers,
/mz