forkserver in afl utils (tmin and analyze)?

Tim Newsham

Mar 16, 2016, 7:25:06 PM
to afl-users
I noticed that the fork server isn't supported in tools like afl-tmin and afl-analyze.  I'm currently using test cases that have a large startup before invoking the fork server, so this is a big loss for my tests -- each tmin measurement takes seconds.

Is forkserver support in tools something that you plan to support in the future?  How much work would it be to get these tools to use the forkserver? (Does this also preclude tmin from being used with programs that are set up with persistent-mode fuzzing?)

Tim

Michal Zalewski

Mar 16, 2016, 8:08:55 PM
to afl-users
> Is forkserver support in tools something that you plan to support in the
> future? How much work would it be to get these tools to use the forkserver?

Some of the common code needs to be abstracted out and moved to a
separate .c / .o file. Not too much work, but probably 2-3 days of
manual labor, since many other things would need to be refactored,
too.

> (Does this also preclude tmin from being used with programs that are set up
> with persistent-mode fuzzing?)

They should be fine. You just don't get the associated speed gain. The
__AFL_LOOP() magic auto-detects stuff and does the right thing.

/mz
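As an added example (not code from this thread or from the AFL project): a persistent-mode target laid out the way Tim's situation calls for, with the expensive startup finished before the deferred fork server is started and the per-test-case work inside the __AFL_LOOP() body that Michal says keeps working under afl-tmin, just without the speed gain. __AFL_INIT(), __AFL_LOOP() and __AFL_HAVE_MANUAL_CONTROL are the real afl-clang-fast macros; the CRC-32 target, expensive_init, process_input, init_calls and the one-shot fallbacks are hypothetical stand-ins.

```c
/* Persistent-mode AFL target whose slow startup runs before the deferred
   fork server.  Build with afl-clang-fast; under any other compiler the
   fallbacks below make it an ordinary one-shot program (hypothetical target). */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __AFL_HAVE_MANUAL_CONTROL      /* not afl-clang-fast: nothing to defer */
#define __AFL_INIT() ((void)0)
#endif
#ifndef __AFL_LOOP                     /* fallback: run the loop body exactly once */
static int afl_loop_once(unsigned n) { static unsigned done; (void)n; return done++ == 0; }
#define __AFL_LOOP(n) afl_loop_once(n)
#endif

static uint32_t crc_table[256];
int init_calls;                        /* counts how often the slow startup ran */

/* Stand-in for the multi-second startup discussed in the thread: build a CRC-32
   table.  It runs before __AFL_INIT(), so every forked child and every
   __AFL_LOOP() iteration reuses the finished table instead of rebuilding it. */
void expensive_init(void) {
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++) c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
        crc_table[i] = c;
    }
    init_calls++;
}

/* Code under test: CRC-32 of one input.  It keeps no state across calls,
   which is what a persistent-mode body must guarantee between iterations. */
uint32_t process_input(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) crc = crc_table[(crc ^ buf[i]) & 0xFF] ^ (crc >> 8);
    return ~crc;
}

int main(void) {
    static uint8_t buf[1 << 16];
    expensive_init();                  /* paid once per fork server, not once per test case */
    __AFL_INIT();                      /* fork server starts here, after the slow work */
    while (__AFL_LOOP(1000)) {         /* afl-fuzz: up to 1000 cases per process */
        ssize_t n = read(0, buf, sizeof buf);   /* stdin is rewound for each iteration */
        if (n < 0) return 1;
        printf("%08x\n", process_input(buf, (size_t)n));
    }
    return 0;
}
```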

Tim Newsham

Mar 21, 2016, 8:55:21 PM
to afl-users
On Wednesday, March 16, 2016 at 2:08:55 PM UTC-10, Michal Zalewski wrote:

> Some of the common code needs to be abstracted out and moved to a
> separate .c / .o file. Not too much work, but probably 2-3 days of
> manual labor, since many other things would need to be refactored,
> too.
>
> /mz

I didn't take on the refactoring work, but I did get afl-showmap and afl-cmin
working with the forkserver.  The afl-showmap changes are fairly straightforward
and shouldn't affect pre-existing functionality.  The afl-cmin changes I have
are a bit more of a hack and I had to break stdin processing and take out
some sanity checks (that would have caused another forkserver startup).
It seems to work for me and my use case (I currently have forkserver startup
cost of about 5 seconds but I can run around 100 tests per second with the
fork server. I will soon have a several-minute forkserver startup for another
test case).  It is not yet heavily tested.  My patches are attached.

Tim 

patch-cmin-forkserv.txt
patch-showmap-forkserv.txt