Interpreting Output

apk_mavi

Oct 8, 2017, 1:57:34 PM
to afl-users
Hi, I am new to AFL. I ran AFL on a C compiled binary and just wanted to clarify the following:

1) I found one of the files to have the following name: id:000015,src:000000,op:havoc,rep:32,+cov
   Can I ask, what do 'src', 'op:havoc', 'rep:32' and '+cov' symbolise?

2) There was a crash detected with the following filename: id:000002,sig:11,src:000000,op:havoc,rep:32
I remember reading in the documentation that "file names for crashes and hangs are correlated with parent, non-faulting queue entries". When I visited the 'queue' folder, I found 5 files with the substring 'src:000000,op:havoc,rep:32'. However, I found no similarities between any of these inputs and the crash input. May I know what correlation is being referred to?

Michal Zalewski

Oct 8, 2017, 2:37:33 PM
to afl-users
> 1) I found one of the files to have the following names:
> id:000015,src:000000,op:havoc,rep:32,+cov
> Can I ask, what does 'src', 'op:havoc', 'rep:32' and '+cov' symbolise?

'src:nnnnnn' refers to the ID of the test case used as the input. This
test case was mutated in some way to derive the one you're looking at.

'op:havoc,rep:32' is the description of the mutations used. This
actually isn't a very descriptive one, it just means 32 rounds of
stacked random tweaks. Deterministic fuzzing steps produce more
descriptive strings, explaining which bits or bytes were replaced,
etc. For havoc, it'd take too much space.

'+cov' means that this mutation actually improved coverage, versus
just changing hit counts for the instrumentation injected by AFL.

> 2) There was a crash detected with the following filename:
> id:000002,sig:11,src:000000,op:havoc,rep:32
> I remember reading in the documentation that "file names for crashes and
> hangs are correlated with parent, non-faulting queue entries". When I
> visited the 'queue' folder, I
> found 5 files with the substring 'src:000000,op:havoc,rep:32'.

You want to look for a single test case that starts with the ID
referenced in 'src:' for the crash. In this case, 'id:000000,...'.
Since 'havoc' is a fairly disruptive stage, it may be that the
crashing test case will have little resemblance to the input, but they
are close relatives.

/mz
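To make the naming scheme explained above concrete, here is a small parser that splits AFL queue/crash file names into their fields and follows the 'src:' chain from a crash back to its original seed. This is an added example, not code from the thread or from AFL itself; the two directory listings are constructed, and the field names (id, src, op, rep, sig, orig, +cov) are the ones described in the replies above.

```python
"""Parse AFL output file names and trace a crash back to its seed.

Added example, not part of the original thread or of AFL. The listings
below stand in for <out>/queue and <out>/crashes and are constructed.
"""
import signal

# Constructed sample listing of <out>/queue (non-faulting test cases).
QUEUE = [
    "id:000000,orig:seed-0",                      # the original seed
    "id:000001,src:000000,op:flip1,pos:0,+cov",   # deterministic step
    "id:000015,src:000000,op:havoc,rep:32,+cov",  # 32 stacked random tweaks
    "id:000016,src:000015,op:havoc,rep:16",
]
# Constructed sample listing of <out>/crashes.
CRASHES = [
    "id:000002,sig:11,src:000000,op:havoc,rep:32",
    "id:000003,sig:06,src:000016,op:havoc,rep:8",
]


def parse_afl_name(name):
    """Split 'key:value' fields; a bare token such as '+cov' becomes a flag."""
    fields = {}
    for tok in name.split(","):
        if ":" in tok:
            key, value = tok.split(":", 1)
            fields[key] = value
        else:
            fields[tok] = True  # '+cov': new coverage, not just new hit counts
    return fields


def crash_signal(name):
    """Map the 'sig:' field of a crash name to its signal name, e.g. SIGSEGV."""
    return signal.Signals(int(parse_afl_name(name)["sig"])).name


def lineage(name, queue=QUEUE):
    """Return [name, parent, grandparent, ..., orig seed] by following 'src:'.

    'src' is the id of the non-faulting queue entry the case was derived from;
    the crash itself is not in the queue, so only its ancestors are looked up.
    A splice step lists two parents as 'src:000000+000005'; the first is used.
    """
    by_id = {parse_afl_name(q)["id"]: q for q in queue}
    chain, fields = [name], parse_afl_name(name)
    while "src" in fields:
        parent = by_id[fields["src"].split("+")[0]]
        chain.append(parent)
        fields = parse_afl_name(parent)
    return chain
```

Run against a real output directory, `lineage(crash, os.listdir(out + "/queue"))` gives the chain of parents whose diffs show which mutations led to the crash, even when the havoc stage leaves little visible resemblance to the direct parent.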

apk_mavi

Oct 9, 2017, 10:00:45 AM
to afl-users
Hi Michal

Thanks a lot for the detailed responses. Just to clarify the following if I am understanding the semantics accurately:

1) If I do not provide any test cases to AFL, the default test case would be "fuzz" given by 'id:000000,orig:seed-0' in the queue folder. Now, subsequent files in the queue that are named '...src:000000...' are essentially using "fuzz" as the input since the 'src' value corresponds to the 'id' of the test case "fuzz". Is that right?

2) Similarly, in the crash folder, for a crash with the name 'id:000002,sig:11,src:000000,op:havoc,rep:32', it is basically referring to the test case "fuzz" since the 'id' of that corresponds to the 'src' value of the crash. Is that right?

apk_mavi

Oct 11, 2017, 8:45:13 AM
to afl-users
Hi Michal

Just to clarify the following if I am understanding the semantics accurately:

1) If I do not provide any test cases to AFL, the default test case would be "fuzz" given by 'id:000000,orig:seed-0' in the queue folder. Now, subsequent files in the queue that are named '...src:000000...' are essentially using "fuzz" as the input since the 'src' value corresponds to the 'id' of the test case "fuzz". Is that right?

2) Similarly, in the crash folder, for a crash with the name 'id:000002,sig:11,src:000000,op:havoc,rep:32', it is basically referring to the test case "fuzz" since the 'id' of that corresponds to the 'src' value of the crash. Is that right?
