Comparing two ways of using AFL with sanitizers


zhoul...@gmail.com

May 8, 2022, 4:08:36 AM5/8/22
to afl-users
Hi

I feel there are two ways of using AFL with sanitizers (ASan, UBSan, etc). 

One way is to compile the software under test with sanitizers and then run afl-fuzz. Because sanitizers slow down the software, we know this way produces fewer iterations than fuzzing without sanitizers.

Another way is to have the software under test compiled twice, once without sanitizers and once with. Then we fuzz the build without sanitizers, but run the build with sanitizers on the inputs produced in crashes/, queue/ and hangs/. This way should produce more iterations, but I do not know how much bug detection capability is negatively affected by that.

Do both ways make sense? Which one would be preferred in practice? In particular, would the Heartbleed bug be detected in one but not the other approach?

Thanks. 

- Zhoulai

Marc

May 8, 2022, 6:56:02 AM5/8/22
to afl-...@googlegroups.com, zhoul...@gmail.com
Using ASAN only for a single instance, and running others without it, is
standard practice:

https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/fuzzing_in_depth.md#c-using-multiple-cores

Regards,
Marc
--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D 3807 C7EE D0A0 6BE9 F573
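For reference, here is the second workflow from the question scripted end to end: fuzz a fast build, then replay everything AFL saved through a separate sanitizer build. This is an added example, not code from AFL++ or from either poster. The afl-cc, AFL_USE_ASAN/AFL_USE_UBSAN and afl-fuzz invocations in the comments are real AFL++ interfaces; the file names (target.c, target-fast, target-asan), the directory names (seeds/, out/, replay-logs/) and the assumption that the target takes its input as a file path in argv[1] are mine.

```shell
#!/bin/sh
# Added example for the afl-users thread above, not AFL++ project code.
# Names target.c, target-fast, target-asan, seeds/, out/, replay-logs/ and
# the "input path in argv[1]" convention are assumptions for illustration.
#
# Build both binaries with AFL++'s compiler wrapper:
#   afl-cc -o target-fast target.c
#   AFL_USE_ASAN=1 AFL_USE_UBSAN=1 afl-cc -o target-asan target.c
#
# What Marc's link recommends: one sanitizer instance among several cores.
#   afl-fuzz -i seeds -o out -M main -- ./target-fast @@
#   afl-fuzz -i seeds -o out -S asan -- ./target-asan @@
#
# What the question describes: fuzz the fast build, replay afterwards.
#   afl-fuzz -i seeds -o out -- ./target-fast @@
#   sh replay.sh        # this file

set -u

# ASan exits non-zero on a report by default (exitcode=1). UBSan recovers and
# keeps running unless told to halt, so force that here so a UB report counts.
export ASAN_OPTIONS="${ASAN_OPTIONS:-symbolize=1}"
export UBSAN_OPTIONS="${UBSAN_OPTIONS:-halt_on_error=1:print_stacktrace=1}"
REPLAY_TIMEOUT="${REPLAY_TIMEOUT:-10}"   # seconds per input; matters for hangs/

# run_one CMD...: run CMD under coreutils timeout when available (exit 124 on
# timeout), otherwise run it directly.
run_one() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$REPLAY_TIMEOUT" "$@"
    else
        "$@"
    fi
}

# replay_corpus BIN DIR [LOGDIR]
# Feeds every regular file in DIR to BIN as argv[1]. Prints to stdout the
# number of inputs on which BIN did not exit 0 (sanitizer report, signal or
# timeout). Sanitizer output for each failing input is kept in LOGDIR; failing
# paths are echoed on stderr. AFL's README.txt in crashes/ is skipped, and
# queue/.state is never matched by the glob.
replay_corpus() {
    bin="$1"
    dir="$2"
    logdir="${3:-replay-logs}"
    failed=0
    mkdir -p "$logdir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in */README.txt) continue ;; esac
        log="$logdir/$(basename "$f").log"
        if run_one "$bin" "$f" >/dev/null 2>"$log"; then
            rm -f "$log"                       # clean run, nothing to keep
        else
            failed=$((failed + 1))
            echo "FAIL: $f (report in $log)" >&2
        fi
    done
    echo "$failed"
}

# When run as a script next to an AFL output directory (assumed layout),
# replay crashes/, hangs/ and queue/ through the sanitizer build. Replaying
# queue/ is the important part: an input that only over-reads memory does not
# crash target-fast, so it lands in queue/ (if it gave new coverage) rather
# than crashes/.
if [ -x ./target-asan ] && [ -d ./out ]; then
    for d in crashes hangs queue; do
        [ -d "out/$d" ] || continue
        n=$(replay_corpus ./target-asan "out/$d" "replay-logs/$d")
        echo "out/$d: $n inputs failed under sanitizers"
    done
fi
```

Two caveats follow from the script rather than from the thread. First, AFL only saves an input to queue/ when it adds coverage, so a silent over-read of the Heartbleed kind is replayed through the ASan build only if the fast build happened to keep that input; the single always-on ASan instance Marc points to does not have that gap. Second, a non-zero exit from `timeout` (124) is counted as a failure, which is what you want when walking hangs/ but means a slow-but-correct input shows up in the count too; read the kept log before filing anything.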