Skip to content

Latest commit

 

History

History
49 lines (38 loc) · 1.66 KB

TODO.md

File metadata and controls

49 lines (38 loc) · 1.66 KB

TODO list for AFL++

Must

  • UI revamp
  • hardened_usercopy=0 page_alloc.shuffle=0
  • add value_profile but only enable after 15 minutes without finds
  • cmplog max len, cmplog max items envs?
  • adapt MOpt to new mutation engine
    • Update afl->pending_not_fuzzed for MOpt
  • cmplog rtn sanity check on fixed length? currently we ignore the length
  • afl-showmap -f support
  • afl-fuzz multicore wrapper script
  • when trimming then perform crash detection
  • problem: either -L0 and/or -p mmopt results in zero new coverage

Should

  • afl-crash-analysis
  • support persistent and deferred fork server in afl-showmap?
  • better autodetection of shifting runtime timeout values
  • afl-plot to support multiple plot_data
  • parallel builds for source-only targets
  • get rid of check_binary, replace with more forkserver communication
  • first fuzzer should be a main automatically? not sure.

Maybe

  • forkserver tells afl-fuzz if cmplog is supported and if so enable it by default, with AFL_CMPLOG_NO=1 (?) set to skip?
  • afl_custom_splice()
  • cmdline option from-to range for mutations

Further down the road

QEMU mode/FRIDA mode:

  • non colliding instrumentation
  • rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?)
  • add AFL_QEMU_EXITPOINT (maybe multiple?)

Ideas

  • LTO/sancov: write current edge to prev_loc and use that information when using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow up edge numbers that both following cmp paths have been found and then disable working on this edge id -> cmplog_intelligence branch
  • use cmplog colorization taint result for havoc locations?