
I am looking to understand how AFL implements its seed selection. To my understanding, afl-fuzz.c has a function called has_new_bits which returns values identifying whether the result of an input creates a new path, a new edge, or is not an interesting branch we are considering. So my question is this: given that I am able to insert some lines of code that allow me to insert variables such as a counter, which I can increment with other lines of code in a given branch, how do I modify AFL such that it is able to detect this?

l0j0
  • AFL relies on coverage; your incremented variable should affect coverage to make AFL consider it in path selection. – nevilad Mar 25 '21 at 08:51
  • Okay, and to affect coverage, based on what I understand, I would need to affect the bits on the shadow memory map? Or? Okay, to give more context, I am trying to learn how to fuzz Rust binaries, and I have already (or I think I did) created an instrumentation method where I insert lines of code given a certain type of code that appears in it. – l0j0 Mar 25 '21 at 16:52
  • Make the paths your program selects dependent on the value of your variable. – nevilad Mar 26 '21 at 12:50
  • Hmmm, but AFL still generates/selects the seed randomly, right? Let's say, given two child seeds, both with the same coverage, one seed leads to a block with an unsafe operation that will lead to a vulnerability; then how do I get AFL to select this seed over the other? – l0j0 Mar 28 '21 at 08:24
  • AFL prefers favored seeds. If I remember right, when 2 inputs have the same coverage the smaller one is favored. New blocks found by an input are also considered in seed selection. AFL can't know which seed will lead to a path with vulnerabilities; it selects the one that will more probably lead to newly discovered blocks. – nevilad Mar 28 '21 at 09:41

1 Answer


In AFL++, you can affect the coverage bitmap directly using __afl_coverage_interesting. You can, for instance, compute the val parameter using the value of your counter (but remember that val is u8).

Another way is to use FuzzFactory, a modified version of AFL that allows the user to define custom coverage metrics. In their paper the authors discuss one of the possible coverage metrics that FuzzFactory can use, namely validity. With validity, the fuzzer selects valid inputs with higher probability. You can hack around it and make a FuzzFactory version that focuses on inputs triggering unsafe code instead of valid inputs.
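To make the first approach concrete, here is an added example of a target that feeds a counter into AFL++'s map through __afl_coverage_interesting; it is not code from the answer or from AFL++. It assumes a plain cc build, where a no-op stand-in replaces the runtime's symbol (afl-clang-fast defines the __AFL_COMPILER macro, which the example uses to tell the two builds apart), and the map slot id 0 is a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8; typedef uint32_t u32;  /* AFL++'s own type names */

/* afl-clang-fast defines __AFL_COMPILER and its runtime provides this symbol;
 * in a plain build (assumed here) a no-op stand-in keeps the program linkable. */
#ifdef __AFL_COMPILER
void __afl_coverage_interesting(u8 val, u32 id);
#else
void __afl_coverage_interesting(u8 val, u32 id) { (void)val; (void)id; }
#endif
static u32 unsafe_ops = 0;  /* the counter the questioner inserts */

/* val is a u8, so collapse the counter the way AFL buckets hit counts
 * (0,1,2,3,4-7,8-15,16-31,32-127,128+): only a bucket change reads as new. */
u8 bucket_counter(u32 n) {
    if (n == 0) return 0;
    if (n == 1) return 1;
    if (n == 2) return 2;
    if (n == 3) return 4;
    if (n <= 7) return 8;
    if (n <= 15) return 16;
    if (n <= 31) return 32;
    if (n <= 127) return 64;
    return 128;
}

/* Toy target: every backslash in the input is a visit to the "unsafe" block. */
u32 process_input(const u8 *buf, size_t len) {
    unsafe_ops = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\\') unsafe_ops++;  /* the increment placed in the branch */
    return unsafe_ops;
}

/* Write the bucketed counter into map slot 0 (constructed id); return the value written. */
u8 report_to_afl(u32 count) {
    u8 val = bucket_counter(count);
    __afl_coverage_interesting(val, 0);
    return val;
}

int main(void) {
    u8 buf[4096];
    size_t len = fread(buf, 1, sizeof buf, stdin);
    report_to_afl(process_input(buf, len));
    return 0;
}
```

Because the written value only changes when the counter crosses a bucket boundary, AFL++ treats an input that reaches the instrumented block substantially more often as new coverage rather than noise.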