This repository contains the implementation of AFL++-PGE used in the evaluation part.
- How to build AFL++-PGE
- How to instrument a target with AFL++-PGE
- How to fuzz a target with AFL++-PGE
- How to use AFL++-PGE on Magma
Clone this repository and cd to the root directory, then
$ cd AFLplusplus-PGE
$ make all
Note that, since AFL++-PGE uses LLVM PCGUARD for instrumentation, we strongly suggest compiling AFL++-PGE with clang >= 13 for better performance.
A nearly universal approach is to specify the C/C++ compilers when configuring and building your target binary:
$ CC=/path/to/AFLplusplus-PGE/afl-clang-fast CXX=/path/to/AFLplusplus-PGE/afl-clang-fast++ ./configure
$ CC=/path/to/AFLplusplus-PGE/afl-clang-fast CXX=/path/to/AFLplusplus-PGE/afl-clang-fast++ make clean all
There is only one extra argument in AFL++-PGE compared to AFL++:
-r (required): the target recall rate used during the prefix length search.
The fuzzing command for a binary would be, for example:
$ /path/to/AFLplusplus-PGE/afl-fuzz -r 90 -m none -i input/ -o output/ -- /path/to/bin @@
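The build, instrument and fuzz steps above, tied together in a small POSIX sh wrapper. This is an added example, not a script shipped with AFL++-PGE: it assumes the AFL++-PGE checkout is at $PGE_ROOT (defaulting to ./AFLplusplus-PGE) and already built with `make all`, that the target uses ./configure && make, and it treats the -r recall rate as an integer percentage in 1..100 (the range is the script's own assumption, afl-fuzz is not consulted for it).

```shell
#!/bin/sh
# Added helper script (not part of AFL++-PGE): instruments a configure/make
# target with the AFL++-PGE compiler wrappers and assembles the afl-fuzz
# command line from the README. Assumes the AFL++-PGE checkout lives at
# $PGE_ROOT (default: ./AFLplusplus-PGE) and has been built with `make all`.
PGE_ROOT="${PGE_ROOT:-$PWD/AFLplusplus-PGE}"

# validate_recall RECALL
# The -r value is a recall percentage; accept only integers 1..100
# (this range is the script's assumption, not something afl-fuzz enforces).
validate_recall() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 100 ]
}

# instrument_target SRC_DIR
# Configure and build SRC_DIR with afl-clang-fast/afl-clang-fast++ so the
# binary receives PCGUARD instrumentation. Fails early if the wrappers
# are missing, which is the usual cause of an uninstrumented build.
instrument_target() {
    src_dir=$1
    if [ ! -x "$PGE_ROOT/afl-clang-fast" ] || [ ! -x "$PGE_ROOT/afl-clang-fast++" ]; then
        echo "afl-clang-fast(++) not found under $PGE_ROOT; build AFL++-PGE first" >&2
        return 1
    fi
    ( cd "$src_dir" &&
      CC="$PGE_ROOT/afl-clang-fast" CXX="$PGE_ROOT/afl-clang-fast++" ./configure &&
      CC="$PGE_ROOT/afl-clang-fast" CXX="$PGE_ROOT/afl-clang-fast++" make clean all )
}

# build_fuzz_cmd RECALL IN_DIR OUT_DIR TARGET_BIN
# Prints the afl-fuzz invocation from the README (-r, -m none, @@ marks the
# input file) after validating the recall value; returns 1 on a bad value.
build_fuzz_cmd() {
    recall=$1; in_dir=$2; out_dir=$3; target=$4
    validate_recall "$recall" || {
        echo "invalid recall rate '$recall' (expected integer 1..100)" >&2
        return 1
    }
    printf '%s -r %s -m none -i %s -o %s -- %s @@\n' \
        "$PGE_ROOT/afl-fuzz" "$recall" "$in_dir" "$out_dir" "$target"
}

# Usage: ./pge-fuzz.sh SRC_DIR RECALL IN_DIR OUT_DIR TARGET_BIN
# Instruments SRC_DIR, prints the fuzzing command, then runs it.
if [ "$#" -eq 5 ]; then
    instrument_target "$1" || exit 1
    build_fuzz_cmd "$2" "$3" "$4" "$5" || exit 1
    exec "$PGE_ROOT/afl-fuzz" -r "$2" -m none -i "$3" -o "$4" -- "$5" @@
fi
```

Running it with no arguments only defines the functions, so build_fuzz_cmd can be used as a dry run to check the command line before committing to a long campaign; the recall check catches a missing or mistyped -r value up front instead of after the instrumented build finishes.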
If you'd like to evaluate AFL++-PGE on the Magma benchmark yourself, we provide the general steps as well:
- clone the magma repo;
- copy the directory magma_integration/aflplusplus_pge_r90 into /path/to/magma/fuzzers/aflplusplus_pge_r90
The default recall is set to 90%. You can change it in magma_integration/aflplusplus_pge_r90/run.sh