AFL源码分析与使用指南<\/h1>

一、AFL简介<\/h2>

American Fuzzy Lop (AFL)是由Google安全工程师Michał Zalewski开发的一款开源fuzzing测试工具，具有以下特点：<\/p>

使用编译时插桩技术<\/li>
采用遗传算法自动发现触发目标程序漏洞的测试用例<\/li>
显著提高测试代码的功能覆盖率<\/li>

项目地址：google\/AFL: american fuzzy lop - a security-oriented fuzzer<\/li> <\/ul>

二、AFL基本使用<\/h2>

1. 安装AFL<\/h3>

make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre>2. 插装编译测试<\/h3>
\/\/ test.c示例
<\/span><\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <malloc.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    int<\/span> size;
<\/span><\/span>    scanf("%d"<\/span>, &<\/span>size);
<\/span><\/span>    printf("size:%d<\/span>\n<\/span>"<\/span>, size);
<\/span><\/span>    char<\/span> *<\/span>buf =<\/span> (char<\/span> *<\/span>)malloc(size);
<\/span><\/span>    read(0<\/span>, buf, 0x200<\/span>);
<\/span><\/span>    puts(buf);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译命令：<\/p>
afl-gcc -g -o test test.c
<\/span><\/span><\/code><\/pre>3. 创建种子文件夹<\/h3>
mkdir seeds
<\/span><\/span>echo "123"<\/span> > seeds\/any_seed
<\/span><\/span><\/code><\/pre>4. 开始fuzz<\/h3>
afl-fuzz -i seeds -o fuzz_out .\/test
<\/span><\/span><\/code><\/pre>5. 常见问题解决<\/h3>
core_pattern报错<\/strong>：<\/p>
sudo su
<\/span><\/span>echo core >\/proc\/sys\/kernel\/core_pattern
<\/span><\/span><\/code><\/pre>内存设置问题<\/strong>：<\/p>
afl-fuzz -i seeds -o fuzz_out -m none .\/test
<\/span><\/span><\/code><\/pre>三、AFL界面解析<\/h2>

Process Timing<\/strong>：Fuzzer运行时长、距离最近发现的路径\/崩溃\/挂起的时间<\/li>
cycle progress<\/strong>：输入队列进度，当前测试用例序号<\/li>
Stage progress<\/strong>：当前测试策略、执行次数、平均速度<\/li>
fuzzing strategy yields<\/strong>：变异策略的最新行为和结果<\/li>
Overall results<\/strong>：当前状态（循环队列次数、总路径数、崩溃次数、挂起次数）<\/li>
map coverage<\/strong>：

map density：使用的位图大小占比<\/li>
count coverage：位图中每个被命中字节平均改变的位数(1-8)<\/li>
<\/ul>
<\/li>
findings in depth<\/strong>：青睐的测试用例数、覆盖新路径测试用例数、总崩溃数、总超时数<\/li>
path geometry<\/strong>：执行路径信息<\/li>
<\/ol>
四、AFL源码分析<\/h2>
1. afl-gcc分析<\/h3>
afl-gcc是gcc\/g++\/clang\/clang++的包装器，主要功能：<\/p>

设置编译参数并调用下游编译器<\/li>
需要知道afl-as的路径（默认\/usr\/local\/lib\/afl\/或通过AFL_PATH指定）<\/li>
支持AFL_HARDEN（添加安全编译选项）和AFL_USE_ASAN（使用ASan）<\/li>
可通过AFL_CC\/AFL_CXX指定非标准编译器<\/li>
<\/ul>
主要函数：<\/h4>
main函数流程<\/strong>：<\/p>

通过find_as()寻找afl-as插桩器位置<\/li>
通过edit_params()修改下游编译参数<\/li>
使用execvp执行下游编译器<\/li>
<\/ol>
find_as()逻辑<\/strong>：<\/p>

检查AFL_PATH环境变量<\/li>
在argv[0]所在目录查找<\/li>
最后通过编译时的AFL_PATH查找<\/li>
<\/ol>
edit_params()逻辑<\/strong>：<\/p>

分析argv[0]确定调用的编译器类型<\/li>
复制argv[1]开始的参数<\/li>
覆盖-B参数为as_path，使编译时使用afl-as替换原生as<\/li>
<\/ol>
2. afl-as插桩器<\/h3>
afl-as是GNU汇编器(as)的包装器，主要功能：<\/p>

预处理GCC\/clang生成的汇编文件<\/li>
注入来自afl-as.h的插桩代码<\/li>
自动被afl-gcc\/afl-clang调用<\/li>
<\/ol>
注意：不会对手写汇编代码插桩（.s文件或asm块）<\/p>
主要函数：<\/h4>
main函数流程<\/strong>：<\/p>

初始化随机种子<\/li>
修改as参数<\/li>
在汇编上插桩<\/li>
调用as编译<\/li>
<\/ol>
edit_params()逻辑<\/strong>：<\/p>

确定as名称（默认GNU as，可被AFL_AS覆盖）<\/li>
复制原始argv参数<\/li>
设置临时文件modified_file（路径为\/tmp\/.afl-pid-time.s）<\/li>
<\/ol>
插桩实现<\/strong>：<\/p>

在分支处插入_afl_maybe_log()调用<\/li>
使用独立栈保存寄存器状态<\/li>
核心逻辑：
cur_location =<\/span> <<\/span>COMPILE_TIME_RANDOM><\/span>;
<\/span><\/span>shared_mem[cur_location ^<\/span> prev_location]++<\/span>;
<\/span><\/span>prev_location =<\/span> cur_location >><\/span> 1<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 共享内存与fork server机制<\/h3>
__afl_maybe_log()工作流程<\/strong>：<\/p>

检查共享内存是否已映射<\/li>
未映射则调用__afl_setup初始化<\/li>
已映射则调用__afl_store记录执行信息<\/li>
<\/ol>
__afl_setup流程<\/strong>：<\/p>

检查__afl_setup_failure<\/li>
检查__afl_global_area_ptr<\/li>
获取__AFL_SHM_ID环境变量<\/li>
使用shmat映射共享内存<\/li>
进入__afl_forkserver<\/li>
<\/ol>
fork server机制<\/strong>：<\/p>

使用管道(198\/199)通信<\/li>
主进程循环：fork子进程→报告pid→等待子进程结束<\/li>
子进程恢复原始执行流程<\/li>
避免频繁execve，提高fuzz效率<\/li>
<\/ul>
五、AFL覆盖率机制<\/h2>
AFL使用基于边界(edge)的覆盖率反馈机制：<\/p>

每个基本块开头插入桩代码<\/li>
将源基本块和目的基本块组合成元组(tuple)<\/li>
通过记录tuple信息实现边界覆盖率统计<\/li>
执行次数被划分为8个bucket：<\/li>
<\/ol>
static<\/span> const<\/span> u8 count_class_lookup8[256<\/span>] =<\/span> {
<\/span><\/span>    [0<\/span>] =<\/span> 0<\/span>, [1<\/span>] =<\/span> 1<\/span>, [2<\/span>] =<\/span> 2<\/span>, [3<\/span>] =<\/span> 4<\/span>,
<\/span><\/span>    [4.<\/span>..7<\/span>] =<\/span> 8<\/span>, [8.<\/span>..15<\/span>] =<\/span> 16<\/span>, 
<\/span><\/span>    [16.<\/span>..31<\/span>] =<\/span> 32<\/span>, [32.<\/span>..127<\/span>] =<\/span> 64<\/span>,
<\/span><\/span>    [128.<\/span>..255<\/span>] =<\/span> 128<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
通过比较trace_bits的hash值判断是否发现新路径<\/li>
<\/ol>
六、关键点总结<\/h2>

编译插桩<\/strong>：afl-gcc包装编译器，afl-as实现汇编级插桩<\/li>
覆盖率统计<\/strong>：基于边界(edge)的tuple记录方式<\/li>
fork server<\/strong>：高效执行目标程序的核心机制<\/li>
共享内存<\/strong>：通过__AFL_SHM_ID环境变量传递共享内存ID<\/li>
变异策略<\/strong>：遗传算法驱动测试用例生成<\/li>
反馈机制<\/strong>：通过执行路径变化指导fuzzing方向<\/li>
<\/ol>
七、参考资源<\/h2>

AFL中使用的环境变量以及状态栏、fuzzer_stats文件、plot_data文件中各字段的含义<\/li>
AFL白皮书<\/li>
experimental\/clang_asm_normalize\/（处理手写汇编的解决方案）<\/li>
<\/ol>

AFL源码分析与使用指南<\/h1>

二、AFL基本使用<\/h2>

四、AFL源码分析<\/h2>

七、参考资源<\/h2> AFL中使用的环境变量以及状态栏、fuzzer_stats文件、plot_data文件中各字段的含义<\/li> AFL白皮书<\/li> experimental\/clang_asm_normalize\/（处理手写汇编的解决方案）<\/li> <\/ol>

七、参考资源<\/h2>

AFL中使用的环境变量以及状态栏、fuzzer_stats文件、plot_data文件中各字段的含义<\/li>
AFL白皮书<\/li>
experimental\/clang_asm_normalize\/（处理手写汇编的解决方案）<\/li> <\/ol>