Date: Sat, 25 Apr 2015 03:25:11 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Advice on proposal: John the Ripper jumbo robustness

On 24.04.2015 17:10, Kai Zhao wrote:
>> A week ago, in version 1.69b, afl has got support for deferred
>> initialization in LLVM mode. Please try it.
>
> I would have done a lot of useless work without your suggestion, thanks.
>
> I use the latest version: afl-1.71b, and the fuzzing speed can reach 2200
> exec/sec.

That's a pretty decent speed. I think it's good enough for fuzzing.

> Below are the detailed steps.

Thanks, it's useful. It clears up some questions right away and serves as
documentation for others (at least for me).

> 1. Install afl-1.71b
>
> $ cd afl-1.71b
> $ make && sudo make install
> $ cd llvm_mode
> $ make
>
> There is an error on my computer and I have reported it to the afl-user
> group.

See my reply there.

> Even though there is an error, afl-clang-fast can be generated
> and we can ignore the error currently.
>
> 2. Change john.c
>
> Next, insert the following global function declaration somewhere in the
> source file:
>
> void __afl_manual_init(void);
>
> ...and add a call to this function in the desired location before
> recompiling the project with afl-clang-fast (afl-gcc and afl-clang will
> *not* work).
>
> Attached is the patch that changes john.c to fuzz faster.
>
> 3. Compile john
>
> $ CC=/path/to/afl-clang-fast ./configure --disable-openmp
> $ make
>
> 3.1 Can we instrument only the necessary minimum?
>
> No, I tried but failed.

It was useful not to instrument secondary parts of the code because it
slowed the start-up process down. It doesn't matter if the start-up process
is performed only once.

Please try to also undo other optimizations. E.g. enable dynamics, use the
full config file, etc. If it's done only once it should not visibly affect
fuzzing speed.

> $ CC=clang ./configure && make && rm 7z_fmt_plug.o john.o
> $ make CC=.../path/to/afl-clang-fast
>
> There are a lot of compile errors.
>
> 3.2 Why disable openmp?
>
> AFL can't clone threads easily. So we should disable threads before the
> __afl_manual_init() function.

Yeah, we don't want threads. At least for now.

> 4. Fuzz
>
> $ export AFL_DEFER_FORKSRV='1'
> $ echo '[Options]' > local.conf
> $ echo garbage > test_cases/test.pw
> $ afl-fuzz -m none -i test_cases/ -o out ../john @@ --nolog
> --skip-self-test --format=7z --config=local.conf

BTW, as a separate experiment, please try fuzzing with and without --nolog
and --skip-self-test. I've seen faster fuzzing without these options in
some tests.

> The exec speed is around 2200 exec/sec.
>
> run time      : 0 days, 0 hrs, 23 min, 28 sec
> cycles done   : 1
> total paths   : 192
> total execs   : 3.10M
> exec speed    : 2185/sec
> favored paths : 25
> new edges on  : 43

Nice.

--
Alexander Cherepanov
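The four steps above, as one added example that is not part of Kai's patch, of afl, or of John the Ripper's own code: a minimal fuzz target laid out the way AFL's deferred fork server requires, with the input-independent start-up first, the hand-off to AFL next, and only the per-input parsing after it, so each of the ~2200 executions per second pays for the parser alone. The toy record format, its magic bytes, the sample inputs and every function name here are assumptions made for the example; the real 7z signature is only borrowed for the first four bytes.

```c
/*
 * Added example, not code from John the Ripper or afl.  Shape of a target
 * built for AFL's deferred initialization: everything that is identical for
 * every input (config, format registration, self-tests) runs once, before
 * the fork server starts; the per-input work runs after it.
 * Build: CC=/path/to/afl-clang-fast; run: afl-fuzz -m none -i in -o out ./t @@
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a JtR format descriptor: what start-up computes once. */
typedef struct {
    uint8_t magic[4];    /* expected file signature */
    size_t  max_payload; /* largest payload the toy format accepts */
} format_t;

/* Stand-in for the expensive, input-independent start-up. */
static format_t *load_format(void)
{
    format_t *fmt = calloc(1, sizeof *fmt);
    if (!fmt)
        return NULL;
    /* Constructed: first four bytes of the 7z signature (37 7A BC AF 27 1C). */
    memcpy(fmt->magic, "7z\xBC\xAF", 4);
    fmt->max_payload = 64;
    return fmt;
}

/*
 * Toy record layout: magic[4] | len (uint16, little-endian) | payload[len].
 * Returns the payload length on success, -1 on malformed input.  The length
 * checks are the kind of thing this fuzzing setup exercises: a parser that
 * trusts the declared length reads past the data it was actually given.
 */
static int parse_record(const format_t *fmt, const uint8_t *buf, size_t len,
                        uint8_t *out, size_t out_cap)
{
    if (len < 6)
        return -1;                              /* header incomplete */
    if (memcmp(buf, fmt->magic, 4) != 0)
        return -1;                              /* wrong signature */
    size_t plen = (size_t)buf[4] | ((size_t)buf[5] << 8);
    if (plen > fmt->max_payload || plen > out_cap)
        return -1;                              /* format/output limit */
    if (plen > len - 6)
        return -1;                              /* declared length exceeds data */
    memcpy(out, buf + 6, plen);
    return (int)plen;
}

/* Per-input I/O: opened only after the fork server is up. */
static int read_file(const char *path, uint8_t *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (int)n;
}

/* Constructed sample inputs for a stand-alone check of the parser. */
static const uint8_t SAMPLE_GOOD[]      = { '7', 'z', 0xBC, 0xAF, 3, 0, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNCATED[] = { '7', 'z', 0xBC, 0xAF, 9, 0, 'a', 'b', 'c' };
static const uint8_t SAMPLE_BADMAGIC[]  = { 'X', 'z', 0xBC, 0xAF, 1, 0, 'a' };

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }

    /* 1. One-time start-up, done before the fork server exists. */
    format_t *fmt = load_format();
    if (!fmt)
        return 1;

    /* 2. Deferred-init point.  Newer afl-clang-fast defines
     *    __AFL_HAVE_MANUAL_CONTROL and the __AFL_INIT() macro; with afl
     *    1.71b as in this thread, declare `void __afl_manual_init(void);`
     *    and call it here instead, with AFL_DEFER_FORKSRV=1 exported.
     *    Nothing below this line may already be open or threaded above it. */
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();
#endif

    /* 3. Per-input work: this is all a fuzz iteration executes. */
    uint8_t in[4096], out[64];
    int n = read_file(argv[1], in, sizeof in);
    if (n < 0) {
        free(fmt);
        return 1;
    }
    int plen = parse_record(fmt, in, (size_t)n, out, sizeof out);
    printf("%s\n", plen < 0 ? "malformed" : "ok");
    free(fmt);
    return 0;
}
```

The ordering is the whole point: under `AFL_DEFER_FORKSRV=1` the fork server is started at the `__afl_manual_init()` call and every fuzz case forks from that snapshot, which is why the thread's john.c patch has to place the call after option parsing, config loading and self-tests, but before the input file is opened and before any OpenMP threads would exist (a forked child keeps only the calling thread, hence `--disable-openmp`).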