Sunday, September 5, 2021

How to build AFL++ on Fedora 34

In the last article, I explained how to use Radamsa to fuzz applications. But what if you want to use a real fuzzer, one like AFL? Well, OK then. When you say AFL, I think you really mean AFL++. This is the community-supported version based on the original, but with a whole lot of new ideas to make it faster and more aggressive. I'm here to show you how to do it... but on Fedora, it's harder than it needs to be.

The thing about AFL++ is that you really want to use the clang-lto mode. To do that you need the clang gold linker, and for whatever reason, Fedora doesn't ship it. No gold linker, no clang-lto mode. So the first step of building AFL++ is to build clang from scratch, and unless you have one of those nice 12- or 16-core AMD CPUs, this will take a while.

Suppose you have a 4-core machine; that gives you 8 hyperthreads. Typically when you compile, you can do:


# one job per hyperthread (nproc prints the count; expr nproc would just print the word "nproc")
make -j $(nproc)


but a lot of that time is spent doing I/O. So you can get a little more speed by doubling that, and that is exactly what we'll do in the instructions below.

Also, I wanted to go with a released version of llvm/clang instead of whatever's in the repo at the moment, so I'll add the steps to get 12.0.1, which is the current release as of this writing. Building clang takes about an hour on a 4-core Xeon. See you on the other side.


# Build the LLVM 12.0.1 release from source under ~/working/BUILD
cd ~/working/BUILD/
git clone --depth 1 --branch llvmorg-12.0.1 https://github.com/llvm/llvm-project.git
cd llvm-project
mkdir build
cd build
# clang, lld and the gold plugin; LLVM_BINUTILS_INCDIR is where binutils' plugin-api.h lives
cmake -G "Unix Makefiles" -DLLVM_ENABLE_PROJECTS='clang;clang-tools-extra;compiler-rt;libclc;libcxx;libcxxabi;libunwind;lld' -DCMAKE_BUILD_TYPE=Release -DLLVM_BINUTILS_INCDIR="/usr/include" ../llvm
# twice the hyperthread count, as discussed above; Release build type already turns optimization on
make -j $(expr `nproc` \* 2)

# use $HOME here: a ~ inside double quotes is not expanded by the shell
export PATH="$HOME/working/BUILD/llvm-project/build/bin:$PATH"


Hopefully you had something to do while that built. Anyway, on to the real job of making AFL++. This goes much faster.


git clone https://github.com/AFLplusplus/AFLplusplus.git
cd AFLplusplus
# source-only builds afl-fuzz and the instrumenting compilers (afl-clang-lto among them) in place, without installing
make -j $(expr `nproc` \* 2) source-only

# AFL++ first, then the clang we just built, both ahead of Fedora's own tools
export PATH="$HOME/working/BUILD/AFLplusplus:$HOME/working/BUILD/llvm-project/build/bin:$PATH"
export AFL_PATH="$HOME/working/BUILD/AFLplusplus"


Those last two exports are something you can put in your .bashrc, or in a script you source before a fuzzing session. Also note that the first one includes the path to the llvm/clang you just built, not the system one.
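If you do turn those exports into a session script, it is worth having the script check that the tools are really where you think they are before it touches PATH; a typo in the prefix silently leaves you fuzzing with Fedora's clang. The following is an added example, not part of the original post or of AFL++ itself: it wraps the two exports in a setup function that validates each directory, computes the "2 x nproc" job count from above, and compiles a throwaway program with afl-clang-lto to confirm instrumentation was linked in. It assumes the directory layout used in this post (llvm-project/build/bin and AFLplusplus under one BUILD root) and that an AFL++-instrumented binary carries __afl_ symbols from the AFL++ compiler runtime.

```shell
#!/bin/sh
# Added example (not from the post): validated version of the two exports above.
# Assumptions: the post's layout (llvm-project/build/bin and AFLplusplus under
# one BUILD root), and that AFL++'s compiler runtime leaves __afl_* symbols in
# instrumented binaries.

# Twice the hyperthread count, as the post recommends, so jobs overlap I/O.
# Falls back to 2 where nproc is missing (minimal containers).
parallel_jobs() {
    n=$(nproc 2>/dev/null || echo 1)
    echo $((n * 2))
}

# path_add DIR TOOL...: prepend DIR to PATH only if every TOOL is executable
# there; otherwise report the gap and leave PATH untouched (return 1).
path_add() {
    dir=$1
    shift
    for tool in "$@"; do
        if [ ! -x "$dir/$tool" ]; then
            echo "path_add: $dir/$tool not found or not executable" >&2
            return 1
        fi
    done
    case ":$PATH:" in
        *":$dir:"*) ;;                     # already on PATH, do not duplicate
        *) PATH="$dir:$PATH"; export PATH ;;
    esac
    return 0
}

# afl_env_setup BUILD_ROOT: the post's environment, validated piece by piece.
# AFL++ goes in front of the freshly built clang, and both in front of Fedora's.
afl_env_setup() {
    root=$1
    path_add "$root/llvm-project/build/bin" clang llvm-config || return 1
    path_add "$root/AFLplusplus" afl-fuzz afl-clang-lto || return 1
    AFL_PATH="$root/AFLplusplus"
    export AFL_PATH
    return 0
}

# Compile a constructed one-line C program with afl-clang-lto and look for the
# AFL++ runtime symbols. 0 = instrumented, 1 = compile failed or no __afl_
# symbols in the result, 2 = afl-clang-lto is not on PATH.
afl_instrumentation_check() {
    command -v afl-clang-lto >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    rc=1
    if afl-clang-lto -o "$tmp/t" "$tmp/t.c" >/dev/null 2>&1 \
       && nm "$tmp/t" 2>/dev/null | grep -q '__afl_'; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Typical use, e.g. sourced from ~/.bashrc or a fuzzing session script:
#   afl_env_setup "$HOME/working/BUILD" && afl_instrumentation_check \
#       && echo "afl-clang-lto instrumentation OK (build jobs: $(parallel_jobs))"
```

The order of the two path_add calls matters: AFL++'s wrappers must shadow nothing in the clang directory, but the clang directory must shadow Fedora's clang, otherwise afl-clang-lto finds a compiler without the gold plugin it was built against. The instrumentation check is the cheap version of running afl-showmap on a target; if it returns 1 right after a build, the linker, not the fuzzer, is the first thing to look at.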

So, there you have it. We're all ready to fuzz a target. We'll start a fuzzing project in a future article to show how to fuzz a real program that people are actually using.
