Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <553ADEE7.3070604@openwall.com>
Date: Sat, 25 Apr 2015 03:25:11 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Advice on proposal: John the Ripper jumbo robustness

On 24.04.2015 17:10, Kai Zhao wrote:
>> A week ago, in version 1.69b, afl have got support for deferred
>> initialization in LLVM mode. Please try it.
>
> I would have done a lot of useless work without your suggestion, thanks.
>
> I use the latest version: afl-1.71b, and the fuzzing speed can reach 2200
> exec/sec.

That's a pretty decent speed. I think it's good enough for fuzzing.

> Below are the detailed steps.

Thanks, it's useful. It clears some question right away and serves as a 
documentation for others (at least for me).

> 1. Install afl-1.71b
>
> $ cd afl-1.71b
> $ make && sudo make install
> $ cd llvm_mode
> $ make
>
> There is an error on my computer and I have reported it to the afl-user
> group.

See my reply there.

> Even though there is an error, the afl-clang-fast can be generated
> and we can ignore the error currently.
>
> 2. Change john.c
>
> Next, insert the following global function declaration somewhere in the
> source file:
>
> void __afl_manual_init(void);
>
> ...and add a call to this function in the desired location before
> recompiling
> the project with afl-clang-fast (afl-gcc and afl-clang will *not* work).
>
> Attachment is the patch that change john.c to fuzz faster.
>
> 3. Compile john
>
> $ CC=/path/to/afl-clang-fast ./configure --disable-openmp
> $ make
>
> 3.1 Can we instrumenting only necessary minimum ?
>
> No, I tried but failed.

It was useful to not instrument secondary parts of code because it 
slowed start-up process down. It doesn't matter If start-up process is 
performed only once.

Please try to also undo other optimizations. E.g. enable dymanics, use 
full config file, etc. If it's done only once it should not visibly 
affect fuzzing speed.

> $ CC=clang ./configure && make && rm 7z_fmt_plug.o john.o
> $ make CC=.../path/to/afl-clang-fast
>
> There are a lot of compile errors.
>
> 3.2 Why disable openmp?
>
> AFL can't clone thread easily. So we should disable thread before the
> __afl_manual_init() function.

Yeah, we don't want threads. At least for now.

> 4. Fuzz
>
> $ export AFL_DEFER_FORKSRV='1'
> $ echo '[Options]' > local.conf
> $ echo garbage > test_cases/test.pw
> $ afl-fuzz -m none -i test_cases/ -o out ../john @@ --nolog
> --skip-self-test --format=7z --config=local.conf

BTW, as a separate experiment, please try fuzzing with and without 
--nolog and --skip-self-test. I've seen faster fuzzing without these 
options in some tests.

> The exec speed is around 2200 exec/sec.
>
> run time            : 0 days, 0 hrs, 23 min, 28 sec
> cycles done      : 1
> total paths        : 192
> total execs        : 3.10M
> exec speed      : 2185/sec
> favored paths   : 25
> new edges on  : 43

Nice.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.