AFLplusplus/LibAFLPublic

NotificationsYou must be signed in to change notification settings
Fork386
Star2.3k

Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

License

View license

2.3k stars 386 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 3,301 Commits
.devcontainer		.devcontainer
.github		.github
.vscode		.vscode
bindings/pylibafl		bindings/pylibafl
crates		crates
docs		docs
fuzzers		fuzzers
just		just
scripts		scripts
seeds/pngs		seeds/pngs
utils		utils
.clang-format		.clang-format
.dockerignore		.dockerignore
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.toml		Cargo.toml
Dockerfile		Dockerfile
LICENSE-APACHE		LICENSE-APACHE
LICENSE-MIT		LICENSE-MIT
MIGRATION.md		MIGRATION.md
README.md		README.md
TROPHIES.md		TROPHIES.md
rustfmt.toml		rustfmt.toml

Repository files navigation

`LibAFL`, the fuzzer library

Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.

LibAFL is a collection of reusable pieces of fuzzers, written in Rust, it gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable.Some highlight features currently include:

fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
scalable:Low Level Message Passing,LLMP for short, allowsLibAFL to scale almost linearly over cores, and via TCP to multiple machines.
adaptable: You can replace each part ofLibAFL. For example,BytesInput is just one potential form input:feel free to add an AST-based input for structured fuzzing, and more.
multi platform:LibAFL runs onWindows,macOS,iOSLinux, andAndroid, and more.LibAFL can be built inno_std mode to injectLibAFL into obscure targets like embedded devices and hypervisors.
bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends.

Core concepts

LibAFL is fast, multi-platform,no_std compatible, and scales over cores and machines. It offers a main crate that provide building blocks for custom fuzzers,libafl, a library containing common code that can be used for targets instrumentation,libafl_targets, and a library providing facilities to wrap compilers,libafl_cc. It offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:

SanitizerCoverage, inlibafl_targets
Frida, inlibafl_frida
QEMU user-mode and system mode, including hooks for emulation, inlibafl_qemu
TinyInst, inlibafl_tinyinst byelbiazo

Building and installing

Install the Dependencies

The Rust development language
- We highly recommendnot to use e.g. your Linux distribution package as this is likely outdated. So rather install Rust directly, instructions can be foundhere.
LLVM tools
- The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package fromhere
- (Inlibafl_concolic, we only support LLVM version newer than 18)
Just:
- We usejust to build the fuzzers infuzzers/ directory. You can find instructions to install it in your environmentin the Just Programmer's Manual.

Clone the`LibAFL` repository with

git clone https://github.com/AFLplusplus/LibAFL

Build the library using

cargo build --release

Build the API documentation with

cargo doc

Browse the`LibAFL` book (WIP!) with (requiresmdbook)

cd docs&& mdbook serve

Getting started

We collect all example fuzzers in./fuzzers.Be sure to read their documentation (and source), this isthe natural way to get started!

just run

You can run each example fuzzer with this following command, as long as the fuzzer directory has aJustfile file. The best-tested fuzzer is./fuzzers/inprocess/libfuzzer_libpng, a multicore libfuzzer-like fuzzer usingLibAFL for a libpng harness.

Resources

Installation guide
Online API documentation
TheLibAFL book (WIP)online or in therepo
Our researchpaper
Our RC3talk explaining the core concepts
Our Fuzzcon Europetalk with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
The Fuzzing101solutions & series ofblog posts byepi
Blogpost on binary-only fuzzing liblibaf_qemu,Hacking TMNF - Fuzzing the game server, byRickdeJager.
A LibAFL Introductory Workshop, byJordan Whitehead

Contributors

LibAFL is written and maintained by

Contributing

Please check outCONTRIBUTING.md for the contributing guideline.

Debugging

Your fuzzer doesn't work as expected? Try readingDEBUGGING.md to understand how to debug your problems.

Cite

If you useLibAFL for your academic work, please cite the following paper:

@inproceedings{libafl,author       ={Andrea Fioraldi and Dominik Maier and Dongjia Zhang and Davide Balzarotti},title        ={{LibAFL: A Framework to Build Modular and Reusable Fuzzers}},booktitle    ={Proceedings of the 29th ACM conference on Computer and communications security (CCS)},series       ={CCS '22},year         ={2022},month        ={November},location     ={Los Angeles, U.S.A.},publisher    ={ACM},}

License

^{Licensed under either ofApache License, Version2.0 orMIT license at your option.}
_{Unless you explicitly state otherwise, any contribution intentionally submittedfor inclusion in this crate by you, as defined in the Apache-2.0 license, shallbe dual licensed as above, without any additional terms or conditions.}