
LibAFL, the fuzzer library.
Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
LibAFL is a collection of reusable pieces of fuzzers, written in Rust. It gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include:
- fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
- scalable: Low Level Message Passing, LLMP for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.
- adaptable: You can replace each part of LibAFL. For example, BytesInput is just one potential form of input: feel free to add an AST-based input for structured fuzzing, and more.
- multi platform: LibAFL was confirmed to work on Windows, MacOS, Linux, and Android on x86_64 and aarch64. LibAFL can be built in no_std mode to inject LibAFL into obscure targets like embedded devices and hypervisors.
- bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for source-based instrumentation. Of course it's easy to add custom instrumentation backends.
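As an added illustration of the "adaptable" point above (this is standalone sketch code written for this page, not LibAFL's own API: the `FuzzInput` trait, the expression grammar, the `harness` target and the xorshift campaign loop are all made up here), the following contrasts a plain byte input with an AST-based input against a small recursive-descent parser. Structure-blind byte flips almost always produce text the target rejects at its first parse error, whereas structure-preserving AST mutations always render to well-formed input and so always reach the evaluator behind the parser.

```rust
/// Stand-in for a fuzzer input type: something the fuzzer can store, mutate
/// and turn into bytes for the harness. Illustrative only, not LibAFL's trait.
trait FuzzInput: Clone {
    /// The bytes the target actually receives.
    fn target_bytes(&self) -> Vec<u8>;
    /// One mutation step, driven by a caller-supplied random value.
    fn mutate(&mut self, rand: u64);
}

/// Plain byte buffer, the analogue of a BytesInput.
#[derive(Clone)]
struct BytesInput(Vec<u8>);

impl FuzzInput for BytesInput {
    fn target_bytes(&self) -> Vec<u8> {
        self.0.clone()
    }
    fn mutate(&mut self, rand: u64) {
        // Structure-blind: xor one byte, whatever it used to be.
        if self.0.is_empty() {
            self.0.push(0);
        }
        let len = self.0.len();
        self.0[(rand as usize) % len] ^= (rand >> 8) as u8;
    }
}

/// Tiny arithmetic-expression AST: the structured, grammar-aware input.
#[derive(Clone)]
enum Expr {
    Num(i64),
    Add(Box<Expr>, Box<Expr>),
    Mul(Box<Expr>, Box<Expr>),
}

impl Expr {
    /// Serialise to the concrete syntax the target parses.
    fn render(&self) -> String {
        match self {
            Expr::Num(n) => n.to_string(),
            Expr::Add(a, b) => format!("({}+{})", a.render(), b.render()),
            Expr::Mul(a, b) => format!("({}*{})", a.render(), b.render()),
        }
    }
}

#[derive(Clone)]
struct AstInput(Expr);

impl FuzzInput for AstInput {
    fn target_bytes(&self) -> Vec<u8> {
        self.0.render().into_bytes()
    }
    fn mutate(&mut self, rand: u64) {
        // Structure-preserving: wrap or replace the root, so every mutant
        // is still a well-formed expression.
        let leaf = Expr::Num(((rand >> 8) % 100) as i64);
        let old = std::mem::replace(&mut self.0, Expr::Num(0));
        self.0 = match rand % 3 {
            0 => Expr::Add(Box::new(old), Box::new(leaf)),
            1 => Expr::Mul(Box::new(leaf), Box::new(old)),
            _ => leaf,
        };
    }
}

/// Constructed toy grammar: expr := '(' expr ('+'|'*') expr ')' | integer.
fn parse_expr(s: &[u8], i: &mut usize) -> Option<i64> {
    if s.get(*i) != Some(&b'(') {
        let start = *i;
        *i += (s.get(*i) == Some(&b'-')) as usize;
        while s.get(*i).map_or(false, u8::is_ascii_digit) {
            *i += 1;
        }
        return std::str::from_utf8(&s[start..*i]).ok()?.parse().ok();
    }
    *i += 1;
    let a = parse_expr(s, i)?;
    let op = *s.get(*i)?;
    *i += 1;
    let b = parse_expr(s, i)?;
    if s.get(*i) != Some(&b')') {
        return None;
    }
    *i += 1;
    match op {
        b'+' => Some(a.wrapping_add(b)),
        b'*' => Some(a.wrapping_mul(b)),
        _ => None,
    }
}

/// Constructed toy target: Some(value) for well-formed input, None otherwise.
fn harness(data: &[u8]) -> Option<i64> {
    let mut i = 0;
    let v = parse_expr(data, &mut i)?;
    (i == data.len()).then_some(v)
}

/// Deterministic xorshift64 so the campaign needs no crates.
fn xorshift(state: &mut u64) -> u64 {
    let mut x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    *state = x;
    x
}

/// Mutate `seed` `iters` times and count how many mutants the parser accepts.
fn accepted<I: FuzzInput>(seed: I, iters: usize, mut rng: u64) -> usize {
    let mut input = seed;
    (0..iters)
        .filter(|_| {
            input.mutate(xorshift(&mut rng));
            harness(&input.target_bytes()).is_some()
        })
        .count()
}

fn main() {
    let bytes = accepted(BytesInput(b"(1+2)".to_vec()), 200, 0x1234);
    let ast = accepted(AstInput(Expr::Num(1)), 200, 0x1234);
    println!("accepted by the parser: bytes {bytes}/200, ast {ast}/200");
}
```

In a real LibAFL fuzzer the same split appears as a custom input type plus mutators that understand it, while the executor, feedbacks and scheduler stay unchanged; that is what "replace each part" buys you.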
Core concepts
LibAFL is fast, multi-platform, no_std compatible, and scales over cores and machines. It offers a main crate that provides building blocks for custom fuzzers, libafl, a library containing common code that can be used for target instrumentation, libafl_targets, and a library providing facilities to wrap compilers, libafl_cc. It offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
- SanitizerCoverage, in libafl_targets
- Frida, in libafl_frida
- QEMU user-mode and system mode, including hooks for emulation, in libafl_qemu
- TinyInst, in libafl_tinyinst by elbiazo
Building and installing
Install the Dependencies
- The Rust development language
  - We highly recommend not to use e.g. your Linux distribution package as this is likely outdated. So rather install Rust directly, instructions can be found here.
- LLVM tools
  - The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3). If you are using Debian/Ubuntu, again, we highly recommend that you install the package from here.
  - In libafl_concolic, we only support LLVM versions newer than 18.
- Just
  - We use just to build the fuzzers in the fuzzers/ directory. You can find instructions to install it in your environment in the Just Programmer's Manual.
Clone the LibAFL repository with
```sh
git clone https://github.com/AFLplusplus/LibAFL
```
Build the library using
```sh
cargo build --release
```
Build the API documentation with
```sh
cargo doc
```
Browse the LibAFL book (WIP!) with (requires mdbook)
```sh
cd docs && mdbook serve
```
Getting started
We collect all example fuzzers in ./fuzzers. Be sure to read their documentation (and source), this is the natural way to get started!
You can run each example fuzzer with the following command, as long as the fuzzer directory has a Justfile:
```sh
just run
```
The best-tested fuzzer is ./fuzzers/inprocess/libfuzzer_libpng, a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
Resources
- Installation guide
- Online API documentation
- The LibAFL book (WIP) online or in the repo
- Our research paper
- Our RC3 talk explaining the core concepts
- Our Fuzzcon Europe talk with a (slightly outdated) step-by-step discussion on how to build some example fuzzers
- The Fuzzing101 solutions & series of blog posts by epi
- Blogpost on binary-only fuzzing with libafl_qemu, Hacking TMNF - Fuzzing the game server, by RickdeJager.
- A LibAFL Introductory Workshop, by Jordan Whitehead
Contributors
LibAFL is written and maintained by
- Andrea Fioraldi andrea@aflplus.plus
- Dominik Maier dominik@aflplus.plus
- s1341 github@shmarya.net
- Dongjia Zhang toka@aflplus.plus
- Addison Crump me@addisoncrump.info
- Romain Malmain rmalmain@pm.me
Contributing
Please check out CONTRIBUTING.md for the contributing guideline.
Debugging
Your fuzzer doesn't work as expected? Try reading DEBUGGING.md to understand how to debug your problems.
Cite
If you use LibAFL for your academic work, please cite the following paper:
@inproceedings{libafl,
author = {Andrea Fioraldi and Dominik Maier and Dongjia Zhang and Davide Balzarotti},
title = {{LibAFL: A Framework to Build Modular and Reusable Fuzzers}},
booktitle = {Proceedings of the 29th ACM conference on Computer and communications security (CCS)},
series = {CCS '22},
year = {2022},
month = {November},
location = {Los Angeles, U.S.A.},
publisher = {ACM},
}
License
Licensed under either of Apache License, Version 2.0 or MIT license at your option. Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.