bdde109867
* launcher now uses client_id instead of core_id * adding overcommit to an example fuzzer * Replace addr_of with &raw across the codebase (#2669) * Replace addr_of with &raw across the codebase * fix fixes * more fix * undo clang fmt? * oops * fix? * allocator fix * more fix * more more * more docs * more fix * mas mas mas * hm * more * fix Frida * needed * more error * qemu * Introduce workspace (again) (#2673) * Trying to redo workspace deps again after #2672 * unused * clippy * Replace addr_of with &raw across the codebase (#2669) * Replace addr_of with &raw across the codebase * fix fixes * more fix * undo clang fmt? * oops * fix? * allocator fix * more fix * more more * more docs * more fix * mas mas mas * hm * more * fix Frida * needed * more error * qemu * Introduce workspace (again) (#2673) * Trying to redo workspace deps again after #2672 * unused * clippy * fixing formatting issues * cloning values to make borrow checker happy * simplifying cfg constraints, removing excessive clippy allows * printing clang version that is used to find inconsistencies between CI and local formatting * some fixes according to the CI * Specifying types * improved logging for formatter * more attempts at logging for the CI formatting * fixing setting LLVM version in formatting in CI * fixing cippy allows * renaming launcher's ClientID to ClientDescription * Lower capped RAND generators (#2671) * Lower capped rand generators * Updated all references to RAND generators * Formatting updates * New RAND bytes generator constructor * Revert "Updated all references to RAND generators" This reverts commit 9daad894b25ec3867daf93c4fe67c03abec1d8c6. * Revert "Formatting updates" This reverts commit ff2a61a366c48b3f313878f62409e51b1e1ed663. * cargo nightly format * Added must_use to with_min_size * fix error '#' is not followed by a macro parameter (#2678) * Use version.workspace (#2682) * LibAFL_QEMU: Don't return a generic Address from Register reads (#2681) * LibAFL_QEMU: Make ReadReg always return GuestReg type * Don't return a generic address * fix fuzzers * fix mips * Add DrCovReader to read DrCov files and DrCov dumper and merge utils (#2680) * Add DrCov Reader * Removed libafl_jumper deps * Fix DrCovWriter, add dump_drcov_addrs * Taplo * Move frida from usize to u64 * DrCov usize=>u64 * Better error print * More u64 * ? * debug * clippy * clippy * Add Merge option to DrCovReader * Add drcov_merge tool * Move folder around * DrCov * More assert * fmt * Move around * Fix print * Add option to read multiple files/full folders * Fix build_all_fuzzers.sh for local runs (#2686) * Add Intel PT tracing support (#2471) * WIP: IntelPT qemu systemmode * use perf-event-open-sys instead of bindgen * intelPT Add enable and disable tracing, add test * Use static_assertions crate * Fix volatiles, finish test * Add Intel PT availability check * Use LibAFL errors in Result * Improve filtering * Add KVM pt_mode check * move static_assertions use * Check for perf_event_open support * Add (empty) IntelPT module * Add IntelPTModule POC * partial ideas to implement intel pt * forgot smth * trace decoding draft * add libipt decoder * use cpuid instead of reading /proc/cpuinfo * investigating nondeterministic behaviour * intel_pt module add thread creation hook * Fully identify deps versions Cargo docs: Although it looks like a specific version of the crate, it actually specifies a range of versions and allows SemVer compatible updates * Move mem image to module, output to file for debug * fixup! Use static_assertions crate * Exclude host kernel from traces * Bump libipt-rs * Callback to get memory as an alterantive to image * WIP Add bootloader fuzzer example * Split availability check: add availability_with_qemu * Move IntelPT to observer * Improve test docs * Clippy happy now * Taplo happy now * Add IntelPTObserver boilerplate * Hook instead of Observer * Clippy & Taplo * Add psb_freq setting * Extremely bad and dirty babyfuzzer stealing * Use thread local cell instead of mutex * Try a trace diff based naive feedback * fix perf aux buffer wrap handling * Use f64 for feedback score * Fix clippy for cargo test * Add config format tests * WIP intelpt babyfuzzer with fork * Fix not wrapped tail offset in split buffer * Baby PT with raw traces diff working * Cache nr_filters * Use Lazy_lock for perf_type * Add baby_fuzzer_intel_pt * restore baby fuzzer * baby_fuzzer with block decoder * instruction decoder instead of block * Fix after upstream merge * OwnedRefMut instead of Cow * Read mem directly instead of going through files * Fix cache lifetime and tail update * clippy * Taplo * Compile caps only on linux * clippy * Fail compilation on unsupported OSes * Add baby_fuzzer_intel_pt to CI * Cleanup * Move intel pt + linux check * fix baby pt * rollback forkexecutor * Remove unused dep * Cleanup * Lints * Compute an edge id instead of using only block ip * Binary only intelPT POC * put linux specific code behind target_os=linux * Clippy & Taplo * fix CI * Disable relocation * No unwrap in decode * No expect in decode * Better logging, smaller aux buffer * add IntelPTBuilder * some lints * Add exclude_hv config * Per CPU tracing and inheritance * Parametrize buffer size * Try not to break commandExecutor API pt.1 * Try not to break commandExecutor API pt.2 * Try not to break commandExecutor API pt.3 * fix baby PT * Support on_crash & on_timeout callbacks for libafl_qemu modules (#2620) * support (unsafe) on_crash / on_timeout callbacks for modules * use libc types in bindgen * Move common code to bolts * Cleanup * Revert changes to backtrace_baby_fuzzers/command_executor * Move intel_pt in one file * Use workspace deps * add nr_addr_filter fallback * Cleaning * Improve decode * Clippy * Improve errors and docs * Impl from<PtError> for libafl::Error * Merge hooks * Docs * Clean command executor * fix baby PT * fix baby PT warnings * decoder fills the map with no vec alloc * WIP command executor intel PT * filter_map() instead of filter().map() * fix docs * fix windows? * Baby lints * Small cleanings * Use personality to disable ASLR at runtime * Fix nix dep * Use prc-maps in babyfuzzer * working ET_DYN elf * Cleanup Cargo.toml * Clean command executor * introduce PtraceCommandConfigurator * Fix clippy & taplo * input via stdin * libipt as workspace dep * Check kernel version * support Arg input location * Reorder stuff * File input * timeout support for PtraceExec * Lints * Move out method not needing self form IntelPT * unimplemented * Lints * Move intel_pt_baby_fuzzer * Move intel_pt_command_executor * Document the need for smp_rmb * Better comment * Readme and Makefile.toml instead of build.rs * Move out from libafl_bolts to libafl_intelpt * Fix hooks * (Almost) fix intel_pt command exec * fix intel_pt command exec debug * Fix baby_fuzzer * &raw over addr_of! * cfg(target_os = "linux") * bolts Cargo.toml leftover * minimum wage README.md * extract join_split_trace from decode * extract decode_block from decode * add 1 to `previous_block_ip` to avoid that all the recursive basic blocks map to 0 * More generic hook * fix windows * Update CI, fmt * No bitbybit * Fix docker? * Fix Apple silicon? * Use old libipt from crates.io --------- Co-authored-by: Romain Malmain <romain.malmain@pm.me> Co-authored-by: Dominik Maier <domenukk@gmail.com> * libafl-fuzz: introduce nyx_mode (#2503) * add nyx_mode * fix frida ci? * damn clippy * clippy * LibAFL: Remove `tui_monitor` from default features (#2685) * No Usermode default * no tui * gg * try fix CI * fmt --------- Co-authored-by: Dominik Maier <dmnk@google.com> * Actually make ConstMapObserver work, introduce `nonnull_raw_mut` macro (#2687) * Actually make ConstMapObserver work * fixes * does that work? * mas * Feature: libafl-fuzzfuzzbench (#2689) * fuzzbench * clippy * fmt * fix unicorn CI? * Move bitfields to bitbybit (#2688) * move to bitbybit * Restore bitbybit dependent code * Clippy * Fix NautilusContext::from_file for python files (#2690) * Bump to 0.14.0 (#2692) * Fix versions in libafl and libafl_intelpt for crates.io (#2693) * Fix versions in libafl and libafl_intelpt for crates * Add libafl_intelpt to publish * StdMOptMutator:🆕 remove unused type parameter (#2695) `I` is unused in `::new` and thus requires callers to explicitly specify any type as it can't be determined by type inference. Clippy's `extra_unused_type_parameters` should pick this up, but is tuned a bit too conservative in order to avoid false positives AFAICT. * Move test_harness from source directory to OUT_DIR (#2694) * remove test_harness from source directory * fmt * Add package.metadata.docs.rs for libafl_intelpt (#2696) * libafl-fuzz: fix cmplog running on inputs more than once (#2697) * libafl-fuzz: fix cmplog running on inputs more than once * fmt * fix afl++ cmplog header * update to latest afl stable commit * Libafl workspace internal deps in workspace Cargo.toml (#2691) * Add internal deps to workspace * libafl: use workspace internal deps * libafl_bolts: use workspace internal deps * 0.14.0 * use workspace internal deps * Fix tui monitor for example fuzzers (#2699) * Fix tui monitor for example fuzzers * New clippy lint * fix * Update pyo3-build-config requirement from 0.22.3 to 0.23.1 (#2701) Updates the requirements on [pyo3-build-config](https://github.com/pyo3/pyo3) to permit the latest version. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](https://github.com/pyo3/pyo3/compare/v0.22.3...v0.23.1) --- updated-dependencies: - dependency-name: pyo3-build-config dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * bolts: fix build for tiers 3 platforms. (#2700) cater to platforms knowingly support this feature instead. * Pre init module hooks (#2704) * differenciate pre qemu init and post qemu init hooks * api breakage: Emulator::new_with_qemu is not public anymore. * Fix edge module generators (#2702) * fix generators * fix metadata removal for ExecutionCountRestartHelper (#2705) * Ignore pyo3 update (#2709) * libafl-fuzz: feature-flag nyx mode (#2712) * Bump ctor dependency to make nightly compile again (#2713) * Batched timeout doc (#2716) * timeout doc * clp * FMT * More batched timeout doc (#2717) * timeout doc * clp * FMT * more * fixing an overexited cast * renaming variables * removing unnecessary brackets * fixing imports * fixing imports * renaming more variables * even more variable renaming * removing duplicate clap short options * reverting mistaken variable renaming * comparing the actual cores instead of an enumeration index --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Dominik Maier <domenukk@gmail.com> Co-authored-by: Subhojeet Mukherjee, PhD <57270300+CowBoy4mH3LL@users.noreply.github.com> Co-authored-by: jejuisland87654 <jejuisland87654@gmail.com> Co-authored-by: Marco C. <46560192+Marcondiro@users.noreply.github.com> Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com> Co-authored-by: Romain Malmain <romain.malmain@pm.me> Co-authored-by: Aarnav <aarnav@srlabs.de> Co-authored-by: Dominik Maier <dmnk@google.com> Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com> Co-authored-by: Mrmaxmeier <3913977+Mrmaxmeier@users.noreply.github.com> Co-authored-by: Sharad Khanna <sharad@mineo333.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: David CARLIER <devnexen@gmail.com> Co-authored-by: Henry Chu <henrytech@outlook.com>
LibAFL, the fuzzer library.
Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
LibAFL is a collection of reusable pieces of fuzzers, written in Rust, it gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include:
fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).scalable:Low Level Message Passing,LLMPfor short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.adaptable: You can replace each part of LibAFL. For example,BytesInputis just one potential form input: feel free to add an AST-based input for structured fuzzing, and more.multi platform: LibAFL was confirmed to work on Windows, MacOS, Linux, and Android on x86_64 and aarch64.LibAFLcan be built inno_stdmode to inject LibAFL into obscure targets like embedded devices and hypervisors.bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends.
Core concepts
LibAFL is fast, multi-platform, no_std compatible, and scales over cores and machines. It offers a main crate that provide building blocks for custom fuzzers, libafl, a library containing common code that can be used for targets instrumentation, libafl_targets, and a library providing facilities to wrap compilers, libafl_cc. It offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
SanitizerCoverage, in libafl_targetsFrida, in libafl_fridaQEMUuser-mode and system mode, including hooks for emulation, in libafl_qemuTinyInst, in libafl_tinyinst by elbiazo
Building and installing
Install the Dependencies
- The Rust development language
- We highly recommend not to use e.g. your Linux distribution package as this is likely outdated. So rather install Rust directly, instructions can be found here.
- LLVM tools
- The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from here
- (In
libafl_concolic, we only support LLVM version newer than 18)
- Cargo-make:
- We use cargo-make to build the fuzzers in
fuzzers/directory. You can install it withcargo install cargo-make
- We use cargo-make to build the fuzzers in
Clone the LibAFL repository with
git clone https://github.com/AFLplusplus/LibAFL
Build the library using
cargo build --release
Build the API documentation with
cargo doc
Browse the LibAFL book (WIP!) with (requires mdbook)
cd docs && mdbook serve
Getting started
We collect all example fuzzers in ./fuzzers.
Be sure to read their documentation (and source), this is the natural way to get started!
cargo make run
You can run each example fuzzer with this following command, as long as the fuzzer directory has Makefile.toml file. The best-tested fuzzer is ./fuzzers/inprocess/libfuzzer_libpng, a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
Resources
- Installation guide
- Online API documentation
- The LibAFL book (WIP) online or in the repo
- Our research paper
- Our RC3 talk explaining the core concepts
- Our Fuzzcon Europe talk with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
- The Fuzzing101 solutions & series of blog posts by epi
- Blogpost on binary-only fuzzing lib libaf_qemu, Hacking TMNF - Fuzzing the game server, by RickdeJager.
- A LibAFL Introductory Workshop, by Jordan Whitehead
Contributors
LibAFL is written and maintained by
- Andrea Fioraldi andrea@aflplus.plus
- Dominik Maier dominik@aflplus.plus
- s1341 github@shmarya.net
- Dongjia Zhang toka@aflplus.plus
- Addison Crump me@addisoncrump.info
- Romain Malmain rmalmain@pm.me
Please check out CONTRIBUTING.md for the contributing guideline.
Cite
If you use LibAFL for your academic work, please cite the following paper:
@inproceedings{libafl,
author = {Andrea Fioraldi and Dominik Maier and Dongjia Zhang and Davide Balzarotti},
title = {{LibAFL: A Framework to Build Modular and Reusable Fuzzers}},
booktitle = {Proceedings of the 29th ACM conference on Computer and communications security (CCS)},
series = {CCS '22},
year = {2022},
month = {November},
location = {Los Angeles, U.S.A.},
publisher = {ACM},
}
License
Licensed under either of Apache License, Version 2.0 or MIT license at your option.Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.