Crate butterfly_fuzz
butterfly provides LibAFL components for stateful fuzzing
Overview
butterfly offers
- A new representation of inputs as sequences of packets that can be loaded from pcap files. The packets can be of any type.
- Packet-aware mutators that mutate only one packet and leave all others intact to reach deeper program states
- Protocol-aware mutators that can reorder, duplicate, splice and delete packets in addition to “normal” mutations
- An observer that tracks which states the target goes through as it processes the packets. This is used to build a state-graph of the target and identify when new states have been reached.
Components
- Input
  - In order to create a new, working input type you MUST implement the following traits: Hash, Debug, Clone, Serialize, Deserialize, Input
  - To make it usable by other butterfly components, implement HasPackets, HasLen
  - If you want to load it from a PCAP file, implement HasPcapRepresentation
- Mutators
  - havoc: PacketHavocMutator gets a list of havoc mutators and uses HasHavocMutation to mutate a selected packet. Not all of libafl's havoc mutators work with packet-based inputs, though. supported_havoc_mutations gives you all havoc mutators that work
  - packet-mutators:
  - crossover mutators:
  - splicing mutators:
- Observer
  - StateObserver builds a state-graph
  - The executor is responsible for calling StateObserver::record() with state information inferred from the fuzz target
- Feedback
  - StateFeedback determines if a StateObserver has seen new states in the last run
- Monitor
  - butterfly provides a StateMonitor that prints information about the state-graph in addition to all the other info
  - If you want to use a different monitor but still want to get state-graph information, you can implement HasStateStats
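The observer and feedback roles described above, as a minimal self-contained model added here for illustration; it is not butterfly's code and does not use its API. `StateGraph`, `reset_run`, `run`, the `record` signature and the numeric state ids are assumptions made for this example.

```rust
use std::collections::HashSet;

/// Simplified model of a state-graph observer (hypothetical, not butterfly's type).
/// States are plain u32 ids here; that representation is an assumption.
#[derive(Default)]
pub struct StateGraph {
    nodes: HashSet<u32>,
    edges: HashSet<(u32, u32)>,
    last: Option<u32>,
    new_in_run: bool,
}

impl StateGraph {
    /// Start of an execution: forget the previous position and verdict.
    pub fn reset_run(&mut self) {
        self.last = None;
        self.new_in_run = false;
    }

    /// Called by the executor with the state inferred after each packet.
    pub fn record(&mut self, state: u32) {
        let mut new = self.nodes.insert(state);
        // Staying in the same state is not counted as a transition.
        if let Some(prev) = self.last.filter(|&p| p != state) {
            new |= self.edges.insert((prev, state));
        }
        self.new_in_run |= new;
        self.last = Some(state);
    }

    /// (number of states, number of transitions) seen so far.
    pub fn stats(&self) -> (usize, usize) {
        (self.nodes.len(), self.edges.len())
    }
}

/// Replays one run's state trace and returns the feedback verdict:
/// true if the run added a state or a transition to the graph.
pub fn run(graph: &mut StateGraph, trace: &[u32]) -> bool {
    graph.reset_run();
    for &s in trace {
        graph.record(s);
    }
    graph.new_in_run
}

fn main() {
    let mut g = StateGraph::default();
    // Constructed traces of state ids, one slice per run.
    let traces: [&[u32]; 3] = [&[220, 331, 230], &[220, 331, 230], &[220, 230]];
    for t in traces {
        println!("{:?} -> interesting: {}", t, run(&mut g, t));
    }
}
```

The third trace visits only known states but takes a new transition, which is why a packet reordering or deletion can still be reported as interesting.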
Features
- graphviz
  - Adds GraphvizMonitor that writes a DOT representation of the state graph to a file
- safe_only
  - By default butterfly uses some unsafe code for performance reasons but this can be disabled with this feature
Tutorials, examples and more…
… can be found in our repository and wiki.
Structs
A monitor that periodically outputs a DOT representation of the state graph.
Like libafl's CrossoverInsertMutator but for two packets in one seed.
Like libafl's CrossoverReplaceMutator but for two packets in one seed.
A mutator that deletes a single, random packet.
A mutator that duplicates a single, random packet.
A mutator that applies a set of havoc mutations to a single packet.
A mutation scheduler for butterfly's mutators.
A mutator that swaps two random packets.
A mutator that splices two random packets together.
Determines that an input is interesting if it led to new states or transitions in the previous run.
A monitor that prints information about the state-graph in addition to all other info.
An observer that builds a state-graph.
Statics
Key for user stats.
Key for user stats.
Key for user stats.
Traits
Signifies that a packet type supports the PacketCrossoverInsertMutator mutator.
Signifies that a packet type supports the PacketCrossoverReplaceMutator mutator.
Signifies that a packet type supports the PacketHavocMutator.
Signifies that an input consists of packets.
Signifies that an input can be constructed from a packet capture.
Signifies that a packet type supports the PacketSpliceMutator mutator.
Adds capabilities to a Monitor to get information about the state-graph.
Functions
Helper function that loads pcap files from a given directory into the corpus.
Returns a tuple with all the mutations that can be used by a PacketHavocMutator.
Type Definitions
Tuple of all havoc mutators in libafl that get exactly one input.