Crate butterfly_fuzz
butterfly provides LibAFL components for stateful fuzzing
Overview
butterfly offers
- A new representation of inputs as sequences of packets that can be loaded from pcap files. The packets can be of any type.
- Packet-aware mutators that mutate only one packet and leave all others intact to reach deeper program states
- Protocol-aware mutators that can reorder, duplicate, splice and delete packets in addition to “normal” mutations
- An observer that tracks which states the target goes through as it processes the packets. This is used to build a state-graph of the target and identify when new states have been reached.
Components
- Input
  - In order to create a new, working input type you MUST implement the following traits: `Hash`, `Debug`, `Clone`, `Serialize`, `Deserialize`, `Input`
  - To make it usable by other butterfly components, implement `HasPackets`, `HasLen`
  - If you want to load it from a PCAP file, implement `HasPcapRepresentation`
- Mutators
  - havoc: `PacketHavocMutator` gets a list of havoc mutators and uses `HasHavocMutation` to mutate a selected packet. Not all of libafl's havoc mutators work with packet-based inputs, though. `supported_havoc_mutations` gives you all havoc mutators that work
  - packet-mutators:
  - crossover mutators:
  - splicing mutators:
- Observer
  - `StateObserver` builds a state-graph
  - The executor is responsible for calling `StateObserver::record()` with state information inferred from the fuzz target
- Feedback
  - `StateFeedback` determines if a `StateObserver` has seen new states in the last run
- Monitor
  - butterfly provides a `StateMonitor` that prints information about the state-graph in addition to all the other info
  - If you want to use a different monitor but still want to get state-graph information you can implement `HasStateStats`
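The observer/feedback split described above, as an added example that is not butterfly's own code: a minimal state graph that records the state after each packet and reports whether the last run added a state or a transition. `StateGraph`, `start_run`, `replay` and the FTP-like reply codes are constructed for illustration; butterfly's `StateObserver` and `StateFeedback` have their own APIs.

```rust
use std::collections::HashSet;

/// Hypothetical model of a state-graph observer (not butterfly's StateObserver).
#[derive(Default)]
pub struct StateGraph {
    nodes: HashSet<u32>,
    edges: HashSet<(u32, u32)>,
    prev: Option<u32>,
    new_in_run: bool,
}

impl StateGraph {
    /// Before each execution: keep the graph, forget per-run bookkeeping.
    pub fn start_run(&mut self) {
        self.prev = None;
        self.new_in_run = false;
    }
    /// After each packet: record the state inferred from the target's reply.
    pub fn record(&mut self, state: u32) {
        let new_node = self.nodes.insert(state);
        let new_edge = self.prev.map_or(false, |p| self.edges.insert((p, state)));
        self.new_in_run |= new_node || new_edge;
        self.prev = Some(state);
    }
    /// Feedback decision: did the last run add a state or a transition?
    pub fn run_was_interesting(&self) -> bool {
        self.new_in_run
    }
    pub fn size(&self) -> (usize, usize) { (self.nodes.len(), self.edges.len()) }
}

/// Replays the per-packet states of one run and returns the feedback verdict.
pub fn replay(graph: &mut StateGraph, states: &[u32]) -> bool {
    graph.start_run();
    for &s in states {
        graph.record(s);
    }
    graph.run_was_interesting()
}

fn main() {
    // Constructed runs: FTP-like reply codes stand in for target states.
    let runs: [&[u32]; 3] = [&[220, 331, 230], &[220, 331, 230], &[220, 230]];
    let mut g = StateGraph::default();
    for run in runs {
        println!("{:?} -> interesting: {}", run, replay(&mut g, run));
    }
}
```

The third run visits no new state but takes a new transition (220 to 230), so it is still reported as interesting.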
Features
- `graphviz`
  - Adds `GraphvizMonitor` that writes a DOT representation of the state graph to a file
- `safe_only`
  - By default butterfly uses some unsafe code for performance reasons but this can be disabled with this feature
Tutorials, examples and more…
… can be found in our repository and wiki.
Structs
A monitor that periodically outputs a DOT representation of the state graph.
Like libafl's `CrossoverInsertMutator` but for two packets in one seed.
Like libafl's `CrossoverReplaceMutator` but for two packets in one seed.
A mutator that deletes a single, random packet.
A mutator that duplicates a single, random packet.
A mutator that applies a set of havoc mutations to a single packet.
A mutation scheduler for butterfly's mutators.
A mutator that swaps two random packets.
A mutator that splices two random packets together.
Determines that an input is interesting if it led to new states or transitions in the previous run.
A monitor that prints information about the state-graph in addition to all other info.
An observer that builds a state-graph.
Statics
Key for user stats.
Key for user stats.
Key for user stats.
Traits
Signifies that a packet type supports the `PacketCrossoverInsertMutator` mutator.
Signifies that a packet type supports the `PacketCrossoverReplaceMutator` mutator.
Signifies that a packet type supports the `PacketHavocMutator`.
Signifies that an input consists of packets.
Signifies that an input can be constructed from a packet capture.
Signifies that a packet type supports the `PacketSpliceMutator` mutator.
Adds capabilities to a Monitor to get information about the state-graph.
Functions
Helper function that loads pcap files from a given directory into the corpus.
Returns a tuple with all the mutations that can be used by a `PacketHavocMutator`.
Type Definitions
Tuple of all havoc mutators in libafl that get exactly one input.