autarkie_libfuzzer 0.6.0

libFuzzer shim which uses LibAFL with common defaults
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

# Autarkie - Instant Grammar Fuzzing Using Rust Macros
 <img align="right" src="image.jpeg" alt="LibAFL logo" width="250" heigh="250">

Autarkie is a native grammar fuzzer built in Rust. Using procedural macros, it (almost completely) automatically creates a grammar fuzzer. 
Autarkie is heavily inspired by [nautilus](https://github.com/nautilus-fuzz/nautilus).

# Features
- Essentially a drop-in replacement for [arbitrary](https://github.com/rust-fuzz/arbitrary)
- Actual grammar fuzzing - not "structure aware"
- Supports both AFL++ (Forkserver) and cargo-fuzz (Inprocess).
- As long as the grammar is defined using Rust, you can fuzz C/C++ too (using AFL++ forkserver)
- Really easy to use, complexity is abstracted for you.
- Trivial to integrate with other fuzzers.

# Niche features
Autarkie has several features that other grammar fuzzers do not have:
- No grammar maintenance; because the grammar is part of the code, if the project is updated, the grammar updates too.
- Grammar is completely exhaustive; the compiler will make sure that every necessary type is included. No more guesswork.
- Corpus is re-usable. If you stop the fuzzer, you can re-start it and it will be able to re-use the corpus!
- Can learn from other fuzzers! ``use -F to sync``
- Has native [cmplog](https://www.ndss-symposium.org/ndss-paper/redqueen-fuzzing-with-input-to-state-correspondence/) support.

# How to Use
There are two main walkthroughs:
1. Fuzz AFL++ instrumented C/C++ project

This example fuzzes ``sqlite3`` by using grammar defined in [datafusion-sqlparser-rs](https://github.com/apache/datafusion-sqlparser-rs). 
Personal favourite as it shows Autarkie's magic: you can build a highly sophisticated grammar fuzzer covering a language as complex as SQL in under 5 minutes.
This example also shows how you can render the internal structure into a different format for the harness

[Go to the walkthrough](guides/sql.md)


2. Fuzz a Rust project using cargo-fuzz

This example fuzzes Solana's ``sbpf`` interpreter which is implemented in Rust. Autarkie has ``cargo-fuzz`` integration, so it is trivial to fuzz native Rust projects.

[Go to the walkthrough](guides/rbpf.md)


# Limitations and Caveats
### Beta
Autarkie is in beta - expect issues, do not tread lightly. 

### Static Lifetimes
The type MUST own all it's data; it cannot use lifetimes. This is due to the use of ``std::any::type_id`` which require types to have a ``'static`` lifetime.

Note: that you can simply write a wrapper type that owns all the data and converts it to the native type

# Contributions
Contributions, questions and feedback welcome. 
Please engage!