Crate libafl

Welcome to LibAFL

LibAFL Core

LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.

The online documentation for this crate is available here.

Feature Flags

General Features

  • std (enabled by default) — Enables features that need rust’s std lib to work, like print, env, … support

  • introspection — Collects performance statistics of the fuzzing pipeline and displays them on Monitor components

  • scalability_introspection — Collects stats about scalability

  • python — Will build the pyo3 bindings

  • prelude (enabled by default) — Expose libafl::prelude for access without additional using directives

  • afl_exec_sec — Calculate exec/sec like AFL, using 5 second time windows

  • errors_backtrace — Stores the backtraces of all generated Errors. Good for debugging, but may come with a slight performance hit.

  • corpus_btreemap — Switches from HashMap to BTreeMap for CorpusId

  • gzip (enabled by default) — Enables gzip compression in certain parts of the lib

  • fork (enabled by default) — If set, will use the fork() syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on Windows).

  • adaptive_serialization — Collects stats to decide whether observers must be serialized or not (which should reduce memory use and increase speed)

Additional Components

  • tcp_manager — Enables TcpEventManager, a simple EventManager proxying everything via TCP. This uses tokio.

  • regex (enabled by default) — Enables the NaiveTokenizer and StacktraceObserver

  • casr — Enables deduplication based on libcasr for StacktraceObserver

  • cmin — Enables features for corpus minimization

  • prometheus_monitor — Enables the PrometheusMonitor which will monitor stats via UDP, for Grafana and others.

  • concolic_mutation — Include a simple concolic mutator based on z3

  • tui_monitor (enabled by default) — Enable the fancy TuiMonitor for a terminal UI using crossterm

  • unicode — Enables StringClassificationStage and associated mutators, which allow for mutations which preserve the Unicode property data

LibAFL-Bolts Features

  • derive (enabled by default) — Provide the #[derive(SerdeAny)] macro.

  • cli — Expose libafl_bolts::cli for easy commandline parsing of common fuzzer settings

  • qemu_cli — Enables extra commandline flags for qemu-based fuzzers in cli

  • frida_cli — Enables extra commandline flags for frida-based fuzzers in cli

  • rand_trait (enabled by default) — If set, libafl_bolt’s rand implementations will implement rand::Rng

SerdeAny features

  • serdeany_autoreg (enabled by default) — Automatically register all #[derive(SerdeAny)] types at startup.

LLMP features

  • llmp_broker_timeouts (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes

  • llmp_bind_public — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default. Binding publicly exposes the broker port to every host that can reach it, so pair it with network-level access control.

  • llmp_compression (enabled by default) — Enables llmp compression using GZip

  • llmp_debug — Enables debug output for LLMP (also needs a logger installed)

  • llmp_small_maps (enabled by default) — Reduces the initial map size for llmp

License-Changing Dependencies(!)

  • agpl — Enables all features hiding dependencies licensed under AGPL

  • nautilus — Enables the Nautilus Grammar Mutator (AGPL-licensed)
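As an added illustration of how these flags are selected (not a fragment from the crate's documentation), a Cargo.toml dependency entry that opts out of the defaults and names the features explicitly; the version requirement is an assumption and should be replaced with the release you target:

```toml
# Added example, not part of the crate docs. The version requirement is an assumption.
[dependencies]
# Drop the defaults (std, prelude, gzip, fork, regex, tui_monitor, derive,
# rand_trait, serdeany_autoreg, llmp_broker_timeouts, llmp_compression,
# llmp_small_maps) and name exactly what this fuzzer needs.
libafl = { version = "0.11", default-features = false, features = [
    "std",
    "fork",               # fork() children where the OS supports it
    "regex",              # NaiveTokenizer and StacktraceObserver
    "errors_backtrace",   # debugging aid; slight runtime cost
    "llmp_compression",
    # "llmp_bind_public", # leave off unless the broker must be reachable across hosts
    # "nautilus",         # AGPL-licensed grammar mutator: changes the license of your build
] }
```

Listing features this way makes a later `cargo tree -e features` review straightforward, and keeps the two license-changing flags from the last section visible as deliberate, commented-out choices rather than something a default pulls in.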

Re-exports

Modules

  • bolts (deprecated) — Dummy export that will warn with a deprecation note on usage. Use the libafl_bolts crate instead.
  • corpus — Corpuses contain the testcases, either in memory, on disk, or somewhere else.
  • events — An EventManager manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other Events.
  • executors — Executors take input, and run it in the target.
  • feedbacks — The feedbacks reduce observer state after each run to a single is_interesting value. If a testcase is interesting, it may be added to a Corpus.
  • fuzzer — The Fuzzer is the main struct for a fuzz campaign.
  • generators — Generators may generate bytes or, in general, data, for inputs.
  • inputs — Inputs are the actual contents sent to a target for each execution.
  • monitors — Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
  • mutators — Mutators mutate input during fuzzing.
  • observers — Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
  • prelude — The purpose of this module is to alleviate imports of many components by adding a glob import.
  • schedulers — Schedule the access to the Corpus.
  • stages — A Stage is a technique used during fuzzing, working on one crate::corpus::Corpus entry, and potentially altering it or creating new entries. A well-known Stage, for example, is the mutational stage, running multiple crate::mutators::Mutators against a crate::corpus::Testcase, potentially storing new ones, according to crate::feedbacks::Feedback. Other stages may enrich crate::corpus::Testcases with metadata.
  • state — The fuzzer and state are the core pieces of every good fuzzer.
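As an added illustration of how these modules divide the work, here is a std-only sketch written for this page; it is not code from the LibAFL project. It reuses LibAFL's vocabulary (an in-process executor, a map observer, a max-map feedback, a corpus with a scheduler, a byte mutator) but none of the libafl types or signatures; the xorshift PRNG, the map size, the execution budget and the 4-byte "FUZZ" magic-check target are all constructed for the example.

```rust
// Added example for this page (std only): a sketch of the component split in the
// module list above. It borrows LibAFL's vocabulary but is NOT the libafl API.
const MAP_SIZE: usize = 8;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum ExitKind { Ok, Crash }

/// Observer: an edge-hit map the (hand-instrumented) target writes into.
#[derive(Default)]
pub struct MapObserver { pub map: [u8; MAP_SIZE] }

/// Executor: runs the harness once on an input and reports how the target exited.
pub struct InProcessExecutor<H> { harness: H, pub observer: MapObserver }
impl<H: FnMut(&[u8], &mut MapObserver) -> ExitKind> InProcessExecutor<H> {
    pub fn new(harness: H) -> Self { Self { harness, observer: MapObserver::default() } }
    pub fn run(&mut self, input: &[u8]) -> ExitKind {
        self.observer.map = [0; MAP_SIZE]; // fresh observer state for every run
        (self.harness)(input, &mut self.observer)
    }
}

/// Feedback: reduces observer state to one is_interesting bit (max value seen per index).
#[derive(Default)]
pub struct MaxMapFeedback { history: [u8; MAP_SIZE] }
impl MaxMapFeedback {
    pub fn is_interesting(&mut self, obs: &MapObserver) -> bool {
        let mut novel = false;
        for (seen, &now) in self.history.iter_mut().zip(obs.map.iter()) {
            if now > *seen { *seen = now; novel = true; }
        }
        novel
    }
}

/// Corpus of testcases with a round-robin scheduler baked in.
#[derive(Default)]
pub struct Corpus { entries: Vec<Vec<u8>>, next: usize }
impl Corpus {
    pub fn add(&mut self, testcase: Vec<u8>) { self.entries.push(testcase); }
    pub fn schedule(&mut self) -> Vec<u8> {
        let tc = self.entries[self.next % self.entries.len()].clone();
        self.next += 1;
        tc
    }
}

/// Mutator: overwrite one byte, driven by a tiny xorshift PRNG so runs are reproducible.
pub struct ByteMutator { state: u64 }
impl ByteMutator {
    fn next(&mut self) -> u64 {
        let mut x = self.state;
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.state = x;
        x
    }
    pub fn mutate(&mut self, input: &mut Vec<u8>) {
        if input.is_empty() { input.push(0); }
        let idx = (self.next() % input.len() as u64) as usize;
        input[idx] = self.next() as u8;
    }
}

pub struct Stats { pub execs: u64, pub corpus_len: usize, pub crash: Option<Vec<u8>> }

/// The fuzzer: one mutational stage over scheduled testcases, until a crash or the budget ends.
pub fn fuzz<H>(harness: H, seed: Vec<u8>, rng_seed: u64, max_execs: u64) -> Stats
where H: FnMut(&[u8], &mut MapObserver) -> ExitKind {
    let mut executor = InProcessExecutor::new(harness);
    let mut feedback = MaxMapFeedback::default();
    let mut corpus = Corpus::default();
    let mut mutator = ByteMutator { state: rng_seed | 1 }; // xorshift must not start at 0
    executor.run(&seed); // the seed takes the same path as any other input
    feedback.is_interesting(&executor.observer);
    corpus.add(seed);
    let mut execs = 1;
    while execs < max_execs {
        let mut input = corpus.schedule();
        mutator.mutate(&mut input);
        let kind = executor.run(&input);
        execs += 1;
        if kind == ExitKind::Crash {
            return Stats { execs, corpus_len: corpus.entries.len(), crash: Some(input) };
        }
        if feedback.is_interesting(&executor.observer) {
            corpus.add(input); // new coverage: keep it as a base for further mutation
        }
    }
    Stats { execs, corpus_len: corpus.entries.len(), crash: None }
}

/// Constructed target: a byte-by-byte magic check, instrumented by hand so each matched
/// byte lights up its own map entry (what a coverage pass would normally do).
pub fn magic_target(input: &[u8], obs: &mut MapObserver) -> ExitKind {
    const MAGIC: &[u8] = b"FUZZ";
    for (i, &want) in MAGIC.iter().enumerate() {
        if input.get(i) != Some(&want) { return ExitKind::Ok; }
        obs.map[i] = 1;
    }
    ExitKind::Crash // the "bug": reachable only once all four bytes match
}
```

Calling `fuzz(magic_target, b"seed".to_vec(), 0x9e37_79b9_7f4a_7c15, 500_000)` returns the crashing input `b"FUZZ"` with a corpus of exactly four entries: the seed plus one testcase per newly matched prefix byte, since a single-byte mutator can only advance the match one position at a time and the feedback only keeps inputs that light up a map index it has not seen. That stepwise corpus growth is the coverage guidance the observers and feedbacks modules provide in LibAFL proper, with a compiler pass rather than hand-written `obs.map[i] = 1` lines doing the instrumentation.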

Macros

Enums

  • Error — Main error type for LibAFL