Crate libafl


Welcome to LibAFL

§LibAFL Core

LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.

The online documentation for this crate is available here.

§Feature Flags

§General Features

  • std (enabled by default) — Enables features that need rust’s std lib to work, like print, env, … support
  • track_hit_feedbacks — Tracks the Feedbacks and the Objectives that were interesting for a Testcase
  • value_bloom_feedback — Enables ValueBloomFeedback, which checks whether an observed value has been seen before and returns is_interesting=true only for values that are new.
  • introspection — Collects performance statistics of the fuzzing pipeline and displays it on Monitor components
  • prelude — Expose libafl::prelude for access without additional using directives
  • afl_exec_sec — Calculate exec/sec like AFL, using 5 second time windows
  • errors_backtrace — Stores the backtraces of all generated Errors. Good for debugging, but may come with a slight performance hit.
  • corpus_btreemap — Switches from HashMap to BTreeMap for CorpusId
  • gzip (enabled by default) — Enables gzip compression in certain parts of the lib
  • fork (enabled by default) — If set, will use the fork() syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on Windows).
  • handle_sigpipe — If this feature is set, LibAFL targets (and the fuzzer) will crash on SIGPIPE on unix systems.

§Additional Components

  • tcp_manager — Enables TcpEventManager, a simple EventManager proxying everything via TCP. This uses tokio.
  • tcp_compression — Enables compression for the TCP manager
  • multi_machine — Enable multi-machine support
  • regex (enabled by default) — Enables the NaiveTokenizer and StacktraceObserver
  • casr — Enables deduplication based on libcasr for StacktraceObserver
  • intel_pt — Intel Processor Trace
  • intel_pt_export_raw — Save all the Intel PT raw traces to files, use only for debug
  • cmin — Enables features for corpus minimization
  • prometheus_monitor — Enables the PrometheusMonitor which will monitor stats via UDP, for Grafana and others.
  • statsd_monitor — Enables the StatsdMonitor.
  • concolic_mutation — Include a simple concolic mutator based on z3
  • tui_monitor (enabled by default) — Enable the fancy TuiMonitor for a terminal UI using crossterm
  • unicode — Enables UnicodeClassificationStage and associated mutators, which allow for mutations which preserve the Unicode property data
  • multipart_inputs — Enable multi-part input formats and mutators

§LibAFL-Bolts Features

  • derive (enabled by default) — Provide the #[derive(SerdeAny)] macro.
  • cli — Expose libafl_bolts::cli for easy commandline parsing of common fuzzer settings
  • qemu_cli — Enables extra commandline flags for qemu-based fuzzers in cli
  • frida_cli — Enables extra commandline flags for frida-based fuzzers in cli
  • rand_trait (enabled by default) — If set, libafl_bolts’ rand implementations will implement rand::Rng

§SerdeAny features

  • serdeany_autoreg (enabled by default) — Automatically register all #[derive(SerdeAny)] types at startup.

§LLMP features

  • llmp_broker_timeouts (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes
  • llmp_bind_public — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default. With this feature on, any host that can reach the broker port can join the campaign, so only enable it on a network you control.
  • llmp_compression (enabled by default) — Enables llmp compression using GZip
  • llmp_debug — Enables debug output for LLMP (also needs a logger installed)
  • llmp_small_maps (enabled by default) — Reduces the initial map size for llmp
  • nautilus — Grammar mutator. Requires nightly.
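
The feature lists above are selected from Cargo.toml. The fragment below is an added example, not taken from the LibAFL documentation; the version number is a placeholder to be replaced with the current release, and the three entries are alternatives (Cargo accepts only one `libafl` dependency per table), shown together to contrast the default feature set, a core-only build, and a multi-host build:

```toml
[dependencies]
# 1. Default feature set: std, gzip, fork, regex, tui_monitor, llmp_compression,
#    llmp_broker_timeouts, llmp_small_maps, derive, rand_trait, serdeany_autoreg.
libafl = "0.15"

# 2. Core-only build that does not pull in the standard library (see "LibAFL Core"
#    above). Opt back into individual features as the target needs them.
# libafl = { version = "0.15", default-features = false }

# 3. Campaign spread over several hosts: llmp_bind_public makes the broker listen
#    on 0.0.0.0, so restrict the port to the fuzzing network at the firewall.
# libafl = { version = "0.15", features = ["llmp_bind_public", "tcp_manager"] }
```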

Re-exports§

pub use common::*;
pub use fuzzer::*;

Modules§

common
This module defines traits shared across different LibAFL modules
corpus
Corpuses contain the testcases, either in memory, on disk, or somewhere else.
events
An EventManager manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other Events.
executors
Executors take input, and run it in the target.
feedbacks
The feedbacks reduce observer state after each run to a single is_interesting-value. If a testcase is interesting, it may be added to a Corpus.
fuzzer
The Fuzzer is the main struct for a fuzz campaign.
generators
Generators may generate bytes or, in general, data, for inputs.
inputs
Inputs are the actual contents sent to a target for each execution.
monitors
Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
mutators
Mutators mutate input during fuzzing.
observers
Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
prelude
The purpose of this module is to alleviate imports of many components by adding a glob import.
schedulers
Schedule the access to the Corpus.
stages
A Stage is a technique used during fuzzing, working on one crate::corpus::Corpus entry, and potentially altering it or creating new entries. A well-known Stage, for example, is the mutational stage, running multiple crate::mutators::Mutators against a crate::corpus::Testcase, potentially storing new ones, according to crate::feedbacks::Feedback. Other stages may enrich crate::corpus::Testcases with metadata.
state
The fuzzer and the state are the core pieces of every good fuzzer
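
The modules above describe one data path: an input is run by an executor, observers record what the target did, feedbacks reduce that to an is_interesting bit, interesting inputs enter the corpus, a scheduler picks the next corpus entry, and a mutational stage mutates it. The program below is an added example that models that path with std-only types; it is not LibAFL code and uses none of its APIs. The target (`execute`), the 8-entry coverage map, the xorshift PRNG and the `b"FUZZ"` byte sequence it hunts for are all constructed for the example.

```rust
// Added example (not LibAFL code): a std-only model of the pipeline that the
// modules above describe. Each item stands in for one LibAFL component.
const MAP_SIZE: usize = 8;           // assumption: a tiny edge map is enough here
const MAGIC: &[u8; 4] = b"FUZZ";     // constructed target "secret"

/// inputs: the bytes sent to the target for one execution.
#[derive(Clone, Debug, PartialEq)]
pub struct BytesInput(pub Vec<u8>);

/// observers: an edge-coverage map the target writes into, one counter per edge.
#[derive(Default)]
pub struct MapObserver { pub map: [u8; MAP_SIZE] }

#[derive(Debug, PartialEq)]
pub enum ExitKind { Ok, Crash }

/// executors: run the toy target in-process and report how it exited. The target
/// marks edge i+1 for every byte of MAGIC matched in order; a full match stands
/// in for a crash.
pub fn execute(input: &BytesInput, obs: &mut MapObserver) -> ExitKind {
    obs.map = [0; MAP_SIZE];
    obs.map[0] = 1; // entry edge, hit by every run
    for (i, &m) in MAGIC.iter().enumerate() {
        if input.0.get(i) != Some(&m) { return ExitKind::Ok; }
        obs.map[i + 1] = 1;
    }
    ExitKind::Crash
}

/// feedbacks: reduce observer state to one is_interesting bit. This MaxMapFeedback-
/// style feedback keeps the highest value seen per edge and calls a run interesting
/// when it raises any entry, i.e. when the run reached a new edge.
#[derive(Default)]
pub struct MaxMapFeedback { history: [u8; MAP_SIZE] }
impl MaxMapFeedback {
    pub fn is_interesting(&mut self, obs: &MapObserver) -> bool {
        let mut novel = false;
        for (h, &v) in self.history.iter_mut().zip(obs.map.iter()) {
            if v > *h { *h = v; novel = true; }
        }
        novel
    }
}

/// The objective (CrashFeedback-like): interesting iff the target crashed.
pub fn crash_feedback(kind: &ExitKind) -> bool { *kind == ExitKind::Crash }

/// corpus: testcases kept in memory, addressed by index (the CorpusId).
#[derive(Default)]
pub struct InMemoryCorpus { pub entries: Vec<BytesInput> }

/// schedulers: round-robin over the corpus.
#[derive(Default)]
pub struct QueueScheduler { next: usize }
impl QueueScheduler {
    pub fn next_id(&mut self, corpus: &InMemoryCorpus) -> usize {
        let id = self.next % corpus.entries.len();
        self.next += 1;
        id
    }
}

/// mutators: overwrite one byte at a random position with a random value.
pub struct ByteMutator { rng: u64 }
impl ByteMutator {
    fn rand(&mut self) -> u64 { // xorshift64: deterministic and good enough here
        self.rng ^= self.rng << 13; self.rng ^= self.rng >> 7; self.rng ^= self.rng << 17;
        self.rng
    }
    pub fn mutate(&mut self, input: &mut BytesInput) {
        let pos = (self.rand() % input.0.len() as u64) as usize;
        input.0[pos] = (self.rand() & 0xff) as u8;
    }
}

/// state + fuzzer: owns every component and runs a mutational stage until the
/// objective fires or the execution budget is spent.
/// Returns (corpus, solutions, executions).
pub fn fuzz(seed: u64, budget: usize) -> (InMemoryCorpus, Vec<BytesInput>, usize) {
    let mut obs = MapObserver::default();
    let mut feedback = MaxMapFeedback::default();
    let mut corpus = InMemoryCorpus::default();
    let mut solutions = Vec::new();
    let mut scheduler = QueueScheduler::default();
    let mut mutator = ByteMutator { rng: seed | 1 }; // xorshift must not start at 0
    // generators: a single all-zero seed input of MAGIC's length.
    let initial = BytesInput(vec![0; MAGIC.len()]);
    let mut execs = 0;
    execute(&initial, &mut obs); execs += 1;
    if feedback.is_interesting(&obs) { corpus.entries.push(initial); }
    // stages: one mutational step per scheduled testcase.
    while execs < budget && solutions.is_empty() {
        let id = scheduler.next_id(&corpus);
        let mut input = corpus.entries[id].clone();
        mutator.mutate(&mut input);
        let kind = execute(&input, &mut obs); execs += 1;
        if crash_feedback(&kind) {
            solutions.push(input);       // objectives are checked before feedbacks
        } else if feedback.is_interesting(&obs) {
            corpus.entries.push(input);  // new edge: keep it for further mutation
        }
    }
    (corpus, solutions, execs)
}

fn main() {
    let (corpus, solutions, execs) = fuzz(0x1234_5678, 1_000_000);
    println!("{} corpus entries, {} solutions after {} execs",
             corpus.entries.len(), solutions.len(), execs);
}
```

Because the target only reveals one new edge per correctly guessed byte, the corpus ends with exactly four entries (edges 0 to 3) and the crashing input lands in the solutions list rather than the corpus; that ordering, objectives before feedbacks, is what keeps crashing inputs from being scheduled for further mutation.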

Macros§

feedback_and
Variadic macro to create a chain of AndFeedback
feedback_and_fast
Variadic macro to create a chain of (fast) AndFeedback
feedback_not
Variadic macro to create a NotFeedback
feedback_or
Variadic macro to create a chain of OrFeedback
feedback_or_fast
Combines multiple feedbacks with an OR operation, not executing feedbacks after the first positive result
impl_default_multipart
Implements the marker trait super::DefaultMultipartMutator for one to many types, e.g.:
mark_feature_time
Mark the elapsed time for the given feature
mark_feedback_time
Mark the elapsed time for the given feedback
none_input_converter
None type to satisfy the type inference in an Option
nonzero
Zero-cost way to construct core::num::NonZeroUsize at compile-time.
random_corpus_id
Utility macro to call Corpus::random_id; fetches only enabled Testcases
random_corpus_id_with_disabled
Utility macro to call Corpus::random_id; fetches both enabled and disabled Testcases. Note: use Corpus::get_from_all, as disabled entries are inaccessible from Corpus::get
require_index_tracking
Use in the constructor of your component which requires index tracking of a super::MapObserver. See super::CanTrack for details.
require_novelties_tracking
Use in the constructor of your component which requires novelties tracking of a super::MapObserver. See super::CanTrack for details on the concept.
start_timer
Start the timer
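
The difference between feedback_or and feedback_or_fast (and between feedback_and and feedback_and_fast) is evaluation order: the fast variants stop at the first decisive result, so feedbacks after it are never consulted for that run. That matters when a later feedback is there for its side effects, such as recording timing metadata or updating a novelty history. The program below is an added example, not the macros' implementation; it models the combinators with a trait of its own and a counting feedback so the number of evaluations can be observed.

```rust
// Added example (not libafl's macros): a model of the short-circuit behaviour of
// feedback_or / feedback_and versus their _fast variants.
pub trait Feedback {
    fn is_interesting(&mut self) -> bool;
}

/// A feedback with a fixed verdict that counts how often it was consulted,
/// standing in for any feedback whose run has side effects worth preserving.
pub struct Counting { verdict: bool, pub calls: usize }
impl Counting {
    pub fn new(verdict: bool) -> Self { Counting { verdict, calls: 0 } }
}
impl Feedback for Counting {
    fn is_interesting(&mut self) -> bool { self.calls += 1; self.verdict }
}

/// feedback_or (fast = false) / feedback_or_fast (fast = true).
pub struct OrFeedback<A, B> { pub a: A, pub b: B, pub fast: bool }
impl<A: Feedback, B: Feedback> Feedback for OrFeedback<A, B> {
    fn is_interesting(&mut self) -> bool {
        let a = self.a.is_interesting();
        if self.fast && a { return true; } // fast: skip b after the first positive
        let b = self.b.is_interesting();   // non-fast: b always runs
        a || b
    }
}

/// feedback_and (fast = false) / feedback_and_fast (fast = true).
pub struct AndFeedback<A, B> { pub a: A, pub b: B, pub fast: bool }
impl<A: Feedback, B: Feedback> Feedback for AndFeedback<A, B> {
    fn is_interesting(&mut self) -> bool {
        let a = self.a.is_interesting();
        if self.fast && !a { return false; } // fast: skip b after the first negative
        let b = self.b.is_interesting();
        a && b
    }
}

/// feedback_not.
pub struct NotFeedback<A> { pub a: A }
impl<A: Feedback> Feedback for NotFeedback<A> {
    fn is_interesting(&mut self) -> bool { !self.a.is_interesting() }
}

/// Runs `a OR b` once with `a` already positive and reports
/// (verdict, times b was consulted) for the chosen variant.
pub fn or_with_positive_first(fast: bool) -> (bool, usize) {
    let mut f = OrFeedback { a: Counting::new(true), b: Counting::new(false), fast };
    let v = f.is_interesting();
    (v, f.b.calls)
}

/// Runs `a AND b` once with `a` already negative and reports
/// (verdict, times b was consulted) for the chosen variant.
pub fn and_with_negative_first(fast: bool) -> (bool, usize) {
    let mut f = AndFeedback { a: Counting::new(false), b: Counting::new(true), fast };
    let v = f.is_interesting();
    (v, f.b.calls)
}

fn main() {
    println!("feedback_or:       {:?}", or_with_positive_first(false));
    println!("feedback_or_fast:  {:?}", or_with_positive_first(true));
    println!("feedback_and:      {:?}", and_with_negative_first(false));
    println!("feedback_and_fast: {:?}", and_with_negative_first(true));
}
```

The verdicts agree in every case; only the call count on `b` differs. Use the fast variants where the trailing feedbacks are pure checks (a typical objective chain is a crash feedback followed by a timeout feedback) and the non-fast variants where every feedback in the chain has to see every run.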

Enums§

Error
Main error type for LibAFL