Welcome to LibAFL
LibAFL Core
LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.
The online documentation for this crate is available here.
Feature Flags
General Features
- `std` (enabled by default) — Enables features that need Rust's `std` lib to work, like print, env, … support
- `introspection` — Collects performance statistics of the fuzzing pipeline and displays it on `Monitor` components
- `scalability_introspection` — Collects stats about scalability
- `python` — Will build the `pyo3` bindings
- `prelude` (enabled by default) — Expose `libafl::prelude` for access without additional using directives
- `afl_exec_sec` — Calculate exec/sec like AFL, using 5 second time windows
- `errors_backtrace` — Stores the backtraces of all generated `Error`s. Good for debugging, but may come with a slight performance hit.
- `corpus_btreemap` — Switches from `HashMap` to `BTreeMap` for `CorpusId`
- `gzip` (enabled by default) — Enables gzip compression in certain parts of the lib
- `fork` (enabled by default) — If set, will use the `fork()` syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on `Windows`).
- `adaptive_serialization` — Collects stats to decide if observers must be serialized or not (which should reduce mem use and increase speed)
Additional Components
- `tcp_manager` — Enables `TcpEventManager`, a simple EventManager proxying everything via TCP. This uses `tokio`.
- `regex` (enabled by default) — Enables the `NaiveTokenizer` and `StacktraceObserver`
- `casr` — Enables deduplication based on `libcasr` for `StacktraceObserver`
- `cmin` — Enables features for corpus minimization
- `prometheus_monitor` — Enables the `PrometheusMonitor`, which will monitor stats via UDP, for `Grafana` and others.
- `concolic_mutation` — Include a simple concolic mutator based on z3
- `tui_monitor` (enabled by default) — Enable the fancy TuiMonitor for a terminal UI using crossterm
- `unicode` — Enables `StringClassificationStage` and associated mutators, which allow for mutations which preserve the Unicode property data
LibAFL-Bolts Features
- `derive` (enabled by default) — Provide the `#[derive(SerdeAny)]` macro.
- `cli` — Expose `libafl_bolts::cli` for easy commandline parsing of common fuzzer settings
- `qemu_cli` — Enables extra commandline flags for qemu-based fuzzers in `cli`
- `frida_cli` — Enables extra commandline flags for frida-based fuzzers in `cli`
- `rand_trait` (enabled by default) — If set, libafl_bolt's `rand` implementations will implement `rand::Rng`
SerdeAny features
- `serdeany_autoreg` (enabled by default) — Automatically register all `#[derive(SerdeAny)]` types at startup.
LLMP features
- `llmp_broker_timeouts` (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes
- `llmp_bind_public` — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default.
- `llmp_compression` (enabled by default) — Enables llmp compression using GZip
- `llmp_debug` — Enables debug output for LLMP (also needs a `logger` installed)
- `llmp_small_maps` (enabled by default) — Reduces the initial map size for llmp
License-Changing Dependencies (!)
- `agpl` — Enables all features hiding dependencies licensed under `AGPL`
- `nautilus` — Enables the `Nautilus` Grammar Mutator (AGPL-licensed)
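As an added example (not part of the crate's own documentation), a `Cargo.toml` dependency entry that opts out of the default feature set and re-enables only the flags listed above that a hosted, non-AGPL build needs; the version string is a placeholder to be pinned to the release you build against:

```toml
[dependencies.libafl]
version = "X.Y.Z"          # placeholder: pin to the libafl release you build against
# Turn off every "(enabled by default)" flag, then opt back in explicitly so the
# feature set is visible in the manifest rather than implied by the defaults.
default-features = false
features = [
  "std",                   # needed for print/env support on a hosted target
  "prelude",               # `use libafl::prelude::*` without extra imports
  "fork",                  # spawn children via fork() where the OS supports it
  "regex",                 # NaiveTokenizer and StacktraceObserver
  "derive",                # #[derive(SerdeAny)] from libafl_bolts
  "serdeany_autoreg",      # register SerdeAny types at startup
  "llmp_broker_timeouts",  # broker loop yields even without client messages
  "llmp_compression",      # GZip-compress LLMP traffic
  "llmp_small_maps",       # smaller initial LLMP map size
  # Deliberately not enabled:
  #   "llmp_bind_public"   -> would bind 0.0.0.0 instead of localhost
  #   "agpl", "nautilus"   -> would pull in AGPL-licensed dependencies
  #   "tui_monitor"        -> not wanted in a headless/CI build
]
```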
Re-exports
pub use fuzzer::*;
Modules
- `bolts` (Deprecated) — Dummy export that will warn with a deprecation note on usage. Use the `libafl_bolts` crate instead.
- Corpuses contain the testcases, either in memory, on disk, or somewhere else.
- An `EventManager` manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other `Event`s.
- Executors take input, and run it in the target.
- The feedbacks reduce observer state after each run to a single `is_interesting`-value. If a testcase is interesting, it may be added to a Corpus.
- The `Fuzzer` is the main struct for a fuzz campaign.
- Generators may generate bytes or, in general, data, for inputs.
- Inputs are the actual contents sent to a target for each execution.
- Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
- Mutators mutate input during fuzzing.
- Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
- The purpose of this module is to alleviate imports of many components by adding a glob import.
- Schedule the access to the Corpus.
- A `Stage` is a technique used during fuzzing, working on one `crate::corpus::Corpus` entry, and potentially altering it or creating new entries. A well-known `Stage`, for example, is the mutational stage, running multiple `crate::mutators::Mutator`s against a `crate::corpus::Testcase`, potentially storing new ones, according to `crate::feedbacks::Feedback`. Other stages may enrich `crate::corpus::Testcase`s with metadata.
- The fuzzer, and state are the core pieces of every good fuzzer
Macros
- Variadic macro to create a chain of `AndFeedback`
- Variadic macro to create a chain of (fast) `AndFeedback`
- Variadic macro to create a `NotFeedback`
- Variadic macro to create a chain of `OrFeedback`
- Combines multiple feedbacks with an `OR` operation, not executing feedbacks after the first positive result
- Mark the elapsed time for the given feature
- Mark the elapsed time for the given feature
- `None` type to satisfy the type inference in an `Option`
- Utility macro to call `Corpus::random_id`
- Start the timer
Enums
- Main error struct for `LibAFL`