Crate libafl

Welcome to LibAFL

LibAFL Core

LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.

The online documentation for this crate is available here.

Feature Flags

General Features

• std (enabled by default) — Enables features that need rust’s std lib to work, like print, env, … support
• introspection — Collects performance statistics of the fuzzing pipeline and displays it on Monitor components
• scalability_introspection — Collects stats about scalability
• prelude (enabled by default) — Expose libafl::prelude for access without additional using directives
• afl_exec_sec — Calculate exec/sec like AFL, using 5 second time windows
• errors_backtrace — Stores the backtraces of all generated Errors. Good for debugging, but may come with a slight performance hit.
• corpus_btreemap — Switches from HashMap to BTreeMap for CorpusId
• gzip (enabled by default) — Enables gzip compression in certain parts of the lib
• fork (enabled by default) — If set, will use the fork() syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on Windows).
• adaptive_serialization — Collected stats to decide if observers must be serialized or not (which should reduce mem use and increase speed)
• handle_sigpipe — If this feature is set, LibAFL targets (and the fuzzer) will crash on SIGPIPE on unix systems.

Additional Components

• tcp_manager — Enables TcpEventManager, a simple EventManager proxying everything via TCP. This uses tokio.
• regex (enabled by default) — Enables the NaiveTokenizer and StacktraceObserver
• casr — Enables deduplication based on libcasr for StacktraceObserver
• cmin — Enables features for corpus minimization
• prometheus_monitor — Enables the PrometheusMonitor which will monitor stats via UDP, for Grafana and others.
• concolic_mutation — Include a simple concolic mutator based on z3
• tui_monitor (enabled by default) — Enable the fancy TuiMonitor for a termanal UI using crossterm
• unicode — Enables StringClassificationStage and associated mutators, which allow for mutations which preserve the Unicode property data
• multipart_inputs — Enable multi-part input formats and mutators

LibAFL-Bolts Features

• derive (enabled by default) — Provide the #[derive(SerdeAny)] macro.
• cli — Expose libafl_bolts::cli for easy commandline parsing of common fuzzer settings
• qemu_cli — Enables extra commandline flags for qemu-based fuzzers in cli
• frida_cli — Enables extra commandline flags for frida-based fuzzers in cli
• rand_trait (enabled by default) — If set, libafl_bolt’s rand implementations will implement rand::Rng

SerdeAny features

• serdeany_autoreg (enabled by default) — Automatically register all #[derive(SerdeAny)] types at startup.

LLMP features

• llmp_broker_timeouts (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes
• llmp_bind_public — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default.
• llmp_compression (enabled by default) — Enables llmp compression using GZip
• llmp_debug — Enables debug output for LLMP (also needs a logger installed)
• llmp_small_maps (enabled by default) — Reduces the initial map size for llmp

License-Changing Dependencies(!)

• agpl — Enables all features hiding dependencies licensed under AGPL
• nautilus — Enables the Nautilus Grammar Mutator (AGPL-licensed)

Re-exports

• pub use common::*;
• pub use fuzzer::*;

Modules

• boltsDeprecated
  Dummy export that will warn with a deprecation note on usage. Use the libafl_bolts crate instead.
• common
  This module defines trait shared across different LibAFL modules
• corpus
  Corpuses contain the testcases, either in memory, on disk, or somewhere else.
• events
  An EventManager manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other Events.
• executors
  Executors take input, and run it in the target.
• feedbacks
  The feedbacks reduce observer state after each run to a single is_interesting-value. If a testcase is interesting, it may be added to a Corpus.
• fuzzer
  The Fuzzer is the main struct for a fuzz campaign.
• generators
  Generators may generate bytes or, in general, data, for inputs.
• inputs
  Inputs are the actual contents sent to a target for each exeuction.
• monitors
  Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
• mutators
  Mutators mutate input during fuzzing.
• observers
  Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
• prelude
  The purpose of this module is to alleviate imports of many components by adding a glob import.
• schedulers
  Schedule the access to the Corpus.
• stages
  A Stage is a technique used during fuzzing, working on one crate::corpus::Corpus entry, and potentially altering it or creating new entries. A well-known Stage, for example, is the mutational stage, running multiple crate::mutators::Mutators against a crate::corpus::Testcase, potentially storing new ones, according to crate::feedbacks::Feedback. Other stages may enrich crate::corpus::Testcases with metadata.
• state
  The fuzzer, and state are the core pieces of every good fuzzer

Macros

• feedback_and
  Variadic macro to create a chain of AndFeedback
• feedback_and_fast
  Variadic macro to create a chain of (fast) AndFeedback
• feedback_not
  Variadic macro to create a NotFeedback
• feedback_or
  Variadic macro to create a chain of OrFeedback
• feedback_or_fast
  Combines multiple feedbacks with an OR operation, not executing feedbacks after the first positive result
• impl_default_multipart
  Implements the marker trait super::DefaultMultipartMutator for one to many types, e.g.:
• mark_feature_time
  Mark the elapsed time for the given feature
• mark_feedback_time
  Mark the elapsed time for the given feature
• none_input_converter
  None type to satisfy the type infearence in an Option
• random_corpus_id
  Utility macro to call Corpus::random_id; fetches only enabled testcases
• random_corpus_id_with_disabled
  Utility macro to call Corpus::random_id; fetches both enabled and disabled testcases Note: use Corpus::get_from_all as disabled entries are inaccessible from Corpus::get
• require_index_tracking
  Use in the constructor of your component which requires index tracking of a super::MapObserver. See super::CanTrack for details.
• require_novelties_tracking
  Use in the constructor of your component which requires novelties tracking of a super::MapObserver. See super::CanTrack for details on the concept.
• start_timer
  Start the timer

Enums

• Error
  Main error struct for LibAFL