Welcome to LibAFL
§LibAFL Core
LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.
The online documentation for this crate is available here.
§Feature Flags
§General Features
- `std` (enabled by default) — Enables features that need Rust’s `std` lib to work, like print, env, … support
- `track_hit_feedbacks` — Tracks the Feedbacks and the Objectives that were interesting for a Testcase
- `introspection` — Collects performance statistics of the fuzzing pipeline and displays it on `Monitor` components
- `scalability_introspection` — Collects stats about scalability
- `prelude` (enabled by default) — Expose `libafl::prelude` for access without additional using directives
- `afl_exec_sec` — Calculate exec/sec like AFL, using 5 second time windows
- `errors_backtrace` — Stores the backtraces of all generated `Error`s. Good for debugging, but may come with a slight performance hit.
- `corpus_btreemap` — Switches from `HashMap` to `BTreeMap` for `CorpusId`
- `gzip` (enabled by default) — Enables gzip compression in certain parts of the lib
- `fork` (enabled by default) — If set, will use the `fork()` syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on `Windows`).
- `handle_sigpipe` — If this feature is set, `LibAFL` targets (and the fuzzer) will crash on `SIGPIPE` on unix systems.
§Additional Components
- `tcp_manager` — Enables `TcpEventManager`, a simple EventManager proxying everything via TCP. This uses `tokio`.
- `tcp_compression` — Enables compression for the TCP manager
- `multi_machine` — Enable multi-machine support
- `regex` (enabled by default) — Enables the `NaiveTokenizer` and `StacktraceObserver`
- `casr` — Enables deduplication based on `libcasr` for `StacktraceObserver`
- `cmin` — Enables features for corpus minimization
- `prometheus_monitor` — Enables the `PrometheusMonitor` which will monitor stats via UDP, for `Grafana` and others.
- `concolic_mutation` — Include a simple concolic mutator based on z3
- `tui_monitor` (enabled by default) — Enable the fancy TuiMonitor for a terminal UI using crossterm
- `unicode` — Enables `UnicodeClassificationStage` and associated mutators, which allow for mutations which preserve the Unicode property data
- `multipart_inputs` — Enable multi-part input formats and mutators
§LibAFL-Bolts Features
- `derive` (enabled by default) — Provide the `#[derive(SerdeAny)]` macro.
- `cli` — Expose `libafl_bolts::cli` for easy commandline parsing of common fuzzer settings
- `qemu_cli` — Enables extra commandline flags for qemu-based fuzzers in `cli`
- `frida_cli` — Enables extra commandline flags for frida-based fuzzers in `cli`
- `rand_trait` (enabled by default) — If set, libafl_bolt’s `rand` implementations will implement `rand::Rng`
§SerdeAny features
- `serdeany_autoreg` (enabled by default) — Automatically register all `#[derive(SerdeAny)]` types at startup.
§LLMP features
- `llmp_broker_timeouts` (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes
- `llmp_bind_public` — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default.
- `llmp_compression` (enabled by default) — Enables llmp compression using GZip
- `llmp_debug` — Enables debug output for LLMP (also needs a `logger` installed)
- `llmp_small_maps` (enabled by default) — Reduces the initial map size for llmp
- `nautilus` — Grammar mutator. Requires nightly.
Re-exports§
Modules§
- This module defines traits shared across different `LibAFL` modules
- Corpuses contain the testcases, either in memory, on disk, or somewhere else.
- An `EventManager` manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other `Event`s.
- Executors take input, and run it in the target.
- The feedbacks reduce observer state after each run to a single `is_interesting`-value. If a testcase is interesting, it may be added to a Corpus.
- The `Fuzzer` is the main struct for a fuzz campaign.
- Generators may generate bytes or, in general, data, for inputs.
- Inputs are the actual contents sent to a target for each execution.
- Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
- `Mutator`s mutate input during fuzzing. These can be used standalone or in combination with other mutators to explore the input space more effectively. You can read more about mutators in the libAFL book
- Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
- The purpose of this module is to alleviate imports of many components by adding a glob import.
- Schedule the access to the Corpus.
- A `Stage` is a technique used during fuzzing, working on one `crate::corpus::Corpus` entry, and potentially altering it or creating new entries. A well-known `Stage`, for example, is the mutational stage, running multiple `crate::mutators::Mutator`s against a `crate::corpus::Testcase`, potentially storing new ones, according to `crate::feedbacks::Feedback`. Other stages may enrich `crate::corpus::Testcase`s with metadata.
- The fuzzer, and state are the core pieces of every good fuzzer
Macros§
- Variadic macro to create a chain of `AndFeedback`
- Variadic macro to create a chain of (fast) `AndFeedback`
- Variadic macro to create a `NotFeedback`
- Variadic macro to create a chain of `OrFeedback`
- Combines multiple feedbacks with an `OR` operation, not executing feedbacks after the first positive result
- Implements the marker trait `super::DefaultMultipartMutator` for one to many types, e.g.:
- Mark the elapsed time for the given feature
- Mark the elapsed time for the given feature
- `None` type to satisfy the type inference in an `Option`
- Utility macro to call `Corpus::random_id`; fetches only enabled testcases
- Utility macro to call `Corpus::random_id`; fetches both enabled and disabled testcases. Note: use `Corpus::get_from_all` as disabled entries are inaccessible from `Corpus::get`
- Use in the constructor of your component which requires index tracking of a `super::MapObserver`. See `super::CanTrack` for details.
- Use in the constructor of your component which requires novelties tracking of a `super::MapObserver`. See `super::CanTrack` for details on the concept.
- Start the timer
Enums§
- Main error struct for `LibAFL`