Crate libafl

Welcome to LibAFL

LibAFL Core

LibAFL Core is the main library and contains the fuzzing components and their implementations. A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library.

The online documentation for this crate is available here.

Feature Flags

General Features

• std (enabled by default) — Enables features that need rust’s std lib to work, like print, env, … support
• track_hit_feedbacks — Tracks the Feedbacks and the Objectives that were interesting for a Testcase
• introspection — Collects performance statistics of the fuzzing pipeline and displays it on Monitor components
• scalability_introspection — Collects stats about scalability
• prelude (enabled by default) — Expose libafl::prelude for access without additional using directives
• afl_exec_sec — Calculate exec/sec like AFL, using 5 second time windows
• errors_backtrace — Stores the backtraces of all generated Errors. Good for debugging, but may come with a slight performance hit.
• corpus_btreemap — Switches from HashMap to BTreeMap for CorpusId
• gzip (enabled by default) — Enables gzip compression in certain parts of the lib
• fork (enabled by default) — If set, will use the fork() syscall to spawn children, instead of launching a new command, if supported by the OS (has no effect on Windows).
• handle_sigpipe — If this feature is set, LibAFL targets (and the fuzzer) will crash on SIGPIPE on unix systems.

Additional Components

• tcp_manager — Enables TcpEventManager, a simple EventManager proxying everything via TCP. This uses tokio.
• tcp_compression — Enables compression for the TCP manager
• multi_machine — Enable multi-machine support
• regex (enabled by default) — Enables the NaiveTokenizer and StacktraceObserver
• casr — Enables deduplication based on libcasr for StacktraceObserver
• cmin — Enables features for corpus minimization
• prometheus_monitor — Enables the PrometheusMonitor which will monitor stats via UDP, for Grafana and others.
• concolic_mutation — Include a simple concolic mutator based on z3
• tui_monitor (enabled by default) — Enable the fancy TuiMonitor for a termanal UI using crossterm
• unicode — Enables UnicodeClassificationStage and associated mutators, which allow for mutations which preserve the Unicode property data
• multipart_inputs — Enable multi-part input formats and mutators

LibAFL-Bolts Features

• derive (enabled by default) — Provide the #[derive(SerdeAny)] macro.
• cli — Expose libafl_bolts::cli for easy commandline parsing of common fuzzer settings
• qemu_cli — Enables extra commandline flags for qemu-based fuzzers in cli
• frida_cli — Enables extra commandline flags for frida-based fuzzers in cli
• rand_trait (enabled by default) — If set, libafl_bolt’s rand implementations will implement rand::Rng

SerdeAny features

• serdeany_autoreg (enabled by default) — Automatically register all #[derive(SerdeAny)] types at startup.

LLMP features

• llmp_broker_timeouts (enabled by default) — The broker loop will yield occasionally, even without status messages from client nodes
• llmp_bind_public — If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default.
• llmp_compression (enabled by default) — Enables llmp compression using GZip
• llmp_debug — Enables debug output for LLMP (also needs a logger installed)
• llmp_small_maps (enabled by default) — Reduces the initial map size for llmp
• nautilus — Grammar mutator. Requires nightly.

Re-exports

• pub use common::*;
• pub use fuzzer::*;

Modules

• common
  This module defines trait shared across different LibAFL modules
• corpus
  Corpuses contain the testcases, either in memory, on disk, or somewhere else.
• events
  An EventManager manages all events that go to other instances of the fuzzer. The messages are commonly information about new Testcases as well as stats and other Events.
• executors
  Executors take input, and run it in the target.
• feedbacks
  The feedbacks reduce observer state after each run to a single is_interesting-value. If a testcase is interesting, it may be added to a Corpus.
• fuzzer
  The Fuzzer is the main struct for a fuzz campaign.
• generators
  Generators may generate bytes or, in general, data, for inputs.
• inputs
  Inputs are the actual contents sent to a target for each exeuction.
• monitors
  Keep stats, and display them to the user. Usually used in a broker, or main node, of some sort.
• mutators
  Mutators mutate input during fuzzing. These can be used standalone or in combination with other mutators to explore the input space more effectively. You can read more about mutators in the libAFL book
• observers
  Observers give insights about runs of a target, such as coverage, timing, stack depth, and more.
• prelude
  The purpose of this module is to alleviate imports of many components by adding a glob import.
• schedulers
  Schedule the access to the Corpus.
• stages
  A Stage is a technique used during fuzzing, working on one crate::corpus::Corpus entry, and potentially altering it or creating new entries. A well-known Stage, for example, is the mutational stage, running multiple crate::mutators::Mutators against a crate::corpus::Testcase, potentially storing new ones, according to crate::feedbacks::Feedback. Other stages may enrich crate::corpus::Testcases with metadata.
• state
  The fuzzer, and state are the core pieces of every good fuzzer

Macros

• feedback_and
  Variadic macro to create a chain of AndFeedback
• feedback_and_fast
  Variadic macro to create a chain of (fast) AndFeedback
• feedback_not
  Variadic macro to create a NotFeedback
• feedback_or
  Variadic macro to create a chain of OrFeedback
• feedback_or_fast
  Combines multiple feedbacks with an OR operation, not executing feedbacks after the first positive result
• impl_default_multipart
  Implements the marker trait super::DefaultMultipartMutator for one to many types, e.g.:
• mark_feature_time
  Mark the elapsed time for the given feature
• mark_feedback_time
  Mark the elapsed time for the given feature
• none_input_converter
  None type to satisfy the type infearence in an Option
• random_corpus_id
  Utility macro to call Corpus::random_id; fetches only enabled testcases
• random_corpus_id_with_disabled
  Utility macro to call Corpus::random_id; fetches both enabled and disabled testcases Note: use Corpus::get_from_all as disabled entries are inaccessible from Corpus::get
• require_index_tracking
  Use in the constructor of your component which requires index tracking of a super::MapObserver. See super::CanTrack for details.
• require_novelties_tracking
  Use in the constructor of your component which requires novelties tracking of a super::MapObserver. See super::CanTrack for details on the concept.
• start_timer
  Start the timer

Enums

• Error
  Main error struct for LibAFL