Expand description
A Stage
is a technique used during fuzzing, working on one crate::corpus::Corpus
entry, and potentially altering it or creating new entries.
A well-known Stage
, for example, is the mutational stage, running multiple crate::mutators::Mutator
s against a crate::corpus::Testcase
, potentially storing new ones, according to crate::feedbacks::Feedback
.
Other stages may enrich crate::corpus::Testcase
s with metadata.
Re-exports§
pub use calibrate::CalibrationStage;
pub use concolic::ConcolicTracingStage;
pub use concolic::SimpleConcolicMutationalStage;
pub use generalization::GeneralizationStage;
pub use mutational::MutationalStage;
pub use mutational::StdMutationalStage;
pub use power::PowerMutationalStage;
pub use power::StdPowerMutationalStage;
pub use stats::AflStatsStage;
pub use tmin::MapEqualityFactory;
pub use tmin::MapEqualityFeedback;
pub use tmin::StdTMinMutationalStage;
pub use tmin::TMinMutationalStage;
pub use tracing::ShadowTracingStage;
pub use tracing::TracingStage;
pub use colorization::*;
pub use dump::*;
pub use logics::*;
pub use string::*;
pub use sync::*;
pub use tuneable::*;
Modules§
- The calibration stage. The fuzzer measures the average exec time and the bitmap size.
- The colorization stage from
colorization()
in afl++ - This module contains the
concolic
stages, which can trace a target using symbolic execution and use the results for fuzzer input and mutations. - The
DumpToDiskStage
is a stage that dumps the corpus and the solutions to disk to e.g. allow AFL to sync - The tracing stage can trace the target and enrich a
crate::corpus::Testcase
with metadata, for example forCmpLog
. - Stage wrappers that add logics to stage list
- Mutational stage is the normal fuzzing stage. For the current input, it will perform a range of random mutations, and then run them in the executor.
- The power schedules. This stage should be invoked after the calibration stage.
- While normal stages call the executor over and over again, push stages turn this concept upside down: A push stage instead returns an iterator that generates a new result for each time it gets called. With the new testcase, you will have to take care about testcase execution, manually. The push stage relies on internal mutability of the supplied
Observers
. - Stage to compute/report AFL stats
- Stages which analysis common to Unicode-style mutations
- The
SyncFromDiskStage
is a stage that imports inputs from disk for e.g. sync with AFL - The
TMinMutationalStage
is a stage which will attempt to minimize corpus entries. - The tracing stage can trace the target and enrich a testcase with metadata, for example for
CmpLog
. - A
crate::stages::MutationalStage
where the mutator iteration can be tuned at runtime
Structs§
- A
Stage
that will call a closure - A tool shed of functions to be used for stages that try to run for
n
iterations. SerdeAny
metadata used to keep track of executions since start for a given stage.- Allows us to use a
push::PushStage
as a normalStage
- Progress which permits a fixed amount of resumes per round of fuzzing. If this amount is ever exceeded, the input will no longer be executed by this stage.
Traits§
- Trait for types which track the current stage
- Trait for types which track nested stages. Stages which themselves contain stage tuples should ensure that they constrain the state with this trait accordingly.
- A stage is one step in the fuzzing process. Multiple stages will be scheduled one by one for each input.
- A tuple holding all
Stages
used for fuzzing.