├── .clang-format ├── .devcontainer ├── Build │ └── devcontainer.json └── Download │ └── devcontainer.json ├── .dockerignore ├── .github ├── .linkspector.yml ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── empty.md │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── build_and_test.yml │ ├── fuzzer-tester-prepare │ └── action.yml │ ├── librasan-prepare │ └── action.yml │ ├── qemu-fuzzer-tester-prepare │ └── action.yml │ ├── ubuntu-prepare │ └── action.yml │ └── windows-tester-prepare │ └── action.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .vscode └── settings.json.default ├── CONTRIBUTING.md ├── Cargo.toml ├── Dockerfile ├── LICENSE-APACHE ├── LICENSE-MIT ├── MIGRATION.md ├── README.md ├── TROPHIES.md ├── bindings └── pylibafl │ ├── .gitignore │ ├── Cargo.toml │ ├── README.md │ ├── pyproject.toml │ ├── src │ └── lib.rs │ ├── test.py │ └── test.sh ├── docs ├── .gitignore ├── README.md ├── book.toml ├── listings │ └── baby_fuzzer │ │ ├── .gitignore │ │ ├── justfile │ │ ├── listing-01 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ ├── listing-02 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ ├── listing-03 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ ├── listing-04 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ ├── listing-05 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ │ └── listing-06 │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ └── main.rs └── src │ ├── DEBUGGING.md │ ├── SUMMARY.md │ ├── advanced_features │ ├── advanced_features.md │ ├── concolic.md │ ├── frida.md │ ├── no_std.md │ ├── nyx.md │ └── statsd_monitor.md │ ├── baby_fuzzer │ ├── baby_fuzzer.md │ └── more_examples.md │ ├── core_concepts │ ├── core_concepts.md │ ├── corpus.md │ ├── executor.md │ ├── feedback.md │ ├── generator.md │ ├── input.md │ ├── mutator.md │ ├── observer.md │ └── stage.md │ ├── design │ ├── architecture.md │ ├── design.md │ ├── metadata.md │ ├── migration-0.11.md │ ├── migration-0.12.md │ └── migration-0.9.md │ ├── getting_started │ ├── build.md │ ├── crates.md │ ├── getting_started.md │ └── setup.md │ ├── introduction.md │ ├── libafl.md │ ├── message_passing │ ├── configurations.md │ ├── message_passing.md │ └── spawn_instances.md │ ├── resources │ ├── grafana-libafl.json │ └── statsd-grafana.png │ └── tutorial │ ├── intro.md │ └── tutorial.md ├── fuzzers ├── README.md ├── baby │ ├── baby_fuzzer │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── baby_fuzzer_custom_executor │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── baby_fuzzer_minimizing │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── baby_fuzzer_swap_differential │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── common.c │ │ ├── common.h │ │ ├── first.c │ │ ├── first.h │ │ ├── second.c │ │ ├── second.h │ │ └── src │ │ │ ├── bin │ │ │ └── libafl_cc.rs │ │ │ └── main.rs │ ├── baby_fuzzer_unicode │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── backtrace_baby_fuzzers │ │ ├── README.md │ │ ├── c_code_with_fork_executor │ │ │ ├── .cargo │ │ │ │ └── config │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ ├── build.rs │ │ │ └── src │ │ │ │ ├── harness.c │ │ │ │ └── main.rs │ │ ├── c_code_with_inprocess_executor │ │ │ ├── .cargo │ │ │ │ └── config │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ ├── build.rs │ │ │ └── src │ │ │ │ ├── harness.c │ │ │ │ └── main.rs │ │ ├── command_executor │ │ │ ├── .cargo │ │ │ │ └── config │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ ├── build.rs │ │ │ └── src │ │ │ │ ├── main.rs │ │ │ │ └── test_command.c │ │ ├── forkserver_executor │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ ├── build.rs │ │ │ └── src │ │ │ │ ├── main.rs │ │ │ │ └── program.c │ │ ├── rust_code_with_fork_executor │ │ │ ├── .cargo │ │ │ │ └── config │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ │ └── main.rs │ │ └── rust_code_with_inprocess_executor │ │ │ ├── .cargo │ │ │ └── config │ │ │ ├── .gitignore │ │ │ ├── Cargo.lock │ │ │ ├── Cargo.toml │ │ │ └── src │ │ │ └── main.rs │ └── tutorial │ │ ├── Cargo.toml │ │ ├── rust-toolchain │ │ ├── src │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ ├── input.rs │ │ ├── lib.rs │ │ ├── metadata.rs │ │ └── mutator.rs │ │ └── target.c ├── binary_only │ ├── frida_executable_libpng │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── lib.rs │ ├── frida_libpng │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ ├── harness.cc │ │ ├── harness_win.cpp │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── frida_windows_gdiplus │ │ ├── .cargo │ │ │ └── config.toml │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── cmplog_test.asm │ │ ├── cmplog_test.def │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── fuzzbench │ ├── fuzzbench_fork_qemu │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── corpus │ │ ├── fuzz.c │ │ ├── libfuzzer_main.c │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── fuzzbench_qemu │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── fuzz.c │ │ ├── libfuzzer_main.c │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── intel_pt_baby_fuzzer │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── intel_pt_command_executor │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ └── src │ │ │ ├── main.rs │ │ │ └── target_program.rs │ ├── python_qemu │ │ ├── README.md │ │ ├── fuzz.c │ │ └── fuzzer.py │ ├── qemu_cmin │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── qemu_coverage │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ ├── qemu_launcher │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ ├── harness.cc │ │ ├── injection_test │ │ │ └── .gitignore │ │ ├── injections.toml │ │ ├── injections.yaml │ │ ├── src │ │ │ ├── client.rs │ │ │ ├── fuzzer.rs │ │ │ ├── harness.rs │ │ │ ├── instance.rs │ │ │ ├── main.rs │ │ │ ├── options.rs │ │ │ └── version.rs │ │ ├── stats.txt │ │ └── tests │ │ │ ├── injection │ │ │ ├── .gitignore │ │ │ ├── Makefile │ │ │ ├── README.md │ │ │ ├── example.db │ │ │ ├── sqltest.c │ │ │ └── test.sh │ │ │ └── qasan │ │ │ ├── .gitignore │ │ │ ├── Makefile │ │ │ ├── gasan_test.sh │ │ │ ├── inputs │ │ │ ├── double_free.txt │ │ │ ├── memset.txt │ │ │ ├── overflow.txt │ │ │ ├── test_limits.txt │ │ │ ├── uaf.txt │ │ │ └── underflow.txt │ │ │ ├── qasan.c │ │ │ └── qasan_test.sh │ ├── qemu_tmin │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ ├── not_kitty.png │ │ │ ├── not_kitty_alpha.png │ │ │ ├── not_kitty_alpha_long.png │ │ │ ├── not_kitty_gamma.png │ │ │ └── not_kitty_icc.png │ │ ├── harness.cc │ │ └── src │ │ │ ├── tmin_multi_core.rs │ │ │ └── tmin_single_core.rs │ └── tinyinst_simple │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── src │ │ └── main.rs │ │ └── test │ │ ├── crash_input.txt │ │ ├── ok_input.txt │ │ └── test.cpp ├── forkserver │ ├── baby_fuzzer_with_forkexecutor │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ ├── forkserver_capture_stdout │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── build.rs │ │ └── src │ │ │ ├── main.rs │ │ │ └── program.c │ ├── forkserver_libafl_cc │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ │ └── testfile │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ ├── lib.rs │ │ │ ├── main.rs │ │ │ └── program.c │ ├── forkserver_simple │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ └── testfile │ │ └── src │ │ │ ├── main.rs │ │ │ └── program.c │ ├── fuzzbench_forkserver │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ └── src │ │ │ └── main.rs │ ├── fuzzbench_forkserver_cmplog │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── src │ │ │ └── main.rs │ │ └── test │ │ │ ├── compile.sh │ │ │ └── test-cmplog.c │ ├── fuzzbench_forkserver_sand │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ └── src │ │ │ ├── cc.rs │ │ │ ├── cxx.rs │ │ │ ├── lib.rs │ │ │ ├── main.rs │ │ │ └── vuln.c │ └── libafl-fuzz │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── rustfmt.toml │ │ ├── src │ │ ├── corpus.rs │ │ ├── env_parser.rs │ │ ├── executor.rs │ │ ├── feedback │ │ │ ├── filepath.rs │ │ │ ├── mod.rs │ │ │ ├── persistent_record.rs │ │ │ └── seed.rs │ │ ├── fuzzer.rs │ │ ├── hooks.rs │ │ ├── main.rs │ │ ├── scheduler.rs │ │ └── stages │ │ │ ├── mod.rs │ │ │ └── mutational_stage.rs │ │ └── test │ │ ├── seeds-frida │ │ └── init │ │ ├── seeds │ │ └── init │ │ ├── seeds_cmplog │ │ └── init │ │ ├── seeds_frida │ │ └── init │ │ ├── seeds_qemu │ │ └── init │ │ ├── seeds_unicorn │ │ └── in │ │ ├── seeds_unicorn_cmpcov │ │ └── in │ │ ├── test-cmpcov.c │ │ ├── test-cmplog.c │ │ ├── test-instr.c │ │ └── test.sh ├── full_system │ ├── nyx_launcher │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ ├── client.rs │ │ │ ├── fuzzer.rs │ │ │ ├── instance.rs │ │ │ ├── main.rs │ │ │ └── options.rs │ ├── nyx_libxml2_parallel │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── setup_libxml2.sh │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── main.rs │ ├── nyx_libxml2_standalone │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── setup_libxml2.sh │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── main.rs │ ├── qemu_baremetal │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ ├── random │ │ │ └── zero │ │ ├── example │ │ │ ├── main.c │ │ │ ├── mps2_m3.ld │ │ │ └── startup.c │ │ └── src │ │ │ ├── fuzzer_breakpoint.rs │ │ │ ├── fuzzer_low_level.rs │ │ │ ├── fuzzer_sync_exit.rs │ │ │ └── main.rs │ ├── qemu_linux_kernel │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ ├── random │ │ │ └── zero │ │ ├── runtime │ │ │ └── entrypoint.sh │ │ ├── setup │ │ │ ├── Makefile │ │ │ ├── harness.c │ │ │ ├── setup.sh │ │ │ ├── symfinder.c │ │ │ ├── symfinder.h │ │ │ ├── user.c │ │ │ └── x509-parser.h │ │ ├── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ │ └── workdir │ │ │ └── disks │ │ │ ├── OVMF_VARS.4m.fd.1 │ │ │ ├── OVMF_VARS.4m.fd.2 │ │ │ ├── linux.qcow2.1 │ │ │ └── linux.qcow2.2 │ ├── qemu_linux_process │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ ├── random │ │ │ └── zero │ │ ├── example │ │ │ ├── harness_lqemu.c │ │ │ └── harness_nyx.c │ │ ├── runtime │ │ │ └── entrypoint.sh │ │ ├── setup │ │ │ └── setup.sh │ │ └── src │ │ │ ├── fuzzer.rs │ │ │ └── main.rs │ └── unicorn │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── bin │ │ ├── Justfile │ │ └── foo.c │ │ └── src │ │ └── main.rs ├── fuzz_anything │ ├── baby_fuzzer_wasm │ │ ├── .cargo │ │ │ └── config.toml │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── pkg │ │ │ ├── .gitignore │ │ │ ├── index.html │ │ │ └── package.json │ │ ├── src │ │ │ ├── lib.rs │ │ │ └── utils.rs │ │ ├── tests │ │ │ └── web.rs │ │ └── webdriver.json │ ├── baby_no_std │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── rust-toolchain │ │ └── src │ │ │ └── main.rs │ ├── cargo_fuzz │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── fuzz │ │ │ ├── .gitignore │ │ │ ├── Cargo.toml │ │ │ └── fuzz_targets │ │ │ │ └── fuzz_target_1.rs │ │ └── src │ │ │ └── lib.rs │ ├── libafl_atheris │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Makefile │ │ ├── README.md │ │ └── src │ │ │ └── lib.rs │ ├── push_harness │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ │ └── main.rs │ └── push_stage_harness │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── README.md │ │ └── src │ │ └── main.rs ├── inprocess │ ├── fuzzbench │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── fuzz.c │ │ ├── src │ │ │ ├── bin │ │ │ │ ├── libafl_cc.rs │ │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ │ └── stub_rt.c │ ├── fuzzbench_ctx │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── fuzz.c │ │ ├── src │ │ │ ├── bin │ │ │ │ ├── libafl_cc.rs │ │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ │ └── stub_rt.c │ ├── fuzzbench_text │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── fuzz.c │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libafl_libfuzzer_windows │ │ ├── Justfile │ │ ├── README.md │ │ └── harness.cc │ ├── libfuzzer_libmozjpeg │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── build.rs │ │ ├── corpus │ │ │ └── blank.jpg │ │ ├── harness.cc │ │ ├── hook_allocs.c │ │ ├── jpeg.dict │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_accounting │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_centralized │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_cmin │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_launcher │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_ar.rs │ │ │ ├── libafl_cc.rs │ │ │ ├── libafl_cxx.rs │ │ │ └── libafl_libtool.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_norestart │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_libpng_tcp_manager │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ ├── libfuzzer_stb_image │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.cc │ │ ├── src │ │ │ ├── bin │ │ │ │ ├── libafl_cc.rs │ │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ │ └── stb_image.h │ ├── libfuzzer_stb_image_sugar │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ ├── harness.c │ │ ├── src │ │ │ ├── bin │ │ │ │ ├── libafl_cc.rs │ │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ │ └── stb_image.h │ ├── libfuzzer_windows_asan │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── README.md │ │ ├── corpus │ │ │ └── hello_world │ │ ├── harness.cpp │ │ └── src │ │ │ ├── bin │ │ │ ├── libafl_cc.rs │ │ │ └── libafl_cxx.rs │ │ │ └── lib.rs │ └── sqlite_centralized_multi_machine │ │ ├── Cargo.toml │ │ ├── README.md │ │ ├── build.sh │ │ ├── run_child.sh │ │ ├── run_parent.sh │ │ └── src │ │ ├── bin │ │ ├── libafl_cc.rs │ │ └── libafl_cxx.rs │ │ └── lib.rs └── structure_aware │ ├── baby_fuzzer_custom_input │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ └── src │ │ ├── input.rs │ │ └── main.rs │ ├── baby_fuzzer_gramatron │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ ├── auto.json │ ├── auto.postcard │ ├── corpus │ │ └── new file │ └── src │ │ └── main.rs │ ├── baby_fuzzer_grimoire │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ ├── corpus │ │ └── new file │ └── src │ │ └── main.rs │ ├── baby_fuzzer_multi │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ └── src │ │ └── main.rs │ ├── baby_fuzzer_nautilus │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ ├── grammar.json │ └── src │ │ └── main.rs │ ├── baby_fuzzer_tokens │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ ├── corpus │ │ └── new file │ └── src │ │ └── main.rs │ ├── forkserver_simple_nautilus │ ├── .gitignore │ ├── Cargo.lock │ ├── Cargo.toml │ ├── README.md │ ├── build.rs │ ├── corpus │ │ └── testfile │ └── src │ │ ├── main.rs │ │ └── program.c │ ├── libfuzzer_stb_image_concolic │ ├── README.md │ ├── fuzzer │ │ ├── .gitignore │ │ ├── Cargo.lock │ │ ├── Cargo.toml │ │ ├── build.rs │ │ ├── harness.c │ │ ├── harness_symcc.c │ │ ├── src │ │ │ └── main.rs │ │ └── stb_image.h │ └── runtime │ │ ├── Cargo.toml │ │ └── src │ │ └── lib.rs │ └── nautilus_sync │ ├── .gitignore │ ├── Cargo.toml │ ├── Justfile │ ├── grammar.json │ ├── harness.cc │ ├── rust-toolchain │ └── src │ ├── bin │ ├── libafl_cc.rs │ └── libafl_cxx.rs │ └── lib.rs ├── just ├── README.md ├── envs │ ├── .env.aarch64 │ ├── .env.arm │ ├── .env.i386 │ ├── .env.mips │ ├── .env.ppc │ └── .env.x86_64 ├── libafl-cc-libpng.just ├── libafl-cc.just ├── libafl-qemu-libpng.just ├── libafl-qemu.just └── libafl.just ├── libafl ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── build.rs ├── examples │ └── tui_mock │ │ └── main.rs └── src │ ├── common │ ├── mod.rs │ └── nautilus │ │ ├── README.md │ │ ├── grammartec │ │ ├── chunkstore.rs │ │ ├── context.rs │ │ ├── mod.rs │ │ ├── mutator.rs │ │ ├── newtypes.rs │ │ ├── python_grammar_loader.rs │ │ ├── recursion_info.rs │ │ ├── rule.rs │ │ └── tree.rs │ │ ├── mod.rs │ │ └── regex_mutator │ │ └── mod.rs │ ├── corpus │ ├── cached.rs │ ├── inmemory.rs │ ├── inmemory_ondisk.rs │ ├── minimizer.rs │ ├── mod.rs │ ├── nop.rs │ ├── ondisk.rs │ └── testcase.rs │ ├── events │ ├── broker_hooks │ │ ├── centralized.rs │ │ ├── centralized_multi_machine.rs │ │ └── mod.rs │ ├── centralized.rs │ ├── events_hooks │ │ └── mod.rs │ ├── launcher.rs │ ├── llmp │ │ ├── mod.rs │ │ └── restarting.rs │ ├── mod.rs │ ├── multi_machine.rs │ ├── simple.rs │ └── tcp.rs │ ├── executors │ ├── combined.rs │ ├── command.rs │ ├── differential.rs │ ├── forkserver.rs │ ├── hooks │ │ ├── inprocess.rs │ │ ├── inprocess_fork.rs │ │ ├── intel_pt.rs │ │ ├── mod.rs │ │ ├── timer.rs │ │ ├── unix.rs │ │ └── windows.rs │ ├── inprocess │ │ ├── inner.rs │ │ ├── mod.rs │ │ └── stateful.rs │ ├── inprocess_fork │ │ ├── inner.rs │ │ ├── mod.rs │ │ └── stateful.rs │ ├── mod.rs │ ├── nop.rs │ ├── sand.rs │ ├── shadow.rs │ └── with_observers.rs │ ├── feedbacks │ ├── bool.rs │ ├── capture_feedback.rs │ ├── concolic.rs │ ├── custom_filename.rs │ ├── differential.rs │ ├── list.rs │ ├── map.rs │ ├── mod.rs │ ├── nautilus.rs │ ├── new_hash_feedback.rs │ ├── simd.rs │ ├── stdio.rs │ ├── transferred.rs │ └── value_bloom.rs │ ├── fuzzer │ └── mod.rs │ ├── generators │ ├── gramatron.rs │ ├── mod.rs │ └── nautilus.rs │ ├── inputs │ ├── bytes.rs │ ├── bytessub.rs │ ├── encoded.rs │ ├── generalized.rs │ ├── gramatron.rs │ ├── list.rs │ ├── mod.rs │ ├── multi.rs │ ├── nautilus.rs │ └── value.rs │ ├── lib.rs │ ├── monitors │ ├── disk.rs │ ├── disk_aggregate.rs │ ├── logics.rs │ ├── mod.rs │ ├── multi.rs │ ├── prometheus.rs │ ├── stats │ │ ├── manager.rs │ │ ├── mod.rs │ │ ├── perf_stats.rs │ │ └── user_stats │ │ │ ├── mod.rs │ │ │ └── user_stats_value.rs │ ├── statsd.rs │ └── tui │ │ ├── mod.rs │ │ └── ui.rs │ ├── mutators │ ├── encoded_mutations.rs │ ├── gramatron.rs │ ├── grimoire.rs │ ├── hash.rs │ ├── havoc_mutations.rs │ ├── list.rs │ ├── lua.rs │ ├── mapping.rs │ ├── mod.rs │ ├── mopt_mutator.rs │ ├── multi.rs │ ├── mutations.rs │ ├── nautilus.rs │ ├── numeric.rs │ ├── scheduled.rs │ ├── token_mutations.rs │ ├── tuneable.rs │ └── unicode │ │ ├── mod.rs │ │ └── unicode_categories.rs │ ├── observers │ ├── cmp.rs │ ├── concolic │ │ ├── metadata.rs │ │ ├── mod.rs │ │ ├── observer.rs │ │ └── serialization_format.rs │ ├── list.rs │ ├── map │ │ ├── const_map.rs │ │ ├── hitcount_map.rs │ │ ├── mod.rs │ │ ├── multi_map.rs │ │ ├── owned_map.rs │ │ └── variable_map.rs │ ├── mod.rs │ ├── stacktrace.rs │ ├── stdio.rs │ └── value.rs │ ├── schedulers │ ├── accounting.rs │ ├── minimizer.rs │ ├── mod.rs │ ├── powersched.rs │ ├── probabilistic_sampling.rs │ ├── queue.rs │ ├── testcase_score.rs │ ├── tuneable.rs │ └── weighted.rs │ ├── stages │ ├── afl_stats.rs │ ├── calibrate.rs │ ├── colorization.rs │ ├── concolic.rs │ ├── dump.rs │ ├── dynamic.rs │ ├── generalization.rs │ ├── generation.rs │ ├── logics.rs │ ├── mod.rs │ ├── mutational.rs │ ├── nop.rs │ ├── power.rs │ ├── push │ │ ├── mod.rs │ │ └── mutational.rs │ ├── replay.rs │ ├── shadow.rs │ ├── sync.rs │ ├── time_tracker.rs │ ├── tmin.rs │ ├── tracing.rs │ ├── tuneable.rs │ ├── unicode.rs │ └── verify_timeouts.rs │ └── state │ ├── mod.rs │ └── stack.rs ├── libafl_bolts ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── build.rs ├── examples │ ├── llmp_test │ │ └── main.rs │ └── simd │ │ └── simd.rs └── src │ ├── anymap.rs │ ├── argparse.rs │ ├── build_id.rs │ ├── cli.rs │ ├── compress.rs │ ├── core_affinity.rs │ ├── cpu.rs │ ├── fs.rs │ ├── lib.rs │ ├── llmp.rs │ ├── math.rs │ ├── minibsod.rs │ ├── os │ ├── mod.rs │ ├── pipes.rs │ ├── unix_shmem_server.rs │ ├── unix_signals.rs │ └── windows_exceptions.rs │ ├── ownedref.rs │ ├── rands │ ├── loaded_dice.rs │ └── mod.rs │ ├── serdeany.rs │ ├── shmem.rs │ ├── simd.rs │ ├── staterestore.rs │ ├── subrange.rs │ ├── target_args.rs │ └── tuples.rs ├── libafl_cc ├── Cargo.toml ├── README.md ├── build.rs └── src │ ├── ar.rs │ ├── autotokens-pass.cc │ ├── cfg.rs │ ├── clang.rs │ ├── cmplog-instructions-pass.cc │ ├── cmplog-routines-pass.cc │ ├── common-llvm.h │ ├── coverage-accounting-pass.cc │ ├── ctx-pass.cc │ ├── dump-cfg-pass.cc │ ├── function-logging.cc │ ├── lib.rs │ ├── libtool.rs │ └── no-link-rt.c ├── libafl_concolic ├── symcc_libafl │ ├── Cargo.toml │ ├── README.md │ └── src │ │ └── lib.rs ├── symcc_runtime │ ├── Cargo.toml │ ├── README.md │ ├── build.rs │ └── src │ │ ├── filter.rs │ │ ├── filter │ │ └── coverage.rs │ │ ├── lib.rs │ │ └── tracing.rs └── test │ ├── .gitignore │ ├── README.md │ ├── dump_constraints │ ├── Cargo.toml │ └── src │ │ └── main.rs │ ├── expected_constraints.txt │ ├── if_test_input │ ├── runtime_test │ ├── Cargo.toml │ └── src │ │ └── lib.rs │ ├── smoke_test.sh │ └── smoke_test_ubuntu_deps.sh ├── libafl_derive ├── Cargo.toml └── src │ └── lib.rs ├── libafl_frida ├── Cargo.toml ├── build.rs ├── src │ ├── allocator.rs │ ├── asan │ │ ├── asan_rt.rs │ │ ├── errors.rs │ │ ├── hook_funcs.rs │ │ └── mod.rs │ ├── cmplog_rt.rs │ ├── coverage_rt.rs │ ├── drcov_rt.rs │ ├── executor.rs │ ├── frida_helper_shutdown_observer.rs │ ├── gettls.c │ ├── helper.rs │ ├── lib.rs │ ├── pthread_hook.rs │ ├── script.js │ ├── utils.rs │ └── windows_hooks.rs └── test_harness.cpp ├── libafl_intelpt ├── Cargo.toml ├── README.md ├── src │ ├── lib.rs │ └── linux.rs └── tests │ ├── integration_tests_linux.rs │ └── run_integration_tests_linux_with_caps.sh ├── libafl_libfuzzer ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── build.rs ├── runtime │ ├── Cargo.toml.template │ ├── build.rs │ └── src │ │ ├── corpus.rs │ │ ├── feedbacks.rs │ │ ├── fuzz.rs │ │ ├── harness_wrap.cpp │ │ ├── harness_wrap.h │ │ ├── lib.rs │ │ ├── merge.rs │ │ ├── misc.rs │ │ ├── observers.rs │ │ ├── options.rs │ │ ├── report.rs │ │ ├── schedulers.rs │ │ └── tmin.rs └── src │ └── lib.rs ├── libafl_libfuzzer_runtime ├── Cargo.toml ├── Justfile ├── LICENSE-APACHE ├── LICENSE-MIT ├── README.md ├── build.ps1 ├── build.rs ├── build.sh └── src ├── libafl_nyx ├── .clang-format ├── Cargo.toml ├── Makefile.libxdc ├── README.md ├── build.rs ├── build_nyx_support.sh └── src │ ├── cmplog.rs │ ├── executor.rs │ ├── helper.rs │ ├── lib.rs │ └── settings.rs ├── libafl_qemu ├── Cargo.toml ├── README.md ├── build.rs ├── build_linux.rs ├── libafl_qemu_build │ ├── Cargo.toml │ ├── README.md │ └── src │ │ ├── bindings.rs │ │ ├── build.rs │ │ └── lib.rs ├── libafl_qemu_sys │ ├── Cargo.toml │ ├── build.rs │ ├── build_linux.rs │ └── src │ │ ├── bindings │ │ ├── mod.rs │ │ └── x86_64_stub_bindings.rs │ │ ├── lib.rs │ │ ├── systemmode.rs │ │ └── usermode.rs ├── libqasan │ ├── Makefile │ ├── README.md │ ├── dlmalloc.c │ ├── hooks.c │ ├── libqasan.c │ ├── libqasan.h │ ├── malloc.c │ ├── map_macro.h │ ├── mmap.c │ ├── patch.c │ ├── printf │ │ ├── .gitattributes │ │ ├── .travis.yml │ │ ├── LICENSE │ │ ├── Makefile │ │ ├── README.md │ │ ├── printf.c │ │ └── printf.h │ ├── qasan.h │ ├── string.c │ └── uninstrument.c ├── librasan │ ├── .cargo │ │ └── config.toml │ ├── .gitignore │ ├── Cargo.toml │ ├── Justfile │ ├── README.md │ ├── asan │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── build.rs │ │ ├── cc │ │ │ ├── include │ │ │ │ ├── hooks.h │ │ │ │ └── trace.h │ │ │ └── src │ │ │ │ ├── asprintf.c │ │ │ │ ├── log.c │ │ │ │ └── vasprintf.c │ │ ├── src │ │ │ ├── allocator │ │ │ │ ├── backend │ │ │ │ │ ├── dlmalloc.rs │ │ │ │ │ ├── mimalloc.rs │ │ │ │ │ └── mod.rs │ │ │ │ ├── frontend │ │ │ │ │ ├── default.rs │ │ │ │ │ └── mod.rs │ │ │ │ └── mod.rs │ │ │ ├── arch │ │ │ │ ├── aarch64.rs │ │ │ │ ├── arm.rs │ │ │ │ └── mod.rs │ │ │ ├── env │ │ │ │ └── mod.rs │ │ │ ├── exit │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── file │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── hooks │ │ │ │ ├── aligned_alloc.rs │ │ │ │ ├── atoi.rs │ │ │ │ ├── atol.rs │ │ │ │ ├── atoll.rs │ │ │ │ ├── bcmp.rs │ │ │ │ ├── bzero.rs │ │ │ │ ├── calloc.rs │ │ │ │ ├── explicit_bzero.rs │ │ │ │ ├── fgets.rs │ │ │ │ ├── free.rs │ │ │ │ ├── malloc.rs │ │ │ │ ├── malloc_usable_size.rs │ │ │ │ ├── memalign.rs │ │ │ │ ├── memchr.rs │ │ │ │ ├── memcmp.rs │ │ │ │ ├── memcpy.rs │ │ │ │ ├── memmem.rs │ │ │ │ ├── memmove.rs │ │ │ │ ├── mempcpy.rs │ │ │ │ ├── memrchr.rs │ │ │ │ ├── memset.rs │ │ │ │ ├── mmap │ │ │ │ │ ├── libc.rs │ │ │ │ │ ├── linux.rs │ │ │ │ │ └── mod.rs │ │ │ │ ├── mod.rs │ │ │ │ ├── munmap │ │ │ │ │ ├── libc.rs │ │ │ │ │ ├── linux.rs │ │ │ │ │ └── mod.rs │ │ │ │ ├── posix_memalign.rs │ │ │ │ ├── pvalloc.rs │ │ │ │ ├── rawmemchr.rs │ │ │ │ ├── read │ │ │ │ │ ├── libc.rs │ │ │ │ │ ├── linux.rs │ │ │ │ │ └── mod.rs │ │ │ │ ├── realloc.rs │ │ │ │ ├── reallocarray.rs │ │ │ │ ├── stpcpy.rs │ │ │ │ ├── stpncpy.rs │ │ │ │ ├── strcasecmp.rs │ │ │ │ ├── strcasestr.rs │ │ │ │ ├── strcat.rs │ │ │ │ ├── strchr.rs │ │ │ │ ├── strchrnul.rs │ │ │ │ ├── strcmp.rs │ │ │ │ ├── strcpy.rs │ │ │ │ ├── strdup.rs │ │ │ │ ├── strlen.rs │ │ │ │ ├── strncasecmp.rs │ │ │ │ ├── strncat.rs │ │ │ │ ├── strncmp.rs │ │ │ │ ├── strncpy.rs │ │ │ │ ├── strndup.rs │ │ │ │ ├── strnlen.rs │ │ │ │ ├── strrchr.rs │ │ │ │ ├── strstr.rs │ │ │ │ ├── valloc.rs │ │ │ │ ├── wcschr.rs │ │ │ │ ├── wcscmp.rs │ │ │ │ ├── wcscpy.rs │ │ │ │ ├── wcslen.rs │ │ │ │ ├── wcsncmp.rs │ │ │ │ ├── wcsnlen.rs │ │ │ │ ├── wcsrchr.rs │ │ │ │ ├── wmemchr.rs │ │ │ │ └── write │ │ │ │ │ ├── libc.rs │ │ │ │ │ ├── linux.rs │ │ │ │ │ └── mod.rs │ │ │ ├── host │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── lib.rs │ │ │ ├── logger │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── maps │ │ │ │ ├── decode.rs │ │ │ │ ├── entry.rs │ │ │ │ ├── iterator.rs │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── mem.rs │ │ │ ├── mmap │ │ │ │ ├── libc.rs │ │ │ │ ├── linux.rs │ │ │ │ └── mod.rs │ │ │ ├── nostd │ │ │ │ └── mod.rs │ │ │ ├── patch │ │ │ │ ├── mod.rs │ │ │ │ └── raw.rs │ │ │ ├── shadow │ │ │ │ ├── guest.rs │ │ │ │ ├── host.rs │ │ │ │ └── mod.rs │ │ │ ├── symbols │ │ │ │ ├── dlsym.rs │ │ │ │ ├── mod.rs │ │ │ │ └── nop.rs │ │ │ ├── test.rs │ │ │ └── tracking │ │ │ │ ├── guest.rs │ │ │ │ ├── guest_fast.rs │ │ │ │ ├── host.rs │ │ │ │ └── mod.rs │ │ └── tests │ │ │ ├── default_frontend.rs │ │ │ ├── default_frontend_mock.rs │ │ │ ├── dlmalloc_backend.rs │ │ │ ├── env.rs │ │ │ ├── guest_shadow_align.rs │ │ │ ├── guest_shadow_example.rs │ │ │ ├── guest_shadow_is_memory.rs │ │ │ ├── guest_shadow_libc_is_poison.rs │ │ │ ├── guest_shadow_libc_poison.rs │ │ │ ├── guest_shadow_linux_is_poison.rs │ │ │ ├── guest_shadow_linux_poison.rs │ │ │ ├── guest_shadow_linux_unpoison.rs │ │ │ ├── guest_shadow_unpoison.rs │ │ │ ├── guest_tracking.rs │ │ │ ├── hooks_aligned_alloc.rs │ │ │ ├── hooks_atoi.rs │ │ │ ├── hooks_atol.rs │ │ │ ├── hooks_atoll.rs │ │ │ ├── hooks_bcmp.rs │ │ │ ├── hooks_bzero.rs │ │ │ ├── hooks_calloc.rs │ │ │ ├── hooks_explicit_bzero.rs │ │ │ ├── hooks_fgets.rs │ │ │ ├── hooks_free.rs │ │ │ ├── hooks_malloc.rs │ │ │ ├── hooks_malloc_usable_size.rs │ │ │ ├── hooks_memalign.rs │ │ │ ├── hooks_memchr.rs │ │ │ ├── hooks_memcmp.rs │ │ │ ├── hooks_memcpy.rs │ │ │ ├── hooks_memmem.rs │ │ │ ├── hooks_memmove.rs │ │ │ ├── hooks_mempcpy.rs │ │ │ ├── hooks_memrchr.rs │ │ │ ├── hooks_memset.rs │ │ │ ├── hooks_posix_memalign.rs │ │ │ ├── hooks_pvalloc.rs │ │ │ ├── hooks_rawmemchr.rs │ │ │ ├── hooks_read_libc.rs │ │ │ ├── hooks_read_linux.rs │ │ │ ├── hooks_realloc.rs │ │ │ ├── hooks_reallocarray.rs │ │ │ ├── hooks_stpcpy.rs │ │ │ ├── hooks_stpncpy.rs │ │ │ ├── hooks_strcasecmp.rs │ │ │ ├── hooks_strcasestr.rs │ │ │ ├── hooks_strcat.rs │ │ │ ├── hooks_strchr.rs │ │ │ ├── hooks_strchrnul.rs │ │ │ ├── hooks_strcmp.rs │ │ │ ├── hooks_strcpy.rs │ │ │ ├── hooks_strdup.rs │ │ │ ├── hooks_strlen.rs │ │ │ ├── hooks_strncasecmp.rs │ │ │ ├── hooks_strncat.rs │ │ │ ├── hooks_strncmp.rs │ │ │ ├── hooks_strncpy.rs │ │ │ ├── hooks_strndup.rs │ │ │ ├── hooks_strnlen.rs │ │ │ ├── hooks_strrchr.rs │ │ │ ├── hooks_strstr.rs │ │ │ ├── hooks_valloc.rs │ │ │ ├── hooks_wcschr.rs │ │ │ ├── hooks_wcscmp.rs │ │ │ ├── hooks_wcscpy.rs │ │ │ ├── hooks_wcslen.rs │ │ │ ├── hooks_wcsncmp.rs │ │ │ ├── hooks_wcsnlen.rs │ │ │ ├── hooks_wcsrchr.rs │ │ │ ├── hooks_wmemchr.rs │ │ │ ├── hooks_write_libc.rs │ │ │ ├── hooks_write_linux.rs │ │ │ ├── host.rs │ │ │ ├── libc_map_reader.rs │ │ │ ├── linux_map_reader.rs │ │ │ ├── patch_raw.rs │ │ │ └── symbols_dlsym.rs │ ├── dummy_libc │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── dummy_libc.map │ │ └── src │ │ │ └── lib.rs │ ├── fuzz │ │ ├── .gitignore │ │ ├── Cargo.toml │ │ ├── Justfile │ │ └── fuzz_targets │ │ │ ├── default_frontend_dlmalloc.rs │ │ │ ├── default_frontend_mock.rs │ │ │ ├── guest_shadow.rs │ │ │ └── guest_tracking.rs │ ├── fuzzer_name.just │ ├── gasan │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── gasan.map │ │ ├── rename_patch.syms │ │ ├── rename_real.syms │ │ └── src │ │ │ └── lib.rs │ ├── qasan │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── qasan.map │ │ ├── rename_patch.syms │ │ ├── rename_real.syms │ │ └── src │ │ │ └── lib.rs │ ├── runner │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── build.rs │ │ └── src │ │ │ ├── aarch64.rs │ │ │ ├── arm.rs │ │ │ ├── fuzz.rs │ │ │ ├── i386.rs │ │ │ ├── ppc.rs │ │ │ └── x86_64.rs │ └── zasan │ │ ├── Cargo.toml │ │ ├── Justfile │ │ ├── rename_patch.syms │ │ ├── rename_real.syms │ │ ├── src │ │ └── lib.rs │ │ └── zasan.map ├── runtime │ ├── libafl_qemu.h │ ├── libafl_qemu_arch.h │ ├── libafl_qemu_defs.h │ ├── libafl_qemu_impl.h │ ├── libafl_qemu_stub_bindings.rs │ ├── libafl_qemu_windows.asm │ ├── nyx_api.h │ └── nyx_stub_bindings.rs └── src │ ├── arch │ ├── aarch64.rs │ ├── arm.rs │ ├── hexagon.rs │ ├── i386.rs │ ├── mips.rs │ ├── mod.rs │ ├── ppc.rs │ ├── riscv.rs │ └── x86_64.rs │ ├── breakpoint.rs │ ├── command │ ├── mod.rs │ ├── nyx.rs │ └── parser │ │ ├── mod.rs │ │ └── nyx.rs │ ├── elf.rs │ ├── emu │ ├── builder.rs │ ├── drivers │ │ ├── mod.rs │ │ └── nyx.rs │ ├── hooks.rs │ ├── mod.rs │ ├── snapshot.rs │ ├── systemmode.rs │ └── usermode.rs │ ├── executor.rs │ ├── lib.rs │ ├── modules │ ├── calls.rs │ ├── cmplog.rs │ ├── drcov.rs │ ├── edges │ │ ├── child.rs │ │ ├── classic.rs │ │ ├── full.rs │ │ ├── helpers.rs │ │ └── mod.rs │ ├── logger.rs │ ├── mod.rs │ ├── systemmode │ │ ├── intel_pt.rs │ │ └── mod.rs │ ├── usermode │ │ ├── asan.rs │ │ ├── asan_guest.rs │ │ ├── injections.rs │ │ ├── mod.rs │ │ ├── redirect_stdin.rs │ │ ├── redirect_stdout.rs │ │ └── snapshot.rs │ └── utils │ │ ├── addr2line.rs │ │ ├── filters.rs │ │ └── mod.rs │ ├── qemu │ ├── config.rs │ ├── error.rs │ ├── hooks.rs │ ├── mod.rs │ ├── systemmode.rs │ └── usermode.rs │ └── sync_exit.rs ├── libafl_sugar ├── Cargo.toml ├── build.rs └── src │ ├── forkserver.rs │ ├── inprocess.rs │ ├── lib.rs │ └── qemu.rs ├── libafl_targets ├── Cargo.toml ├── LICENSE-APACHE ├── LICENSE-MIT ├── build.rs └── src │ ├── android-ashmem.h │ ├── call.rs │ ├── cmplog.c │ ├── cmplog.h │ ├── cmps │ ├── mod.rs │ ├── observers │ │ ├── aflpp.rs │ │ ├── cmplog.rs │ │ └── mod.rs │ └── stages │ │ ├── aflpptracing.rs │ │ └── mod.rs │ ├── common.c │ ├── common.h │ ├── coverage.c │ ├── coverage.rs │ ├── drcov.rs │ ├── forkserver.rs │ ├── lib.rs │ ├── libfuzzer.c │ ├── libfuzzer │ ├── FuzzerInterceptors.cpp │ ├── mod.rs │ ├── mutators.rs │ └── observers │ │ ├── mod.rs │ │ └── oom.rs │ ├── sancov_8bit.rs │ ├── sancov_cmp.c │ ├── sancov_cmp.rs │ ├── sancov_pcguard.rs │ ├── sanitizer_interfaces.h │ ├── value_profile.h │ ├── value_profile.rs │ ├── windows_asan.c │ └── windows_asan.rs ├── libafl_tinyinst ├── Cargo.toml ├── README.md └── src │ ├── executor.rs │ └── lib.rs ├── libafl_unicorn ├── Cargo.toml └── src │ ├── emu.rs │ ├── helper.rs │ ├── hooks.rs │ └── lib.rs ├── rustfmt.toml ├── scripts ├── afl-persistent-config ├── autofix.sh ├── check_for_blobs.sh ├── check_md_links.sh ├── check_tested_fuzzers.sh ├── clean_all.sh ├── clippy.ps1 ├── clippy.sh ├── createAliases.sh ├── dummy.rs ├── find_unused_rs_files.sh ├── fmt_all.sh ├── gen_lockfiles.sh ├── kill_all_ipc.sh ├── parallellize_cargo_clippy_on_fuzzers.py ├── precommit.sh ├── publish.sh ├── shmem_limits_fbsd.sh ├── shmem_limits_macos.sh ├── shmem_limits_obsd.sh ├── update_bindings.sh └── update_versions.py ├── seeds └── pngs │ ├── not_kitty.png │ ├── not_kitty_alpha.png │ ├── not_kitty_gamma.png │ └── not_kitty_icc.png └── utils ├── README.md ├── build_and_test_fuzzers ├── Cargo.toml └── src │ ├── diffing.rs │ └── main.rs ├── cfg_builder ├── README.md └── build.py ├── ci_runner ├── Cargo.toml └── src │ └── main.rs ├── ci_splitter ├── Cargo.toml └── src │ └── main.rs ├── deexit ├── Cargo.toml ├── README.md └── src │ └── lib.rs ├── desyscall ├── Cargo.toml ├── README.md ├── build.rs └── src │ ├── file.rs │ ├── lib.rs │ ├── mmap.rs │ ├── patch.c │ └── syscalls.c ├── drcov_utils ├── Cargo.toml ├── README.md └── src │ └── bin │ ├── drcov_dump_addrs.rs │ └── drcov_merge.rs ├── gdb_qemu ├── .cargo │ └── config.toml ├── .gitignore ├── Cargo.toml ├── Justfile ├── README.md ├── gdb_demo │ ├── Cargo.toml │ ├── build.rs │ └── src │ │ ├── args.rs │ │ └── main.rs └── gdb_qemu │ ├── Cargo.toml │ ├── build.rs │ └── src │ ├── args │ ├── level.rs │ ├── mod.rs │ └── version.rs │ ├── child.rs │ ├── errno.rs │ ├── exit.rs │ ├── logger.rs │ ├── main.rs │ └── parent.rs ├── gramatron ├── README.md ├── construct_automata.py ├── construct_automata │ ├── Cargo.toml │ └── src │ │ └── main.rs ├── gnf_converter.py └── grammars │ ├── js_grammar.json │ ├── php_grammar.json │ ├── ruby_grammar.json │ └── test1.json ├── libafl_benches ├── Cargo.toml └── benches │ ├── hash_speeds.rs │ └── rand_speeds.rs ├── libafl_jumper ├── Cargo.toml ├── README.md ├── linker_script.ld └── src │ └── main.rs ├── libafl_repo_tools ├── Cargo.lock ├── Cargo.toml └── src │ └── main.rs ├── multi_machine_generator ├── .gitignore ├── Cargo.lock ├── Cargo.toml └── src │ ├── graph.rs │ └── main.rs └── noaslr ├── Cargo.toml ├── Justfile ├── README.md ├── demo ├── Cargo.toml ├── build.rs └── src │ ├── args.rs │ └── main.rs ├── libnoaslr ├── Cargo.toml └── src │ └── lib.rs └── noaslr ├── Cargo.toml ├── build.rs └── src ├── args.rs └── main.rs /.dockerignore: -------------------------------------------------------------------------------- 1 | **/target 2 | **/.git 3 | Cargo.lock 4 | 5 | *.o 6 | *.a 7 | *.so 8 | *.out 9 | *.elf 10 | *.bin 11 | *.dll 12 | *.exe 13 | *.dSYM 14 | 15 | .cur_input 16 | 17 | crashes 18 | 19 | callgrind.out.* 20 | perf.data 21 | perf.data.old 22 | 23 | .vscode 24 | test.dict 25 | 26 | # Ignore all built fuzzers 27 | fuzzer_* 28 | AFLplusplus 29 | 30 | # Ignore common dummy and logfiles 31 | *.log 32 | a 33 | 34 | # ignore files from concolic tests 35 | symcc_build 36 | symcc -------------------------------------------------------------------------------- /.github/.linkspector.yml: -------------------------------------------------------------------------------- 1 | dirs: 2 | - . 3 | 4 | useGitIgnore: true 5 | 6 | ignorePatterns: 7 | - pattern: "^https://crates.io" 8 | - pattern: "^https://github.com/AFLplusplus/linux-qemu-image-builder" 9 | - pattern: "https://www.romu-random.org/" 10 | 11 | aliveStatusCodes: 12 | - 0 13 | - 200 14 | - 403 -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | github: AFLplusplus 5 | patreon: # Replace with a single Patreon username 6 | open_collective: AFLplusplusEU 7 | ko_fi: # Replace with a single Ko-fi username 8 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 9 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 10 | liberapay: # Replace with a single Liberapay username 11 | issuehunt: # Replace with a single IssueHunt username 12 | otechie: # Replace with a single Otechie username 13 | custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] 14 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/empty.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Empty 3 | about: A question or issue that doesn't fit the templates 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: 'enhancement' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | 3 | *describe your PR here* 4 | 5 | ## Checklist 6 | 7 | - [ ] I have run `./scripts/precommit.sh` and addressed all comments 8 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "cargo" 4 | directory: "/" 5 | schedule: 6 | interval: "daily" 7 | ignore: 8 | - dependency-name: "pyo3" 9 | -------------------------------------------------------------------------------- /.github/workflows/windows-tester-prepare/action.yml: -------------------------------------------------------------------------------- 1 | name: Setup Rust Environment 2 | description: Sets up the Rust environment for the CI workflow 3 | runs: 4 | using: composite 5 | steps: 6 | - uses: dtolnay/rust-toolchain@stable 7 | with: 8 | components: llvm-tools, clippy, rustfmt 9 | - uses: actions/checkout@v4 10 | - uses: Swatinem/rust-cache@v2 11 | - name: Build docs 12 | shell: pwsh 13 | run: cargo doc 14 | - uses: ilammy/msvc-dev-cmd@v1 15 | - name: Set LIBCLANG_PATH 16 | shell: pwsh 17 | run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV 18 | - name: install just 19 | uses: extractions/setup-just@v2 20 | with: 21 | just-version: '1.40.0' 22 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | repos: 4 | - repo: local 5 | hooks: 6 | - id: fmt 7 | name: fmt 8 | entry: scripts/fmt_all.sh check 9 | language: script 10 | - repo: https://github.com/ComPWA/taplo-pre-commit 11 | rev: v0.9.3 12 | hooks: 13 | - id: taplo-format 14 | -------------------------------------------------------------------------------- /.vscode/settings.json.default: -------------------------------------------------------------------------------- 1 | { 2 | "[rust]": { 3 | "editor.defaultFormatter": "rust-lang.rust-analyzer", 4 | "editor.formatOnSave": true 5 | }, 6 | "rust-analyzer.rustfmt.extraArgs": [ 7 | "+nightly" 8 | ], 9 | "rust-analyzer.cargo.buildScripts.overrideCommand": [ 10 | "cargo", 11 | "check", 12 | "--message-format=json", 13 | ], 14 | "rust-analyzer.check.overrideCommand": [ 15 | "cargo", 16 | "check", 17 | "--message-format=json", 18 | ] 19 | } -------------------------------------------------------------------------------- /TROPHIES.md: -------------------------------------------------------------------------------- 1 | # Bugs found by `libafl` and `libafl_libfuzzer` 2 | 3 | * pdf-rs 4 | * 5 | * 6 | * 7 | * 8 | * 9 | * 10 | * nu-shell 11 | * https://github.com/nushell/nushell/issues/10365 12 | * https://github.com/nushell/nushell/issues/9417 13 | * exrs 14 | * https://github.com/johannesvollmer/exrs/pull/221 15 | * pcre2 16 | * https://github.com/PCRE2Project/pcre2/issues/275 17 | 18 | -------------------------------------------------------------------------------- /bindings/pylibafl/.gitignore: -------------------------------------------------------------------------------- 1 | dist/ 2 | -------------------------------------------------------------------------------- /bindings/pylibafl/pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["maturin[patchelf]>=1.0,<2.0"] 3 | build-backend = "maturin" 4 | 5 | [project] 6 | name = "PyLibAFL" 7 | version = "0.15.3" 8 | description = "Advanced Fuzzing Library for Python" 9 | readme = "README.md" 10 | requires-python = ">=3.8" 11 | license = { text = "Apache-2.0" } 12 | classifiers = [ 13 | "License :: OSI Approved :: Apache Software License", 14 | "License :: OSI Approved :: MIT License", 15 | "Programming Language :: Rust", 16 | "Topic :: Security", 17 | ] 18 | 19 | [project.urls] 20 | repository = "https://github.com/AFLplusplus/LibAFL.git" 21 | 22 | [tool.maturin] 23 | bindings = "pyo3" 24 | manifest-path = "Cargo.toml" 25 | python-source = "src" 26 | all-features = true 27 | -------------------------------------------------------------------------------- /bindings/pylibafl/test.py: -------------------------------------------------------------------------------- 1 | import pylibafl.sugar as sugar 2 | import ctypes 3 | import platform 4 | 5 | print("Starting to fuzz from python!") 6 | fuzzer = sugar.InProcessBytesCoverageSugar( 7 | input_dirs=["./in"], output_dir="out", broker_port=1337, cores=[0, 1] 8 | ) 9 | fuzzer.run(lambda b: print("foo")) 10 | -------------------------------------------------------------------------------- /bindings/pylibafl/test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | mkdir in || true 4 | echo "a" > ./in/a 5 | 6 | timeout 10 python3 ./test.py 7 | export exit_code=$? 8 | if [ $exit_code -eq 124 ]; then 9 | # 124 = timeout happened. All good. 10 | exit 0 11 | else 12 | exit $exit_code 13 | fi 14 | 15 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | book 2 | !listings/**/* 3 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # LibAFL Documentation Book 2 | 3 | This project contains the out-of-source LibAFL documentation as a book. 4 | 5 | Here you can find tutorials, examples, and detailed explanations. 6 | 7 | For the API documentation instead, run `cargo doc` in the LibAFl root folder. 8 | 9 | ## Usage 10 | 11 | To build this book, you need [mdBook](https://github.com/rust-lang/mdBook). 12 | 13 | `mdbook build` to build, `mdbook serve` to serve the book locally. 14 | -------------------------------------------------------------------------------- /docs/book.toml: -------------------------------------------------------------------------------- 1 | [book] 2 | authors = ["Andrea Fioraldi", "Dominik Maier"] 3 | language = "en" 4 | multilingual = false 5 | src = "src" 6 | title = "The LibAFL Fuzzing Library" 7 | 8 | [output.html] 9 | 10 | [output.linkcheck] 11 | optional = true 12 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | crashes 3 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/justfile: -------------------------------------------------------------------------------- 1 | # Justfile to build all example projects 2 | 3 | default: build-all 4 | 5 | build PROJECT: 6 | @echo "Building project in directory: {{PROJECT}}" 7 | @cd {{PROJECT}} && cargo build 8 | @echo "Finished building project in directory: {{PROJECT}}" 9 | 10 | build-all: listing-01 listing-02 listing-03 listing-04 listing-05 listing-06 11 | 12 | listing-01: (build "listing-01") 13 | listing-02: (build "listing-02") 14 | listing-03: (build "listing-03") 15 | listing-04: (build "listing-04") 16 | listing-05: (build "listing-05") 17 | listing-06: (build "listing-06") 18 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-01/Cargo.lock: -------------------------------------------------------------------------------- 1 | # This file is automatically @generated by Cargo. 2 | # It is not intended for manual editing. 3 | version = 4 4 | 5 | [[package]] 6 | name = "baby_fuzzer_listing_01" 7 | version = "0.15.2" 8 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-01/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_01" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-01/src/main.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | println!("Hello, world!"); 3 | } 4 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-02/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_02" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [dependencies] 10 | #libafl = { version = ".." } 11 | libafl = { path = "../../../../libafl" } 12 | #libafl_bolts = { version = ".." } 13 | libafl_bolts = { path = "../../../../libafl_bolts" } 14 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-02/src/main.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | println!("Hello, world!"); 3 | } 4 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-03/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_03" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [features] 10 | test-panic = [] 11 | 12 | [dependencies] 13 | #libafl = { version = ".." } 14 | libafl = { path = "../../../../libafl" } 15 | #libafl_bolts = { version = ".." } 16 | libafl_bolts = { path = "../../../../libafl_bolts" } 17 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-04/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_04" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [features] 10 | test-panic = [] 11 | 12 | [dependencies] 13 | #libafl = { version = ".." } 14 | libafl = { path = "../../../../libafl" } 15 | #libafl_bolts = { version = ".." } 16 | libafl_bolts = { path = "../../../../libafl_bolts" } 17 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-05/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_05" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [features] 10 | test-panic = [] 11 | 12 | [dependencies] 13 | #libafl = { version = ".." } 14 | libafl = { path = "../../../../libafl" } 15 | #libafl_bolts = { version = ".." } 16 | libafl_bolts = { path = "../../../../libafl_bolts" } 17 | -------------------------------------------------------------------------------- /docs/listings/baby_fuzzer/listing-06/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_listing_06" 3 | version = "0.15.3" 4 | authors = ["Your Name "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [features] 10 | test-panic = [] 11 | 12 | [dependencies] 13 | #libafl = { version = ".." } 14 | libafl = { path = "../../../../libafl" } 15 | #libafl_bolts = { version = ".." } 16 | libafl_bolts = { path = "../../../../libafl_bolts" } 17 | -------------------------------------------------------------------------------- /docs/src/advanced_features/advanced_features.md: -------------------------------------------------------------------------------- 1 | # Advanced Features 2 | 3 | In addition to core building blocks for fuzzers, LibAFL also has features for more advanced/niche fuzzing techniques. 4 | The following sections are dedicated to some of these features. 5 | -------------------------------------------------------------------------------- /docs/src/core_concepts/core_concepts.md: -------------------------------------------------------------------------------- 1 | # Core Concepts 2 | 3 | LibAFL is designed around some core concepts that we think can effectively abstract most of the other fuzzers designs. 4 | 5 | Here, we discuss these concepts and provide some examples related to other fuzzers. 6 | -------------------------------------------------------------------------------- /docs/src/core_concepts/generator.md: -------------------------------------------------------------------------------- 1 | # Generator 2 | 3 | A Generator is a component designed to generate an Input from scratch. 4 | 5 | Typically, a random generator is used to generate random inputs. 6 | 7 | Generators are traditionally less used in Feedback-driven Fuzzing, but there are exceptions, like Nautilus, that uses a Grammar generator to create the initial corpus and a sub-tree Generator as a mutation of its grammar Mutator. 8 | 9 | In the code, [`Generator`](https://docs.rs/libafl/latest/libafl/generators/trait.Generator.html) is a trait. 10 | -------------------------------------------------------------------------------- /docs/src/design/design.md: -------------------------------------------------------------------------------- 1 | # Design 2 | 3 | In this chapter, we discuss how we designed the library taking into account the core concepts while allowing code reuse and extensibility. 4 | -------------------------------------------------------------------------------- /docs/src/getting_started/getting_started.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | To get started with LibAFL, there are some initial steps to take. 4 | In this chapter, we discuss how to download and build LibAFL, using Rust's `cargo` command. 5 | We also describe the structure of LibAFL's components, so-called crates, and the purpose of each individual crate. 6 | -------------------------------------------------------------------------------- /docs/src/message_passing/configurations.md: -------------------------------------------------------------------------------- 1 | # Configurations 2 | 3 | Configurations for individual fuzzer nodes are relevant for multi node fuzzing. 4 | The chapter describes how to run nodes with different configurations 5 | in one fuzzing cluster. 6 | This allows, for example, a node compiled with ASan, to know that it needs to rerun new testcases for a node without ASan, while the same binary/configuration does not. 7 | 8 | Fuzzers with the same configuration can exchange Observers for new testcases and reuse them without rerunning the input. 9 | A different configuration indicates, that only the raw input can be exchanged, it must be rerun on the other node to capture relevant observations. 10 | -------------------------------------------------------------------------------- /docs/src/resources/statsd-grafana.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/docs/src/resources/statsd-grafana.png -------------------------------------------------------------------------------- /docs/src/tutorial/intro.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | > ## Under Construction! 4 | > 5 | > This section is under construction. 6 | > Please check back later (or open a PR) 7 | > 8 | > In the meantime, find the final Lain-based fuzzer in [the fuzzers folder](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/tutorial) 9 | -------------------------------------------------------------------------------- /docs/src/tutorial/tutorial.md: -------------------------------------------------------------------------------- 1 | # Tutorial 2 | 3 | In this chapter, we will build a custom fuzzer using the [Lain](https://github.com/microsoft/lain) mutator in Rust. 4 | 5 | This tutorial will introduce you to writing extensions to LibAFL like Feedbacks and Testcase's metadata. 6 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | corpus -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer" 3 | version = "0.14.1" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | tui = [] 13 | std = [] 14 | 15 | [profile.dev] 16 | panic = "abort" 17 | 18 | [profile.release] 19 | panic = "abort" 20 | lto = true 21 | codegen-units = 1 22 | opt-level = 3 23 | debug = true 24 | 25 | [dependencies] 26 | env_logger = "0.11.7" 27 | libafl = { path = "../../../libafl", features = ["tui_monitor"] } 28 | libafl_bolts = { path = "../../../libafl_bolts" } 29 | log = { version = "0.4.22", features = ["release_max_level_info"] } 30 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer 2 | 3 | This is a minimalistic example about how to create a libafl based fuzzer. 4 | 5 | It runs on a single core until a crash occurs and then exits. 6 | 7 | The tested program is a simple Rust function without any instrumentation. 8 | For real fuzzing, you will want to add some sort to add coverage or other feedback. 9 | 10 | You can run this example using `cargo run`, and you can enable the TUI feature by running `cargo run --features tui`. -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_custom_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | corpus -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_custom_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "fuzzer_custom_executor" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std", "bloom_input_filter"] 12 | tui = ["libafl/tui_monitor"] 13 | bloom_input_filter = ["std"] 14 | std = [] 15 | 16 | [profile.dev] 17 | panic = "abort" 18 | 19 | [profile.release] 20 | panic = "abort" 21 | lto = true 22 | codegen-units = 1 23 | opt-level = 3 24 | debug = true 25 | 26 | [dependencies] 27 | libafl = { path = "../../../libafl/" } 28 | libafl_bolts = { path = "../../../libafl_bolts/" } 29 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_custom_executor/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer with Custom Executor 2 | 3 | This is a minimalistic example about how to create a LibAFL-based fuzzer. 4 | 5 | In contrast to the normal baby fuzzer, this uses a (very simple) custom executor. 6 | 7 | The custom executor won't catch any timeouts or actual errors (i.e., memory corruptions, etc.) in the target. 8 | 9 | The tested program is a simple Rust function without any instrumentation. 10 | For real fuzzing, you will want to add some sort to add coverage or other feedback. 11 | 12 | You can run this example using `cargo run`, and you can enable the TUI feature by running `cargo run --features tui`. 13 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_minimizing/.gitignore: -------------------------------------------------------------------------------- 1 | corpus 2 | minimized 3 | solutions 4 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_minimizing/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_minimizing" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | "Addison Crump ", 8 | ] 9 | edition = "2021" 10 | 11 | [features] 12 | default = ["std"] 13 | tui = ["libafl/tui_monitor"] 14 | std = [] 15 | 16 | [profile.dev] 17 | panic = "abort" 18 | 19 | [profile.release] 20 | panic = "abort" 21 | lto = true 22 | codegen-units = 1 23 | opt-level = 3 24 | debug = true 25 | 26 | [dependencies] 27 | libafl = { path = "../../../libafl", features = ["prelude"] } 28 | libafl_bolts = { path = "../../../libafl_bolts", features = ["prelude"] } 29 | log = { version = "0.4.22", features = ["release_max_level_info"] } 30 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_minimizing/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer 2 | 3 | This is a minimalistic example about how to create a libafl based fuzzer which leverages minimisation. 4 | 5 | The fuzzer steps until a crash occurs, minimising each corpus entry as it is discovered. Then, once a 6 | solution is found, it attempts to minimise that as well. 7 | 8 | The tested program is a simple Rust function without any instrumentation. 9 | For real fuzzing, you will want to add some sort to add coverage or other feedback. -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer (swap differential) 2 | 3 | This is a minimalistic example about how to create a libafl-based differential fuzzer which swaps out the AFL map during 4 | execution so that both maps may be measured. 5 | 6 | It runs on a single core until an input is discovered which both inputs accept. 7 | 8 | The tested programs are provided in `first.c` and `second.c`. 9 | 10 | You may execute this fuzzer with `just run`. If you prefer to do so manually, you may also simply use 11 | `cargo build --release --bin libafl_cc` followed by `cargo run --release --bin fuzzer_sd` -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/common.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | bool both_require(const uint8_t *bytes, size_t len) { 4 | if (len >= 1 && bytes[0] == 'a') { 5 | if (len >= 2 && bytes[1] == 'b') { 6 | if (len >= 3 && bytes[2] == 'c') { return ACCEPT; } 7 | } 8 | } 9 | return REJECT; 10 | } -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/common.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBAFL_COMMON_H 2 | #define LIBAFL_COMMON_H 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #define ACCEPT true 9 | #define REJECT false 10 | 11 | bool both_require(const uint8_t *bytes, size_t len); 12 | 13 | #endif // LIBAFL_COMMON_H 14 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/first.c: -------------------------------------------------------------------------------- 1 | #include "first.h" 2 | 3 | bool inspect_first(const uint8_t *bytes, size_t len) { 4 | if (both_require(bytes, len)) { 5 | if (len >= 4 && bytes[3] == 'd') { return ACCEPT; } 6 | } 7 | return REJECT; 8 | } 9 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/first.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBAFL_FIRST_H 2 | #define LIBAFL_FIRST_H 3 | 4 | #include "common.h" 5 | 6 | bool inspect_first(const uint8_t *bytes, size_t len); 7 | 8 | #endif // LIBAFL_FIRST_H 9 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/second.c: -------------------------------------------------------------------------------- 1 | #include "second.h" 2 | 3 | bool inspect_second(const uint8_t *bytes, size_t len) { 4 | if (both_require(bytes, len)) { 5 | if (len >= 5 && bytes[4] == 'e') { return ACCEPT; } 6 | } 7 | return REJECT; 8 | } -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_swap_differential/second.h: -------------------------------------------------------------------------------- 1 | #ifndef LIBAFL_SECOND_H 2 | #define LIBAFL_SECOND_H 3 | 4 | #include "common.h" 5 | 6 | bool inspect_second(const uint8_t *bytes, size_t len); 7 | 8 | #endif // LIBAFL_SECOND_H 9 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_unicode/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_unicode/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_unicode" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | tui = ["libafl/tui_monitor"] 13 | std = [] 14 | 15 | [profile.dev] 16 | panic = "abort" 17 | 18 | [profile.release] 19 | panic = "abort" 20 | lto = true 21 | codegen-units = 1 22 | opt-level = 3 23 | debug = true 24 | 25 | [dependencies] 26 | libafl = { path = "../../../libafl", features = ["unicode", "tui_monitor"] } 27 | libafl_bolts = { path = "../../../libafl_bolts" } 28 | log = { version = "0.4.22", features = ["release_max_level_info"] } 29 | -------------------------------------------------------------------------------- /fuzzers/baby/baby_fuzzer_unicode/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer: unicode 2 | 3 | This is a minimalistic example about how to create a libafl based fuzzer. 4 | 5 | It runs on a single core until a crash occurs and then exits. 6 | 7 | The tested program is a simple Rust function without any instrumentation. 8 | For real fuzzing, you will want to add some sort to add coverage or other feedback. 9 | 10 | You can run this example using `cargo run`, and you can enable the TUI feature by running `cargo run --features tui`. 11 | 12 | ## Unicode 13 | 14 | This fuzzer uses mutators which preserve unicode properties. For programs which have string-heavy inputs, you may 15 | consider using the same strategy. -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/README.md: -------------------------------------------------------------------------------- 1 | # Backtrace baby fuzzers 2 | 3 | The projects contained in this directory are simple fuzzers derived from the original baby_fuzzer examples, whose purpose is to show how to use a `BacktraceObserver` or an `ASANObserver` to dedupe crashes and other necessary components for this feature. To use `casr` deduplication for `BacktraceObserver` or `ASANObserver` build LibAFL with `casr` feature. 4 | 5 | The examples cover: 6 | 7 | - An `InProcessForkExecutor` fuzzing a C harness 8 | - An `InProcessForkExecutor` fuzzing a Rust harness 9 | - An `InProcessExecutor` fuzzing a C harness 10 | - An `InProcessExecutor` fuzzing a Rust harness 11 | - A `CommandExecutor` fuzzing a simple binary 12 | - A `ForkServerExecutor` fuzzing a simple binary 13 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor/.cargo/config: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-Cforce-unwind-tables=y"] -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "c_code_with_fork_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [features] 7 | default = ["std"] 8 | std = [] 9 | 10 | [profile.release] 11 | panic = "abort" 12 | lto = true 13 | codegen-units = 1 14 | opt-level = 3 15 | debug = true 16 | 17 | [dependencies] 18 | libafl = { path = "../../../../libafl" } 19 | libafl_bolts = { path = "../../../../libafl_bolts" } 20 | libc = "0.2.159" 21 | log = { version = "0.4.22", features = ["release_max_level_info"] } 22 | 23 | [build-dependencies] 24 | cc = "1.1.21" 25 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor/build.rs: -------------------------------------------------------------------------------- 1 | extern crate cc; 2 | 3 | fn main() { 4 | cc::Build::new().file("src/harness.c").compile("harness.a"); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor/.cargo/config: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-Cforce-unwind-tables=y"] -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "c_code_with_inprocess_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [features] 7 | default = ["std"] 8 | std = [] 9 | 10 | [profile.release] 11 | panic = "abort" 12 | lto = true 13 | codegen-units = 1 14 | opt-level = 3 15 | debug = true 16 | 17 | [dependencies] 18 | libafl = { path = "../../../../libafl" } 19 | libafl_bolts = { path = "../../../../libafl_bolts" } 20 | libc = "0.2.159" 21 | log = { version = "0.4.22", features = ["release_max_level_info"] } 22 | 23 | [build-dependencies] 24 | cc = "1.1.21" 25 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor/build.rs: -------------------------------------------------------------------------------- 1 | extern crate cc; 2 | 3 | fn main() { 4 | cc::Build::new().file("src/harness.c").compile("harness.a"); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/command_executor/.cargo/config: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-Cforce-unwind-tables=y"] -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/command_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/command_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "command_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [features] 7 | default = ["std"] 8 | std = [] 9 | 10 | [profile.release] 11 | lto = true 12 | codegen-units = 1 13 | opt-level = 3 14 | debug = true 15 | 16 | [build-dependencies] 17 | cc = "1.1.21" 18 | 19 | [dependencies] 20 | libafl = { path = "../../../../libafl" } 21 | libafl_bolts = { path = "../../../../libafl_bolts" } 22 | log = { version = "0.4.22", features = ["release_max_level_info"] } 23 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/command_executor/build.rs: -------------------------------------------------------------------------------- 1 | use std::env; 2 | 3 | fn main() { 4 | let cwd = env::current_dir().unwrap().to_string_lossy().to_string(); 5 | let mut command = cc::Build::new().get_compiler().to_command(); 6 | command 7 | .args(["src/test_command.c", "-o"]) 8 | .arg(format!("{}/test_command", &cwd)) 9 | .arg("-fsanitize=address") 10 | .status() 11 | .unwrap(); 12 | } 13 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor/.gitignore: -------------------------------------------------------------------------------- 1 | forkserver_simple 2 | rundumps 3 | asanlog* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "forkserver_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | 7 | [profile.dev] 8 | panic = "abort" 9 | 10 | [profile.release] 11 | panic = "abort" 12 | lto = true 13 | codegen-units = 1 14 | opt-level = 3 15 | 16 | [dependencies] 17 | libafl = { path = "../../../../libafl" } 18 | libafl_bolts = { path = "../../../../libafl_bolts" } 19 | log = { version = "0.4.22", features = ["release_max_level_info"] } 20 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor/.cargo/config: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-Cforce-unwind-tables=y"] -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "rust_code_with_fork_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [features] 7 | default = ["std"] 8 | std = [] 9 | 10 | [profile.dev] 11 | panic = "abort" 12 | 13 | [profile.release] 14 | panic = "abort" 15 | lto = true 16 | codegen-units = 1 17 | opt-level = 3 18 | debug = true 19 | 20 | [dependencies] 21 | libafl = { path = "../../../../libafl" } 22 | libafl_bolts = { path = "../../../../libafl_bolts" } 23 | log = { version = "0.4.22", features = ["release_max_level_info"] } 24 | -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/.cargo/config: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-Cforce-unwind-tables=y"] -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "rust_code_with_inprocess_executor" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [features] 7 | default = ["std"] 8 | std = [] 9 | 10 | [profile.dev] 11 | panic = "abort" 12 | 13 | [profile.release] 14 | panic = "abort" 15 | lto = true 16 | codegen-units = 1 17 | opt-level = 3 18 | debug = true 19 | 20 | [dependencies] 21 | libafl = { path = "../../../../libafl" } 22 | libafl_bolts = { path = "../../../../libafl_bolts" } 23 | log = { version = "0.4.22", features = ["release_max_level_info"] } 24 | -------------------------------------------------------------------------------- /fuzzers/baby/tutorial/rust-toolchain: -------------------------------------------------------------------------------- 1 | nightly 2 | -------------------------------------------------------------------------------- /fuzzers/baby/tutorial/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_executable_libpng/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | corpus_discovered 3 | libafl_frida 4 | frida_libpng 5 | zlib* -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_executable_libpng/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_libpng/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | corpus_discovered 3 | libafl_frida 4 | frida_libpng 5 | zlib* -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_libpng/build.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | println!("cargo:rustc-link-arg=-rdynamic"); 3 | } 4 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_libpng/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_libpng/harness_win.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | extern "C" __declspec(dllexport) size_t 7 | LLVMFuzzerTestOneInput(const char *data, unsigned int len) { 8 | if (data[0] == 'b') { 9 | if (data[1] == 'a') { 10 | if (data[2] == 'd') { 11 | // STATUS_ACCESS_VIOLATION 12 | int volatile *p = 0x0; 13 | *p = 0; 14 | } 15 | } 16 | } 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_libpng/src/main.rs: -------------------------------------------------------------------------------- 1 | mod fuzzer; 2 | pub fn main() { 3 | fuzzer::main(); 4 | } 5 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_windows_gdiplus/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | rustflags = ["-C", "target-feature=+crt-static"] 3 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_windows_gdiplus/.gitignore: -------------------------------------------------------------------------------- 1 | corpus_discovered 2 | output_t* 3 | *.exp 4 | *.lib 5 | *.obj 6 | *.lnk 7 | 8 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_windows_gdiplus/cmplog_test.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | t1 3 | t2 4 | t3 5 | t4 6 | t5 7 | t6 8 | t7 9 | -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_windows_gdiplus/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/frida_windows_gdiplus/src/main.rs: -------------------------------------------------------------------------------- 1 | mod fuzzer; 2 | pub fn main() { 3 | fuzzer::main(); 4 | } 5 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/fuzzbench -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_fork_qemu/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_fork_qemu/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_fork_qemu/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 6 | if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 7 | char buf[8] = {'a', 'b', 'c', 'd'}; 8 | 9 | if (memcmp(Data, buf, 4) == 0) { abort(); } 10 | return 0; 11 | } 12 | 13 | /* 14 | int main() { 15 | 16 | char buf [10] = {0}; 17 | LLVMFuzzerTestOneInput(buf, 10); 18 | 19 | }*/ 20 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_fork_qemu/libfuzzer_main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 5 | 6 | int main() { 7 | char buf[10] = {0}; 8 | LLVMFuzzerTestOneInput(buf, 10); 9 | } 10 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_fork_qemu/src/main.rs: -------------------------------------------------------------------------------- 1 | #[cfg(target_os = "linux")] 2 | pub mod fuzzer; 3 | 4 | fn main() { 5 | #[cfg(target_os = "linux")] 6 | fuzzer::main(); 7 | } 8 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_qemu/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_qemu/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_qemu/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 6 | if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 7 | char buf[8] = {'a', 'b', 'c', 'd'}; 8 | 9 | if (memcmp(Data, buf, 4) == 0) { abort(); } 10 | return 0; 11 | } 12 | 13 | /* 14 | int main() { 15 | 16 | char buf [10] = {0}; 17 | LLVMFuzzerTestOneInput(buf, 10); 18 | 19 | }*/ 20 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_qemu/libfuzzer_main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); 5 | 6 | int main() { 7 | char buf[10] = {0}; 8 | LLVMFuzzerTestOneInput(buf, 10); 9 | } 10 | -------------------------------------------------------------------------------- /fuzzers/binary_only/fuzzbench_qemu/src/main.rs: -------------------------------------------------------------------------------- 1 | #[cfg(target_os = "linux")] 2 | pub mod fuzzer; 3 | 4 | fn main() { 5 | #[cfg(target_os = "linux")] 6 | fuzzer::main() 7 | } 8 | -------------------------------------------------------------------------------- /fuzzers/binary_only/intel_pt_baby_fuzzer/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "intel_pt_baby_fuzzer" 3 | version = "0.14.1" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | "Marco Cavenati ", 8 | ] 9 | edition = "2021" 10 | 11 | [features] 12 | tui = ["libafl/tui_monitor"] 13 | 14 | [dependencies] 15 | libafl = { path = "../../../libafl/", default-features = false, features = [ 16 | "intel_pt", 17 | ] } 18 | libafl_bolts = { path = "../../../libafl_bolts" } 19 | proc-maps = "0.4.0" 20 | -------------------------------------------------------------------------------- /fuzzers/binary_only/intel_pt_command_executor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "intel_pt_command_executor" 3 | version = "0.1.0" 4 | authors = ["Marco Cavenati "] 5 | edition = "2021" 6 | 7 | [dependencies] 8 | env_logger = "0.11.5" 9 | libafl = { path = "../../../libafl", default-features = false, features = [ 10 | "intel_pt", 11 | ] } 12 | libafl_bolts = { path = "../../../libafl_bolts" } 13 | libafl_intelpt = { path = "../../../libafl_intelpt" } 14 | log = { version = "0.4.22", features = ["release_max_level_info"] } 15 | -------------------------------------------------------------------------------- /fuzzers/binary_only/intel_pt_command_executor/Justfile: -------------------------------------------------------------------------------- 1 | import "../../../just/libafl.just" 2 | 3 | FUZZER_NAME := "intel_pt_command_executor" 4 | 5 | [unix] 6 | target_dir: 7 | mkdir -p {{ TARGET_DIR }} 8 | 9 | [unix] 10 | build_target: target_dir 11 | rustc src/target_program.rs --out-dir {{ TARGET_DIR }} -O 12 | 13 | [unix] 14 | build: 15 | cargo build --profile {{ PROFILE }} 16 | 17 | [unix] 18 | setcap: 19 | sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep {{ FUZZER }} 20 | 21 | [unix] 22 | run: build build_target setcap 23 | {{ FUZZER }} 24 | 25 | [unix] 26 | test: build 27 | echo "Build is successful." 28 | 29 | [unix] 30 | clean: 31 | cargo clean -------------------------------------------------------------------------------- /fuzzers/binary_only/intel_pt_command_executor/src/target_program.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | hint::black_box, 3 | io::{stdin, Read}, 4 | }; 5 | 6 | fn main() { 7 | let mut buf = Vec::new(); 8 | stdin().read_to_end(&mut buf).unwrap(); 9 | 10 | if !buf.is_empty() && buf[0] == b'a' { 11 | let _do_something = black_box(0); 12 | if buf.len() > 1 && buf[1] == b'b' { 13 | let _do_something = black_box(0); 14 | if buf.len() > 2 && buf[2] == b'c' { 15 | panic!("Artificial bug triggered =)"); 16 | } 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /fuzzers/binary_only/python_qemu/README.md: -------------------------------------------------------------------------------- 1 | # Python LibAFL QEMU 2 | 3 | ## Build 4 | 5 | First, install python bindings (check `LibAFL/bindings/pylibafl`) and use the virtual environment. 6 | 7 | Then, create the `in` folder and put some input inside 8 | ```bash 9 | $ mkdir in 10 | $ echo aaaaa > in/input 11 | ``` 12 | 13 | ## Run 14 | 15 | ```bash 16 | $ python fuzzer.py 17 | ``` 18 | -------------------------------------------------------------------------------- /fuzzers/binary_only/python_qemu/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 6 | // printf("Got %ld bytes.\n", Size); 7 | if (Size >= 4 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 8 | return 0; 9 | } 10 | 11 | int main() { 12 | char buf[10] = {0}; 13 | LLVMFuzzerTestOneInput(buf, 10); 14 | } 15 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_cmin/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libpng_harness 3 | libpng_harness_crashing 4 | zlib-* 5 | crashes 6 | target 7 | output 8 | corpus/ 9 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_cmin/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_cmin/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A binary-only corpus minimizer using qemu, similar to AFL++ afl-cmin 2 | #[cfg(target_os = "linux")] 3 | mod fuzzer; 4 | 5 | #[cfg(target_os = "linux")] 6 | pub fn main() { 7 | fuzzer::fuzz().unwrap(); 8 | } 9 | 10 | #[cfg(not(target_os = "linux"))] 11 | pub fn main() { 12 | panic!("qemu-user and libafl_qemu is only supported on linux!"); 13 | } 14 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_coverage/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libpng_harness 3 | libpng_harness_crashing 4 | zlib-* 5 | crashes 6 | target 7 | drcov.log 8 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_coverage/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_coverage/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A qemu test case runner to generate drcov coverage outputs 2 | #[cfg(target_os = "linux")] 3 | mod fuzzer; 4 | 5 | #[cfg(target_os = "linux")] 6 | pub fn main() { 7 | fuzzer::fuzz(); 8 | } 9 | 10 | #[cfg(not(target_os = "linux"))] 11 | pub fn main() { 12 | panic!("qemu-user and libafl_qemu is only supported on linux!"); 13 | } 14 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libpng_harness 3 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/injection_test/.gitignore: -------------------------------------------------------------------------------- 1 | injection_test 2 | static 3 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A libfuzzer-like fuzzer using qemu for binary-only coverage 2 | #[cfg(target_os = "linux")] 3 | mod client; 4 | #[cfg(target_os = "linux")] 5 | mod fuzzer; 6 | #[cfg(target_os = "linux")] 7 | mod harness; 8 | #[cfg(target_os = "linux")] 9 | mod instance; 10 | #[cfg(target_os = "linux")] 11 | mod options; 12 | #[cfg(target_os = "linux")] 13 | mod version; 14 | 15 | #[cfg(target_os = "linux")] 16 | use crate::fuzzer::Fuzzer; 17 | 18 | #[cfg(target_os = "linux")] 19 | pub fn main() { 20 | Fuzzer::new().fuzz().unwrap(); 21 | } 22 | 23 | #[cfg(not(target_os = "linux"))] 24 | pub fn main() { 25 | panic!("qemu-user and libafl_qemu is only supported on linux!"); 26 | } 27 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/stats.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_launcher/stats.txt -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/injection/.gitignore: -------------------------------------------------------------------------------- 1 | sqltest 2 | static -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/injection/Makefile: -------------------------------------------------------------------------------- 1 | all: static sqltest 2 | 3 | sqltest: sqltest.c 4 | gcc -g -o sqltest sqltest.c -l sqlite3 -lm -lpthread 5 | 6 | static: sqltest.c 7 | gcc -g -o static sqltest.c -l sqlite3 -lm -static -lpthread -ldl 8 | 9 | fuzz: sqltest.c 10 | afl-clang-fast -o fuzz sqltest.c -l sqlite3 11 | 12 | clean: 13 | rm -f sqltest static fuzz 14 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/injection/README.md: -------------------------------------------------------------------------------- 1 | ## Prerequisites 2 | ```bash 3 | sudo apt install libsqlite3-dev 4 | ``` 5 | 6 | # Injection test setup 7 | 8 | To build the injection test target: 9 | `make` 10 | 11 | To run qemu_launcher with the injection detection activated: 12 | 13 | ``` 14 | target/x86_64/release/qemu_launcher -j injections.yaml -i in -o out -- injection_test/static 15 | ``` 16 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/injection/example.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_launcher/tests/injection/example.db -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/.gitignore: -------------------------------------------------------------------------------- 1 | /qasan 2 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/Makefile: -------------------------------------------------------------------------------- 1 | all: qasan 2 | 3 | qasan: qasan.c 4 | gcc qasan.c -o qasan 5 | 6 | clean: 7 | rm -rf qasan out stats.txt 8 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/double_free.txt: -------------------------------------------------------------------------------- 1 | D 2 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/memset.txt: -------------------------------------------------------------------------------- 1 | M -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/overflow.txt: -------------------------------------------------------------------------------- 1 | O 2 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/test_limits.txt: -------------------------------------------------------------------------------- 1 | T -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/uaf.txt: -------------------------------------------------------------------------------- 1 | A -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_launcher/tests/qasan/inputs/underflow.txt: -------------------------------------------------------------------------------- 1 | U 2 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libpng_harness 3 | libpng_harness_crashing 4 | zlib-* 5 | crashes 6 | target 7 | output 8 | corpus/ 9 | -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/corpus/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_tmin/corpus/not_kitty.png -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/corpus/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_tmin/corpus/not_kitty_alpha.png -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/corpus/not_kitty_alpha_long.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_tmin/corpus/not_kitty_alpha_long.png -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/corpus/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_tmin/corpus/not_kitty_gamma.png -------------------------------------------------------------------------------- /fuzzers/binary_only/qemu_tmin/corpus/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/binary_only/qemu_tmin/corpus/not_kitty_icc.png -------------------------------------------------------------------------------- /fuzzers/binary_only/tinyinst_simple/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "tinyinst_simple" 3 | version = "0.15.3" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | libafl = { path = "../../../libafl", features = ["introspection"] } 8 | libafl_bolts = { path = "../../../libafl_bolts" } 9 | libafl_tinyinst = { path = "../../../libafl_tinyinst" } 10 | log = { version = "0.4.22", features = ["release_max_level_info"] } 11 | 12 | [profile.release] 13 | codegen-units = 1 14 | opt-level = 3 15 | -------------------------------------------------------------------------------- /fuzzers/binary_only/tinyinst_simple/README.md: -------------------------------------------------------------------------------- 1 | # Tinyinst example 2 | This is a fuzzer example to show how libafl_tinyinst works. 3 | 4 | ## How to build 5 | 1. Install cxxbridge-cmd with `cargo install cxxbridge-cmd` 6 | 2. Build the harness with `cl test\test.cpp -o test.exe` 7 | 3. Build the fuzzer with `cargo build --release`. The fuzzer is `target\release\tinyinst_simple.exe` 8 | 9 | ## Run with just 10 | Or, you can simply run it using just 11 | 1. If on Windows, open up a developer powershell so that you have access to cl (Windows Default Compiler) 12 | 2. Run `just run` to run the fuzzer 13 | -------------------------------------------------------------------------------- /fuzzers/binary_only/tinyinst_simple/test/crash_input.txt: -------------------------------------------------------------------------------- 1 | bad12 -------------------------------------------------------------------------------- /fuzzers/binary_only/tinyinst_simple/test/ok_input.txt: -------------------------------------------------------------------------------- 1 | ok -------------------------------------------------------------------------------- /fuzzers/forkserver/baby_fuzzer_with_forkexecutor/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | rundumps/* -------------------------------------------------------------------------------- /fuzzers/forkserver/baby_fuzzer_with_forkexecutor/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_with_forkexecutor" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | -------------------------------------------------------------------------------- /fuzzers/forkserver/baby_fuzzer_with_forkexecutor/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer with forkexecutor 2 | Example for `InProcessForkExecutor`. Compared with `InProcessExecutor`, it needs additional param `shmem_provider` to make it work. -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_capture_stdout/.gitignore: -------------------------------------------------------------------------------- 1 | forkserver_capture_stdout -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_capture_stdout/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "forkserver_capture_stdout" 3 | version = "0.14.1" 4 | authors = ["tokatoka ", "Ziqiao Kong "] 5 | edition = "2024" 6 | 7 | [profile.dev] 8 | panic = "abort" 9 | 10 | [profile.release] 11 | panic = "abort" 12 | lto = true 13 | codegen-units = 1 14 | opt-level = 3 15 | 16 | [dependencies] 17 | clap = { version = "4.5.18", features = ["derive"] } 18 | env_logger = "0.11.5" 19 | libafl = { path = "../../../libafl", features = ["std", "derive"] } 20 | libafl_bolts = { path = "../../../libafl_bolts" } 21 | log = { version = "0.4.22", features = ["release_max_level_info"] } 22 | nix = { version = "0.30.1", features = ["signal"] } 23 | serde = "1.0.219" 24 | serde_json = "1.0.140" 25 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_capture_stdout/README.md: -------------------------------------------------------------------------------- 1 | # Simple Forkserver Fuzzer to Capture Stdout 2 | 3 | This is a simple example fuzzer to showcase how to capture stdout(stderr) from `ForkserverExecutor`. 4 | 5 | ## Usage 6 | You can build this example by `cargo build --release`. 7 | This downloads AFLplusplus/AFLplusplus and compiles the example harness program in src/program.c with afl-cc 8 | 9 | ## Run 10 | After you build it you can run 11 | `cp ./target/release/forkserver_capture_stdout .` to copy the fuzzer into this directory, 12 | and you can run 13 | `taskset -c 1 ./forkserver_capture_stdout ./target/release/program ./corpus/ -t 1000` to run the fuzzer. 14 | `taskset` binds this process to a specific core to improve the throughput. -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_capture_stdout/src/program.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | // The following line is needed for shared memeory testcase fuzzing 4 | __AFL_FUZZ_INIT(); 5 | 6 | int main(int argc, char **argv) { 7 | FILE *file = stdin; 8 | if (argc > 1) { file = fopen(argv[1], "rb"); } 9 | 10 | // The following three lines are for normal fuzzing. 11 | /* 12 | char buf[16]; 13 | char* p = fgets(buf, 16, file); 14 | buf[15] = 0; 15 | */ 16 | 17 | // The following line is also needed for shared memory testcase fuzzing 18 | unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; 19 | int len = __AFL_FUZZ_TESTCASE_LEN; 20 | 21 | printf("{\"len\": %d}", len); 22 | 23 | return 0; 24 | } -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_libafl_cc/README.md: -------------------------------------------------------------------------------- 1 | # Simple Forkserver Fuzzer 2 | 3 | This is a simple example fuzzer to fuzz an executable instrumented by libafl_cc. 4 | 5 | ## Usage 6 | 7 | You can build this example by running `just fuzzer`. 8 | This compiles, libafl_cc, the fuzzer and the example harness program in 9 | `src/program.c` with libafl_cc. 10 | 11 | ## Run 12 | 13 | You can run this example by running `just run`. 14 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_libafl_cc/corpus/testfile: -------------------------------------------------------------------------------- 1 | aaa 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_libafl_cc/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_simple/.gitignore: -------------------------------------------------------------------------------- 1 | forkserver_simple 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_simple/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "forkserver_simple" 3 | version = "0.14.1" 4 | authors = ["tokatoka "] 5 | edition = "2024" 6 | 7 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 8 | 9 | [profile.dev] 10 | panic = "abort" 11 | 12 | [profile.release] 13 | panic = "abort" 14 | lto = true 15 | codegen-units = 1 16 | opt-level = 3 17 | 18 | [dependencies] 19 | clap = { version = "4.5.18", features = ["derive"] } 20 | env_logger = "0.11.5" 21 | libafl = { path = "../../../libafl", features = ["std", "derive"] } 22 | libafl_bolts = { path = "../../../libafl_bolts" } 23 | log = { version = "0.4.22", features = ["release_max_level_info"] } 24 | nix = { version = "0.30.1", features = ["signal"] } 25 | -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_simple/README.md: -------------------------------------------------------------------------------- 1 | # Simple Forkserver Fuzzer 2 | 3 | This is a simple example fuzzer to fuzz a executable instrumented by afl-cc. 4 | ## Usage 5 | You can build this example by `cargo build --release`. 6 | This downloads AFLplusplus/AFLplusplus and compiles the example harness program in src/program.c with afl-cc 7 | 8 | ## Run 9 | After you build it you can run 10 | `cp ./target/release/forkserver_simple .` to copy the fuzzer into this directory, 11 | and you can run 12 | `taskset -c 1 ./forkserver_simple ./target/release/program ./corpus/ -t 1000` to run the fuzzer. 13 | `taskset` binds this process to a specific core to improve the throughput. -------------------------------------------------------------------------------- /fuzzers/forkserver/forkserver_simple/corpus/testfile: -------------------------------------------------------------------------------- 1 | aaa 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/fuzzbench_forkserver/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | fuzzer 3 | -------------------------------------------------------------------------------- /fuzzers/forkserver/fuzzbench_forkserver_cmplog/test/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ~/AFLplusplus/afl-cc -O0 test-cmplog.c -o test-cmplog.afl 4 | AFL_LLVM_CMPLOG=1 ~/AFLplusplus/afl-cc -O0 test-cmplog.c -o test-cmplog.cmplog 5 | 6 | cp ./test-cmplog.afl .. 7 | cp ./test-cmplog.cmplog .. 8 | -------------------------------------------------------------------------------- /fuzzers/forkserver/fuzzbench_forkserver_sand/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | fuzzer 3 | -------------------------------------------------------------------------------- /fuzzers/forkserver/fuzzbench_forkserver_sand/src/cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod cc; 2 | 3 | fn main() { 4 | cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/.gitignore: -------------------------------------------------------------------------------- 1 | test/out-cmplog 2 | test/out-instr 3 | test/output-cmplog/ 4 | test/output/ 5 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/rustfmt.toml: -------------------------------------------------------------------------------- 1 | group_imports = "StdExternalCrate" 2 | imports_granularity = "Crate" 3 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/src/feedback/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod filepath; 2 | pub mod persistent_record; 3 | pub mod seed; 4 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/src/hooks.rs: -------------------------------------------------------------------------------- 1 | use libafl::{ 2 | events::{Event, EventManagerHook, EventWithStats}, 3 | state::Stoppable, 4 | Error, 5 | }; 6 | use libafl_bolts::ClientId; 7 | 8 | #[derive(Copy, Clone)] 9 | pub struct LibAflFuzzEventHook { 10 | exit_on_solution: bool, 11 | } 12 | 13 | impl EventManagerHook for LibAflFuzzEventHook 14 | where 15 | S: Stoppable, 16 | { 17 | fn pre_receive( 18 | &mut self, 19 | state: &mut S, 20 | _client_id: ClientId, 21 | event: &EventWithStats, 22 | ) -> Result { 23 | if self.exit_on_solution && matches!(event.event(), Event::Objective { .. }) { 24 | // TODO: dump state 25 | state.request_stop(); 26 | } 27 | Ok(true) 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/src/stages/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod mutational_stage; 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds-frida/init: -------------------------------------------------------------------------------- 1 | 00000 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds/init: -------------------------------------------------------------------------------- 1 | 0 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds_cmplog/init: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/forkserver/libafl-fuzz/test/seeds_cmplog/init -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds_frida/init: -------------------------------------------------------------------------------- 1 | 00000 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds_qemu/init: -------------------------------------------------------------------------------- 1 | 00000 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds_unicorn/in: -------------------------------------------------------------------------------- 1 | 0 2 | -------------------------------------------------------------------------------- /fuzzers/forkserver/libafl-fuzz/test/seeds_unicorn_cmpcov/in: -------------------------------------------------------------------------------- 1 |  -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_launcher/README.md: -------------------------------------------------------------------------------- 1 | # nyx_launcher 2 | 3 | Example fuzzer based on `qemu_launcher` but for Nyx. 4 | 5 | ## Run the fuzzer 6 | 7 | Run with an existing nyx shared dir: 8 | 9 | ``` 10 | cargo run -- --input input/ --output output/ --share /tmp/shareddir/ --buffer-size 4096 --cores 0-1 -v --cmplog-cores 1 11 | ``` 12 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_launcher/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A libfuzzer-like fuzzer using Nyx for binary-only coverage 2 | #[cfg(target_os = "linux")] 3 | mod client; 4 | #[cfg(target_os = "linux")] 5 | mod fuzzer; 6 | #[cfg(target_os = "linux")] 7 | mod instance; 8 | #[cfg(target_os = "linux")] 9 | mod options; 10 | 11 | #[cfg(target_os = "linux")] 12 | use crate::fuzzer::Fuzzer; 13 | 14 | #[cfg(target_os = "linux")] 15 | pub fn main() { 16 | Fuzzer::new().fuzz().unwrap(); 17 | } 18 | 19 | #[cfg(not(target_os = "linux"))] 20 | pub fn main() { 21 | panic!("libafl_nyx is only supported on linux!"); 22 | } 23 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_parallel/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "nyx_libxml2_parallel" 3 | version = "0.15.3" 4 | edition = "2021" 5 | default-run = "nyx_libxml2_parallel" 6 | 7 | [dependencies] 8 | libafl = { path = "../../../libafl" } 9 | libafl_bolts = { path = "../../../libafl_bolts" } 10 | libafl_cc = { path = "../../../libafl_cc" } 11 | libafl_nyx = { path = "../../../libafl_nyx" } 12 | 13 | log = { version = "0.4.22", features = ["release_max_level_info"] } 14 | 15 | [profile.release] 16 | codegen-units = 1 17 | opt-level = 3 18 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_parallel/Justfile: -------------------------------------------------------------------------------- 1 | import "../../../just/libafl.just" 2 | FUZZER_NAME := "nyx_libxml2_parallel" 3 | 4 | [unix] 5 | libxml2: 6 | ./setup_libxml2.sh 7 | 8 | [unix] 9 | enable_kvm_vmware_hypercall: 10 | #!/bin/bash 11 | if [ ! -e /sys/module/kvm/parameters/enable_vmware_backdoor ] || 12 | ! grep -qF Y /sys/module/kvm/parameters/enable_vmware_backdoor; then 13 | sudo modprobe -r kvm-intel # or kvm-amd for AMD 14 | sudo modprobe -r kvm 15 | sudo modprobe kvm enable_vmware_backdoor=y 16 | sudo modprobe kvm-intel 17 | fi; 18 | 19 | [unix] 20 | build: libxml2 21 | 22 | [unix] 23 | run: libxml2 enable_kvm_vmware_hypercall 24 | cargo run 25 | 26 | [unix] 27 | test: build 28 | 29 | [unix] 30 | clean: 31 | make -C libxml2 clean 32 | cargo clean -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_parallel/README.md: -------------------------------------------------------------------------------- 1 | this example shows to use `libafl_nyx` to fuzz `libxml2` 2 | 3 | # requirement 4 | the following command will: 5 | 1. run `cargo build --release` to generate `libafl_cc`,`libafl_cxx` 6 | 2. download and extract `libxml2` 7 | 3. instruct `libxml2` using `libafl_cc` and `libafl_cxx` 8 | 4. prepare nyx shared dir and config file at `/tmp/nyx_libxml2` 9 | 5. open kvm support 10 | ``` 11 | ./setup_libxml2.sh 12 | ``` 13 | 14 | # run the fuzzer 15 | use `just run` to run the fuzzer. If you have setup all environment, you can use `cargo run` directly. 16 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_parallel/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_standalone/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "nyx_libxml2_standalone" 3 | version = "0.15.3" 4 | edition = "2021" 5 | default-run = "nyx_libxml2_standalone" 6 | 7 | [dependencies] 8 | libafl = { path = "../../../libafl", features = ["tui_monitor"] } 9 | libafl_bolts = { path = "../../../libafl_bolts" } 10 | libafl_cc = { path = "../../../libafl_cc" } 11 | libafl_nyx = { path = "../../../libafl_nyx" } 12 | 13 | log = { version = "0.4.22", features = ["release_max_level_info"] } 14 | 15 | [profile.release] 16 | codegen-units = 1 17 | opt-level = 3 18 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_standalone/README.md: -------------------------------------------------------------------------------- 1 | this example shows to use `libafl_nyx` to fuzz `libxml2` 2 | 3 | # requirement 4 | the following command will: 5 | 1. run `cargo build --release` to generate `libafl_cc`,`libafl_cxx` 6 | 2. download and extract `libxml2` 7 | 3. instruct `libxml2` using `libafl_cc` and `libafl_cxx` 8 | 4. prepare nyx shared dir and config file at `/tmp/nyx_libxml2` 9 | 5. open kvm support 10 | ``` 11 | ./setup_libxml2.sh 12 | ``` 13 | 14 | # run the fuzzer 15 | use `just run` to run the fuzzer. If you have setup all environment, you can use `cargo run` directly. 16 | -------------------------------------------------------------------------------- /fuzzers/full_system/nyx_libxml2_standalone/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_baremetal/.gitignore: -------------------------------------------------------------------------------- 1 | *.qcow2 2 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_baremetal/build.rs: -------------------------------------------------------------------------------- 1 | use libafl_qemu_build::build_libafl_qemu; 2 | 3 | #[macro_export] 4 | macro_rules! assert_unique_feature { 5 | () => {}; 6 | ($first:tt $(,$rest:tt)*) => { 7 | $( 8 | #[cfg(all(not(any(doc, clippy)), feature = $first, feature = $rest))] 9 | compile_error!(concat!("features \"", $first, "\" and \"", $rest, "\" cannot be used together")); 10 | )* 11 | assert_unique_feature!($($rest),*); 12 | } 13 | } 14 | 15 | fn main() { 16 | assert_unique_feature!("low_level", "breakpoint", "sync_exit"); 17 | 18 | build_libafl_qemu(); 19 | } 20 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_baremetal/corpus/random: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_baremetal/corpus/random -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_baremetal/corpus/zero: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_baremetal/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A binary-only systemmode fuzzer using qemu for binary-only coverage 2 | #[cfg(all(target_os = "linux", feature = "low_level"))] 3 | mod fuzzer_low_level; 4 | 5 | #[cfg(all(target_os = "linux", feature = "breakpoint"))] 6 | mod fuzzer_breakpoint; 7 | 8 | #[cfg(all(target_os = "linux", feature = "sync_exit"))] 9 | mod fuzzer_sync_exit; 10 | 11 | #[cfg(target_os = "linux")] 12 | pub fn main() { 13 | #[cfg(feature = "low_level")] 14 | fuzzer_low_level::fuzz(); 15 | 16 | #[cfg(feature = "breakpoint")] 17 | fuzzer_breakpoint::fuzz(); 18 | 19 | #[cfg(feature = "sync_exit")] 20 | fuzzer_sync_exit::fuzz(); 21 | } 22 | 23 | #[cfg(not(target_os = "linux"))] 24 | pub fn main() { 25 | panic!("qemu-user and libafl_qemu is only supported on linux!"); 26 | } 27 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/.gitignore: -------------------------------------------------------------------------------- 1 | *.qcow2 2 | corpus_gen/ 3 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/build.rs: -------------------------------------------------------------------------------- 1 | use libafl_qemu_build::build_libafl_qemu; 2 | 3 | fn main() { 4 | build_libafl_qemu(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/corpus/random: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_kernel/corpus/random -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/corpus/zero: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/runtime/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | insmod /setup/harness.ko 4 | /setup/user 5 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/setup/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += harness.o 2 | # harness-objs += symfinder.o 3 | 4 | all: 5 | make EXTRA_CFLAGS="-DUSE_LQEMU=1" -C /lib/modules/$(LINUX_MODULES)/build M=$(PWD) modules 6 | gcc -Wall -Werror -o user user.c 7 | 8 | nyx: 9 | make EXTRA_CFLAGS="-DUSE_NYX=1" -C /lib/modules/$(LINUX_MODULES)/build M=$(PWD) modules 10 | gcc -Wall -Werror -o user user.c 11 | 12 | clean: 13 | make -C /lib/modules/$(LINUX_MODULES)/build M=$(PWD) clean 14 | rm -f user -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/setup/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | LINUX_MODULES=$(pacman -Ql linux-headers | grep -m 1 -E '/usr/lib/modules/[^/]*/' | sed 's|.*/usr/lib/modules/\([^/]*\)/.*|\1|') 4 | export LINUX_MODULES 5 | 6 | # Default root password 7 | echo "root:toor" | chpasswd 8 | 9 | cd /setup 10 | 11 | make clean 12 | make -j nyx -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/setup/user.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main() { 8 | const char *device = "/dev/harness"; 9 | int fd; 10 | 11 | // Open the device 12 | fd = open(device, O_RDWR); 13 | if (fd == -1) { return 1; } 14 | 15 | // Close the device 16 | if (close(fd) == -1) { return 1; } 17 | 18 | return 0; 19 | } -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A systemmode linux kernel example 2 | #[cfg(target_os = "linux")] 3 | mod fuzzer; 4 | 5 | #[cfg(target_os = "linux")] 6 | pub fn main() { 7 | fuzzer::fuzz(); 8 | } 9 | 10 | #[cfg(not(target_os = "linux"))] 11 | pub fn main() { 12 | panic!("qemu and libafl_qemu is only supported on linux!"); 13 | } 14 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/workdir/disks/OVMF_VARS.4m.fd.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_kernel/workdir/disks/OVMF_VARS.4m.fd.1 -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/workdir/disks/OVMF_VARS.4m.fd.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_kernel/workdir/disks/OVMF_VARS.4m.fd.2 -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/workdir/disks/linux.qcow2.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_kernel/workdir/disks/linux.qcow2.1 -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_kernel/workdir/disks/linux.qcow2.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_kernel/workdir/disks/linux.qcow2.2 -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/.gitignore: -------------------------------------------------------------------------------- 1 | *.qcow2 2 | corpus_gen/ 3 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/build.rs: -------------------------------------------------------------------------------- 1 | use libafl_qemu_build::build_libafl_qemu; 2 | 3 | fn main() { 4 | build_libafl_qemu(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/corpus/random: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/full_system/qemu_linux_process/corpus/random -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/corpus/zero: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/runtime/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /runtime/harness 4 | 5 | # shutdown now -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/setup/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Nothing to do 4 | echo 'root:toor' | sudo chpasswd -------------------------------------------------------------------------------- /fuzzers/full_system/qemu_linux_process/src/main.rs: -------------------------------------------------------------------------------- 1 | //! A systemmode linux kernel example 2 | #[cfg(target_os = "linux")] 3 | mod fuzzer; 4 | 5 | #[cfg(target_os = "linux")] 6 | pub fn main() { 7 | fuzzer::fuzz(); 8 | } 9 | 10 | #[cfg(not(target_os = "linux"))] 11 | pub fn main() { 12 | panic!("qemu and libafl_qemu is only supported on linux!"); 13 | } 14 | -------------------------------------------------------------------------------- /fuzzers/full_system/unicorn/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "unicorn" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [features] 7 | # Enable a code hook which log the program counter at each executed instruction 8 | default = [] 9 | code_hook = [] 10 | mem_hook = [] 11 | 12 | [dependencies] 13 | libafl = { path = "../../../libafl/" } 14 | libafl_bolts = { path = "../../../libafl_bolts/" } 15 | libafl_targets = { path = "../../../libafl_targets" } 16 | libafl_unicorn = { path = "../../../libafl_unicorn/" } 17 | 18 | unicorn-engine = "2.1.2" 19 | log = "0.4.25" 20 | env_logger = "0.11.6" 21 | -------------------------------------------------------------------------------- /fuzzers/full_system/unicorn/bin/foo.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | char *data = (char *)0x8000; 3 | // Extract the input from the memory at 0x8000 4 | unsigned char a = data[0]; 5 | unsigned char b = data[1]; 6 | 7 | if (a > b) { 8 | if (a < 0x30) return 0x2; 9 | if (a > 0x80) return 0x3; 10 | if (a > 0x60) return 0x4; 11 | if (a != 0x50) return 0x5; 12 | 13 | if (b < 0x20) return 0x7; 14 | if (b > 0x60) return 0x8; 15 | if (b > 0x30) return 0x9; 16 | if (b == 0x24) return 0x6; // Success 17 | 18 | return 0x5; 19 | } 20 | 21 | return 0x1; 22 | } 23 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | target = "wasm32-unknown-unknown" 3 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | **/*.rs.bk 3 | Cargo.lock 4 | bin/ 5 | wasm-pack.log 6 | .idea/ 7 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/Justfile: -------------------------------------------------------------------------------- 1 | FUZZER_NAME := 'fuzzer_wasm' 2 | PROJECT_DIR := absolute_path(".") 3 | PROFILE := 'release' 4 | PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" } 5 | CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target") 6 | FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME 7 | LIBAFL_CC := CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc" 8 | 9 | build: 10 | cargo build --target web 11 | 12 | [linux] 13 | [macos] 14 | test: 15 | wasm-pack test --chrome --headless 16 | 17 | [windows] 18 | test: 19 | echo "Unsupported on this platform" 20 | 21 | clean: 22 | cargo clean 23 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/pkg/.gitignore: -------------------------------------------------------------------------------- 1 | * -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/pkg/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | libafl_wasm test 6 | 7 | 8 | 13 | 14 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/pkg/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "baby_fuzzer_wasm", 3 | "collaborators": [ 4 | "Addison Crump " 5 | ], 6 | "version": "0.1.0", 7 | "files": [ 8 | "baby_fuzzer_wasm_bg.wasm", 9 | "baby_fuzzer_wasm.js", 10 | "baby_fuzzer_wasm.d.ts" 11 | ], 12 | "module": "baby_fuzzer_wasm.js", 13 | "types": "baby_fuzzer_wasm.d.ts", 14 | "sideEffects": [ 15 | "./snippets/*" 16 | ] 17 | } -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/src/utils.rs: -------------------------------------------------------------------------------- 1 | pub fn set_panic_hook() { 2 | // When the `console_error_panic_hook` feature is enabled, we can call the 3 | // `set_panic_hook` function at least once during initialization, and then 4 | // we will get better error messages if our code ever panics. 5 | // 6 | // For more details see 7 | // https://github.com/rustwasm/console_error_panic_hook#readme 8 | #[cfg(feature = "console_error_panic_hook")] 9 | console_error_panic_hook::set_once(); 10 | } 11 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/tests/web.rs: -------------------------------------------------------------------------------- 1 | //! Test suite for the Web and headless browsers. 2 | 3 | #![cfg(target_arch = "wasm32")] 4 | 5 | extern crate wasm_bindgen_test; 6 | use baby_fuzzer_wasm::fuzz; 7 | use wasm_bindgen_test::*; 8 | 9 | wasm_bindgen_test_configure!(run_in_browser); 10 | 11 | #[wasm_bindgen_test] 12 | fn test_fuzz() { 13 | fuzz(); 14 | } 15 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_fuzzer_wasm/webdriver.json: -------------------------------------------------------------------------------- 1 | { 2 | "moz:firefoxOptions": { 3 | "prefs": { 4 | "media.navigator.streams.fake": true, 5 | "media.navigator.permission.disabled": true 6 | }, 7 | "args": [] 8 | }, 9 | "goog:chromeOptions": { 10 | "args": [ 11 | "--use-fake-device-for-media-stream", 12 | "--use-fake-ui-for-media-stream" 13 | ] 14 | } 15 | } -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_no_std/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_no_std/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_no_std" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [profile.dev] 11 | panic = "abort" 12 | 13 | [profile.release] 14 | panic = "abort" 15 | lto = true 16 | codegen-units = 1 17 | opt-level = 3 18 | debug = true 19 | 20 | [dependencies] 21 | libafl = { default-features = false, path = "../../../libafl" } 22 | libafl_bolts = { default-features = false, path = "../../../libafl_bolts" } 23 | log = { version = "0.4.22", features = ["release_max_level_info"] } 24 | static-alloc = "0.2.3" 25 | 26 | [target.'cfg(unix)'.dependencies] 27 | libc = "0.2.159" 28 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_no_std/README.md: -------------------------------------------------------------------------------- 1 | # Baby `no_std` 2 | 3 | This is a minimalistic example how to create a libafl based fuzzer that works on `no_std` environments like TEEs, Kernels or on barew metal. 4 | 5 | It runs on a single core until a crash occurs and then calls the panic handler. 6 | 7 | The tested program is a simple Rust function without any instrumentation. 8 | For real fuzzing, you will want to add some sort to add coverage or other feedback. -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_no_std/build.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | if std::env::var("CARGO_CFG_TARGET_FAMILY").unwrap_or_default() == "unix" { 3 | println!("cargo:rustc-link-lib=c"); 4 | }; 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/baby_no_std/rust-toolchain: -------------------------------------------------------------------------------- 1 | nightly 2 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "cargo_fuzz_test" 3 | edition = "2021" 4 | version = "0.15.3" 5 | description = "test" 6 | authors = [ 7 | "Andrea Fioraldi ", 8 | "Dominik Maier ", 9 | ] 10 | repository = "https://github.com/AFLplusplus/LibAFL/" 11 | keywords = ["fuzzing", "testing", "compiler"] 12 | categories = [ 13 | "development-tools::testing", 14 | "emulators", 15 | "embedded", 16 | "os", 17 | "no-std", 18 | ] 19 | 20 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 21 | 22 | [dependencies] 23 | log = { version = "0.4.22", features = ["release_max_level_info"] } 24 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/Justfile: -------------------------------------------------------------------------------- 1 | install_llvm_tools: 2 | rustup toolchain install nightly --component llvm-tools-preview 3 | 4 | install_cargo_fuzz: 5 | cargo install cargo-fuzz 6 | 7 | build: install_cargo_fuzz install_llvm_tools 8 | cargo +nightly fuzz build fuzz_target_1 9 | 10 | [linux] 11 | test: build 12 | #!/bin/bash 13 | timeout 30s cargo +nightly fuzz run fuzz_target_1 2>&1 | tee fuzz_stdout.log || true 14 | if grep -qa "objectives: 1" fuzz_stdout.log; then 15 | echo "Fuzzer is working" 16 | else 17 | echo "Fuzzer does not generate any testcases or any crashes" 18 | exit 1 19 | fi 20 | 21 | [macos] 22 | [windows] 23 | test: build 24 | echo "Unsupported on this platform" 25 | 26 | clean: 27 | rm -rf fuzz/target -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/README.md: -------------------------------------------------------------------------------- 1 | # cargo-fuzz 2 | 3 | This is a minimalistic example how to use LibAFL with cargo-fuzz. It uses the `libafl_libfuzzer` compatibility layer in order to be libFuzzer compatible. 4 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/fuzz/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | corpus 3 | artifacts 4 | coverage 5 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/fuzz/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libafl-fuzz" 3 | version = "0.15.3" 4 | publish = false 5 | edition = "2021" 6 | 7 | [workspace] 8 | 9 | [package.metadata] 10 | cargo-fuzz = true 11 | 12 | [dependencies] 13 | 14 | [dependencies.cargo_fuzz_test] 15 | path = ".." 16 | 17 | [dependencies.libfuzzer-sys] 18 | path = "../../../../libafl_libfuzzer" 19 | package = "libafl_libfuzzer" 20 | 21 | [[bin]] 22 | name = "fuzz_target_1" 23 | path = "fuzz_targets/fuzz_target_1.rs" 24 | test = false 25 | doc = false 26 | bench = false 27 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/fuzz/fuzz_targets/fuzz_target_1.rs: -------------------------------------------------------------------------------- 1 | #![no_main] 2 | 3 | use cargo_fuzz_test::do_thing; 4 | use libfuzzer_sys::fuzz_target; 5 | 6 | fuzz_target!(|data: &[u8]| do_thing(data)); 7 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/cargo_fuzz/src/lib.rs: -------------------------------------------------------------------------------- 1 | #[expect( 2 | clippy::collapsible_if, 3 | clippy::manual_assert, 4 | clippy::missing_panics_doc 5 | )] 6 | pub fn do_thing(data: &[u8]) { 7 | if data.first() == Some(&b'a') { 8 | if data.get(1) == Some(&b'b') { 9 | if data.get(2) == Some(&b'c') { 10 | if data.get(3) == Some(&b'd') { 11 | panic!("We found the objective!"); 12 | } 13 | } 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/libafl_atheris/.gitignore: -------------------------------------------------------------------------------- 1 | atheris 2 | env -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/libafl_atheris/README.md: -------------------------------------------------------------------------------- 1 | # Atheris Python Fuzzer 2 | 3 | This is a LibAFL-based Python fuzzer using [Atheris](https://github.com/google/atheris) for instrumentation. 4 | We switch out Atheris' libfuzzer implementation with LibAFL, by mimicking its API. 5 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_harness/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_harness/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "push_harness" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | klo-routines = { version = "0.1.0", git = "https://github.com/andreafioraldi/klo-routines.git", rev = "b8e2fb6" } 29 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_harness/README.md: -------------------------------------------------------------------------------- 1 | # Klo-based Fuzzer with Push Harness 2 | 3 | *Linux only* 4 | 5 | This is a minimalistic example create a fuzzer for Linux that pulls data out of LibAFL, instead of being called by it repeatedly. 6 | Use this only if there is absolutely no way to have a traditional harness function that gets called, but the target *needs* to call the fuzzer, instead. 7 | This technique comes at some runtime overhead, and you should very likely not need it for everyday fuzzing. -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_stage_harness/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_stage_harness/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "push_stage_harness" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | -------------------------------------------------------------------------------- /fuzzers/fuzz_anything/push_stage_harness/README.md: -------------------------------------------------------------------------------- 1 | # Push Stage Harness 2 | 3 | This is a minimalistic example create a fuzzer that pulls data out of LibAFL, instead of being called by it repeatedly. 4 | In contrast to Kloroutines, this should be reasonably sound and fast. -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | fuzzer 3 | fuzzbench 4 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 6 | if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 7 | char buf[8] = {'a', 'b', 'c', 'd'}; 8 | 9 | if (memcmp(Data, buf, 4) == 0) { abort(); } 10 | return 0; 11 | } 12 | 13 | /* 14 | int main() { 15 | 16 | char buf [10] = {0}; 17 | LLVMFuzzerTestOneInput(buf, 10); 18 | 19 | }*/ 20 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench_ctx/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 6 | if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 7 | char buf[8] = {'a', 'b', 'c', 'd'}; 8 | 9 | if (memcmp(Data, buf, 4) == 0) { abort(); } 10 | return 0; 11 | } 12 | 13 | /* 14 | int main() { 15 | 16 | char buf [10] = {0}; 17 | LLVMFuzzerTestOneInput(buf, 10); 18 | 19 | }*/ 20 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench_ctx/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench_text/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | fuzzer 3 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench_text/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 5 | if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } 6 | return 0; 7 | } 8 | 9 | /* 10 | int main() { 11 | 12 | char buf [10] = {0}; 13 | LLVMFuzzerTestOneInput(buf, 10); 14 | 15 | }*/ 16 | -------------------------------------------------------------------------------- /fuzzers/inprocess/fuzzbench_text/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libafl_libfuzzer_windows/README.md: -------------------------------------------------------------------------------- 1 | # LibAFL-LibFuzzer Windows 2 | 3 | A simple example demonstrating how to build LibFuzzer harnesses with LibAFL-LibFuzzer 4 | as an alternative runtime on Windows. -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libmozjpeg/.gitignore: -------------------------------------------------------------------------------- 1 | *.tar.gz* 2 | mozjpeg-4.0.3 -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libmozjpeg/build.rs: -------------------------------------------------------------------------------- 1 | // build.rs 2 | 3 | use std::env; 4 | 5 | fn main() { 6 | let out_dir = env::var_os("OUT_DIR").unwrap(); 7 | let out_dir = out_dir.to_string_lossy().to_string(); 8 | 9 | println!("cargo:rerun-if-changed=harness.c"); 10 | 11 | cc::Build::new() 12 | // Use sanitizer coverage to track the edges in the PUT 13 | // Take advantage of LTO (needs lld-link set in your cargo config) 14 | //.flag("-flto=thin") 15 | .file("./hook_allocs.c") 16 | .compile("hook_allocs"); 17 | 18 | println!("cargo:rustc-link-search=native={}", &out_dir); 19 | 20 | println!("cargo:rerun-if-changed=build.rs"); 21 | } 22 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libmozjpeg/corpus/blank.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/inprocess/libfuzzer_libmozjpeg/corpus/blank.jpg -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libmozjpeg/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL tokens file for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libmozjpeg/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_accounting/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_accounting/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_accounting/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_centralized/.gitignore: -------------------------------------------------------------------------------- 1 | fuzzer_stats.toml 2 | libpng-* 3 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_centralized/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_centralized/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_cmin/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_cmin/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_cmin/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_launcher/.gitignore: -------------------------------------------------------------------------------- 1 | fuzzer_stats.toml 2 | libpng-* 3 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_launcher/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_launcher/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_norestart/.gitignore: -------------------------------------------------------------------------------- 1 | fuzzer_stats.toml 2 | libpng-* 3 | corpus 4 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_norestart/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_norestart/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_tcp_manager/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_tcp_manager/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_libpng_tcp_manager/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libfuzzer_stb_image 3 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image_sugar/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | libfuzzer_stb_image 3 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image_sugar/README.md: -------------------------------------------------------------------------------- 1 | # Libfuzzer for stb_image with libafl_sugar 2 | 3 | This folder contains an example fuzzer for stb_image, using LLMP for fast multi-process fuzzing and crash detection. 4 | It has been tested on Linux and Windows. 5 | 6 | ## Build 7 | 8 | To build this example, run `cargo build --release`. 9 | This will build the the fuzzer (src/main.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback as a standalone binary. 10 | 11 | Unlike the libpng example, in this example the harness (that entirely includes the program under test) is compiled in the `build.rs` file while building the crate, and linked with the fuzzer by cargo when producing the final binary, `target/release/libfuzzer_stb_image`. 12 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image_sugar/corpus: -------------------------------------------------------------------------------- 1 | ../../../seeds/pngs/ -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image_sugar/harness.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define STBI_ASSERT(x) 5 | #define STBI_NO_SIMD 6 | #define STBI_NO_LINEAR 7 | #define STBI_NO_STDIO 8 | #define STB_IMAGE_IMPLEMENTATION 9 | 10 | #include "stb_image.h" 11 | 12 | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 13 | int x, y, channels; 14 | 15 | if (!stbi_info_from_memory(data, size, &x, &y, &channels)) { return 0; } 16 | 17 | /* exit if the image is larger than ~80MB */ 18 | if (y && x > (80000000 / 4) / y) { return 0; } 19 | 20 | unsigned char *img = stbi_load_from_memory(data, size, &x, &y, &channels, 4); 21 | 22 | free(img); 23 | 24 | // if (x > 10000) free(img); // free crash 25 | 26 | // if (x > 10000) {free(img);} // free crash 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_stb_image_sugar/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_windows_asan/.gitignore: -------------------------------------------------------------------------------- 1 | libfuzzer_windows_asan* -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_windows_asan/corpus/hello_world: -------------------------------------------------------------------------------- 1 | Hello World 2 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_windows_asan/harness.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void asan_crash() { 6 | int *array = new int[100]; 7 | delete[] array; 8 | array[5] += 1; 9 | fprintf(stdout, "%d\n", array[5]); 10 | } 11 | 12 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 13 | // abort(); 14 | if (size == 10) { asan_crash(); } 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /fuzzers/inprocess/libfuzzer_windows_asan/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main() 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/inprocess/sqlite_centralized_multi_machine/run_child.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ./ossfuzz --cores 0-3 --input ./corpus --parent-addr 0.0.0.0:50000 --broker-port 3000 4 | -------------------------------------------------------------------------------- /fuzzers/inprocess/sqlite_centralized_multi_machine/run_parent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ./ossfuzz --cores 0-1 --input ./corpus 4 | -------------------------------------------------------------------------------- /fuzzers/inprocess/sqlite_centralized_multi_machine/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_custom_input/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_custom_input" 3 | version = "0.1.0" 4 | authors = ["Valentin Huber "] 5 | edition = "2021" 6 | 7 | [features] 8 | default = ["simple_interface"] 9 | simple_interface = [] 10 | 11 | [profile.dev] 12 | panic = "abort" 13 | 14 | [profile.release] 15 | panic = "abort" 16 | lto = true 17 | codegen-units = 1 18 | opt-level = 3 19 | debug = true 20 | 21 | [dependencies] 22 | libafl = { path = "../../../libafl" } 23 | libafl_bolts = { path = "../../../libafl_bolts" } 24 | log = { version = "0.4.22", features = ["release_max_level_info"] } 25 | serde = "1.0.210" 26 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_custom_input/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer 2 | 3 | This is a minimalistic fuzzer demonstrating how to employ mapping mutators to use default mutators on custom inputs. Custom inputs are necessary when the input to your program is a combination of parts, especially when those parts have different data types. Check multipart inputs if you have an input consisting of multiple parts of the same datatype and you don't need your mutation scheduler to be able to select which mutation is performed on which part. 4 | 5 | The fuzzer runs on a single core until a crash occurs and then exits. The tested program is a simple Rust function without any instrumentation. For real fuzzing, you will want to add some sort to add coverage or other feedback. 6 | 7 | You can run this example using `cargo run`. -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_gramatron/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_gramatron/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_gramatron" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | postcard = { version = "1.0.10", features = [ 29 | "alloc", 30 | ], default-features = false } # no_std compatible serde serialization format 31 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_gramatron/auto.postcard: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/fuzzers/structure_aware/baby_fuzzer_gramatron/auto.postcard -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_gramatron/corpus/new file: -------------------------------------------------------------------------------- 1 | fn pippo(v) { return "hello world " + v; } 2 | var a = 666; 3 | name = "scozzo" + a; 4 | pippo(name); 5 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_grimoire/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_grimoire/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_grimoire" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_grimoire/corpus/new file: -------------------------------------------------------------------------------- 1 | fn pippo(v) { return "hello world " + v; } 2 | var a = 666; 3 | name = "scozzo" + a; 4 | pippo(name); 5 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_multi/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_multi/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_multi" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | "Addison Crump ", 8 | ] 9 | edition = "2021" 10 | 11 | [features] 12 | default = ["std"] 13 | tui = ["libafl/tui_monitor"] 14 | std = [] 15 | 16 | [profile.dev] 17 | panic = "abort" 18 | 19 | [profile.release] 20 | panic = "abort" 21 | lto = true 22 | codegen-units = 1 23 | opt-level = 3 24 | debug = true 25 | 26 | [dependencies] 27 | libafl = { path = "../../../libafl", features = ["multipart_inputs"] } 28 | libafl_bolts = { path = "../../../libafl_bolts" } 29 | log = { version = "0.4.22", features = ["release_max_level_info"] } 30 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_multi/README.md: -------------------------------------------------------------------------------- 1 | # Baby fuzzer multi 2 | 3 | This is a minimalistic example about how to create a libafl based fuzzer for targets with multipart inputs. 4 | 5 | It runs on a single core until a crash occurs and then exits. 6 | 7 | The tested program is a simple Rust function without any instrumentation. 8 | For real fuzzing, you will want to add some sort to add coverage or other feedback. 9 | 10 | You can run this example using `cargo run`, and you can enable the TUI feature by running `cargo run --features tui`. -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_nautilus/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_nautilus/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_nautilus" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl", features = ["default", "nautilus"] } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_nautilus/README.md: -------------------------------------------------------------------------------- 1 | ## baby nautilus fuzzer 2 | [Nautilus](https://www.ndss-symposium.org/ndss-paper/nautilus-fishing-for-deep-bugs-with-grammars/) is a coverage-guided and grammar-based fuzzer. It needs to read the mruby's context-free grammar stored in `grammar.json`. And then use the corresponding feedback, generator, and mutator to fuzz. 3 | `libafl::mutators::nautilus` contains: 4 | ``` 5 | NautilusInput,NautilusContext 6 | NautilusChunksMetadata,NautilusFeedback 7 | NautilusGenerator 8 | NautilusRandomMutator,NautilusRecursionMutator,NautilusSpliceMutator 9 | ``` 10 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_tokens/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_tokens/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "baby_fuzzer_tokens" 3 | version = "0.15.3" 4 | authors = [ 5 | "Andrea Fioraldi ", 6 | "Dominik Maier ", 7 | ] 8 | edition = "2021" 9 | 10 | [features] 11 | default = ["std"] 12 | std = [] 13 | 14 | [profile.dev] 15 | panic = "abort" 16 | 17 | [profile.release] 18 | panic = "abort" 19 | lto = true 20 | codegen-units = 1 21 | opt-level = 3 22 | debug = true 23 | 24 | [dependencies] 25 | libafl = { path = "../../../libafl" } 26 | libafl_bolts = { path = "../../../libafl_bolts" } 27 | log = { version = "0.4.22", features = ["release_max_level_info"] } 28 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_tokens/README.md: -------------------------------------------------------------------------------- 1 | # Baby tokens fuzzer 2 | 1. `tokenizer` are used to split inputs into tokens 3 | 2. `encoder_decoder` will give every new token a new id and record the mapping relation. Then it can convert tokens to `EncodedInput`, vice versa. 4 | 3. `encoded_mutations` are used to deal with token level mutation, following is the definition: 5 | ''' 6 | pub fn encoded_mutations() -> tuple_list_type!( 7 | EncodedRandMutator, 8 | EncodedIncMutator, 9 | EncodedDecMutator, 10 | EncodedAddMutator, 11 | EncodedDeleteMutator, 12 | EncodedInsertCopyMutator, 13 | EncodedCopyMutator, 14 | EncodedCrossoverInsertMutator, 15 | EncodedCrossoverReplaceMutator, 16 | ) 17 | ''' -------------------------------------------------------------------------------- /fuzzers/structure_aware/baby_fuzzer_tokens/corpus/new file: -------------------------------------------------------------------------------- 1 | fn pippo(v) { return "hello world " + v; } 2 | var a = 666; 3 | name = "scozzo" + a; 4 | pippo(name); 5 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/forkserver_simple_nautilus/.gitignore: -------------------------------------------------------------------------------- 1 | forkserver_simple 2 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/forkserver_simple_nautilus/README.md: -------------------------------------------------------------------------------- 1 | # Simple Forkserver Fuzzer 2 | 3 | This is a simple example fuzzer to fuzz a executable instrumented by afl-cc. 4 | ## Usage 5 | You can build this example by `cargo build --release`. 6 | This downloads AFLplusplus/AFLplusplus and compiles the example harness program in src/program.c with afl-cc 7 | 8 | ## Run 9 | After you build it you can run 10 | `cp ./target/release/forkserver_simple .` to copy the fuzzer into this directory, 11 | and you can run 12 | `taskset -c 1 ./forkserver_simple ./target/release/program ./corpus/ -t 1000` to run the fuzzer. 13 | `taskset` binds this process to a specific core to improve the throughput. -------------------------------------------------------------------------------- /fuzzers/structure_aware/forkserver_simple_nautilus/corpus/testfile: -------------------------------------------------------------------------------- 1 | aaa 2 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/.gitignore: -------------------------------------------------------------------------------- 1 | libpng-* 2 | cur_input -------------------------------------------------------------------------------- /fuzzers/structure_aware/nautilus_sync/.gitignore: -------------------------------------------------------------------------------- 1 | fuzzer_libpng_nautilus 2 | grammar.json 3 | libpng-* 4 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/nautilus_sync/rust-toolchain: -------------------------------------------------------------------------------- 1 | nightly 2 | -------------------------------------------------------------------------------- /fuzzers/structure_aware/nautilus_sync/src/bin/libafl_cxx.rs: -------------------------------------------------------------------------------- 1 | pub mod libafl_cc; 2 | 3 | fn main() { 4 | libafl_cc::main(); 5 | } 6 | -------------------------------------------------------------------------------- /just/README.md: -------------------------------------------------------------------------------- 1 | # LibAFL Just Library 2 | 3 | Here is stored the common library used by our example fuzzers. 4 | It mainly consists of boilerplate definitions and convenient functions. 5 | 6 | One of these files should always be included in final `Justfile`s. -------------------------------------------------------------------------------- /just/envs/.env.aarch64: -------------------------------------------------------------------------------- 1 | CROSS_TARGET="aarch64-unknown-linux-gnu" 2 | CROSS_CC="aarch64-linux-gnu-gcc" 3 | CROSS_CXX="aarch64-linux-gnu-g++" 4 | CROSS_OBJCOPY="aarch64-linux-gnu-objcopy" 5 | CROSS_STRIP="aarch64-linux-gnu-strip" 6 | CROSS_CFLAGS="" 7 | LIBRASAN_CFLAGS="-no-pie -fno-stack-protector" 8 | -------------------------------------------------------------------------------- /just/envs/.env.arm: -------------------------------------------------------------------------------- 1 | CROSS_TARGET="armv7-unknown-linux-gnueabi" 2 | CROSS_CC="arm-linux-gnueabi-gcc" 3 | CROSS_CXX="arm-linux-gnueabi-g++" 4 | CROSS_OBJCOPY="arm-linux-gnueabi-objcopy" 5 | CROSS_STRIP="arm-linux-gnueabi-strip" 6 | CROSS_CFLAGS="" 7 | LIBRASAN_CFLAGS="-no-pie -fno-stack-protector -marm" 8 | -------------------------------------------------------------------------------- /just/envs/.env.i386: -------------------------------------------------------------------------------- 1 | CROSS_TARGET="i686-unknown-linux-gnu" 2 | CROSS_CC="i686-linux-gnu-gcc" 3 | CROSS_CXX="i686-linux-gnu-g++" 4 | CROSS_OBJCOPY="i686-linux-gnu-objcopy" 5 | CROSS_STRIP="i686-linux-gnu-strip" 6 | CROSS_CFLAGS="-m32" 7 | LIBRASAN_CFLAGS="-m32 -no-pie -fno-stack-protector" 8 | -------------------------------------------------------------------------------- /just/envs/.env.mips: -------------------------------------------------------------------------------- 1 | CROSS_CC="mipsel-linux-gnu-gcc" 2 | CROSS_CXX="mipsel-linux-gnu-g++" 3 | CROSS_CFLAGS="" 4 | -------------------------------------------------------------------------------- /just/envs/.env.ppc: -------------------------------------------------------------------------------- 1 | CROSS_TARGET="powerpc-unknown-linux-gnu" 2 | CROSS_CC="powerpc-linux-gnu-gcc" 3 | CROSS_CXX="powerpc-linux-gnu-g++" 4 | CROSS_OBJCOPY="powerpc-linux-gnu-objcopy" 5 | CROSS_STRIP="powerpc-linux-gnu-strip" 6 | CROSS_CFLAGS="" 7 | LIBRASAN_CFLAGS="-no-pie -fno-stack-protector" 8 | -------------------------------------------------------------------------------- /just/envs/.env.x86_64: -------------------------------------------------------------------------------- 1 | CROSS_TARGET="x86_64-unknown-linux-gnu" 2 | CROSS_CC="x86_64-linux-gnu-gcc" 3 | CROSS_CXX="x86_64-linux-gnu-g++" 4 | CROSS_OBJCOPY="x86_64-linux-gnu-objcopy" 5 | CROSS_STRIP="x86_64-linux-gnu-strip" 6 | CROSS_CFLAGS="" 7 | LIBRASAN_CFLAGS="-m64 -no-pie -Wl,--no-relax -mcmodel=large -fno-stack-protector" 8 | -------------------------------------------------------------------------------- /just/libafl-cc.just: -------------------------------------------------------------------------------- 1 | import "libafl.just" 2 | 3 | LIBAFL_CC := BUILD_DIR / "libafl_cc" 4 | LIBAFL_CXX := BUILD_DIR / "libafl_cxx" 5 | -------------------------------------------------------------------------------- /just/libafl-qemu.just: -------------------------------------------------------------------------------- 1 | import "libafl.just" 2 | 3 | export LIBAFL_QEMU_DIR_DEFAULT := BUILD_DIR / "qemu-libafl-bridge" 4 | ARCH := env("ARCH", "x86_64") 5 | DOTENV := source_directory() / "envs" / ".env." + ARCH 6 | -------------------------------------------------------------------------------- /libafl/LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | ../LICENSE-APACHE -------------------------------------------------------------------------------- /libafl/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | ../LICENSE-MIT -------------------------------------------------------------------------------- /libafl/README.md: -------------------------------------------------------------------------------- 1 | # `LibAFL` Core 2 | 3 | `LibAFL` Core is the main library and contains the fuzzing components and their implementations. 4 | A large part of this library depends only on Rust core+alloc and, thus, can run without any standard library. 5 | 6 | The online documentation for this crate is available [here](https://docs.rs/crate/libafl/latest). 7 | -------------------------------------------------------------------------------- /libafl/build.rs: -------------------------------------------------------------------------------- 1 | #![forbid(unexpected_cfgs)] 2 | 3 | #[rustversion::nightly] 4 | fn nightly() { 5 | println!("cargo:rustc-cfg=nightly"); 6 | } 7 | 8 | #[rustversion::not(nightly)] 9 | fn nightly() {} 10 | 11 | fn main() { 12 | println!("cargo:rustc-check-cfg=cfg(nightly)"); 13 | println!("cargo:rerun-if-changed=build.rs"); 14 | nightly(); 15 | } 16 | -------------------------------------------------------------------------------- /libafl/examples/tui_mock/main.rs: -------------------------------------------------------------------------------- 1 | //! An example for TUI that uses the TUI without any real data. 2 | //! This is mainly to fix the UI without having to run a real fuzzer. 3 | 4 | use core::time::Duration; 5 | use std::thread::sleep; 6 | 7 | use libafl::monitors::{ 8 | Monitor, 9 | stats::{ClientStats, manager::ClientStatsManager}, 10 | tui::TuiMonitor, 11 | }; 12 | use libafl_bolts::ClientId; 13 | 14 | pub fn main() { 15 | let mut monitor = TuiMonitor::builder().build(); 16 | 17 | let _client_stats = ClientStats::default(); 18 | let mut client_stats_manager = ClientStatsManager::default(); 19 | 20 | let _ = monitor.display(&mut client_stats_manager, "Test", ClientId(0)); 21 | sleep(Duration::from_secs(10)); 22 | } 23 | -------------------------------------------------------------------------------- /libafl/src/common/nautilus/grammartec/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod chunkstore; 2 | pub mod context; 3 | pub mod mutator; 4 | pub mod newtypes; 5 | #[cfg(feature = "nautilus_py")] 6 | pub mod python_grammar_loader; 7 | pub mod recursion_info; 8 | pub mod rule; 9 | pub mod tree; 10 | -------------------------------------------------------------------------------- /libafl/src/common/nautilus/mod.rs: -------------------------------------------------------------------------------- 1 | //! LibAFL version of the [`Nautilus`](https://github.com/nautilus-fuzz/nautilus) grammar fuzzer 2 | #![doc = include_str!("README.md")] 3 | 4 | #[allow(missing_docs)] 5 | pub mod grammartec; 6 | #[allow(missing_docs)] 7 | pub mod regex_mutator; 8 | -------------------------------------------------------------------------------- /libafl_bolts/LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | ../LICENSE-APACHE -------------------------------------------------------------------------------- /libafl_bolts/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | ../LICENSE-MIT -------------------------------------------------------------------------------- /libafl_bolts/build.rs: -------------------------------------------------------------------------------- 1 | #[rustversion::nightly] 2 | fn nightly() { 3 | println!("cargo:rustc-cfg=nightly"); 4 | } 5 | 6 | #[rustversion::not(nightly)] 7 | fn nightly() {} 8 | 9 | fn main() { 10 | println!("cargo:rerun-if-changed=build.rs"); 11 | println!("cargo:rustc-check-cfg=cfg(nightly)"); 12 | nightly(); 13 | #[cfg(target_env = "musl")] 14 | println!("cargo:rustc-link-lib=ucontext"); 15 | } 16 | -------------------------------------------------------------------------------- /libafl_concolic/symcc_libafl/README.md: -------------------------------------------------------------------------------- 1 | This is a support crate for [symcc_runtime](https://crates.io/crates/symcc_runtime). 2 | It defines a stable URL and commit hash for the [LibAFL](https://github.com/AFLplusplus/LibAFL) [fork](https://github.com/AFLplusplus/symcc) of [SymCC](https://github.com/eurecom-s3/symcc). 3 | It also provides convenient methods to clone and build SymCC to be used in build scripts in LibAFL-based fuzzers. 4 | 5 | [Documentation](https://docs.rs/symcc_libafl) -------------------------------------------------------------------------------- /libafl_concolic/symcc_runtime/README.md: -------------------------------------------------------------------------------- 1 | # SymCC Concolic Tracing Runtime Rust Bindings 2 | This crate allows you to build custom runtimes for SymCC. 3 | See the [documentation](https://docs.rs/symcc_runtime) for details. 4 | -------------------------------------------------------------------------------- /libafl_concolic/test/.gitignore: -------------------------------------------------------------------------------- 1 | symcc 2 | symcc_build 3 | symqemu_build 4 | if 5 | constraints.txt 6 | constraints_filtered.txt 7 | expected_constraints_filtered.txt 8 | -------------------------------------------------------------------------------- /libafl_concolic/test/README.md: -------------------------------------------------------------------------------- 1 | This folder contains all the code necessary to run a smoke test of the whole concolic tracing setup. 2 | This is achieved by 3 | 1. Compiling SymCC. Dependencies are installed via `smoke_test_ubuntu_deps.sh`. 4 | 2. Compiling a custom runtime with tracing capability (`runtime_test`). 5 | 3. Compiling a test program using SymCC that instruments using the custom runtime. 6 | 4. Capturing an execution trace of the instrumented target using `dump_constraints` and a fixed input (`if_test_input`). 7 | 5. Snapshot-testing the captured trace against our expectation (`expected_constraints.txt`). 8 | 9 | This whole process is orchestrated by `smoke_test.sh`. 10 | -------------------------------------------------------------------------------- /libafl_concolic/test/if_test_input: -------------------------------------------------------------------------------- 1 | 1234 -------------------------------------------------------------------------------- /libafl_concolic/test/runtime_test/src/lib.rs: -------------------------------------------------------------------------------- 1 | // this is required to be allowed to call the final executable what we want (and need) in Cargo.toml 2 | #![allow(non_snake_case)] 3 | #![forbid(unexpected_cfgs)] 4 | //! Just a small runtime to be used in the smoke test. 5 | 6 | #[cfg(not(test))] 7 | use symcc_runtime::tracing::StdShMemMessageFileWriter; 8 | use symcc_runtime::{Runtime, StdShMem, export_runtime, filter::NoFloat, tracing}; 9 | 10 | export_runtime!( 11 | NoFloat => NoFloat; 12 | tracing::TracingRuntime::new( 13 | StdShMemMessageFileWriter::from_stdshmem_default_env() 14 | .expect("unable to construct tracing runtime writer. (missing env?)"), 15 | false 16 | ) 17 | => tracing::TracingRuntime 18 | ); 19 | -------------------------------------------------------------------------------- /libafl_concolic/test/smoke_test_ubuntu_deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # intends to install build dependencies for the smoke test on ubuntu 3 | set -eux; 4 | 5 | apt install -y clang cmake llvm-dev ninja-build pkg-config zlib1g-dev -------------------------------------------------------------------------------- /libafl_derive/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libafl_derive" 3 | version.workspace = true 4 | authors = ["Andrea Fioraldi "] 5 | description = "Derive proc-macro crate for LibAFL" 6 | documentation = "https://docs.rs/libafl_derive" 7 | repository = "https://github.com/AFLplusplus/LibAFL/" 8 | readme = "../README.md" 9 | license = "MIT OR Apache-2.0" 10 | keywords = ["fuzzing", "testing"] 11 | edition = "2024" 12 | rust-version = "1.87" 13 | categories = [ 14 | "development-tools::testing", 15 | "emulators", 16 | "embedded", 17 | "os", 18 | "no-std", 19 | ] 20 | 21 | [lib] 22 | proc-macro = true 23 | 24 | [dependencies] 25 | syn = { version = "2.0.77", features = ["full", "extra-traits"] } 26 | quote = "1.0.37" 27 | proc-macro2 = "1.0.86" 28 | 29 | [lints] 30 | workspace = true 31 | -------------------------------------------------------------------------------- /libafl_frida/src/asan/mod.rs: -------------------------------------------------------------------------------- 1 | //! Address sanitization using [`frida`](https://frida.re/) 2 | pub mod asan_rt; 3 | pub mod errors; 4 | 5 | #[allow(missing_docs)] // cfg dependent 6 | pub mod hook_funcs; 7 | -------------------------------------------------------------------------------- /libafl_frida/src/gettls.c: -------------------------------------------------------------------------------- 1 | #ifdef _MSC_VER 2 | __declspec(thread) int i = 0; 3 | #else 4 | __thread int i = 0; 5 | #endif 6 | 7 | void *tls_ptr() { 8 | return (void *)&i; 9 | } 10 | -------------------------------------------------------------------------------- /libafl_frida/src/script.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | class LibAfl { 3 | static testFunction(message) { 4 | const buf = Memory.allocUtf8String(message); 5 | LibAfl.jsApiTestFunction(buf); 6 | } 7 | 8 | static jsApiGetFunction(name, retType, argTypes) { 9 | const addr = Module.getExportByName(null, name); 10 | return new NativeFunction(addr, retType, argTypes); 11 | } 12 | }; 13 | LibAfl.jsApiTestFunction = LibAfl.jsApiGetFunction("test_function", "void", ["pointer"]); 14 | -------------------------------------------------------------------------------- /libafl_intelpt/README.md: -------------------------------------------------------------------------------- 1 | # Intel Processor Trace (PT) low level code 2 | 3 | This module is a wrapper around the IntelPT kernel driver, exposing functionalities specifically crafted for libafl. 4 | 5 | At the moment only linux hosts are supported. 6 | -------------------------------------------------------------------------------- /libafl_intelpt/tests/run_integration_tests_linux_with_caps.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | cargo test intel_pt_trace_fork --no-run 4 | 5 | for test_bin in ../target/debug/deps/integration_tests_linux-*; do 6 | if file "$test_bin" | grep -q "ELF"; then 7 | sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep "$test_bin" 8 | fi 9 | done 10 | 11 | cargo test intel_pt_trace_fork -- --show-output 12 | 13 | cargo test --release intel_pt_trace_fork --no-run 14 | 15 | for test_bin in ../target/release/deps/integration_tests_linux-*; do 16 | if file "$test_bin" | grep -q "ELF"; then 17 | sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep "$test_bin" 18 | fi 19 | done 20 | 21 | cargo test --release intel_pt_trace_fork -- --show-output 22 | -------------------------------------------------------------------------------- /libafl_libfuzzer/LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | ../LICENSE-APACHE -------------------------------------------------------------------------------- /libafl_libfuzzer/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | ../LICENSE-MIT -------------------------------------------------------------------------------- /libafl_libfuzzer/runtime/src/harness_wrap.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #ifdef __cplusplus 7 | extern "C" { 8 | #endif 9 | 10 | int libafl_libfuzzer_test_one_input(int (*harness)(const uint8_t *, size_t), 11 | const uint8_t *data, size_t len); 12 | 13 | #ifdef __cplusplus 14 | } 15 | #endif 16 | -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/Cargo.toml: -------------------------------------------------------------------------------- 1 | ../libafl_libfuzzer/runtime/Cargo.toml.template -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/Justfile: -------------------------------------------------------------------------------- 1 | set windows-shell := ['cmd.exe', '/c'] 2 | set unstable 3 | 4 | [unix] 5 | build: 6 | ./build.sh 7 | 8 | [windows] 9 | build: 10 | powershell -File build.ps1 -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | ../LICENSE-APACHE -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | ../LICENSE-MIT -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/README.md: -------------------------------------------------------------------------------- 1 | # libafl_libfuzzer_runtime 2 | 3 | This is the runtime for `libafl_libfuzzer`. 4 | 5 | Please see the [`libafl_libfuzzer`](../libafl_libfuzzer) documentation for details. 6 | This crate should not be used alone except in very special circumstances. -------------------------------------------------------------------------------- /libafl_libfuzzer_runtime/src: -------------------------------------------------------------------------------- 1 | ../libafl_libfuzzer/runtime/src -------------------------------------------------------------------------------- /libafl_nyx/.clang-format: -------------------------------------------------------------------------------- 1 | DisableFormat: true 2 | SortIncludes: Never -------------------------------------------------------------------------------- /libafl_nyx/build.rs: -------------------------------------------------------------------------------- 1 | use std::process::Command; 2 | 3 | fn main() { 4 | if cfg!(target_os = "linux") && cfg!(target_arch = "x86_64") && !cfg!(doc) { 5 | println!("cargo:rerun-if-changed=build.rs"); 6 | // let output = Command::new("./build_nyx_support.sh").output().expect("can't run ./build_nyx_support.sh"); 7 | let status = Command::new("./build_nyx_support.sh") 8 | .status() 9 | .expect("can't run ./build_nyx_support.sh"); 10 | if status.success() { 11 | println!("success to run ./build_nyx_support.sh"); 12 | } else { 13 | panic!("fail to run ./build_nyx_support.sh"); 14 | } 15 | } else { 16 | println!("cargo:warning=NYX node is only available on x64 Linux"); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /libafl_nyx/src/lib.rs: -------------------------------------------------------------------------------- 1 | #[cfg(target_os = "linux")] 2 | pub mod cmplog; 3 | #[cfg(target_os = "linux")] 4 | pub mod executor; 5 | #[cfg(target_os = "linux")] 6 | pub mod helper; 7 | #[cfg(target_os = "linux")] 8 | pub mod settings; 9 | -------------------------------------------------------------------------------- /libafl_qemu/build.rs: -------------------------------------------------------------------------------- 1 | mod host_specific { 2 | #[cfg(target_os = "linux")] 3 | include!("build_linux.rs"); 4 | 5 | #[cfg(not(target_os = "linux"))] 6 | pub fn build() { 7 | println!("cargo:warning=libafl_qemu only builds on Linux hosts"); 8 | } 9 | } 10 | 11 | #[rustversion::nightly] 12 | fn nightly() { 13 | println!("cargo:rustc-cfg=nightly"); 14 | } 15 | 16 | #[rustversion::not(nightly)] 17 | fn nightly() {} 18 | 19 | fn main() { 20 | println!("cargo:rustc-check-cfg=cfg(nightly)"); 21 | nightly(); 22 | host_specific::build(); 23 | } 24 | -------------------------------------------------------------------------------- /libafl_qemu/libafl_qemu_build/README.md: -------------------------------------------------------------------------------- 1 | # QEMU LibAFL bridge builder 2 | 3 | Parts of the codebase are originally taken from the Hoedur fuzzer, (c) Simon Wörner. 4 | -------------------------------------------------------------------------------- /libafl_qemu/libafl_qemu_sys/src/bindings/mod.rs: -------------------------------------------------------------------------------- 1 | #![expect(non_upper_case_globals)] 2 | #![expect(non_camel_case_types)] 3 | #![expect(non_snake_case)] 4 | #![expect(clippy::all)] 5 | #![expect(clippy::pedantic)] 6 | #![expect(improper_ctypes)] 7 | #![expect(unsafe_op_in_unsafe_fn)] 8 | #![allow(unused_imports)] 9 | #![allow(warnings)] 10 | 11 | #[cfg(all(not(feature = "clippy"), target_os = "linux"))] 12 | #[allow(warning)] 13 | #[rustfmt::skip] 14 | include!(concat!(env!("OUT_DIR"), "/bindings.rs")); 15 | 16 | #[cfg(any(feature = "clippy", not(target_os = "linux")))] 17 | mod x86_64_stub_bindings; 18 | #[cfg(any(feature = "clippy", not(target_os = "linux")))] 19 | pub use x86_64_stub_bindings::*; 20 | -------------------------------------------------------------------------------- /libafl_qemu/libafl_qemu_sys/src/systemmode.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/libafl_qemu/libafl_qemu_sys/src/systemmode.rs -------------------------------------------------------------------------------- /libafl_qemu/libqasan/README.md: -------------------------------------------------------------------------------- 1 | # QEMU AddressSanitizer Runtime 2 | 3 | This library is the injected runtime used by QEMU AddressSanitizer (QASan). 4 | 5 | The original repository is [here](https://github.com/andreafioraldi/qasan). 6 | 7 | The version embedded in libafl_qemu is an updated version of just the usermode part 8 | and this runtime is injected via LD_PRELOAD (so works just for dynamically 9 | linked binaries). 10 | 11 | For debugging purposes, we still suggest to run the original QASan as the 12 | stacktrace support for ARM (just a debug feature, it does not affect the bug 13 | finding capabilities during fuzzing) is WIP. 14 | -------------------------------------------------------------------------------- /libafl_qemu/libqasan/printf/.gitattributes: -------------------------------------------------------------------------------- 1 | # ignore test path 2 | test/* linguist-vendored 3 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [target.i686-unknown-linux-gnu] 2 | linker = "i686-linux-gnu-gcc" 3 | 4 | [target.armv7-unknown-linux-gnueabi] 5 | linker = "arm-linux-gnueabi-gcc" 6 | runner = "qemu-arm -L /usr/arm-linux-gnueabi/" 7 | 8 | 9 | [target.aarch64-unknown-linux-gnu] 10 | linker = "aarch64-linux-gnu-gcc" 11 | runner = "qemu-aarch64 -L /usr/aarch64-linux-gnu/" 12 | 13 | [target.powerpc-unknown-linux-gnu] 14 | linker = "powerpc-linux-gnu-gcc" 15 | runner = "qemu-ppc -L /usr/powerpc-linux-gnu/" 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/.gitignore: -------------------------------------------------------------------------------- 1 | /target/ 2 | core 3 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | members = ["asan", "gasan", "qasan", "zasan", "fuzz", "dummy_libc", "runner"] 3 | resolver = "2" 4 | 5 | [workspace.package] 6 | version = "0.15.3" 7 | license = "MIT OR Apache-2.0" 8 | edition = "2024" 9 | rust-version = "1.87" 10 | 11 | [profile.dev] 12 | panic = "abort" 13 | 14 | [profile.release] 15 | panic = "abort" 16 | lto = true 17 | codegen-units = 1 18 | opt-level = 3 19 | debug = true 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/cc/include/hooks.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void asan_load(const void *addr, size_t size); 4 | void asan_store(const void *addr, size_t size); 5 | void *asan_alloc(size_t len, size_t align); 6 | void asan_dealloc(const void *addr); 7 | size_t asan_get_size(const void *addr); 8 | size_t asan_sym(const char *name); 9 | size_t asan_page_size(); 10 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/cc/include/trace.h: -------------------------------------------------------------------------------- 1 | #ifndef _LOG_H_ 2 | #define _LOG_H_ 3 | 4 | void trace(const char *fmt, ...); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/cc/src/asprintf.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "hooks.h" 6 | #include "trace.h" 7 | 8 | int asprintf(char **restrict strp, const char *restrict fmt, ...) { 9 | trace("asprintf - strp: %p, fmt: %p\n", strp, fmt); 10 | if (strp == NULL) { return -1; } 11 | 12 | if (fmt == NULL) { return -1; } 13 | 14 | va_list va; 15 | va_start(va, fmt); 16 | int len = vsnprintf(NULL, 0, fmt, va); 17 | va_end(va); 18 | 19 | if (len < 0) { return -1; } 20 | 21 | void *buffer = asan_alloc(len + 1, 0); 22 | if (buffer == NULL) { return -1; } 23 | 24 | *strp = buffer; 25 | return vsnprintf(buffer, len, fmt, va); 26 | } 27 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/cc/src/log.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | static char log_buffer[PATH_MAX] = {0}; 6 | 7 | extern void log_trace(char *msg); 8 | 9 | void trace(const char *fmt, ...) { 10 | va_list va; 11 | va_start(va, fmt); 12 | int len = vsnprintf(log_buffer, sizeof(log_buffer), fmt, va); 13 | if (len > 0) { log_trace(log_buffer); } 14 | va_end(va); 15 | } 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/cc/src/vasprintf.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "hooks.h" 6 | #include "trace.h" 7 | 8 | int vasprintf(char **restrict strp, const char *restrict fmt, va_list va) { 9 | trace("asprintf - strp: %p, fmt: %p\n", strp, fmt); 10 | if (strp == NULL) { return -1; } 11 | 12 | if (fmt == NULL) { return -1; } 13 | 14 | int len = vsnprintf(NULL, 0, fmt, va); 15 | 16 | if (len < 0) { return -1; } 17 | 18 | void *buffer = asan_alloc(len + 1, 0); 19 | if (buffer == NULL) { return -1; } 20 | 21 | *strp = buffer; 22 | return vsnprintf(buffer, len, fmt, va); 23 | } 24 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/allocator/frontend/mod.rs: -------------------------------------------------------------------------------- 1 | //! # frontend 2 | //! The frontend of the allocator is responsible for applying the value-added 3 | //! asan features on behalf of incoming user requests for allocations including 4 | //! red-zones, poisoning and memory tracking. 5 | use alloc::fmt::Debug; 6 | 7 | use crate::GuestAddr; 8 | 9 | pub mod default; 10 | 11 | pub trait AllocatorFrontend: Sized + Send { 12 | type Error: Debug; 13 | fn alloc(&mut self, len: usize, align: usize) -> Result; 14 | fn dealloc(&mut self, addr: GuestAddr) -> Result<(), Self::Error>; 15 | fn get_size(&self, addr: GuestAddr) -> Result; 16 | } 17 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/allocator/mod.rs: -------------------------------------------------------------------------------- 1 | //! # allocator 2 | //! The allocator is split into two parts: 3 | //! - `backend` - The is the portion responsible for allocating the underlying 4 | //! memory used by the application. 5 | //! - `frontend` - The portion is responsible for applying the value-added asan 6 | //! features on behalf of incoming user requests for allocations including 7 | //! red-zones, poisoning and memory tracking. 8 | pub mod backend; 9 | pub mod frontend; 10 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/arch/aarch64.rs: -------------------------------------------------------------------------------- 1 | #[unsafe(no_mangle)] 2 | extern "C" fn getauxval(_type: u64) -> u64 { 3 | 0 4 | } 5 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/arch/arm.rs: -------------------------------------------------------------------------------- 1 | use log::error; 2 | 3 | use crate::exit::abort; 4 | 5 | #[unsafe(no_mangle)] 6 | extern "C" fn __aeabi_unwind_cpp_pr0() { 7 | error!("__aeabi_unwind_cpp_pr0"); 8 | abort(); 9 | } 10 | 11 | #[unsafe(no_mangle)] 12 | extern "C" fn __aeabi_unwind_cpp_pr1() { 13 | error!("__aeabi_unwind_cpp_pr1"); 14 | abort(); 15 | } 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/arch/mod.rs: -------------------------------------------------------------------------------- 1 | use log::error; 2 | 3 | use crate::exit::abort; 4 | 5 | #[cfg(target_arch = "aarch64")] 6 | mod aarch64; 7 | 8 | #[cfg(target_arch = "arm")] 9 | mod arm; 10 | 11 | #[unsafe(no_mangle)] 12 | extern "C" fn _Unwind_Resume() { 13 | error!("_Unwind_Resume"); 14 | abort(); 15 | } 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/exit/linux.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::c_int; 2 | 3 | use rustix::process::{Signal, kill_current_process_group}; 4 | use syscalls::{Sysno, syscall1}; 5 | 6 | pub fn abort() -> ! { 7 | kill_current_process_group(Signal::ABORT).unwrap(); 8 | unreachable!(); 9 | } 10 | 11 | pub fn exit(status: c_int) -> ! { 12 | unsafe { syscall1(Sysno::exit_group, status as usize) }.unwrap(); 13 | unreachable!(); 14 | } 15 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/exit/mod.rs: -------------------------------------------------------------------------------- 1 | //! # die 2 | //! This module supports exiting the process 3 | #[cfg(feature = "libc")] 4 | pub use crate::exit::libc::abort; 5 | #[cfg(feature = "libc")] 6 | pub use crate::exit::libc::exit; 7 | #[cfg(all(feature = "linux", not(feature = "libc")))] 8 | pub use crate::exit::linux::abort; 9 | #[cfg(all(feature = "linux", not(feature = "libc")))] 10 | pub use crate::exit::linux::exit; 11 | 12 | #[cfg(feature = "libc")] 13 | pub mod libc; 14 | 15 | #[cfg(feature = "linux")] 16 | pub mod linux; 17 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/file/mod.rs: -------------------------------------------------------------------------------- 1 | use alloc::fmt::Debug; 2 | use core::ffi::CStr; 3 | 4 | #[cfg(feature = "libc")] 5 | pub mod libc; 6 | 7 | #[cfg(feature = "linux")] 8 | pub mod linux; 9 | 10 | pub trait FileReader: Debug + Send + Sized { 11 | type Error: Debug; 12 | fn new(path: &'static CStr) -> Result; 13 | fn read(&mut self, buf: &mut [u8]) -> Result; 14 | } 15 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/bzero.rs: -------------------------------------------------------------------------------- 1 | use core::{ 2 | ffi::{c_char, c_void}, 3 | ptr::write_bytes, 4 | }; 5 | 6 | use log::trace; 7 | 8 | use crate::{asan_panic, asan_store, size_t}; 9 | 10 | /// # Safety 11 | /// See man pages 12 | #[unsafe(export_name = "patch_bzero")] 13 | pub unsafe extern "C" fn bzero(s: *mut c_void, len: size_t) { 14 | unsafe { 15 | trace!("bzero - s: {:p}, len: {:#x}", s, len); 16 | 17 | if len == 0 { 18 | return; 19 | } 20 | 21 | if s.is_null() { 22 | asan_panic(c"bzero - s is null".as_ptr() as *const c_char); 23 | } 24 | 25 | asan_store(s, len); 26 | write_bytes(s, 0, len); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/explicit_bzero.rs: -------------------------------------------------------------------------------- 1 | use core::{ 2 | ffi::{c_char, c_void}, 3 | ptr::write_bytes, 4 | }; 5 | 6 | use log::trace; 7 | 8 | use crate::{asan_panic, asan_store, size_t}; 9 | 10 | /// # Safety 11 | /// See man pages 12 | #[unsafe(export_name = "patch_explicit_bzero")] 13 | pub unsafe extern "C" fn explicit_bzero(s: *mut c_void, len: size_t) { 14 | unsafe { 15 | trace!("explicit_bzero - s: {:p}, len: {:#x}", s, len); 16 | 17 | if len == 0 { 18 | return; 19 | } 20 | 21 | if s.is_null() { 22 | asan_panic(b"explicit_bzero - s is null".as_ptr() as *const c_char); 23 | } 24 | 25 | asan_store(s, len); 26 | write_bytes(s, 0, len); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/free.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::c_void; 2 | 3 | use log::trace; 4 | 5 | use crate::asan_dealloc; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_free")] 10 | pub unsafe extern "C" fn free(p: *mut c_void) { 11 | unsafe { 12 | trace!("free - p: {:p}", p); 13 | asan_dealloc(p); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/malloc.rs: -------------------------------------------------------------------------------- 1 | use core::{ffi::c_void, ptr::null_mut}; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_alloc, size_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_malloc")] 10 | pub unsafe extern "C" fn malloc(size: size_t) -> *mut c_void { 11 | unsafe { 12 | trace!("malloc - size: {:#x}", size); 13 | if size == 0 { 14 | null_mut() 15 | } else { 16 | asan_alloc(size, 0) 17 | } 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/malloc_usable_size.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::c_void; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_get_size, size_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_malloc_usable_size")] 10 | pub unsafe extern "C" fn malloc_usable_size(ptr: *mut c_void) -> size_t { 11 | unsafe { 12 | trace!("malloc_usable_size - ptr: {:p}", ptr); 13 | if ptr.is_null() { 0 } else { asan_get_size(ptr) } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/memset.rs: -------------------------------------------------------------------------------- 1 | use core::{ 2 | ffi::{c_char, c_int, c_void}, 3 | ptr::write_bytes, 4 | }; 5 | 6 | use log::trace; 7 | 8 | use crate::{asan_panic, asan_store, size_t}; 9 | 10 | /// # Safety 11 | /// See man pages 12 | #[unsafe(export_name = "patch_memset")] 13 | pub unsafe extern "C" fn memset(dest: *mut c_void, c: c_int, n: size_t) -> *mut c_void { 14 | unsafe { 15 | trace!("memset - dest: {:p}, c: {:#x}, n: {:#x}", dest, c, n); 16 | 17 | if n == 0 { 18 | return dest; 19 | } 20 | 21 | if dest.is_null() { 22 | asan_panic(c"memset - dest is null".as_ptr() as *const c_char); 23 | } 24 | 25 | asan_store(dest, n); 26 | write_bytes(dest, c as u8, n); 27 | dest 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/mmap/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "libc")] 2 | pub mod libc; 3 | 4 | #[cfg(all(feature = "linux", not(feature = "libc")))] 5 | pub mod linux; 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/munmap/linux.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::{c_int, c_void}; 2 | 3 | use log::trace; 4 | use rustix::mm::munmap as rmunmap; 5 | 6 | use crate::{asan_untrack, hooks::size_t}; 7 | 8 | /// # Safety 9 | /// See man pages 10 | #[unsafe(export_name = "patch_munmap")] 11 | pub unsafe extern "C" fn munmap(addr: *mut c_void, len: size_t) -> c_int { 12 | unsafe { 13 | trace!("munmap - addr: {:p}, len: {:#x}", addr, len); 14 | 15 | if rmunmap(addr, len).is_ok() { 16 | asan_untrack(addr); 17 | 0 18 | } else { 19 | -1 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/munmap/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "libc")] 2 | pub mod libc; 3 | 4 | #[cfg(all(feature = "linux", not(feature = "libc")))] 5 | pub mod linux; 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/pvalloc.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::c_void; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_alloc, asan_page_size, size_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_pvalloc")] 10 | pub unsafe extern "C" fn pvalloc(size: size_t) -> *mut c_void { 11 | unsafe { 12 | trace!("pvalloc - size: {:#x}", size); 13 | let page_size = asan_page_size(); 14 | let aligned_size = if size == 0 { 15 | page_size 16 | } else { 17 | (size + page_size - 1) & !(page_size - 1) 18 | }; 19 | assert_ne!(aligned_size, 0); 20 | asan_alloc(aligned_size, page_size) 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/rawmemchr.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::{c_char, c_int, c_void}; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_load, asan_panic}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_rawmemchr")] 10 | pub unsafe extern "C" fn rawmemchr(s: *const c_void, c: c_int) -> *mut c_void { 11 | unsafe { 12 | trace!("rawmemchr - s: {:p}, c: {:#x}", s, c); 13 | 14 | if s.is_null() { 15 | asan_panic(c"rawmemchr - s is null".as_ptr() as *const c_char); 16 | } 17 | 18 | let mut len = 0; 19 | let pc = s as *const c_char; 20 | while *pc.add(len) != c as c_char { 21 | len += 1; 22 | } 23 | asan_load(s, len); 24 | s.add(len) as *mut c_void 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/read/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "libc")] 2 | pub mod libc; 3 | 4 | #[cfg(all(feature = "linux", not(feature = "libc")))] 5 | pub mod linux; 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/strlen.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::{c_char, c_void}; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_load, asan_panic, size_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_strlen")] 10 | pub unsafe extern "C" fn strlen(cs: *const c_char) -> size_t { 11 | unsafe { 12 | trace!("strlen - cs: {:p}", cs); 13 | 14 | if cs.is_null() { 15 | asan_panic(c"strlen - cs is null".as_ptr() as *const c_char); 16 | } 17 | 18 | let mut len = 0; 19 | while *cs.add(len) != 0 { 20 | len += 1; 21 | } 22 | asan_load(cs as *const c_void, len + 1); 23 | len 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/valloc.rs: -------------------------------------------------------------------------------- 1 | use core::{ffi::c_void, ptr::null_mut}; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_alloc, asan_page_size, size_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_valloc")] 10 | pub unsafe extern "C" fn valloc(size: size_t) -> *mut c_void { 11 | unsafe { 12 | trace!("valloc - size: {:#x}", size); 13 | 14 | if size == 0 { 15 | null_mut() 16 | } else { 17 | asan_alloc(size, asan_page_size()) 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/wcslen.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::{c_char, c_void}; 2 | 3 | use log::trace; 4 | 5 | use crate::{asan_load, asan_panic, size_t, wchar_t}; 6 | 7 | /// # Safety 8 | /// See man pages 9 | #[unsafe(export_name = "patch_wcslen")] 10 | pub unsafe extern "C" fn wcslen(buf: *const wchar_t) -> size_t { 11 | unsafe { 12 | trace!("wcslen - buf: {:p}", buf); 13 | 14 | if buf.is_null() { 15 | asan_panic(c"wcslen - buf is null".as_ptr() as *const c_char); 16 | } 17 | 18 | let mut len = 0; 19 | while *buf.add(len) != 0 { 20 | len += 1; 21 | } 22 | asan_load(buf as *const c_void, size_of::() * (len + 1)); 23 | len 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/hooks/write/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "libc")] 2 | pub mod libc; 3 | 4 | #[cfg(all(feature = "linux", not(feature = "libc")))] 5 | pub mod linux; 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/logger/mod.rs: -------------------------------------------------------------------------------- 1 | //! # logger 2 | //! This module provides an implementation of a logger which can be used to 3 | //! provide logging information about the operation of the `asan` library 4 | //! during execution. 5 | #[cfg(feature = "libc")] 6 | pub mod libc; 7 | 8 | #[cfg(feature = "linux")] 9 | pub mod linux; 10 | 11 | use core::ffi::{CStr, c_char}; 12 | 13 | use log::trace; 14 | 15 | /// # Safety 16 | /// `msg` must be a pointer to a zero-terminated string 17 | #[unsafe(no_mangle)] 18 | pub unsafe extern "C" fn log_trace(msg: *const c_char) { 19 | if msg.is_null() { 20 | return; 21 | } 22 | let c_str = unsafe { CStr::from_ptr(msg) }; 23 | if let Ok(rust_str) = c_str.to_str() { 24 | trace!("{}", rust_str); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/nostd/mod.rs: -------------------------------------------------------------------------------- 1 | //! # nostd 2 | //! This module is used to support `no_std` environments. 3 | use core::panic::PanicInfo; 4 | 5 | use log::error; 6 | 7 | use crate::exit::abort; 8 | 9 | #[panic_handler] 10 | fn panic(info: &PanicInfo) -> ! { 11 | error!("Panic!"); 12 | error!("INFO: {}", info); 13 | abort(); 14 | } 15 | 16 | #[unsafe(no_mangle)] 17 | extern "C" fn rust_eh_personality() { 18 | error!("rust_eh_personality"); 19 | abort(); 20 | } 21 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/symbols/nop.rs: -------------------------------------------------------------------------------- 1 | use core::ffi::c_char; 2 | 3 | use thiserror::Error; 4 | 5 | use crate::{GuestAddr, symbols::Symbols}; 6 | 7 | #[derive(Debug, Copy, Clone)] 8 | pub struct NopSymbols; 9 | 10 | impl Symbols for NopSymbols { 11 | type Error = NopSymbolsError; 12 | 13 | unsafe fn lookup_raw(name: *const c_char) -> Result { 14 | Err(NopSymbolsError::SymbolNotFound(name)) 15 | } 16 | } 17 | 18 | #[derive(Error, Debug, PartialEq, Clone)] 19 | pub enum NopSymbolsError { 20 | #[error("Symbol not found: {0:p}")] 21 | SymbolNotFound(*const c_char), 22 | } 23 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/src/tracking/mod.rs: -------------------------------------------------------------------------------- 1 | //! # tracking 2 | //! This module is responsible for supporting memory tracking. By logging the 3 | //! ranges of memory being allocated and freed by the target application, we 4 | //! can detect double-free defects. 5 | use alloc::fmt::Debug; 6 | 7 | use crate::GuestAddr; 8 | 9 | #[cfg(feature = "guest")] 10 | pub mod guest; 11 | #[cfg(feature = "guest")] 12 | pub mod guest_fast; 13 | #[cfg(feature = "host")] 14 | pub mod host; 15 | 16 | pub trait Tracking: Sized + Debug + Send { 17 | type Error: Debug; 18 | fn track(&mut self, start: GuestAddr, len: usize) -> Result<(), Self::Error>; 19 | fn untrack(&mut self, start: GuestAddr) -> Result<(), Self::Error>; 20 | } 21 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/hooks_free.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "hooks")] 3 | mod tests { 4 | use core::ptr::null_mut; 5 | 6 | use asan::hooks::{free::free, malloc::malloc}; 7 | 8 | #[test] 9 | fn test_free_null() { 10 | unsafe { free(null_mut()) }; 11 | } 12 | 13 | #[test] 14 | fn test_free_buff() { 15 | let p = unsafe { malloc(10) }; 16 | unsafe { free(p) } 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/hooks_malloc.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "hooks")] 3 | mod tests { 4 | use core::{ptr::null_mut, slice::from_raw_parts_mut}; 5 | 6 | use asan::hooks::malloc::malloc; 7 | 8 | #[test] 9 | fn test_malloc_zero() { 10 | let p = unsafe { malloc(0) }; 11 | assert_eq!(p, null_mut()); 12 | } 13 | 14 | #[test] 15 | fn test_malloc_buff() { 16 | let p = unsafe { malloc(10) }; 17 | assert_ne!(p, null_mut()); 18 | unsafe { 19 | from_raw_parts_mut(p as *mut u8, 10) 20 | .iter_mut() 21 | .for_each(|x| *x = 0) 22 | }; 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/hooks_malloc_usable_size.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "hooks")] 3 | mod tests { 4 | use core::ptr::null_mut; 5 | 6 | use asan::hooks::{malloc::malloc, malloc_usable_size::malloc_usable_size}; 7 | 8 | #[test] 9 | fn test_malloc_usable_size_null() { 10 | let ret = unsafe { malloc_usable_size(null_mut()) }; 11 | assert_eq!(ret, 0); 12 | } 13 | 14 | #[test] 15 | fn test_malloc_usable_size_buff() { 16 | let p = unsafe { malloc(10) }; 17 | let ret = unsafe { malloc_usable_size(p) }; 18 | assert_eq!(ret, 10); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/hooks_strlen.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "hooks")] 3 | mod tests { 4 | use core::{ffi::c_char, ptr::null}; 5 | 6 | use asan::{expect_panic, hooks::strlen::strlen}; 7 | 8 | #[test] 9 | fn test_strlen_cs_null() { 10 | expect_panic(); 11 | unsafe { strlen(null() as *const c_char) }; 12 | unreachable!(); 13 | } 14 | 15 | #[test] 16 | fn test_strlen_cs_empty() { 17 | let data = c""; 18 | let ret = unsafe { strlen(data.as_ptr() as *const c_char) }; 19 | assert_eq!(ret, 0); 20 | } 21 | 22 | #[test] 23 | fn test_strlen_full() { 24 | let data = c"abcdefghij"; 25 | let ret = unsafe { strlen(data.as_ptr() as *const c_char) }; 26 | assert_eq!(ret, 10); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/hooks_valloc.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "hooks")] 3 | mod tests { 4 | use core::ptr::null_mut; 5 | 6 | use asan::hooks::valloc::valloc; 7 | 8 | #[test] 9 | fn test_valloc_zero() { 10 | let p = unsafe { valloc(0) }; 11 | assert_eq!(p, null_mut()); 12 | } 13 | 14 | #[test] 15 | fn test_valloc_buff() { 16 | let p = unsafe { valloc(10) }; 17 | assert_ne!(p, null_mut()); 18 | assert!(p as usize & 0xfff == 0); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/asan/tests/host.rs: -------------------------------------------------------------------------------- 1 | #[cfg(test)] 2 | #[cfg(feature = "host")] 3 | mod tests { 4 | use asan::host::linux::LinuxHost; 5 | 6 | #[test] 7 | fn test_sysno() { 8 | assert_eq!(LinuxHost::sysno() as u32, 0xa2a4); 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/dummy_libc/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "dummy_libc" 3 | version.workspace = true 4 | edition.workspace = true 5 | rust-version.workspace = true 6 | 7 | [lib] 8 | crate-type = ["staticlib"] 9 | 10 | [features] 11 | default = [] 12 | test = [] 13 | 14 | [dependencies] 15 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/dummy_libc/dummy_libc.map: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | dlsym; 4 | dlerror; 5 | 6 | local: 7 | *; 8 | }; 9 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/fuzz/.gitignore: -------------------------------------------------------------------------------- 1 | target 2 | corpus 3 | artifacts 4 | coverage 5 | fuzz-*.log 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/fuzzer_name.just: -------------------------------------------------------------------------------- 1 | FUZZER_NAME := "" 2 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/gasan/gasan.map: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | aligned_alloc; 4 | atoi; 5 | atol; 6 | atoll; 7 | calloc; 8 | free; 9 | malloc; 10 | malloc_usable_size; 11 | memalign; 12 | memset; 13 | mmap; 14 | munmap; 15 | posix_memalign; 16 | pvalloc; 17 | read; 18 | realloc; 19 | reallocarray; 20 | valloc; 21 | write; 22 | 23 | local: 24 | *; 25 | }; 26 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/gasan/rename_patch.syms: -------------------------------------------------------------------------------- 1 | patch_aligned_alloc aligned_alloc 2 | patch_atoi atoi 3 | patch_atol atol 4 | patch_atoll atoll 5 | patch_calloc calloc 6 | patch_free free 7 | patch_malloc malloc 8 | patch_malloc_usable_size malloc_usable_size 9 | patch_memalign memalign 10 | patch_memset memset 11 | patch_mmap mmap 12 | patch_munmap munmap 13 | patch_posix_memalign posix_memalign 14 | patch_pvalloc pvalloc 15 | patch_read read 16 | patch_realloc realloc 17 | patch_reallocarray reallocarray 18 | patch_valloc valloc 19 | patch_write write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/gasan/rename_real.syms: -------------------------------------------------------------------------------- 1 | aligned_alloc real_aligned_alloc 2 | atoi real_atoi 3 | atol real_atol 4 | atoll real_atoll 5 | calloc real_calloc 6 | free real_free 7 | malloc real_malloc 8 | malloc_usable_size real_malloc_usable_size 9 | memalign real_memalign 10 | memset real_memset 11 | mmap real_mmap 12 | munmap real_munmap 13 | posix_memalign real_posix_memalign 14 | pvalloc real_pvalloc 15 | read real_read 16 | realloc real_realloc 17 | reallocarray real_reallocarray 18 | valloc real_valloc 19 | write real_write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/qasan/qasan.map: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | aligned_alloc; 4 | atoi; 5 | atol; 6 | atoll; 7 | calloc; 8 | free; 9 | malloc; 10 | malloc_usable_size; 11 | memalign; 12 | memset; 13 | mmap; 14 | munmap; 15 | posix_memalign; 16 | pvalloc; 17 | read; 18 | realloc; 19 | reallocarray; 20 | valloc; 21 | write; 22 | 23 | local: 24 | *; 25 | }; 26 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/qasan/rename_patch.syms: -------------------------------------------------------------------------------- 1 | patch_aligned_alloc aligned_alloc 2 | patch_atoi atoi 3 | patch_atol atol 4 | patch_atoll atoll 5 | patch_calloc calloc 6 | patch_free free 7 | patch_malloc malloc 8 | patch_malloc_usable_size malloc_usable_size 9 | patch_memalign memalign 10 | patch_memset memset 11 | patch_mmap mmap 12 | patch_munmap munmap 13 | patch_posix_memalign posix_memalign 14 | patch_pvalloc pvalloc 15 | patch_read read 16 | patch_realloc realloc 17 | patch_reallocarray reallocarray 18 | patch_valloc valloc 19 | patch_write write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/qasan/rename_real.syms: -------------------------------------------------------------------------------- 1 | aligned_alloc real_aligned_alloc 2 | atoi real_atoi 3 | atol real_atol 4 | atoll real_atoll 5 | calloc real_calloc 6 | free real_free 7 | malloc real_malloc 8 | malloc_usable_size real_malloc_usable_size 9 | memalign real_memalign 10 | memset real_memset 11 | mmap real_mmap 12 | munmap real_munmap 13 | posix_memalign real_posix_memalign 14 | pvalloc real_pvalloc 15 | read real_read 16 | realloc real_realloc 17 | reallocarray real_reallocarray 18 | valloc real_valloc 19 | write real_write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/Justfile: -------------------------------------------------------------------------------- 1 | import "../../../just/libafl-qemu.just" 2 | import "../fuzzer_name.just" 3 | 4 | [unix] 5 | compile_runner: 6 | #!/bin/sh 7 | . {{ DOTENV }} 8 | cargo \ 9 | build \ 10 | --package runner \ 11 | --target x86_64-unknown-linux-gnu \ 12 | --profile {{ PROFILE }} \ 13 | --target-dir {{ TARGET_DIR }} \ 14 | --features {{ ARCH }} 15 | 16 | [unix] 17 | fix_runner: 18 | #!/bin/sh 19 | . {{ DOTENV }} 20 | cargo \ 21 | fix \ 22 | --package runner \ 23 | --target x86_64-unknown-linux-gnu \ 24 | --profile {{ PROFILE }} \ 25 | --target-dir {{ TARGET_DIR }} \ 26 | --features {{ ARCH }} \ 27 | --allow-dirty 28 | 29 | [unix] 30 | build_runner: compile_runner 31 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/src/aarch64.rs: -------------------------------------------------------------------------------- 1 | pub mod fuzz; 2 | 3 | fn main() { 4 | crate::fuzz::fuzz(); 5 | } 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/src/arm.rs: -------------------------------------------------------------------------------- 1 | pub mod fuzz; 2 | 3 | fn main() { 4 | crate::fuzz::fuzz(); 5 | } 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/src/i386.rs: -------------------------------------------------------------------------------- 1 | pub mod fuzz; 2 | 3 | fn main() { 4 | crate::fuzz::fuzz(); 5 | } 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/src/ppc.rs: -------------------------------------------------------------------------------- 1 | pub mod fuzz; 2 | 3 | fn main() { 4 | crate::fuzz::fuzz(); 5 | } 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/runner/src/x86_64.rs: -------------------------------------------------------------------------------- 1 | pub mod fuzz; 2 | 3 | fn main() { 4 | crate::fuzz::fuzz(); 5 | } 6 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/zasan/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "zasan" 3 | version.workspace = true 4 | edition.workspace = true 5 | rust-version.workspace = true 6 | 7 | [lib] 8 | crate-type = ["staticlib"] 9 | 10 | [features] 11 | default = [] 12 | test = ["asan/test"] 13 | 14 | [dependencies] 15 | asan = { path = "../asan", default-features = false, features = [ 16 | "dlmalloc", 17 | "global_allocator", 18 | "guest", 19 | "hooks", 20 | "host", 21 | "linux", 22 | "tracking", 23 | ] } 24 | log = { version = "0.4.22", default-features = false, features = [ 25 | "release_max_level_info", 26 | ] } 27 | spin = { version = "0.9.8", default-features = false, features = [ 28 | "lazy", 29 | "mutex", 30 | "spin_mutex", 31 | ] } 32 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/zasan/rename_patch.syms: -------------------------------------------------------------------------------- 1 | patch_aligned_alloc aligned_alloc 2 | patch_atoi atoi 3 | patch_atol atol 4 | patch_atoll atoll 5 | patch_calloc calloc 6 | patch_free free 7 | patch_malloc malloc 8 | patch_malloc_usable_size malloc_usable_size 9 | patch_memalign memalign 10 | patch_memset memset 11 | patch_mmap mmap 12 | patch_munmap munmap 13 | patch_posix_memalign posix_memalign 14 | patch_pvalloc pvalloc 15 | patch_read read 16 | patch_realloc realloc 17 | patch_reallocarray reallocarray 18 | patch_valloc valloc 19 | patch_write write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/zasan/rename_real.syms: -------------------------------------------------------------------------------- 1 | aligned_alloc real_aligned_alloc 2 | atoi real_atoi 3 | atol real_atol 4 | atoll real_atoll 5 | calloc real_calloc 6 | free real_free 7 | malloc real_malloc 8 | malloc_usable_size real_malloc_usable_size 9 | memalign real_memalign 10 | memset real_memset 11 | mmap real_mmap 12 | munmap real_munmap 13 | posix_memalign real_posix_memalign 14 | pvalloc real_pvalloc 15 | read real_read 16 | realloc real_realloc 17 | reallocarray real_reallocarray 18 | valloc real_valloc 19 | write real_write 20 | -------------------------------------------------------------------------------- /libafl_qemu/librasan/zasan/zasan.map: -------------------------------------------------------------------------------- 1 | { 2 | global: 3 | aligned_alloc; 4 | atoi; 5 | atol; 6 | atoll; 7 | calloc; 8 | free; 9 | malloc; 10 | malloc_usable_size; 11 | memalign; 12 | memset; 13 | mmap; 14 | munmap; 15 | posix_memalign; 16 | pvalloc; 17 | read; 18 | realloc; 19 | reallocarray; 20 | valloc; 21 | write; 22 | 23 | local: 24 | *; 25 | }; 26 | -------------------------------------------------------------------------------- /libafl_qemu/src/modules/systemmode/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "intel_pt")] 2 | pub mod intel_pt; 3 | -------------------------------------------------------------------------------- /libafl_qemu/src/modules/usermode/mod.rs: -------------------------------------------------------------------------------- 1 | #[cfg(feature = "injections")] 2 | pub mod injections; 3 | #[cfg(feature = "injections")] 4 | pub use injections::InjectionModule; 5 | 6 | #[cfg(not(cpu_target = "hexagon"))] 7 | pub mod snapshot; 8 | #[cfg(not(cpu_target = "hexagon"))] 9 | pub use snapshot::{IntervalSnapshotFilter, SnapshotModule}; 10 | 11 | #[cfg(not(cpu_target = "hexagon"))] 12 | pub mod asan; 13 | #[cfg(not(cpu_target = "hexagon"))] 14 | pub use asan::AsanModule; 15 | 16 | #[cfg(not(cpu_target = "hexagon"))] 17 | pub mod asan_guest; 18 | #[cfg(not(cpu_target = "hexagon"))] 19 | pub use asan_guest::AsanGuestModule; 20 | pub mod redirect_stdin; 21 | pub use redirect_stdin::*; 22 | 23 | pub mod redirect_stdout; 24 | pub use redirect_stdout::*; 25 | -------------------------------------------------------------------------------- /libafl_qemu/src/modules/utils/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod filters; 2 | 3 | #[cfg(feature = "usermode")] 4 | pub use addr2line::*; 5 | #[cfg(feature = "usermode")] 6 | pub mod addr2line; 7 | -------------------------------------------------------------------------------- /libafl_sugar/build.rs: -------------------------------------------------------------------------------- 1 | fn main() { 2 | #[cfg(feature = "python")] 3 | pyo3_build_config::add_extension_module_link_args(); 4 | } 5 | -------------------------------------------------------------------------------- /libafl_targets/LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | ../LICENSE-APACHE -------------------------------------------------------------------------------- /libafl_targets/LICENSE-MIT: -------------------------------------------------------------------------------- 1 | ../LICENSE-MIT -------------------------------------------------------------------------------- /libafl_targets/src/cmps/observers/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod cmplog; 2 | pub use cmplog::*; 3 | 4 | /// aflpp style cmplog observer 5 | pub mod aflpp; 6 | pub use aflpp::*; 7 | -------------------------------------------------------------------------------- /libafl_targets/src/cmps/stages/mod.rs: -------------------------------------------------------------------------------- 1 | /// cmplog tracing for aflpp style cmplog 2 | pub mod aflpptracing; 3 | pub use aflpptracing::*; 4 | -------------------------------------------------------------------------------- /libafl_targets/src/libfuzzer/observers/mod.rs: -------------------------------------------------------------------------------- 1 | /// oom observer 2 | #[cfg(feature = "libfuzzer_oom")] 3 | pub mod oom; 4 | #[cfg(feature = "libfuzzer_oom")] 5 | pub use oom::*; 6 | -------------------------------------------------------------------------------- /libafl_targets/src/windows_asan.c: -------------------------------------------------------------------------------- 1 | #include "common.h" 2 | 3 | EXT_FUNC_IMPL(__sanitizer_set_death_callback, void, (void), false) { 4 | return; 5 | } -------------------------------------------------------------------------------- /libafl_tinyinst/README.md: -------------------------------------------------------------------------------- 1 | # Requirements 2 | - `Visual Studio 17 2022`. It's not tested, it *should* work on older versions too. 3 | - `cxxbridge-cmd` to generate bridge files between Rust and c++, you can install this with `cargo install cxxbridge-cmd`. 4 | - `cmake` is needed to build tinyinst. -------------------------------------------------------------------------------- /libafl_unicorn/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libafl_unicorn" 3 | version.workspace = true 4 | authors = [""] 5 | description = "Unicorn backend library for LibAFL" 6 | documentation = "https://docs.rs/" 7 | repository = "https://github.com/AFLplusplus/" 8 | readme = "../README.md" 9 | license = "MIT OR Apache-2.0" 10 | keywords = ["fuzzing", "unicorn"] 11 | edition = "2024" 12 | categories = [ 13 | "development-tools::testing", 14 | "emulators", 15 | "embedded", 16 | "os", 17 | "no-std", 18 | ] 19 | 20 | [dependencies] 21 | libafl_targets = { path = "../libafl_targets" } 22 | 23 | # External dependencies 24 | capstone = { workspace = true } 25 | log = { workspace = true } 26 | unicorn-engine = { workspace = true } 27 | 28 | 29 | [lib] 30 | name = "libafl_unicorn" 31 | crate-type = ["cdylib", "rlib"] 32 | -------------------------------------------------------------------------------- /libafl_unicorn/src/helper.rs: -------------------------------------------------------------------------------- 1 | use unicorn_engine::{RegisterARM, RegisterARM64, RegisterRISCV, RegisterX86, unicorn_const::Arch}; 2 | 3 | pub fn get_stack_pointer(emu: &unicorn_engine::Unicorn<()>) -> u64 { 4 | match emu.get_arch() { 5 | Arch::ARM => emu.reg_read(RegisterARM::SP).unwrap(), 6 | Arch::ARM64 => emu.reg_read(RegisterARM64::SP).unwrap(), 7 | Arch::RISCV => emu.reg_read(RegisterRISCV::SP).unwrap(), 8 | Arch::X86 => emu.reg_read(RegisterX86::ESP).unwrap(), 9 | _ => 0, 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /libafl_unicorn/src/hooks.rs: -------------------------------------------------------------------------------- 1 | use libafl_targets::{EDGES_MAP_DEFAULT_SIZE, EDGES_MAP_PTR}; 2 | use unicorn_engine::Unicorn; 3 | 4 | fn coverage_hook(_emu: &mut unicorn_engine::Unicorn<()>, pc: u64, _: u32) { 5 | unsafe { 6 | let id = pc % EDGES_MAP_DEFAULT_SIZE as u64; 7 | 8 | let ptr = EDGES_MAP_PTR.add(id as usize); 9 | let val = ptr.read().wrapping_add(1); 10 | ptr.write(val); 11 | } 12 | } 13 | 14 | pub fn set_coverage_hook(emu: &mut Unicorn<()>) { 15 | emu.add_block_hook(0x0, !0x0_u64, coverage_hook).unwrap(); 16 | } 17 | -------------------------------------------------------------------------------- /libafl_unicorn/src/lib.rs: -------------------------------------------------------------------------------- 1 | pub mod emu; 2 | pub mod helper; 3 | pub mod hooks; 4 | -------------------------------------------------------------------------------- /rustfmt.toml: -------------------------------------------------------------------------------- 1 | group_imports = "StdExternalCrate" 2 | imports_granularity = "Crate" 3 | newline_style = "Unix" 4 | format_code_in_doc_comments = true 5 | format_macro_bodies = true 6 | format_macro_matchers = true 7 | -------------------------------------------------------------------------------- /scripts/check_md_links.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 4 | LIBAFL_DIR=$(realpath "$SCRIPT_DIR/..") 5 | 6 | echo "[*] Checking MD links..." 7 | 8 | cd "$LIBAFL" || exit 1 9 | 10 | if ! command -v linkspector > /dev/null; then 11 | echo "Error: install linkspector to check MD file links." 12 | exit 1 13 | fi 14 | 15 | linkspector check -c "${LIBAFL_DIR}/.github/.linkspector.yml" || exit 1 16 | 17 | echo "[*] Done :)" 18 | -------------------------------------------------------------------------------- /scripts/check_tested_fuzzers.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ret=0 4 | 5 | while read -r fuzzdir; do 6 | if ! grep -qa "$fuzzdir" .github/workflows/build_and_test.yml; then 7 | ret=1 8 | echo "Missing fuzzer ${fuzzdir} in CI tests!" 9 | fi 10 | if grep -qa "# - $fuzzdir" .github/workflows/build_and_test.yml; then 11 | echo "Fuzzer ${fuzzdir} is explicitly ignored" 12 | fi 13 | done < <( 14 | { 15 | find ./fuzzers -mindepth 2 -maxdepth 2 -type d 16 | find ./fuzzers/baby/backtrace_baby_fuzzers -mindepth 1 -maxdepth 1 -type d 17 | } | sed 's|^\./fuzzers/||' 18 | ) 19 | 20 | exit $ret 21 | -------------------------------------------------------------------------------- /scripts/clean_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 4 | cd "$SCRIPT_DIR/.." || exit 1 5 | 6 | # TODO: This should be rewritten in rust, a Makefile, or some platform-independent language 7 | 8 | echo "Welcome to the happy clean script. :)" 9 | echo "[*] Running clean for the main crates" 10 | cargo clean 11 | 12 | fuzzers=$(find ./fuzzers -maxdepth 1 -type d) 13 | backtrace_fuzzers=$(find ./fuzzers/backtrace_baby_fuzzers -maxdepth 1 -type d) 14 | 15 | # shellcheck disable=SC2116 16 | for fuzzer in $(echo "$fuzzers" "$backtrace_fuzzers"); 17 | do 18 | pushd "$fuzzer" || exit 1 19 | echo "[*] Running clean for $fuzzer" 20 | cargo clean 21 | popd || exit 1 22 | done 23 | -------------------------------------------------------------------------------- /scripts/createAliases.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # creates a symbolic link from bin-x.x to bin 4 | # This just strips off last 3 characters when creating a link 5 | 6 | LLVMFILES="/usr/bin/llvm*" 7 | CLANGFILES="/usr/bin/clang*" 8 | LLC=/usr/bin/llc-$1 9 | OPT=/usr/bin/opt-$1 10 | LLD=/usr/bin/lld-$1 11 | 12 | for f in $LLVMFILES $CLANGFILES $LLC $OPT $LLD 13 | do 14 | link=${f::-3} 15 | echo "linking" "$f" "to" "$link" 16 | ln -s "$f" "$link" 17 | if [ -e "$f" ] 18 | then cp "$link" /usr/local/bin/ 19 | fi 20 | done 21 | -------------------------------------------------------------------------------- /scripts/dummy.rs: -------------------------------------------------------------------------------- 1 | /// Dummy file for Docker build caching 2 | 3 | /// Just here as dummy in docker 4 | #[expect(dead_code)] 5 | fn main() { panic!("This is the CI dummy file - it should never run!") } -------------------------------------------------------------------------------- /scripts/find_unused_rs_files.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Script to find .rs files that don't get built. 4 | 5 | cargo build --examples --all-features --tests --examples --benches 6 | 7 | # Find all files in deps, then compare to all actual .d files. Ignore a range of files. 8 | grep --no-filename '^[^/].*\.rs:$' target/debug/deps/*.d | sed 's/:$//' | sort -u | diff - <(find . -name '*.rs' | sed 's/\.\///' | sort -u) | grep -Ev '(target/|scripts/|symcc_runtime/|build.rs|fuzzers/)' -------------------------------------------------------------------------------- /scripts/gen_lockfiles.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 4 | LIBAFL_DIR=$(realpath "$SCRIPT_DIR/..") 5 | 6 | cd "${LIBAFL_DIR}" || exit 1 7 | 8 | cargo run --manifest-path "$LIBAFL_DIR/utils/libafl_repo_tools/Cargo.toml" --release -- --generate-lockfiles --verbose || exit 1 9 | 10 | echo "[*] Done :)" 11 | -------------------------------------------------------------------------------- /scripts/kill_all_ipc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PATH="/bin:/usr/bin" 3 | 4 | IPCS_S=$(ipcs -s | grep -E "0x[0-9a-f]+ [0-9]+" | grep "${USER}" | cut -f2 -d" ") 5 | IPCS_M=$(ipcs -m | grep -E "0x[0-9a-f]+ [0-9]+" | grep "${USER}" | cut -f2 -d" ") 6 | IPCS_Q=$(ipcs -q | grep -E "0x[0-9a-f]+ [0-9]+" | grep "${USER}" | cut -f2 -d" ") 7 | 8 | for id in $IPCS_M; do 9 | ipcrm -m "$id"; 10 | done 11 | 12 | for id in $IPCS_S; do 13 | ipcrm -s "$id"; 14 | done 15 | 16 | for id in $IPCS_Q; do 17 | ipcrm -q "$id"; 18 | done 19 | 20 | -------------------------------------------------------------------------------- /scripts/precommit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" 3 | cd "$SCRIPT_DIR/.." || exit 1 4 | 5 | echo "[!] Running precommit script." 6 | echo 7 | echo 8 | echo "[*] Formatting this beautiful code" 9 | echo 10 | "$SCRIPT_DIR"/fmt_all.sh || exit 1 11 | echo 12 | echo "[*] Asking clippy how to excel" 13 | echo 14 | "$SCRIPT_DIR"/clippy.sh || { 15 | echo "[!] Error: clippy wasn't succesful." >&2 16 | echo "[*] Hint: run scripts/autofix.sh to fix a bunch of errors automatically." >&2 17 | exit 1 # Exit the script with a non-zero status. 18 | } 19 | echo 20 | echo "[!] All done. Ready to commit!" -------------------------------------------------------------------------------- /scripts/shmem_limits_fbsd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | sudo sysctl -a kern.ipc.shmmax=536870912 3 | sudo sysctl -a kern.ipc.shmmin=1 4 | sudo sysctl -a kern.ipc.shmall=131072000 5 | -------------------------------------------------------------------------------- /scripts/shmem_limits_macos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # shellcheck disable=SC2016 4 | echo "Warning: this script is not a proper fix to do LLMP fuzzing." \ 5 | 'Instead, run `afl-persistent-config` with SIP disabled.' 6 | 7 | sudo sysctl -w kern.sysv.shmmax=524288000 8 | sudo sysctl -w kern.sysv.shmmin=1 9 | sudo sysctl -w kern.sysv.shmseg=32 10 | sudo sysctl -w kern.sysv.shmall=131072000 11 | sudo sysctl -w kern.maxprocperuid=512 12 | -------------------------------------------------------------------------------- /scripts/shmem_limits_obsd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | doas sysctl kern.shminfo.shmmax=536870912 3 | doas sysctl kern.shminfo.shmmin=1 4 | doas sysctl kern.shminfo.shmall=131072000 5 | -------------------------------------------------------------------------------- /scripts/update_bindings.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" 6 | cd "$SCRIPT_DIR/.." || exit 1 7 | 8 | # Update LibAFL QEMU bindings 9 | pushd libafl_qemu 10 | LIBAFL_QEMU_GEN_STUBS=1 cargo +nightly build || exit 1 11 | popd -------------------------------------------------------------------------------- /seeds/pngs/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/seeds/pngs/not_kitty.png -------------------------------------------------------------------------------- /seeds/pngs/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/seeds/pngs/not_kitty_alpha.png -------------------------------------------------------------------------------- /seeds/pngs/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/seeds/pngs/not_kitty_gamma.png -------------------------------------------------------------------------------- /seeds/pngs/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AFLplusplus/LibAFL/7e1f5f95992d9f5d920c76ab655cb3385c2b9d37/seeds/pngs/not_kitty_icc.png -------------------------------------------------------------------------------- /utils/README.md: -------------------------------------------------------------------------------- 1 | # LibAFL Utils 2 | 3 | Welcome to the LibAFL Utils folder. 4 | Here, you find some helful utilities that may be helpful for successfull fuzzing campaigns. 5 | 6 | ## DeExit: ldpreload exit lib 7 | 8 | In the `deexit` folder, you'll find a ldpreloadable library, that changes calls to `exit` to `abort()`s. 9 | When a target exits, it quits, and LibAFL will not be able to catch this or recover. 10 | Abort, on the other hand, raises an error LibAFL's inprocess executor will be able to catch, thanks to its signal handlers. 11 | 12 | ## Gramatron: gramatron grammars and preprocessing utils 13 | 14 | See https://github.com/HexHive/Gramatron 15 | 16 | ## libafl_benches 17 | 18 | This folder contains benchmarks for various things in LibAFL, like hash speeds and RNGs. 19 | Run with `cargo bench` -------------------------------------------------------------------------------- /utils/build_and_test_fuzzers/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "build_and_test_fuzzers" 3 | version.workspace = true 4 | edition = "2024" 5 | description = "Get diffing fuzzers from the last commit" 6 | repository = "https://github.com/AFLplusplus/LibAFL/" 7 | license = "MIT OR Apache-2.0" 8 | readme = "../../README.md" 9 | keywords = ["ci"] 10 | categories = ["development-tools::testing"] 11 | 12 | [dependencies] 13 | cargo_toml = "0.22.0" 14 | walkdir = "2.5.0" 15 | 16 | [lints] 17 | workspace = true 18 | -------------------------------------------------------------------------------- /utils/cfg_builder/README.md: -------------------------------------------------------------------------------- 1 | # CFG Builder 2 | 3 | This script builds the control flow graph (CFG) of the whole program. 4 | 5 | To use this, first you have to setup libafl_cc with `LLVMPasses::DumpCfg` pass. 6 | Then, compile the program with env var `CFG_OUTPUT_PATH`. The llvm pass will dump the cfg of each module into `CFG_OUTPUT_PATH` directory. 7 | 8 | After that, you can run `CFG_OUTPUT_PATH= python3 build.py`, and then you'll get the control flow graph in cfg.xdot and call graph in cg.xdot -------------------------------------------------------------------------------- /utils/ci_runner/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ci_runner" 3 | edition = "2024" 4 | authors = ["Dongjia Zhang "] 5 | version.workspace = true 6 | license.workspace = true 7 | description = "libafl CI tools for testing fuzzers" 8 | repository = "https://github.com/AFLplusplus/LibAFL/" 9 | keywords = ["fuzzing", "testing", "security"] 10 | categories = [ 11 | "development-tools::testing", 12 | "emulators", 13 | "embedded", 14 | "os", 15 | "no-std", 16 | ] 17 | readme = "../README.md" 18 | 19 | [dependencies] 20 | 21 | [lints] 22 | workspace = true 23 | -------------------------------------------------------------------------------- /utils/ci_splitter/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "ci_splitter" 3 | edition = "2024" 4 | authors = ["Dongjia Zhang "] 5 | version.workspace = true 6 | license.workspace = true 7 | description = "libafl CI tools for testing fuzzers" 8 | repository = "https://github.com/AFLplusplus/LibAFL/" 9 | keywords = ["fuzzing", "testing", "security"] 10 | categories = [ 11 | "development-tools::testing", 12 | "emulators", 13 | "embedded", 14 | "os", 15 | "no-std", 16 | ] 17 | readme = "../README.md" 18 | 19 | [dependencies] 20 | 21 | [lints] 22 | workspace = true 23 | -------------------------------------------------------------------------------- /utils/deexit/README.md: -------------------------------------------------------------------------------- 1 | # DeExit 2 | 3 | This util helps you, if your target calls `exit` during a fuzz run. 4 | A simple wrapper that can be inserted into a program to turn `exit` calls to `abort`, which LibAFL will be able to catch. 5 | If you are on MacOS, use the env variables `DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES="path/to/target/release/libdeexit.dylib" tool` 6 | On Linux, use `LD_PRELOAD="path/to/target/release/libdeexit.so" tool`. 7 | -------------------------------------------------------------------------------- /utils/deexit/src/lib.rs: -------------------------------------------------------------------------------- 1 | //! A simple wrapper that can be inserted into a program to turn `exit` calls to `abort`, which `LibAFL` will be able to catch. 2 | //! If you are on `MacOS`, use the env variables `DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES="path/to/target/release/libdeexit.dylib" tool` 3 | //! On Linux, use `LD_PRELOAD="path/to/target/release/libdeexit.so" tool`. 4 | 5 | unsafe extern "C" { 6 | fn abort(); 7 | } 8 | 9 | /// Hooked `exit` function 10 | #[unsafe(no_mangle)] 11 | pub extern "C" fn exit(status: i32) { 12 | println!("DeExit: The target called exit with status code {status}"); 13 | unsafe { 14 | abort(); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /utils/desyscall/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "desyscall" 3 | version = "0.15.3" 4 | edition = "2024" 5 | description = "DeSyscall: Hooks syscalls for reduces overhead during in-process fuzzing" 6 | repository = "https://github.com/AFLplusplus/LibAFL/" 7 | license = "MIT OR Apache-2.0" 8 | categories = [ 9 | "development-tools::testing", 10 | "emulators", 11 | "embedded", 12 | "os", 13 | "no-std", 14 | ] 15 | keywords = ["fuzzing", "libafl", "ldpreload"] 16 | 17 | [dependencies] 18 | meminterval = "0.4" 19 | libc = "0.2" 20 | 21 | [dev-dependencies] 22 | rusty-fork = "0.3.0" 23 | 24 | [build-dependencies] 25 | cc = "1" 26 | 27 | [lib] 28 | name = "desyscall" 29 | crate-type = ["rlib", "cdylib"] 30 | -------------------------------------------------------------------------------- /utils/desyscall/README.md: -------------------------------------------------------------------------------- 1 | # libdesyscall 2 | 3 | This library emulates in userspace various costly syscall to allow targets to scale better over cores in Linux 4 | -------------------------------------------------------------------------------- /utils/drcov_utils/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "drcov_utils" 3 | edition = "2024" 4 | version.workspace = true 5 | description = "Utility functions to work with DrCov coverage files" 6 | repository = "https://github.com/AFLplusplus/LibAFL/" 7 | license = "MIT OR Apache-2.0" 8 | categories = ["development-tools"] 9 | keywords = ["fuzzing", "libafl", "drcov"] 10 | 11 | [dependencies] 12 | env_logger = "0.11.6" 13 | libafl_targets = { workspace = true, default-features = true } 14 | clap = { workspace = true, features = ["derive", "wrap_help"] } 15 | walkdir = "2.5" 16 | 17 | [lints] 18 | workspace = true 19 | -------------------------------------------------------------------------------- /utils/gdb_qemu/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [build] 2 | target = "x86_64-unknown-linux-gnu" 3 | 4 | [target.powerpc-unknown-linux-gnu] 5 | linker = "powerpc-linux-gnu-gcc" 6 | runner = "qemu-ppc -L /usr/powerpc-linux-gnu" 7 | -------------------------------------------------------------------------------- /utils/gdb_qemu/.gitignore: -------------------------------------------------------------------------------- 1 | /target 2 | gdb_qemu.log 3 | -------------------------------------------------------------------------------- /utils/gdb_qemu/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | resolver = "2" 3 | members = ["gdb_qemu", "gdb_demo"] 4 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_demo/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "gdb_demo" 3 | version = "0.15.3" 4 | edition = "2024" 5 | 6 | [build-dependencies] 7 | vergen = { version = "8.1.1", features = [ 8 | "build", 9 | "cargo", 10 | "git", 11 | "gitcl", 12 | "rustc", 13 | "si", 14 | ] } 15 | 16 | [dependencies] 17 | anyhow = { version = "1.0", default-features = false } 18 | clap = { version = "4.5", default-features = false, features = [ 19 | "derive", 20 | "string", 21 | "std", 22 | "help", 23 | ] } 24 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_demo/build.rs: -------------------------------------------------------------------------------- 1 | use std::error::Error; 2 | 3 | use vergen::EmitBuilder; 4 | 5 | fn main() -> Result<(), Box> { 6 | EmitBuilder::builder() 7 | .all_build() 8 | .all_cargo() 9 | .all_git() 10 | .all_rustc() 11 | .all_sysinfo() 12 | .emit()?; 13 | 14 | Ok(()) 15 | } 16 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_demo/src/main.rs: -------------------------------------------------------------------------------- 1 | mod args; 2 | 3 | use std::{thread::sleep, time::Duration}; 4 | 5 | use clap::Parser; 6 | 7 | use crate::args::Args; 8 | 9 | #[unsafe(no_mangle)] 10 | extern "C" fn run_test(num: usize) { 11 | println!("OUT - test: {num:}"); 12 | if num & 1 == 0 { 13 | eprintln!("ERR - test: {num:}"); 14 | } 15 | } 16 | 17 | #[unsafe(no_mangle)] 18 | extern "C" fn test(num: usize) { 19 | for i in 0..num { 20 | run_test(i); 21 | sleep(Duration::from_millis(250)); 22 | } 23 | } 24 | 25 | fn main() { 26 | println!("Hello demo!"); 27 | let args = Args::parse(); 28 | println!("Args: {args:#?}"); 29 | test(10); 30 | } 31 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_qemu/build.rs: -------------------------------------------------------------------------------- 1 | use std::error::Error; 2 | 3 | use vergen::EmitBuilder; 4 | 5 | fn main() -> Result<(), Box> { 6 | EmitBuilder::builder() 7 | .all_build() 8 | .all_cargo() 9 | .all_git() 10 | .all_rustc() 11 | .all_sysinfo() 12 | .emit()?; 13 | 14 | Ok(()) 15 | } 16 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_qemu/src/args/level.rs: -------------------------------------------------------------------------------- 1 | use clap::ValueEnum; 2 | use simplelog::LevelFilter; 3 | 4 | #[derive(ValueEnum, Debug, Copy, Clone)] 5 | pub enum Level { 6 | Off, 7 | Error, 8 | Warn, 9 | Info, 10 | Debug, 11 | Trace, 12 | } 13 | 14 | impl From for LevelFilter { 15 | fn from(level: Level) -> LevelFilter { 16 | match level { 17 | Level::Off => LevelFilter::Off, 18 | Level::Error => LevelFilter::Error, 19 | Level::Warn => LevelFilter::Warn, 20 | Level::Info => LevelFilter::Info, 21 | Level::Debug => LevelFilter::Debug, 22 | Level::Trace => LevelFilter::Trace, 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_qemu/src/errno.rs: -------------------------------------------------------------------------------- 1 | use libc::__errno_location; 2 | 3 | pub fn errno() -> i32 { 4 | unsafe { *__errno_location() } 5 | } 6 | -------------------------------------------------------------------------------- /utils/gdb_qemu/gdb_qemu/src/logger.rs: -------------------------------------------------------------------------------- 1 | use std::fs::File; 2 | 3 | use anyhow::{Result, anyhow}; 4 | use simplelog::{Config, LevelFilter, WriteLogger}; 5 | 6 | use crate::args::LogArgs; 7 | 8 | pub struct Logger; 9 | 10 | impl Logger { 11 | pub fn init(args: &impl LogArgs) -> Result<()> { 12 | let filter: LevelFilter = args.log_level().into(); 13 | if filter != LevelFilter::Off { 14 | let logfile = File::create(args.log_file()) 15 | .map_err(|e| anyhow!("Failed to open log file: {e:}"))?; 16 | WriteLogger::init(filter, Config::default(), logfile) 17 | .map_err(|e| anyhow!("Failed to initalize logger: {e:}"))?; 18 | } 19 | Ok(()) 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /utils/gramatron/README.md: -------------------------------------------------------------------------------- 1 | # Gramatron preprocessing scripts 2 | 3 | In this folder live the scripts to convert a grammar (some examples in the `grammars/` subfolder) into a serialized Automaton. 4 | 5 | You need as first to convert the grammar to the GNF form using the `gnf_converter.py` Python script. 6 | 7 | Then use the output as input of the `construct_automata` crate. 8 | 9 | Here an example using the Ruby grammar: 10 | 11 | ``` 12 | ./gnf_converter.py --gf grammars/ruby_grammar.json --out ruby_gnf.json --start PROGRAM 13 | cd construct_automata 14 | RUSTFLAGS="-C target-cpu=native" cargo run --release -- --gf ../ruby_gnf.json --out ../ruby_automaton.postcard 15 | ``` 16 | 17 | You can add the `--limit` flag to limit the stack size, as described in the Gramatron paper. 18 | -------------------------------------------------------------------------------- /utils/gramatron/grammars/test1.json: -------------------------------------------------------------------------------- 1 | { 2 | "B": ["'a'", "'b'"], 3 | "A": ["A 'a'", "'a'"] 4 | } 5 | -------------------------------------------------------------------------------- /utils/libafl_jumper/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libafl_jumper" 3 | edition = "2024" 4 | version.workspace = true 5 | description = "LibAFL_Jumper: Jump to any address in memory." 6 | repository = "https://github.com/AFLplusplus/LibAFL/" 7 | license = "MIT OR Apache-2.0" 8 | categories = ["development-tools::testing", "os"] 9 | keywords = ["fuzzing", "libafl"] 10 | 11 | [features] 12 | default = ["std"] 13 | std = [] 14 | 15 | [build-dependencies] 16 | cc = "1" 17 | -------------------------------------------------------------------------------- /utils/libafl_jumper/linker_script.ld: -------------------------------------------------------------------------------- 1 | MEMORY 2 | { 3 | FLASH (rx) : ORIGIN = 0x20001000, LENGTH = 512K 4 | RAM (xrw) : ORIGIN = 0x21000000, LENGTH = 64K 5 | } 6 | 7 | SECTIONS 8 | { 9 | .text : { *(.text*) } > FLASH 10 | .rodata : { *(.rodata*) } > FLASH 11 | .bss : { *(.bss*) } > RAM 12 | } -------------------------------------------------------------------------------- /utils/libafl_repo_tools/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libafl_repo_tools" 3 | version = "0.15.3" 4 | edition = "2024" 5 | description = "A set of useful tools to manage the LibAFL repository" 6 | authors = ["Romain Malmain "] 7 | license = "MIT OR Apache-2.0" 8 | repository = "https://github.com/AFLplusplus/LibAFL.git" 9 | 10 | [dependencies] 11 | project-root = "0.2" 12 | walkdir = "2.5" 13 | regex = "1.10" 14 | tokio = { version = "1.44", features = [ 15 | "process", 16 | "rt", 17 | "rt-multi-thread", 18 | "macros", 19 | ] } 20 | clap = { version = "4.5", features = ["derive"] } 21 | exitcode = "1.1" 22 | which = "7.0.2" 23 | colored = "3.0.0" 24 | -------------------------------------------------------------------------------- /utils/multi_machine_generator/.gitignore: -------------------------------------------------------------------------------- 1 | *.txt 2 | *.dot -------------------------------------------------------------------------------- /utils/multi_machine_generator/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "multi_machine_generator" 3 | authors = ["Romain Malmain "] 4 | version = "0.15.3" 5 | description = "Generator for multi-machine setup" 6 | license = "MIT OR Apache-2.0" 7 | keywords = ["fuzzing", "testing", "security"] 8 | edition = "2024" 9 | 10 | [dependencies] 11 | petgraph = "0.6" 12 | clap = { version = "4.5", features = ["derive"] } 13 | serde = { version = "1.0", features = ["derive"] } 14 | serde_json = "1.0" 15 | -------------------------------------------------------------------------------- /utils/noaslr/Cargo.toml: -------------------------------------------------------------------------------- 1 | [workspace] 2 | resolver = "2" 3 | members = ["noaslr", "demo", "libnoaslr"] 4 | -------------------------------------------------------------------------------- /utils/noaslr/Justfile: -------------------------------------------------------------------------------- 1 | import "../../just/libafl.just" 2 | FUZZER_NAME := "" 3 | 4 | clean: 5 | cargo clean 6 | 7 | format: 8 | cargo fmt -- --emit=files 9 | 10 | demo: format 11 | cargo build -p noaslr_demo --profile {{PROFILE}} 12 | 13 | run_demo: demo 14 | cargo run -p noaslr_demo 15 | 16 | build: format 17 | cargo build -p noaslr --profile {{PROFILE}} 18 | 19 | buildlib: format 20 | cargo build -p libnoaslr --profile {{PROFILE}} 21 | 22 | run: demo 23 | cargo run -p noaslr --profile {{PROFILE}} -- {{BUILD_DIR}}/demo -- -f /proc/self/maps -- test 24 | 25 | 26 | runlib: demo buildlib 27 | LD_PRELOAD={{BUILD_DIR}}/libnoaslr.so cargo run -p noaslr_demo --profile {{PROFILE}} -- -f /proc/self/maps -- test 28 | 29 | all: demo build buildlib 30 | -------------------------------------------------------------------------------- /utils/noaslr/demo/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "noaslr_demo" 3 | version = "0.15.3" 4 | edition = "2024" 5 | 6 | [build-dependencies] 7 | vergen = { version = "8.1.1", features = [ 8 | "build", 9 | "cargo", 10 | "git", 11 | "gitcl", 12 | "rustc", 13 | "si", 14 | ] } 15 | 16 | [dependencies] 17 | anyhow = { version = "1.0", default-features = false } 18 | clap = { version = "4.5", default-features = false, features = [ 19 | "derive", 20 | "string", 21 | "std", 22 | "help", 23 | ] } 24 | readonly = { version = "0.2.8", default-features = false } 25 | -------------------------------------------------------------------------------- /utils/noaslr/demo/build.rs: -------------------------------------------------------------------------------- 1 | use std::error::Error; 2 | 3 | use vergen::EmitBuilder; 4 | 5 | fn main() -> Result<(), Box> { 6 | EmitBuilder::builder() 7 | .all_build() 8 | .all_cargo() 9 | .all_git() 10 | .all_rustc() 11 | .all_sysinfo() 12 | .emit()?; 13 | 14 | Ok(()) 15 | } 16 | -------------------------------------------------------------------------------- /utils/noaslr/libnoaslr/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "libnoaslr" 3 | version = "0.15.3" 4 | edition = "2024" 5 | 6 | [lib] 7 | name = "noaslr" 8 | path = "src/lib.rs" 9 | crate-type = ["dylib"] 10 | 11 | # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html 12 | 13 | [dependencies] 14 | anyhow = { version = "1.0", default-features = false } 15 | ctor = "0.4.0" 16 | nix = { version = "0.30.1", default-features = false, features = [ 17 | "process", 18 | "personality", 19 | ] } 20 | 21 | [target.'cfg(any(target_os = "freebsd", target_os = "netbsd"))'.dependencies] 22 | libc = "0.2" 23 | -------------------------------------------------------------------------------- /utils/noaslr/noaslr/build.rs: -------------------------------------------------------------------------------- 1 | use std::error::Error; 2 | 3 | use vergen::EmitBuilder; 4 | 5 | fn main() -> Result<(), Box> { 6 | EmitBuilder::builder() 7 | .all_build() 8 | .all_cargo() 9 | .all_git() 10 | .all_rustc() 11 | .all_sysinfo() 12 | .emit()?; 13 | 14 | Ok(()) 15 | } 16 | --------------------------------------------------------------------------------