LibAFL, the fuzzer library.
Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
LibAFL is written and maintained by
- Andrea Fioraldi [email protected]
- Dominik Maier [email protected]
- s1341 [email protected]
- Dongjia Zhang [email protected]
LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include:
fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
Low Level Message Passing,
LLMPfor short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.
adaptable: You can replace each part of LibAFL. For example,
BytesInputis just one potential form input: feel free to add an AST-based input for structured fuzzing, and more.
multi platform: LibAFL was confirmed to work on Windows, MacOS, Linux, and Android on x86_64 and aarch64.
LibAFLcan be built in
no_stdmode to inject LibAFL into obscure targets like embedded devices and hypervisors.
bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends.
LibAFL is a collection of reusable pieces of fuzzers, written in Rust. It is fast, multi-platform, no_std compatible, and scales over cores and machines.
It offers a main crate that provide building blocks for custom fuzzers, libafl, a library containing common code that can be used for targets instrumentation, libafl_targets, and a library providing facilities to wrap compilers, libafl_cc.
LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
Install the Rust development language. We highly recommend not to use e.g. your Linux distribution package as this is likely outdated. So rather install Rust directly, instructions can be found here.
Clone the LibAFL repository with
git clone https://github.com/AFLplusplus/LibAFL
Build the library using
cargo build --release
- Build the API documentation with
- Browse the LibAFL book (WIP!) with (requires mdbook)
cd docs && mdbook serve
We collect all example fuzzers in
./fuzzers. Be sure to read their documentation (and source), this is the natural way to get started!
The best-tested fuzzer is
./fuzzers/libfuzzer_libpng, a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
Our RC3 talk explaining the core concepts
Our Fuzzcon Europe talk with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
Check the TODO.md file for features that we plan to support.
For bugs, feel free to open issues or contact us directly. Thank you for your support. <3
Even though we will gladly assist you in finishing up your PR, try to
- keep all the crates compiling with stable rust (hide the eventual non-stable code under
cargo fmton your code before pushing
- check the output of
cargo clippy --allor
cargo build --no-default-featuresto check for
no_stdcompatibility (and possibly add
#[cfg(feature = "std")]) to hide parts of your code.
Some of the parts in this list may be hard, don't be afraid to open a PR if you cannot fix them by yourself, so we can help.
Licensed under either of LicenseApache License, Version 2.0 or MIT license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Dependencies under more restrictive licenses, such as GPL or AGPL, can be enabled using the respective feature in each crate when it is present, such as the 'agpl' feature of the libafl crate.