Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...


LibAFL, the fuzzer library.


Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.

LibAFL is written and maintained by

Why LibAFL?

LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include:

  • fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
  • scalable: Low Level Message Passing, LLMP for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.
  • adaptable: You can replace each part of LibAFL. For example, BytesInput is just one potential form of input: feel free to add an AST-based input for structured fuzzing, and more.
  • multi-platform: LibAFL was confirmed to work on Windows, MacOS, Linux, and Android on x86_64 and aarch64. LibAFL can be built in no_std mode to inject LibAFL into obscure targets like embedded devices and hypervisors.
  • bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for source-based instrumentation. Of course it's easy to add custom instrumentation backends.


LibAFL is a collection of reusable pieces of fuzzers, written in Rust. It is fast, multi-platform, no_std compatible, and scales over cores and machines.

It offers a main crate that provides building blocks for custom fuzzers, libafl; a library containing common code that can be used for target instrumentation, libafl_targets; and a library providing facilities to wrap compilers, libafl_cc.

LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:

Getting started

  1. Install the Rust development language. We highly recommend not using your Linux distribution's package, as it is likely outdated; install Rust directly instead (instructions can be found here).

  2. Clone the LibAFL repository with

git clone

  3. Build the library using

cargo build --release

  4. Build the API documentation with

cargo doc

  5. Browse the LibAFL book (WIP!) with (requires mdbook)

cd docs && mdbook serve

We collect all example fuzzers in ./fuzzers. Be sure to read their documentation (and source); this is the natural way to get started!

The best-tested fuzzer is ./fuzzers/libfuzzer_libpng, a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.



Check the file for features that we plan to support.

For bugs, feel free to open issues or contact us directly. Thank you for your support. <3

Even though we will gladly assist you in finishing up your PR, try to

  • keep all the crates compiling with stable rust (hide the eventual non-stable code under cfgs)
  • run cargo fmt on your code before pushing
  • check the output of cargo clippy --all or ./
  • run cargo build --no-default-features to check for no_std compatibility (and possibly add #[cfg(feature = "std")] to hide parts of your code).

Some of the parts in this list may be hard, don't be afraid to open a PR if you cannot fix them by yourself, so we can help.
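The no_std bullet in the feature list above and the last item of this checklist come down to one habit: implement the core logic against `core` only, and gate anything that needs the standard library behind `#[cfg(feature = "std")]` so that `cargo build --no-default-features` still compiles the crate. The following is an added example written for this page, not code from the LibAFL repository. It assumes a Cargo feature named `std` (the libafl crate has one) and shows a small allocation-free executions-per-interval tracker whose file-writing convenience exists only when that feature is enabled.

```rust
use core::fmt::Write;

// In a real crate the switch sits at the crate root:
//   #![cfg_attr(not(feature = "std"), no_std)]
// A single-file example cannot carry that inner attribute, so only the
// `cfg` gating pattern is shown here. `ExecStats` and `SliceWriter` are
// names invented for this example.

/// Allocation-free tracker for executions per sampling interval.
/// It keeps the last `N` samples in a fixed ring buffer and uses
/// nothing outside `core`, so it builds without `std`.
pub struct ExecStats<const N: usize> {
    samples: [u64; N],
    next: usize,
    filled: usize,
}

impl<const N: usize> ExecStats<N> {
    pub const fn new() -> Self {
        Self { samples: [0; N], next: 0, filled: 0 }
    }

    /// Record the executions observed in one sampling interval,
    /// overwriting the oldest sample once the ring is full.
    pub fn record(&mut self, execs: u64) {
        self.samples[self.next] = execs;
        self.next = (self.next + 1) % N;
        if self.filled < N {
            self.filled += 1;
        }
    }

    /// Mean over the retained samples; 0 when nothing was recorded yet.
    pub fn average(&self) -> u64 {
        if self.filled == 0 {
            return 0;
        }
        let sum: u64 = self.samples[..self.filled].iter().sum();
        sum / self.filled as u64
    }

    /// Format a one-line report into a caller-provided buffer using only
    /// `core::fmt`; fails instead of allocating when the buffer is too small.
    pub fn report_into<'a>(&self, buf: &'a mut [u8]) -> Result<&'a str, core::fmt::Error> {
        let mut w = SliceWriter { buf, pos: 0 };
        write!(w, "execs/interval avg={} samples={}", self.average(), self.filled)?;
        let written = w.pos;
        let out: &'a mut [u8] = w.buf;
        core::str::from_utf8(&out[..written]).map_err(|_| core::fmt::Error)
    }
}

/// Minimal `core::fmt::Write` sink over a byte slice (no heap needed).
struct SliceWriter<'a> {
    buf: &'a mut [u8],
    pos: usize,
}

impl Write for SliceWriter<'_> {
    fn write_str(&mut self, s: &str) -> core::fmt::Result {
        let bytes = s.as_bytes();
        let end = self.pos + bytes.len();
        if end > self.buf.len() {
            return Err(core::fmt::Error);
        }
        self.buf[self.pos..end].copy_from_slice(bytes);
        self.pos = end;
        Ok(())
    }
}

/// File output needs `std`, so it is compiled only with the `std` feature;
/// `cargo build --no-default-features` never sees this block.
#[cfg(feature = "std")]
impl<const N: usize> ExecStats<N> {
    pub fn write_report(&self, path: &std::path::Path) -> std::io::Result<()> {
        let mut buf = [0u8; 128];
        let line = self
            .report_into(&mut buf)
            .map_err(|_| std::io::Error::new(std::io::ErrorKind::Other, "report does not fit"))?;
        std::fs::write(path, line)
    }
}

fn main() {
    // Constructed sample counts, as if read from a monitor once per second.
    let mut stats = ExecStats::<8>::new();
    for execs in [1200u64, 1350, 1100, 1400] {
        stats.record(execs);
    }
    let mut buf = [0u8; 128];
    println!("{}", stats.report_into(&mut buf).expect("report fits in buffer"));
}
```

Checking both configurations is what the checklist item asks for: `cargo build` with default features compiles `write_report`, while `cargo build --no-default-features` compiles only the `core` path, and anything accidentally reaching for `std` outside the gated block fails there rather than on a user's embedded target.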


Licensed under either of Apache License, Version 2.0 or MIT license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Dependencies under more restrictive licenses, such as GPL or AGPL, can be enabled using the respective feature in each crate when it is present, such as the 'agpl' feature of the libafl crate.
  • Test fuzzers

    I've made scripts for 6 fuzzers in fuzzer/ (excluding baby, generic, frida, fuzzbench) that can test the build for each, so that we can tell if something is going wrong in CI. Yes, they are bash scripts, and the platform-independent workaround is a TODO.

    What do you think 🤗?

    opened by tokatoka 45
  • Frida Address Sanitizer for x86_64

    Still WIP, but I just thought CI would help, so I put it here as a draft PR.

    • TODOs
    • [x] handle_trap for amd64
    • [x] the speed issue of hook_func
    • [x] blob_report for amd64
    • [x] Get merged, this repo extends frida-rust for some missing instructions on amd64 (PR submitted)
    opened by tokatoka 39
  • Google Summer of Code

    Welcome Students :)

    This is libAFL, our new fuzzing library. It's not public just yet, but will be opened up soon! Take a look around in the code base, look at the todos and issues if you already feel like coding, and feel free to post any questions in this issue or open your own issues.

    In case anybody wants to open a PR, talk to @andreafioraldi or me.

    opened by domenukk 29
  • LLVM AutoTokens

    This PR implements LLVM autodict, based on Andrea's autodict branch and AFL++'s implementation.

    I decided not to use the new PM because it just does not work :/ (not sure why). Instead of writing to a file, the LLVM pass puts the tokens into a section named "libafl_dict". On the Rust side we retrieve the pointer to the start of the section and parse it.

    opened by tokatoka 27
  • [READY] Add options parser

    There's probably a few things that could be added still, remote_broker_port, cmplog, asan, and a few others come to mind. I'll poke around and get this to where it covers most options, but wanted to open it up for comments sooner rather than later.

    opened by epi052 25
  • Windows Inprocess Fuzzing + Asan does not work

    Describe the bug: LibAFL on MSVC is marking discovered crashes as fuzzer crashes instead of target crashes.

    To Reproduce: Steps to reproduce the behavior:

    1. Download the included project file
    2. Open it with your MSVC developer powershell
    3. run ./build_libafl.ps1 - optionally changing the position of sancov.lib within
    4. cd fuzzer_rust
    5. cargo run - you should get crash marked as occurring outside of the target

    Expected behavior: The crash should be classified as occurring inside the target.

    Screen output/Screenshots: (screenshot)

    Additional context

    Note Changing the VEH installed at from 1 to 0 seemed to fix the problem here, but I'm not sure if this may have broken anything else / things in other scenarios.

    bug help wanted 
    opened by Ben-Lichtman 23
  • libafl_cc fixes for windows

    This PR includes changes that enable LibAFL's optimization passes on Windows. I think this is not perfect, but could be used as a start.

    In order to get these running, one has to:

    • Compile LLVM (tested with version 14.0.6) in order to get llvm-config.exe which is not distributed in the Windows package. I used the following commands
    mkdir build; cd build
    cmake -G "Visual Studio 17 2022" -A x64             `
        -DLLVM_ENABLE_PROJECTS="clang;compiler-rt;lld"  `
        -DLLVM_TARGETS_TO_BUILD=X86 -Thost=x64          `
    cmake --build . --config Release
    • Link the rust code against the static runtime libraries by setting the following environment variable
    # PowerShell needs a statement separator between the assignment and the build command
    $env:RUSTFLAGS='-C target-feature=+crt-static'; cargo build --release

    I made a Dockerfile to build a Windows container here which installs the various dependencies required to set things up. I also wrote down some extended notes here.

    There is currently a problem that I am still trying to figure out. If I compile stuff with the libafl_cc wrapper and with -fsanitize=address, there is an ACCESS VIOLATION triggered before the target is even started. This gist might be related.

    opened by abgeana 23
  • Handling/Warning for OOM

    Hey, I just played a little bit with this library and tried to fuzz libcue.

    After some time the client just spams this message over and over:

    thread 'main' panicked at 'Allocated new message without calling send() inbetween. ret: 0x7f01465ad030, page: 0x7f01465ad000, complete_msg_size: 48, size_used: 1736144, last_msg: 0x0', /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
    stack backtrace:
       0: rust_begin_unwind
                 at /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/
       1: std::panicking::begin_panic_fmt
                 at /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/
       2: libafl::bolts::llmp::LlmpSender<SH>::alloc_next_if_space
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       3: libafl::bolts::llmp::LlmpSender<SH>::alloc_next
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       4: libafl::bolts::llmp::LlmpSender<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       5: libafl::bolts::llmp::LlmpClient<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       6: libafl::bolts::llmp::LlmpConnection<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       7: <libafl::events::llmp::LlmpEventManager<I,S,SH,ST> as libafl::events::EventManager<I,S>>::fire
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/events/
       8: <libafl::events::llmp::LlmpRestartingEventManager<I,S,SH,ST> as libafl::events::EventManager<I,S>>::fire
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/events/
       9: libafl::state::State<C,FT,libafl::inputs::bytes::BytesInput,OFT,R,SC>::load_initial_inputs
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/state/
      10: libfuzzer_libcue::fuzz
                 at ./src/
      11: libfuzzer_libcue::main
                 at ./src/
      12: core::ops::function::FnOnce::call_once
                 at /home/max/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
    [libafl/src/events/] "Spawning next client (id {})" = "Spawning next client (id {})"
    [libafl/src/events/] ctr = 1337
    We're a client, let's fuzz :)
    First run. Let's set it all up
    We're a client, let's fuzz :)
    Loading file "./corpus/test.cue" ...

    My fuzzer is identical to that of the libpng example. Only the build and harness scripts are different. If you need the code, I can upload it somewhere as a ZIP, as forking is disabled and I cannot create branches.

    opened by maxammann 23
  • ForkserverExecutor



    Only the ForkserverExecutor, still WIP. TODO:

    • [x] use Pipe made by Dominik.
    • [x] We need to check if the execution has crashed
    • [x] We might want to allocate the shared memory (calling StdShMemProvider::new()) outside the Executor?, because the Observer needs that address.
    • [x] Add an example that uses ForkserverExecutor
    opened by tokatoka 22
  • Use Unix timer_* API instead of setitimer

    Currently, to set and reset timeouts in the TimeoutExecutor the setitimer FFI is used. The function is not exposed in libc:: and is hence linked in via extern "C"; the required structs are defined manually in LibAFL.

    As these do not seem to account for different layouts/ pointer sizes, the call fails under armv7 and no alarm is being set (also cf. this).

    While working on this issue, I decided to use the newer timer API (timer_create, timer_settime), as setitimer is marked obsolete.

    As this requires global access to a timer_id struct, e.g., in order to disarm timers in the crash handler, a new trait was introduced for Executors, also streamlining the clock reset between Unix and Windows.

    Feedback is welcome.

    opened by pr0me 21
  • InProcessForkExecutor


    ATM these two Executors are missing:

    • ForkserverExecutor must be an AFL-like forkserver executor, I guess we can borrow code from Angora
    • InProcessForkExecutor is a version of InProcessExecutor that forks before calling the harness. In this case, LibAFL must still be embedded into the target and we avoid controlling the target via a pipe, but then we still need a harness and cannot fuzz binaries compiled with afl-cc
    enhancement good first issue 
    opened by andreafioraldi 20
  • Memory leak in qemu_fullsystem mode


    1. You have verified that the issue is present in the current main branch

    Thank you for making LibAFL better!

    Describe the bug: It looks like qemu fullsystem mode does not let go of memory, maxing out RAM usage.

    To Reproduce: Steps to reproduce the behavior:

    1. run qemu_fullsystem example from fuzzer directory
    2. wait few minutes.

    Expected behavior: It does not use all of my memory.

    Screen output/Screenshots: Screenshot from 2023-01-06 13-20-39; Screenshot from 2023-01-06 13-21-09

    opened by elbiazo 0
  • fixing linking issue on qemu build

    Trying to run the qemu_systemmode example and the qemu_arm example, I received the linker error shown below. The odd thing is that I tried it on 6 different machines, and 3 of them worked while the other 3 didn't.

    Screenshot from 2023-01-06 10-09-45

    opened by elbiazo 2
  • Create an `on_crash` callback in QemuHooks

    QemuHooks should expose an API for calling a method only when certain conditions occur, such as a crash.

    This would be useful, for example, when using QemuCallTraceHelper to collect traces only when a crash has occurred (as opposed to every exec). This particular use case implies re-running the target when a crash is found, so perhaps it could be implemented as a Stage with access to QemuHooks.

    opened by dlmarrero 0
  • Use Metadata to store QemuCallTracerHelper callstack

    Currently, QemuCallTracerHelper stores its callstack values inside of the struct. This makes the data difficult to access post-execution. Like other QemuHelpers, a Metadata instance should be stored in State and used to collect call addresses. This would enable post-processing in Observers and Feedbacks.

    opened by dlmarrero 0
  • 0.8.2 (Oct 12, 2022)


    • NYX bridge with LibAFL with libafl_nyx by @syheliel
    • JSON logging monitor by @eknoes
    • Testcase and corpus minimizers by @VTCAKAVSMoACE
    • TimeoutInprocessForkExecutor by @tokatoka
    • Builds on various *nix operating systems by @devnexen

    What's Changed

    • New Pass Manager Arguments in
    • Core affinity implementation for freebsd by @devnexen in
    • NYX Executor (GSoC '22) by @syheliel in
    • OSX force_load option in
    • Add continous JSON Logging monitor by @eknoes in
    • Netopenbsd build fix by @devnexen in
    • follow-up on netbsd build fix, simplification. by @devnexen in
    • Add test case minimising stage by @VTCAKAVSMoACE in
    • Implement a corpus minimiser by @VTCAKAVSMoACE in
    • Skippable stage, generator wrapper for Grimoire in
    • MapFeedback: Adding support for with_name() by @TeumessianFox in
    • dragonflybsd build fix for core affinity. by @devnexen in
    • CI for FreeBSD in
    • core affinity for FreeBSD pinning task to the wanted cpu by @devnexen in
    • Do not zero-init struct in QEMU in
    • adjust NyxExecutor trait bound to HasTargetBytes from HasBytesVec by @tcheinen in
    • libafl_frida ASan hook adding apple's memset_pattern* api. by @devnexen in
    • frida follow up on previous change for apple. by @devnexen in
    • Add track_stability option to CalibrationStage in
    • Dump registers on freebsd amd64 by @devnexen in
    • Builds on Illumos, by @devnexen in
    • reduces warnings when only version output is asked. by @devnexen in
    • Extend gramatron recursive mutator to recurse 5 times in
    • Dump registers on NetBSD amd64 by @devnexen in
    • Add support for ARMBE8 by @WorksButNotTested in
    • Dump reg for openbsd by @devnexen in
    • Windows gdiplus by @expend20 in &
    • Remove clang download from windows CI by @expend20 in
    • write_crash netbsd implementation by @devnexen in
    • bolts::cpu::read_time_counter on arm64 by @devnexen in
    • Add ability to use virtual dispatch to stagesTuple by @radl97 in
    • Adding CPSR register for arm qemu emulation by @TeumessianFox in
    • Enable additional rustc errors in test only in
    • Adding fork feature passing from libafl_qemu to libafl crate by @TeumessianFox in
    • Hide prelude behind feature flag in
    • TimeoutInprocessForkExecutor in
    • Fixes typo and grammar in doc by @Emauz in
    • Minor changes for linux without fork feature by @TeumessianFox in
    • Hook IsProcessorFeaturePresent to crash with STATUS_STACK_BUFFER_OVERRUN exception by @expend20 in
    • Added Hacking TMNF blogpost to Resources in
    • Moving to named parameters in format strings in


    • Unbreak tui with 1 client by @nicklangsysdig in
    • Fix autotokens doc in
    • Fix spelling error by @AidenRHall in
    • Fix documentation error by @Lancern in
    • Add doc for nyx by @syheliel in
    • Fix cargo doc failed on windows by @SpaceWhite in
    • Fix forkserver options in
    • Stability improvements in
    • Fix len miscalculation in grimoire string replace in
    • Disable ObserversOwnedMap due to new Rust error in
    • Fix FreeBSD CI in
    • Backport AFL++ issue #1548 in
    • Various Doc and CI fixes by @andreafioraldi, @tokatoka, @domenukk, @thebendavis, @Emauz

    New Contributors

    • @nicklangsysdig made their first contribution in
    • @AidenRHall made their first contribution in
    • @Lancern made their first contribution in
    • @VTCAKAVSMoACE made their first contribution in
    • @tcheinen made their first contribution in
    • @SpaceWhite made their first contribution in
    • @WorksButNotTested made their first contribution in
    • @thebendavis made their first contribution in
    • @radl97 made their first contribution in
    • @Emauz made their first contribution in

    Full Changelog:

  • 0.8.1 (Aug 18, 2022)


    • Qemu arm launcher example by @TeumessianFox in
    • Windows support for LLVM passes by @abgeana in
    • Mac OS Autotokens by @tokatoka
    • Raw API for full-system libafl_qemu by @andreafioraldi in

    Further Changes

    • Prelude module by @andreafioraldi in
    • Change StdWeightedScheduler API by @tokatoka in
    • Add HitcountsIterableMapObserver, rename AsMutIter to AsIterMut by @domenukk in
    • Updated requirements in &
    • Remove num_cpus dependency by @domenukk in
    • Deriving Clone for NopMonitor by @z2-2z in
    • add rustfmt.toml by @syheliel in


    • Update fuzzbench_weighted to EXPLORE, fix linking by @tokatoka in
    • Fix Autotokens by @tokatoka in
    • Fix SIGILL handling in libafl_qemu by @andreafioraldi in
    • Resize MapFeedbackMetadata with observer.initial() by @tokatoka in
    • Simd Fix by @tokatoka in
    • fix typo in by @zuypt in

    New Contributors

    • @zuypt made their first contribution in

    Full Changelog:

  • 0.8.0 (Jul 18, 2022)


    • Graphical TUI Monitor based on tui-rs (
    • Differential Fuzzing Support: Differential executor, diff feedback, stdio observers (
    • Grimoire structured fuzzing support (
    • LLVM AutoTokens (
    • Much simpler API for feedback states (
    • Switched all example fuzzers from Makefiles to cargo-make (
    • libafl::Error can generate Backtraces (
    • Refactored libafl Python (
    • [libafl_frida] Enabled ASan for Apple (
    • [libafl_qemu] snapshot fuzzing (
    • [libafl_qemu] custom GDB commands for LibAFL (

    Further Changes

    • Rework ShMem by @domenukk in
    • libfuzzer-like repro arguments for fuzzbench by @andreafioraldi in
    • Add AsSlice, AsMutSlice traits, refactor MapObservers to be iterable, and have associated types by @domenukk in
    • [libafl_qemu] map_fixed and mprotect target memory by @evanrichter in
    • AnyMap and owned collections of Observers and Stages by @andreafioraldi in
    • [libafl_qemu] simplify emu::{read,write}_mem by @evanrichter in
    • Expose more options to python qemu sugar by @epi052 in
    • [libafl_qemu] GuestAddr type by @evanrichter in
    • extend python forkserver api by @epi052 in
    • Add options parser by @epi052 in
    • Implement backtrace observers for crash dedupe by @yussf in
    • Builder for CommandExecutor & Tokens Refactoring by @domenukk in
    • Coverage accounting (BB metric atm) by @andreafioraldi in
    • Frida Runtime Tuples by @tokatoka in
    • frida-asan: Throw an exception on a failed new instead of just returning null by @s1341 in
    • libafl_cc: -fsanitize=fuzzer is an alias to --libafl by @andreafioraldi in
    • Non weak default sanitizers options functions by @andreafioraldi in
    • Set map observers initial value to T::default() on creation by @andreafioraldi in
    • Forkserver builder by @tokatoka in
    • Autodict forkserver by @tokatoka in
    • Github workflows frida build on windows by @tokatoka in
    • Initial support to Python bindings for the libafl crate by @faroukfaiz10 in
    • Walk the map observer using as_ref_iter() in the map feedback by @andreafioraldi in
    • libafl_qemu decouple hooks from the executor and QemuForkExecutor by @andreafioraldi in
    • [libafl_qemu] EasyElf::resolve_symbol return GuestAddr by @evanrichter in
    • Add signal option to forkserver_simple by @tklengyel in
    • Closure hooks and on thread create hook by @andreafioraldi in
    • afl_exec_sec feature to count executions per second in the same way as AFL (sliding window), disabled by default by @andreafioraldi in
    • Add function call level granularity for coverage accounting by @shouc in
    • Add probabilistic sampling corpus scheduler by @shouc in
    • Dump Control Flow Graph in AFLCoverage LLVM Pass by @shouc in
    • Weighted corpus entry selection by @tokatoka in
    • Set the number of stacked mutations in MOpt mutator by @tokatoka in
    • Powerschedule::RAND by @tokatoka in
    • Use ucontext from bolts::os::unix_signals for armv7 support by @pr0me in
    • Update clap by @tokatoka in
    • adding equivalent arm32 syscall for qemu snapshot by @elbiazo in
    • Cmplog New Pass Manager & LLVM 14 Fixes by @tokatoka in
    • Added autofix script by @domenukk in
    • Moved to no_std preamble by @domenukk in
    • Drop the build_id depedency and move to bolts by @andreafioraldi in
    • Make OutFile auto-remove refcounted on drop by @domenukk in
    • Windows-rs Update by @tokatoka in
    • Moved core_affinity to bolts by @domenukk in
    • Windows CI for frida by @tokatoka in
    • C forkserver logic in libafl_targets by @andreafioraldi in
    • Apple aarch64 fixes by @domenukk in
    • LIBAFL_DEBUG_OUTPUT in Launcher and OnDiskTOMLMonitor to create fuzzer_stats by @andreafioraldi in
    • Generating core ids based on the actual count of logical cores by @wizche in
    • CustomBuf Events to exchange any data between fuzzers by @domenukk in
    • New hooks for libafl_qemu by @andreafioraldi in
    • Extend weighted scheduler by @tokatoka in
    • TUI monitor no longer breaks the terminal if main thread panics by @TeumessianFox in

    New Contributors

    • @sagittarius-a made their first contribution in
    • @epi052 made their first contribution in
    • @yussf made their first contribution in
    • @tklengyel made their first contribution in
    • @shouc made their first contribution in
    • @syheliel made their first contribution in
    • @h1994st made their first contribution in
    • @WilliamParks made their first contribution in
    • @aoli-al made their first contribution in
    • @elbiazo made their first contribution in
    • @peamaeq made their first contribution in
    • @wizche made their first contribution in
    • @z2-2z made their first contribution in
    • @Scepticz made their first contribution in
    • @TeumessianFox made their first contribution in

    Full Changelog:

  • 0.7.1 (Jan 13, 2022)


    • a new libafl_qemu API for binary-only fuzzing
    • heaps of fixes for libafl_frida and better Windows support
    • MiMalloc allocator for speed and stability in examples
    • Less (!) generics
    • Message-passing fixes for aarch64

    What's Changed

    • Windows timeout fix with critical sections by @tokatoka in
    • Symcc submodule referencing a path by @domenukk in
    • Fix timeout type from u32 to i64 in windows TimeoutExecutor by @tokatoka in
    • Fix forkserver_simple clap issue by @tokatoka in
    • Fix Clap about() issue by @tokatoka in
    • Debug output for forkserver by @andreafioraldi in
    • Reworking example fuzzers to use Structopt instead of yaml, and introduced Cores API by @domenukk in
    • Fix makefile for frida_libpng by @domenukk in
    • Various fixes for CI by @domenukk in
    • Open the stdout-file once by @s1341 in
    • Use AddVectoredExceptionHandler to register exception handlers by @tokatoka in
    • Frida Refactor: Separate Frida other helper functions into each Runtime by @tokatoka in
    • Implement AflMap by @vanhauser-thc in
    • Frida shadow fix by @tokatoka in
    • Fix frida-mode for debug builds, ensure it will continue to work on release builds by @s1341 in
    • Other/User defined WIndows Exceptions by @tokatoka in
    • Refactor libafl_qemu creating the Emulator struct and post syscall hooks by @andreafioraldi in
    • Drcov remodelling by @domenukk in
    • DrCov Runtime by @tokatoka in
    • Implement max total allocation size for frida asan by @s1341 in
    • Fix strncmp hook to only check the length of the needle string by @s1341 in
    • [libafl_qemu] fix by @evanrichter in
    • Frida various fixes by @s1341 in
    • Use MiMalloc for fuzzbench fuzzer by @tokatoka in
    • Add errors for missing Docs, add Docs by @domenukk in
    • [libafl_qemu] prevent unneeded runs by @evanrichter in
    • Updated dependencies by @domenukk in
    • Derive debug for all structs in LibAFL by @domenukk in
    • Cpu atomics for LLMP by @domenukk in
    • [libafl_qemu] fix i386 Regs values by @evanrichter in
    • Various fixes related to frida mode by @s1341 in
    • Fix a typo in by @yerke in
    • Reorder type parameters in the correct order by @tokatoka in
    • Disable pita 🥙 compiler in debug mode by @domenukk in
    • Move to clap 3.0 by @domenukk in
    • Add OwnedSlice::RefRaw to keep track of raw pointers by @domenukk in
    • Reduce generics for various Has* traits by @evanrichter in
    • Use UserStats for Stability by @tokatoka in
    • Optional signal value to kill forked processes on timeout by @v-p-b in
    • Fix windows build by @tokatoka in
    • Asan fix by @tokatoka in
    • Add --libaf-no-link to libafl_cc by @andreafioraldi in
    • Shadow bit by @tokatoka in
    • Bump to 0.7.1 by @andreafioraldi in
    • Add --libafl arg in libafl_cc and enable it for fuzzbench by @andreafioraldi in
    • Bump libafl_frida to 0.7.1 by @andreafioraldi in
    • Bump libafl_sugar to 0.7.1 by @andreafioraldi in

    New Contributors

    • @yerke made their first contribution in
    • @v-p-b made their first contribution in

    Full Changelog:

  • 0.7.0 (Dec 9, 2021)

    What's Changed

    • process crash handler, dump registers on macos arm64 by @devnexen in
    • initial book entry for concolic by @julihoh in
    • renamed target_os macos to target_vendor apple by @domenukk in
    • Fix shmem on android by @s1341 in
    • Symcc runtime docsrs fix by @julihoh in
    • Build LibAFL Android in CI by @domenukk in
    • Refactor configurations with EventConfig by @andreafioraldi in
    • Token level fuzzing by @andreafioraldi in
    • openbsd port. by @devnexen in
    • Fix _LLMP_BIND_ADDR for Windows by @tokatoka in
    • Build id configuration in std by @andreafioraldi in
    • Use external, custom time function for no_std environments by @bitwave in
    • ShMem server race-condition fix for #276 by @domenukk in
    • Add core_id to launcher run_client closure signature by @s1341 in
    • PowerSchedule::COE fix by @tokatoka in
    • added write_file_atomic against ondisk corpus races by @domenukk in
    • armv7 support: add ucontext struct definition by @pr0me in
    • cbz, tbz, tbnz support for aarch64 cmplog by @domenukk in
    • Qemu as lib by @andreafioraldi in
    • WIP: added unfinished no_std docs by @bitwave in
    • Example how to build baby-fuzzer as push instead of pull, using Klo-routines by @domenukk in
    • Python basic bindings for sugar and qemu by @andreafioraldi in
    • Book refactoring and update by @andreafioraldi in
    • Fixed CI by ignoring python, resolved multiple warnings by @domenukk in
    • Fix default UBSan options and avoid timeouts in crash handler by @andreafioraldi in
    • Qemu new syscall hook and more python API by @andreafioraldi in
    • Still fixing CI by @domenukk in
    • Frida windows by @tokatoka in
    • Qemu Helpers and basic snapshotting by @andreafioraldi in
    • Allowlist and denylist for QEMU edges and cmps by @andreafioraldi in
    • Qemu partial instr fix by @andreafioraldi in
    • Qemu generic hooks by @andreafioraldi in
    • Python generic qemu hook by @andreafioraldi in
    • dumping process address maps on netbsd too by @devnexen in
    • fix tutorial fuzzer by @julihoh in
    • remove libafl_tests by @tokatoka in
    • concolic optional runtime by @julihoh in
    • init git submodule for symcc for symcc_runtime crate when publishing by @julihoh in
    • don't include all of libafl for symcc_runtime by default by @julihoh in
    • delayed checkout in ci by @domenukk in
    • add ability to trace location information in concolic tracer by @julihoh in
    • update packages related to concolic by @julihoh in
    • 32 bit arm regs by @domenukk in
    • update deps by @julihoh in
    • Fix Typo. by @intrigus-lgtm in
    • Error message in most likely case of using NONASAN and ASAN fuzzers using the same Fuzzer config by @marcinguy in
    • Gramatron by @andreafioraldi in
    • fixes for frida mode for win and checks in rust 1.56 by @domenukk in
    • fix concolic nofloat filter by @julihoh in
    • add support for aarch64 in libafl_qemu by @abgeana in
    • Minor doc fixes by @faroukfaiz10 in
    • Port gramatron preprocessing to Rust by @andreafioraldi in
    • Atheris example to fuzz Python Code by @domenukk in
    • Fix warnings for windows by @tokatoka in
    • Fix #344 by @tokatoka in
    • Upgrade to Rust 2021 Edition by @jamcleod in
    • MultiMapObserver and sancov 8bit-counters instrumentation by @andreafioraldi in
    • Fix double borrow mut in CachedOnDiskCorpus by @andreafioraldi in
    • Frida Address Sanitizer for x86_64 by @tokatoka in
    • Refcnt for MapIndexesMetadata by @andreafioraldi in
    • Fix the number of clients spawned by @tokatoka in
    • Minor readme improvement in frida_libpng fuzzer. by @expend20 in
    • Fix Numbering in Docs by @expend20 in
    • Fix cfgs for frida asan by @tokatoka in
    • Fork feature flag to disable fork in Launcher by @domenukk in
    • Bridge grammartec from Nautilus to libafl by @andreafioraldi in
    • Fix MaxReducer docstring by @eknoes in
    • remove unused const hashing mode by @domenukk in
    • Fixed potential unsoundness due to Rc threading for ShMemProvider by @domenukk in
    • Add minibsod by @s1341 in
    • Cmplog instrumentation by @OmreeBenari in
    • Launch every 100ms by @s1341 in
    • Fix cfg directives for frida-asan by @s1341 in
    • make dump_registers method public by @domenukk in
    • frida-asan: Support different names for the libc++ shared object when hooking by @s1341 in
    • Support suppression of hooked functions by @s1341 in
    • Mutational Push Stage by @domenukk in
    • implemented MapMaxPow2Feedback by @domenukk in
    • Renamed Stats to Monitors by @domenukk in
    • Fix staterestore by @tokatoka in
    • Disk sync by @andreafioraldi in
    • Reachability fuzzer fix by @tokatoka in
    • Fix api by @tokatoka in
    • Frida Refactor: Split FridaHelper into each Runtime by @tokatoka in
    • AddressSanitizer for libafl_qemu by @andreafioraldi in
    • Clippy fixes for main by @domenukk in
    • libafl_qemu cpu_target cfg by @andreafioraldi in
    • Delete "We're a client, let's fuzz :)" from lib by @tokatoka in
    • Push stage trait by @domenukk in
    • Frida Refactor: Frida executor by @tokatoka in
    • Cmplog instrumentation by @OmreeBenari in
    • InProcessHandlers by @andreafioraldi in
    • Qemu fixes and syscalls for every supported arch by @andreafioraldi in
    • Fix by @tokatoka in
    • More LLVM passes from AFL++ by @andreafioraldi in
    • dump_registers and write_crash for armv7 by @pr0me in
    • make map debuggable by @domenukk in
    • Ignored qemu fuzzer for non-linux by @domenukk in
    • better forkserver example by @tokatoka in
    • Frida_libpng document change by @tokatoka in
    • forkserver docus by @tokatoka in
    • Forkserver Example Fix by @tokatoka in
    • add set_timeout fn to TimeoutExecutor by @pr0me in
    • QEMU target arch selector via feature flag by @domenukk in
    • Implement unstable edge detection+ignore in calibration stage by @vanhauser-thc in

    New Contributors

    • @bitwave made their first contribution in
    • @pr0me made their first contribution in
    • @intrigus-lgtm made their first contribution in
    • @abgeana made their first contribution in
    • @faroukfaiz10 made their first contribution in
    • @jamcleod made their first contribution in
    • @expend20 made their first contribution in
    • @eknoes made their first contribution in

    Full Changelog:

  • 0.6.0 (Aug 20, 2021)

    • libafl_qemu with CmpLog, syscalls hooks and more
    • Refactor MOpt
    • CachedOnDiskCorpus to have an in-memory cache while saving testcases on disk
    • libafl_sugar with builder patterns to create common fuzzers
    • Concolic Tracing (libafl_concolic @julihoh GSOC 2021)
    • InProcessForkExecutor
    • ForkserverExecutor shared mem testcase
    • TimeoutExecutor for win32
    • AFLFast power schedules (@tokatoka GSOC 2021)
    • Fix shared memory on macOS
  • 0.5.0 (Jul 5, 2021)

    • LLVM passes support in libafl_cc
    • Support to routines arguments in CmpLog
    • We don't enforce serde on Observer anymore
    • MOpt stage and mutator (@tokatoka GSOC 2021)
    • Fix link issue when using the Libfuzzer layer and libafl_cc
    • Fix some macOS build issues
  • 0.4.0 (Jun 23, 2021)

    • CmpLog instructions instrumentation for SanCov and Frida
    • Naive Input-to-state mutator using the CmpLog metadata
    • Generalize InProcessExecutor to a generic Input trait
    • MultiStats stats display
    • TimeoutForkserverExecutor
    • Shadow Executor and Stage
    • Single threaded restartable EventManager
    • Configurations in EventManager
    • Remove HasExecHooks
    • Decouple broker from LlmpEventManager
    • New fuzzers: Generic libfuzzer, Fuzzbench
  • 0.3.0 (May 19, 2021)

  • 0.2.0 (May 6, 2021)

    • baby_fuzzer book chapter
    • LLMP TCP multi-machine
    • Conditional composition of Feedbacks
    • Allow lifetime in Observers
    • Reachability example and Feedback
  • 0.1.0 (Apr 30, 2021)
