Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...


LibAFL, the fuzzer library.


Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.

LibAFL is written and maintained by Andrea Fioraldi and Dominik Maier.

Why LibAFL?

LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable. Some highlight features currently include:

  • fast: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
  • scalable: Low Level Message Passing, LLMP for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.
  • adaptable: You can replace each part of LibAFL. For example, BytesInput is just one potential form of input: feel free to add an AST-based input for structured fuzzing, and more.
  • multi platform: LibAFL was confirmed to work on Windows, macOS, Linux, and Android on x86_64 and aarch64. LibAFL can be built in no_std mode to inject LibAFL into obscure targets like embedded devices and hypervisors.
  • bring your own target: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for source-based instrumentation. Of course it's easy to add custom instrumentation backends.


LibAFL is a collection of reusable pieces of fuzzers, written in Rust. It is fast, multi-platform, no_std compatible, and scales over cores and machines.

It offers a main crate, libafl, that provides the building blocks for custom fuzzers; libafl_targets, a library containing common code for target instrumentation; and libafl_cc, a library providing facilities to wrap compilers.
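To make the "slot it together" idea above concrete, here is an added, self-contained Rust example. It is not code from the LibAFL repository and not its API: the types below (Input, BytesInput, Mutator, Executor, InProcessExecutor, Feedback, MaxMapFeedback, StdFuzzer, the harness, MAP_SIZE and run_demo) are local stand-ins that only borrow LibAFL's vocabulary, the target is a hypothetical four-byte magic check, and the seed input is constructed for the example.

```rust
// Added example: toy counterparts of LibAFL's Input / Mutator / Executor / Feedback /
// Fuzzer roles composed into one coverage-guided loop. Not the libafl crate; every
// name below is a local stand-in that only borrows LibAFL's vocabulary.

pub const MAP_SIZE: usize = 8; // hypothetical coverage map size
/// xorshift64, so runs are reproducible from a seed.
pub struct Rng(u64);
impl Rng {
    pub fn new(seed: u64) -> Self { Rng(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed }) }
    pub fn next_u64(&mut self) -> u64 { let mut x = self.0; x ^= x << 13; x ^= x >> 7; x ^= x << 17; self.0 = x; x }
    pub fn below(&mut self, n: usize) -> usize { ((self.next_u64() >> 33) as usize) % n } // 0..n, high bits
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)] pub enum ExitKind { Ok, Crash }

/// Input role: BytesInput is one implementation; an AST input would implement the same trait.
pub trait Input: Clone { fn bytes(&self) -> &[u8]; }
#[derive(Clone, Debug, PartialEq, Eq)] pub struct BytesInput(pub Vec<u8>);
impl Input for BytesInput { fn bytes(&self) -> &[u8] { &self.0 } }

/// Mutator role: this one overwrites a single random byte.
pub trait Mutator<I: Input> { fn mutate(&mut self, input: &mut I, rng: &mut Rng); }
pub struct ByteSetMutator;
impl Mutator<BytesInput> for ByteSetMutator {
    fn mutate(&mut self, input: &mut BytesInput, rng: &mut Rng) {
        if input.0.is_empty() { return; }
        let pos = rng.below(input.0.len());
        input.0[pos] = rng.below(256) as u8;
    }
}

/// Executor role: runs the target once and fills the coverage map; this in-process variant calls the harness directly.
pub trait Executor<I: Input> { fn run_target(&mut self, input: &I, map: &mut [u8; MAP_SIZE]) -> ExitKind; }
pub struct InProcessExecutor<H>(pub H);
impl<I: Input, H: FnMut(&[u8], &mut [u8; MAP_SIZE]) -> ExitKind> Executor<I> for InProcessExecutor<H> {
    fn run_target(&mut self, input: &I, map: &mut [u8; MAP_SIZE]) -> ExitKind {
        *map = [0; MAP_SIZE];
        (self.0)(input.bytes(), map)
    }
}

/// Feedback role: interesting when any map slot exceeds the best value seen so far.
pub trait Feedback { fn is_interesting(&mut self, map: &[u8; MAP_SIZE]) -> bool; }
pub struct MaxMapFeedback { pub best: [u8; MAP_SIZE] }
impl Feedback for MaxMapFeedback {
    fn is_interesting(&mut self, map: &[u8; MAP_SIZE]) -> bool {
        let mut novel = false;
        for (best, &seen) in self.best.iter_mut().zip(map.iter()) {
            if seen > *best { *best = seen; novel = true; }
        }
        novel
    }
}

/// Fuzzer role: owns the pieces; swap any field for another impl of its trait, the loop stays the same.
pub struct StdFuzzer<E, M, F> { executor: E, mutator: M, feedback: F, corpus: Vec<BytesInput>, rng: Rng, map: [u8; MAP_SIZE] }
impl<E: Executor<BytesInput>, M: Mutator<BytesInput>, F: Feedback> StdFuzzer<E, M, F> {
    pub fn new(executor: E, mutator: M, feedback: F, seeds: Vec<BytesInput>, seed: u64) -> Self {
        let mut f = StdFuzzer { executor, mutator, feedback, corpus: Vec::new(), rng: Rng::new(seed), map: [0; MAP_SIZE] };
        for s in seeds { let _ = f.evaluate(s); } // seeds enter the corpus only if they add coverage
        f
    }
    /// Runs one input: returns it on crash, otherwise keeps it if the feedback says so.
    fn evaluate(&mut self, input: BytesInput) -> Option<BytesInput> {
        if self.executor.run_target(&input, &mut self.map) == ExitKind::Crash { return Some(input); }
        if self.feedback.is_interesting(&self.map) { self.corpus.push(input); }
        None
    }
    /// One iteration: random corpus pick (the scheduler), mutate, evaluate.
    pub fn fuzz_one(&mut self) -> Option<BytesInput> {
        if self.corpus.is_empty() { return None; }
        let idx = self.rng.below(self.corpus.len());
        let mut input = self.corpus[idx].clone();
        self.mutator.mutate(&mut input, &mut self.rng);
        self.evaluate(input)
    }
    pub fn fuzz_until_crash(&mut self, max_iters: usize) -> Option<BytesInput> { (0..max_iters).find_map(|_| self.fuzz_one()) }
}

/// Hypothetical target: four nested byte compares, one map slot each, then a deliberate "crash".
pub fn harness(input: &[u8], map: &mut [u8; MAP_SIZE]) -> ExitKind {
    map[0] = 1; // function entry
    for (i, &want) in b"FUZZ".iter().enumerate() {
        if input.get(i) != Some(&want) { return ExitKind::Ok; }
        map[i + 1] = 1; // one more compare passed
    }
    ExitKind::Crash
}

/// Wires the pieces together; returns the crashing bytes if found within the budget.
pub fn run_demo(seed: u64, max_iters: usize) -> Option<Vec<u8>> {
    let seeds = vec![BytesInput(b"aaaa".to_vec())]; // constructed seed input
    let mut fuzzer = StdFuzzer::new(InProcessExecutor(harness), ByteSetMutator, MaxMapFeedback { best: [0; MAP_SIZE] }, seeds, seed);
    fuzzer.fuzz_until_crash(max_iters).map(|input| input.0)
}

fn main() {
    println!("crash input: {:?}", run_demo(0x5EED, 1_000_000).map(|b| String::from_utf8_lossy(&b).into_owned()));
}
```

Each role is a trait, so replacing the byte mutator with a structure-aware one, or the in-process executor with one that drives a forkserver, means implementing that one trait; StdFuzzer's loop does not change. Running the file walks the four nested compares one byte at a time (each new comparison that passes raises a map slot and the input is kept) and prints the crashing input.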

LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:

Getting started

  1. Install the Rust development language. We highly recommend not to use e.g. your Linux distribution package, as this is likely outdated; rather install Rust directly, instructions can be found here.

  2. Clone the LibAFL repository with

git clone

  3. Build the library using

cargo build --release

  4. Build the API documentation with

cargo doc

  5. Browse the LibAFL book (WIP!) with (requires mdbook)

cd docs && mdbook serve

We collect all example fuzzers in ./fuzzers. Be sure to read their documentation (and source); this is the natural way to get started!

The best-tested fuzzer is ./fuzzers/libfuzzer_libpng, a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.



Check the file for features that we plan to support.

For bugs, feel free to open issues or contact us directly. Thank you for your support. <3

Even though we will gladly assist you in finishing up your PR, try to

  • use stable Rust
  • run cargo fmt on your code before pushing
  • check the output of cargo clippy --all or ./
  • run cargo build --no-default-features to check for no_std compatibility (and possibly add #[cfg(feature = "std")] to hide parts of your code).

Some of the parts in this list may be hard, don't be afraid to open a PR if you cannot fix them by yourself, so we can help.
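As an added example of the last checklist item (not LibAFL's own code), the following Rust shows the shape a no_std-friendly component takes: the hypothetical HitcountMap uses only core, and the one function that touches the filesystem is gated behind a std feature, so a build with --no-default-features still compiles it. A real crate would pair this with #![cfg_attr(not(feature = "std"), no_std)] at its root; that attribute is left out here so the file runs as a plain binary. The AFL-style hit-count bucketing it implements is standard fuzzing practice and is not a description of LibAFL's own observer internals; the edge ids in main are constructed sample data.

```rust
// Added example (not LibAFL code): a component written against `core` only, with the
// OS-dependent part behind a `std` feature, so `cargo build --no-default-features`
// still builds it. A real crate adds `#![cfg_attr(not(feature = "std"), no_std)]`
// at its root; omitted here so this file runs as a normal binary.

/// Fixed-size hit-count coverage map: no heap, no OS, just `core`.
pub struct HitcountMap<const N: usize> {
    counts: [u8; N],
}

impl<const N: usize> HitcountMap<N> {
    pub const fn new() -> Self {
        HitcountMap { counts: [0; N] }
    }

    /// Record one hit of edge `id` (wrapped into the map), saturating at 255.
    pub fn hit(&mut self, id: usize) {
        let slot = &mut self.counts[id % N];
        *slot = slot.saturating_add(1);
    }

    pub fn reset(&mut self) {
        self.counts = [0; N];
    }

    /// Number of map slots touched at least once.
    pub fn covered(&self) -> usize {
        self.counts.iter().filter(|&&c| c != 0).count()
    }

    /// AFL's count classes: collapse raw hit counts into power-of-two buckets so
    /// that a loop running 5 vs 6 times is not reported as new coverage.
    pub fn bucket(count: u8) -> u8 {
        match count {
            0 => 0,
            1 => 1,
            2 => 2,
            3 => 4,
            4..=7 => 8,
            8..=15 => 16,
            16..=31 => 32,
            32..=127 => 64,
            _ => 128,
        }
    }

    pub fn bucketed(&self) -> [u8; N] {
        let mut out = [0u8; N];
        for (o, &c) in out.iter_mut().zip(self.counts.iter()) {
            *o = Self::bucket(c);
        }
        out
    }
}

/// Needs the operating system, so it only exists with the `std` feature;
/// without it the component still builds for no_std targets.
#[cfg(feature = "std")]
impl<const N: usize> HitcountMap<N> {
    pub fn dump_to(&self, path: &std::path::Path) -> std::io::Result<()> {
        std::fs::write(path, &self.counts)
    }
}

/// True when two traces (lists of edge ids) yield the same bucketed coverage.
pub fn same_bucketed_coverage(a_hits: &[usize], b_hits: &[usize]) -> bool {
    let mut a = HitcountMap::<64>::new();
    let mut b = HitcountMap::<64>::new();
    for &h in a_hits { a.hit(h); }
    for &h in b_hits { b.hit(h); }
    a.bucketed() == b.bucketed()
}

fn main() {
    // Constructed traces: edge 7 hit 5 times vs 6 times (same bucket), edge 9 once in both.
    let run_a = [7, 7, 7, 7, 7, 9];
    let run_b = [7, 7, 7, 7, 7, 7, 9];
    println!("same bucketed coverage: {}", same_bucketed_coverage(&run_a, &run_b));
}
```

With the feature absent the std-only impl block simply does not exist, which is exactly what the --no-default-features check exercises; everything the fuzzing loop needs stays in the core-only part.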


Licensed under either of Apache License, Version 2.0 or MIT license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
  • Test fuzzers

    I've made scripts for 6 fuzzers in fuzzer/ (excluding baby, generic, frida, fuzzbench) that can test the build for each, so that we can tell if something is going wrong in CI. Yes, they are bash scripts; the platform-independent workaround is a TODO.

    What do you think 🤗?

    opened by tokatoka 45
  • Frida Address Sanitizer for x86_64

    Still WIP, but I just thought CI would help, so I put it here as a draft PR.

    • TODOs
    • [x] handle_trap for amd64
    • [x] the speed issue of hook_func
    • [x] blob_report for amd64
    • [x] Get merged, this repo extends frida-rust for some missing instructions on amd64 (PR submitted)
    opened by tokatoka 39
  • Google Summer of Code

    Welcome Students :)

    This is libAFL, our new fuzzing library. It's not public just yet, but will be opened up soon! Take a look around in the code base, look at the TODOs and issues if you already feel like coding, and feel free to post any questions in this issue or open your own issues.

    In case anybody wants to open a PR, talk to @andreafioraldi or me.

    opened by domenukk 29
  • LLVM AutoTokens

    This PR implements LLVM autodict, based on Andrea's autodict branch and AFL++'s implementation.

    I decided not to use the new PM because it just does not work :/ (not sure why). Instead of writing to a file, the LLVM pass puts the tokens into a section named "libafl_dict", and from the Rust side we retrieve the pointer to the start of the section and parse it.

    opened by tokatoka 27
  • [READY] Add options parser

    There's probably a few things that could be added still, remote_broker_port, cmplog, asan, and a few others come to mind. I'll poke around and get this to where it covers most options, but wanted to open it up for comments sooner rather than later.

    opened by epi052 25
  • Windows Inprocess Fuzzing + Asan does not work

    Describe the bug LibAFL on MSVC is marking discovered crashes as fuzzer crashes instead of target crashes.

    To Reproduce Steps to reproduce the behavior:

    1. Download the included project file
    2. Open it with your MSVC developer powershell
    3. run ./build_libafl.ps1 - optionally changing the position of sancov.lib within
    4. cd fuzzer_rust
    5. cargo run - you should get a crash marked as occurring outside of the target

    Expected behavior The crash should be classified as occurring inside the target

    Screen output/Screenshots image

    Additional context

    Note Changing the VEH installed at from 1 to 0 seemed to fix the problem here, but I'm not sure if this may have broken anything else / things in other scenarios.

    bug help wanted 
    opened by Ben-Lichtman 23
  • libafl_cc fixes for windows

    This PR includes changes that enable LibAFL's optimization passes on Windows. I think this is not perfect, but could be used as a start.

    In order to get these running, one has to:

    • Compile LLVM (tested with version 14.0.6) in order to get llvm-config.exe which is not distributed in the Windows package. I used the following commands
    mkdir build; cd build
    cmake -G "Visual Studio 17 2022" -A x64             `
        -DLLVM_ENABLE_PROJECTS="clang;compiler-rt;lld"  `
        -DLLVM_TARGETS_TO_BUILD=X86 -Thost=x64
    cmake --build . --config Release
    • Link the rust code against the static runtime libraries by setting the following environment variable
    $env:RUSTFLAGS='-C target-feature=+crt-static'; cargo build --release

    I made a Dockerfile to build a Windows container here which install the various dependencies required to set things up. I also wrote down some extended notes here.

    There is currently a problem that I am still trying to figure out. If I compile stuff with the libafl_cc wrapper and with -fsanitize=address, there is an ACCESS VIOLATION triggered before the target is even started. This gist might be related.

    opened by abgeana 23
  • Handling/Warning for OOM

    Hey I just played a little bit with this library and tried to fuzz libcue.

    After some time the client just spams this message over and over:

    thread 'main' panicked at 'Allocated new message without calling send() inbetween. ret: 0x7f01465ad030, page: 0x7f01465ad000, complete_msg_size: 48, size_used: 1736144, last_msg: 0x0', /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
    stack backtrace:
       0: rust_begin_unwind
                 at /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/
       1: std::panicking::begin_panic_fmt
                 at /rustc/cb75ad5db02783e8b0222fee363c5f63f7e2cf5b/library/std/src/
       2: libafl::bolts::llmp::LlmpSender<SH>::alloc_next_if_space
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       3: libafl::bolts::llmp::LlmpSender<SH>::alloc_next
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       4: libafl::bolts::llmp::LlmpSender<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       5: libafl::bolts::llmp::LlmpClient<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       6: libafl::bolts::llmp::LlmpConnection<SH>::send_buf
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/bolts/
       7: <libafl::events::llmp::LlmpEventManager<I,S,SH,ST> as libafl::events::EventManager<I,S>>::fire
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/events/
       8: <libafl::events::llmp::LlmpRestartingEventManager<I,S,SH,ST> as libafl::events::EventManager<I,S>>::fire
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/events/
       9: libafl::state::State<C,FT,libafl::inputs::bytes::BytesInput,OFT,R,SC>::load_initial_inputs
                 at /home/max/projects/fuzzing/LibAFL/libafl/src/state/
      10: libfuzzer_libcue::fuzz
                 at ./src/
      11: libfuzzer_libcue::main
                 at ./src/
      12: core::ops::function::FnOnce::call_once
                 at /home/max/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
    [libafl/src/events/] "Spawning next client (id {})" = "Spawning next client (id {})"
    [libafl/src/events/] ctr = 1337
    We're a client, let's fuzz :)
    First run. Let's set it all up
    We're a client, let's fuzz :)
    Loading file "./corpus/test.cue" ...

    My fuzzer is identical to that of the libpng example. Only the build and harness script is different. If you need the code then I can upload it somewhere as ZIP as forking is disabled and I can not create branches.

    opened by maxammann 23
  • ForkserverExecutor



    Only the ForkserverExecutor, still WIP TODO:

    • [x] use Pipe made by Dominik.
    • [x] We need to check if the execution has crashed
    • [x] We might want to allocate the shared memory (calling StdShMemProvider::new()) outside the Executor, because the Observer needs that address.
    • [x] Add an example that uses ForkserverExecutor
    opened by tokatoka 22
  • Use Unix timer_* API instead of setitimer

    Currently, to set and reset timeouts in the TimeoutExecutor the setitimer FFI is used. The function is not exposed in libc:: and is hence linked in via extern "C", required structs are defined manually in LibAFL.

    As these do not seem to account for different layouts/ pointer sizes, the call fails under armv7 and no alarm is being set (also cf. this).

    While working on this issue, I decided to use the newer timer API (timer_create, timer_settime), as setitimer is marked obsolete.

    As this requires global access to a timer_id struct, e.g., in order to disarm timers in the crash handler, a new trait was introduced for Executors, also streamlining the clock reset between Unix and Windows.

    Feedback is welcome.

    opened by pr0me 21
  • InProcessForkExecutor


    ATM these two Executors are missing:

    • ForkserverExecutor must be an AFL-like forkserver executor; I guess we can borrow code from Angora
    • InProcessForkExecutor is a version of InProcessExecutor that forks before calling the harness. In this case, LibAFL must still be embedded into the target and we avoid controlling the target via a pipe, but then we still need a harness and cannot fuzz binaries compiled with afl-cc
    enhancement good first issue 
    opened by andreafioraldi 20
  • Memory leak in qemu_fullsystem mode


    1. You have verified that the issue is present in the current main branch

    Thank you for making LibAFL better!

    Describe the bug: It looks like qemu fullsystem mode does not let go of memory, maxing out RAM usage.

    To Reproduce: Steps to reproduce the behavior:

    1. run qemu_fullsystem example from fuzzer directory
    2. wait few minutes.

    Expected behavior: It does not use all of my memory.

    Screen output/Screenshots: Screenshot from 2023-01-06 13-20-39, Screenshot from 2023-01-06 13-21-09

    opened by elbiazo 0
  • fixing linking issue on qemu build

    Trying to run the qemu_systemmode example and the qemu_arm example, I received the linker error shown below. The odd thing is I tried it on 6 different machines and it worked on 3 of them while on the other 3 it didn't.

    Screenshot from 2023-01-06 10-09-45

    opened by elbiazo 1
  • Create an `on_crash` callback in QemuHooks

    QemuHooks should expose an API for calling a method only when certain conditions occur, such as a crash.

    This would be useful, for example, when using QemuCallTraceHelper to collect traces only when a crash has occurred (as opposed to every exec). This particular use case implies re-running the target when a crash is found, so perhaps it could be implemented as a Stage with access to QemuHooks.

    opened by dlmarrero 0
  • Use Metadata to store QemuCallTracerHelper callstack

    Currently, QemuCallTracerHelper stores its callstack values inside of the struct. This makes the data difficult to access post-execution. Like other QemuHelpers, a Metadata instance should be stored in State and used to collect call addresses. This would enable post-processing in Observers and Feedbacks.

    opened by dlmarrero 0
  • Full libfuzzer shimming (for cargo-fuzz libfuzzer alternative and other use cases)

    Seeing as how libfuzzer has entered maintenance mode, we should provide a full libfuzzer alternative which stays up to date with modern fuzzing standards.

    To this end, this PR seeks to offer libafl_libfuzzer, a full drop-in replacement for libfuzzer with support for the most common flags and sancov settings. Specifically, all of the things supported by cargo-fuzz. We can provide this shim to cargo-fuzz via environmental variable in libfuzzer-sys or, in the future, an init flag in cargo-fuzz itself.

    We need to implement corpus merging (fairly straightforward with IndexesLenTimeMinimizingScheduler or cmin), crash minification (doable with tmin + InProcessForkExecutor), and a basic fuzzing runtime (optionally with dict support). cargo-fuzz uses many of the available sancov features, so we need some additional support for __san*cov items. As of writing, we have the following undefined references:

    $ cargo fuzz build -s none |& grep -Eo "undefined reference to.*'" | sort -u 
    undefined reference to `LLVMFuzzerMutate'
    undefined reference to `__sancov_lowest_stack'
    undefined reference to `__sanitizer_cov_pcs_init'
    undefined reference to `__sanitizer_cov_trace_pc_indir'

    I'm unfamiliar with __san*cov features, so I could use some help in developing that support.

    I think this would be a good addition to the 0.9 release as well.

    opened by VTCAKAVSMoACE 4
  • 0.8.2(Oct 12, 2022)


    • NYX bridge with LibAFL with libafl_nyx by @syheliel
    • JSON logging monitor by @eknoes
    • Testcase and corpus minimizers by @VTCAKAVSMoACE
    • TimeoutInprocessForkExecutor by @tokatoka
    • Builds on various *nix operating systems by @devnexen

    What's Changed

    • New Pass Manager Arguments in
    • Core affinity implementation for freebsd by @devnexen in
    • NYX Executor (GSoC '22) by @syheliel in
    • OSX force_load option in
    • Add continuous JSON Logging monitor by @eknoes in
    • Netopenbsd build fix by @devnexen in
    • follow-up on netbsd build fix, simplification. by @devnexen in
    • Add test case minimising stage by @VTCAKAVSMoACE in
    • Implement a corpus minimiser by @VTCAKAVSMoACE in
    • Skippable stage, generator wrapper for Grimoire in
    • MapFeedback: Adding support for with_name() by @TeumessianFox in
    • dragonflybsd build fix for core affinity. by @devnexen in
    • CI for FreeBSD in
    • core affinity for FreeBSD pinning task to the wanted cpu by @devnexen in
    • Do not zero-init struct in QEMU in
    • adjust NyxExecutor trait bound to HasTargetBytes from HasBytesVec by @tcheinen in
    • libafl_frida ASan hook adding apple's memset_pattern* api. by @devnexen in
    • frida follow up on previous change for apple. by @devnexen in
    • Add track_stability option to CalibrationStage in
    • Dump registers on freebsd amd64 by @devnexen in
    • Builds on Illumos, by @devnexen in
    • reduces warnings when only version output is asked. by @devnexen in
    • Extend gramatron recursive mutator to recurse 5 times in
    • Dump registers on NetBSD amd64 by @devnexen in
    • Add support for ARMBE8 by @WorksButNotTested in
    • Dump reg for openbsd by @devnexen in
    • Windows gdiplus by @expend20 in &
    • Remove clang download from windows CI by @expend20 in
    • write_crash netbsd implementation by @devnexen in
    • bolts::cpu::read_time_counter on arm64 by @devnexen in
    • Add ability to use virtual dispatch to stagesTuple by @radl97 in
    • Adding CPSR register for arm qemu emulation by @TeumessianFox in
    • Enable additional rustc errors in test only in
    • Adding fork feature passing from libafl_qemu to libafl crate by @TeumessianFox in
    • Hide prelude behind feature flag in
    • TimeoutInprocessForkExecutor in
    • Fixes typo and grammar in doc by @Emauz in
    • Minor changes for linux without fork feature by @TeumessianFox in
    • Hook IsProcessorFeaturePresent to crash with STATUS_STACK_BUFFER_OVERRUN exception by @expend20 in
    • Added Hacking TMNF blogpost to Resources in
    • Moving to named parameters in format strings in


    • Unbreak tui with 1 client by @nicklangsysdig in
    • Fix autotokens doc in
    • Fix spelling error by @AidenRHall in
    • Fix documentation error by @Lancern in
    • Add doc for nyx by @syheliel in
    • Fix cargo doc failed on windows by @SpaceWhite in
    • Fix forkserver options in
    • Stability improvements in
    • Fix len miscalculation in grimoire string replace in
    • Disable ObserversOwnedMap due to new Rust error in
    • Fix FreeBSD CI in
    • Backport AFL++ issue #1548 in
    • Various Doc and CI fixes by @andreafioraldi, @tokatoka, @domenukk, @thebendavis, @Emauz

    New Contributors

    • @nicklangsysdig made their first contribution in
    • @AidenRHall made their first contribution in
    • @Lancern made their first contribution in
    • @VTCAKAVSMoACE made their first contribution in
    • @tcheinen made their first contribution in
    • @SpaceWhite made their first contribution in
    • @WorksButNotTested made their first contribution in
    • @thebendavis made their first contribution in
    • @radl97 made their first contribution in
    • @Emauz made their first contribution in

  • 0.8.1(Aug 18, 2022)


    • Qemu arm launcher example by @TeumessianFox in
    • Windows support for LLVM passes by @abgeana in
    • Mac OS Autotokens by @tokatoka
    • Raw API for full-system libafl_qemu by @andreafioraldi in

    Further Changes

    • Prelude module by @andreafioraldi in
    • Change StdWeightedScheduler API by @tokatoka in
    • Add HitcountsIterableMapObserver, rename AsMutIter to AsIterMut by @domenukk in
    • Updated requirements in &
    • Remove num_cpus dependency by @domenukk in
    • Deriving Clone for NopMonitor by @z2-2z in
    • add rustfmt.toml by @syheliel in


    • Update fuzzbench_weighted to EXPLORE, fix linking by @tokatoka in
    • Fix Autotokens by @tokatoka in
    • Fix SIGILL handling in libafl_qemu by @andreafioraldi in
    • Resize MapFeedbackMetadata with observer.initial() by @tokatoka in
    • Simd Fix by @tokatoka in
    • fix typo in by @zuypt in

    New Contributors

    • @zuypt made their first contribution in

  • 0.8.0(Jul 18, 2022)


    • Graphical TUI Monitor based on tui-rs (
    • Differential Fuzzing Support: Differential executor, diff feedback, stdio observers (
    • Grimoire structured fuzzing support (
    • LLVM AutoTokens (
    • Much simpler API for feedback states (
    • Switched all example fuzzers from Makefiles to cargo-make (
    • libafl::Error can generate Backtraces (
    • Refactored libafl Python (
    • [libafl_frida] Enabled ASan for Apple (
    • [libafl_qemu] snapshot fuzzing (
    • [libafl_qemu] custom GDB commands for LibAFL (

    Further Changes

    • Rework ShMem by @domenukk in
    • libfuzzer-like repro arguments for fuzzbench by @andreafioraldi in
    • Add AsSlice, AsMutSlice traits, refactor MapObservers to be iterable, and have associated types by @domenukk in
    • [libafl_qemu] map_fixed and mprotect target memory by @evanrichter in
    • AnyMap and owned collections of Observers and Stages by @andreafioraldi in
    • [libafl_qemu] simplify emu::{read,write}_mem by @evanrichter in
    • Expose more options to python qemu sugar by @epi052 in
    • [libafl_qemu] GuestAddr type by @evanrichter in
    • extend python forkserver api by @epi052 in
    • Add options parser by @epi052 in
    • Implement backtrace observers for crash dedupe by @yussf in
    • Builder for CommandExecutor & Tokens Refactoring by @domenukk in
    • Coverage accounting (BB metric atm) by @andreafioraldi in
    • Frida Runtime Tuples by @tokatoka in
    • frida-asan: Throw an exception on a failed new instead of just returning null by @s1341 in
    • libafl_cc: -fsanitize=fuzzer is an alias to --libafl by @andreafioraldi in
    • Non weak default sanitizers options functions by @andreafioraldi in
    • Set map observers initial value to T::default() on creation by @andreafioraldi in
    • Forkserver builder by @tokatoka in
    • Autodict forkserver by @tokatoka in
    • Github workflows frida build on windows by @tokatoka in
    • Initial support to Python bindings for the libafl crate by @faroukfaiz10 in
    • Walk the map observer using as_ref_iter() in the map feedback by @andreafioraldi in
    • libafl_qemu decouple hooks from the executor and QemuForkExecutor by @andreafioraldi in
    • [libafl_qemu] EasyElf::resolve_symbol return GuestAddr by @evanrichter in
    • Add signal option to forkserver_simple by @tklengyel in
    • Closure hooks and on thread create hook by @andreafioraldi in
    • afl_exec_sec feature to count executions per second in the same way as AFL (sliding window), disabled by default by @andreafioraldi in
    • Add function call level granularity for coverage accounting by @shouc in
    • Add probabilistic sampling corpus scheduler by @shouc in
    • Dump Control Flow Graph in AFLCoverage LLVM Pass by @shouc in
    • Weighted corpus entry selection by @tokatoka in
    • Set the number of stacked mutations in MOpt mutator by @tokatoka in
    • Powerschedule::RAND by @tokatoka in
    • Use ucontext from bolts::os::unix_signals for armv7 support by @pr0me in
    • Update clap by @tokatoka in
    • adding equivalent arm32 syscall for qemu snapshot by @elbiazo in
    • Cmplog New Pass Manager & LLVM 14 Fixes by @tokatoka in
    • Added autofix script by @domenukk in
    • Moved to no_std preamble by @domenukk in
    • Drop the build_id dependency and move to bolts by @andreafioraldi in
    • Make OutFile auto-remove refcounted on drop by @domenukk in
    • Windows-rs Update by @tokatoka in
    • Moved core_affinity to bolts by @domenukk in
    • Windows CI for frida by @tokatoka in
    • C forkserver logic in libafl_targets by @andreafioraldi in
    • Apple aarch64 fixes by @domenukk in
    • LIBAFL_DEBUG_OUTPUT in Launcher and OnDiskTOMLMonitor to create fuzzer_stats by @andreafioraldi in
    • Generating core ids based on the actual count of logical cores by @wizche in
    • CustomBuf Events to exchange any data between fuzzers by @domenukk in
    • New hooks for libafl_qemu by @andreafioraldi in
    • Extend weighted scheduler by @tokatoka in
    • TUI monitor no longer breaks the terminal if main thread panics by @TeumessianFox in

    New Contributors

    • @sagittarius-a made their first contribution in
    • @epi052 made their first contribution in
    • @yussf made their first contribution in
    • @tklengyel made their first contribution in
    • @shouc made their first contribution in
    • @syheliel made their first contribution in
    • @h1994st made their first contribution in
    • @WilliamParks made their first contribution in
    • @aoli-al made their first contribution in
    • @elbiazo made their first contribution in
    • @peamaeq made their first contribution in
    • @wizche made their first contribution in
    • @z2-2z made their first contribution in
    • @Scepticz made their first contribution in
    • @TeumessianFox made their first contribution in

  • 0.7.1(Jan 13, 2022)


    • a new libafl_qemu API for binary-only fuzzing
    • heaps of fixes for libafl_frida and better Windows support
    • MiMalloc allocator for speed and stability in examples
    • Less (!) generics
    • Message-passing fixes for aarch64

    What's Changed

    • Windows timeout fix with critical sections by @tokatoka in
    • Symcc submodule referencing a path by @domenukk in
    • Fix timeout type from u32 to i64 in windows TimeoutExecutor by @tokatoka in
    • Fix forkserver_simple clap issue by @tokatoka in
    • Fix Clap about() issue by @tokatoka in
    • Debug output for forkserver by @andreafioraldi in
    • Reworking example fuzzers to use Structopt instead of yaml, and introduced Cores API by @domenukk in
    • Fix makefile for frida_libpng by @domenukk in
    • Various fixes for CI by @domenukk in
    • Open the stdout-file once by @s1341 in
    • Use AddVectoredExceptionHandler to register exception handlers by @tokatoka in
    • Frida Refactor: Separate Frida other helper functions into each Runtime by @tokatoka in
    • Implement AflMap by @vanhauser-thc in
    • Frida shadow fix by @tokatoka in
    • Fix frida-mode for debug builds, ensure it will continue to work on release builds by @s1341 in
    • Other/User defined Windows Exceptions by @tokatoka in
    • Refactor libafl_qemu creating the Emulator struct and post syscall hooks by @andreafioraldi in
    • Drcov remodelling by @domenukk in
    • DrCov Runtime by @tokatoka in
    • Implement max total allocation size for frida asan by @s1341 in
    • Fix strncmp hook to only check the length of the needle string by @s1341 in
    • [libafl_qemu] fix by @evanrichter in
    • Frida various fixes by @s1341 in
    • Use MiMalloc for fuzzbench fuzzer by @tokatoka in
    • Add errors for missing Docs, add Docs by @domenukk in
    • [libafl_qemu] prevent unneeded runs by @evanrichter in
    • Updated dependencies by @domenukk in
    • Derive debug for all structs in LibAFL by @domenukk in
    • Cpu atomics for LLMP by @domenukk in
    • [libafl_qemu] fix i386 Regs values by @evanrichter in
    • Various fixes related to frida mode by @s1341 in
    • Fix a typo in by @yerke in
    • Reorder type parameters in the correct order by @tokatoka in
    • Disable pita 🥙 compiler in debug mode by @domenukk in
    • Move to clap 3.0 by @domenukk in
    • Add OwnedSlice::RefRaw to keep track of raw pointers by @domenukk in
    • Reduce generics for various Has* traits by @evanrichter in
    • Use UserStats for Stability by @tokatoka in
    • Optional signal value to kill forked processes on timeout by @v-p-b in
    • Fix windows build by @tokatoka in
    • Asan fix by @tokatoka in
    • Add --libaf-no-link to libafl_cc by @andreafioraldi in
    • Shadow bit by @tokatoka in
    • Bump to 0.7.1 by @andreafioraldi in
    • Add --libafl arg in libafl_cc and enable it for fuzzbench by @andreafioraldi in
    • Bump libafl_frida to 0.7.1 by @andreafioraldi in
    • Bump libafl_sugar to 0.7.1 by @andreafioraldi in

    New Contributors

    • @yerke made their first contribution in
    • @v-p-b made their first contribution in

  • 0.7.0(Dec 9, 2021)

    What's Changed

    • process crash handler, dump registers on macos arm64 by @devnexen in
    • initial book entry for concolic by @julihoh in
    • renamed target_os macos to target_vendor apple by @domenukk in
    • Fix shmem on android by @s1341 in
    • Symcc runtime docsrs fix by @julihoh in
    • Build LibAFL Android in CI by @domenukk in
    • Refactor configurations with EventConfig by @andreafioraldi in
    • Token level fuzzing by @andreafioraldi in
    • openbsd port. by @devnexen in
    • Fix _LLMP_BIND_ADDR for Windows by @tokatoka in
    • Build id configuration in std by @andreafioraldi in
    • Use external, custom time function for no_std environments by @bitwave in
    • ShMem server race-condition fix for #276 by @domenukk in
    • Add core_id to launcher run_client closure signature by @s1341 in
    • PowerSchedule::COE fix by @tokatoka in
    • added write_file_atomic against ondisk corpus races by @domenukk in
    • armv7 support: add ucontext struct definition by @pr0me in
    • cbz, tbz, tbnz support for aarch64 cmplog by @domenukk in
    • Qemu as lib by @andreafioraldi in
    • WIP: added unfinished no_std docs by @bitwave in
    • Example how to build baby-fuzzer as push instead of pull, using Klo-routines by @domenukk in
    • Python basic bindings for sugar and qemu by @andreafioraldi in
    • Book refactoring and update by @andreafioraldi in
    • Fixed CI by ignoring python, resolved multiple warnings by @domenukk in
    • Fix default UBSan options and avoid timeouts in crash handler by @andreafioraldi in
    • Qemu new syscall hook and more python API by @andreafioraldi in
    • Still fixing CI by @domenukk in
    • Frida windows by @tokatoka in
    • Qemu Helpers and basic snapshotting by @andreafioraldi in
    • Allowlist and denylist for QEMU edges and cmps by @andreafioraldi in
    • Qemu partial instr fix by @andreafioraldi in
    • Qemu generic hooks by @andreafioraldi in
    • Python generic qemu hook by @andreafioraldi in
    • dumping process address maps on netbsd too by @devnexen in
    • fix tutorial fuzzer by @julihoh in
    • remove libafl_tests by @tokatoka in
    • concolic optional runtime by @julihoh in
    • init git submodule for symcc for symcc_runtime crate when publishing by @julihoh in
    • don't include all of libafl for symcc_runtime by default by @julihoh in
    • delayed checkout in ci by @domenukk in
    • add ability to trace location information in concolic tracer by @julihoh in
    • update packages related to concolic by @julihoh in
    • 32 bit arm regs by @domenukk in
    • update deps by @julihoh in
    • Fix Typo. by @intrigus-lgtm in
    • Error message in most likely case of using NONASAN and ASAN fuzzers using the same Fuzzer config by @marcinguy in
    • Gramatron by @andreafioraldi in
    • fixes for frida mode for win and checks in rust 1.56 by @domenukk in
    • fix concolic nofloat filter by @julihoh in
    • add support for aarch64 in libafl_qemu by @abgeana in
    • Minor doc fixes by @faroukfaiz10 in
    • Port gramatron preprocessing to Rust by @andreafioraldi in
    • Atheris example to fuzz Python Code by @domenukk in
    • Fix warnings for windows by @tokatoka in
    • Fix #344 by @tokatoka in
    • Upgrade to Rust 2021 Edition by @jamcleod in
    • MultiMapObserver and sancov 8bit-counters instrumentation by @andreafioraldi in
    • Fix double borrow mut in CachedOnDiskCorpus by @andreafioraldi in
    • Frida Address Sanitizer for x86_64 by @tokatoka in
    • Refcnt for MapIndexesMetadata by @andreafioraldi in
    • Fix the number of clients spawned by @tokatoka in
    • Minor readme improvement in frida_libpng fuzzer. by @expend20 in
    • Fix Numbering in Docs by @expend20 in
    • Fix cfgs for frida asan by @tokatoka in
    • Fork feature flag to disable fork in Launcher by @domenukk in
    • Bridge grammartec from Nautilus to libafl by @andreafioraldi in
    • Fix MaxReducer docstring by @eknoes in
    • remove unused const hashing mode by @domenukk in
    • Fixed potential unsoundness due to Rc threading for ShMemProvider by @domenukk in
    • Add minibsod by @s1341 in
    • Cmplog instrumentation by @OmreeBenari in
    • Launch every 100ms by @s1341 in
    • Fix cfg directives for frida-asan by @s1341 in
    • make dump_registers method public by @domenukk in
    • frida-asan: Support different names for the libc++ shared object when hooking by @s1341 in
    • Support suppression of hooked functions by @s1341 in
    • Mutational Push Stage by @domenukk in
    • implemented MapMaxPow2Feedback by @domenukk in
    • Renamed Stats to Monitors by @domenukk in
    • Fix staterestore by @tokatoka in
    • Disk sync by @andreafioraldi in
    • Reachability fuzzer fix by @tokatoka in
    • Fix api by @tokatoka in
    • Frida Refactor: Split FridaHelper into each Runtime by @tokatoka in
    • AddressSanitizer for libafl_qemu by @andreafioraldi in
    • Clippy fixes for main by @domenukk in
    • libafl_qemu cpu_target cfg by @andreafioraldi in
    • Delete "We're a client, let's fuzz :)" from lib by @tokatoka in
    • Push stage trait by @domenukk in
    • Frida Refactor: Frida executor by @tokatoka in
    • Cmplog instrumentation by @OmreeBenari in
    • InProcessHandlers by @andreafioraldi in
    • Qemu fixes and syscalls for every supported arch by @andreafioraldi in
    • Fix by @tokatoka in
    • More LLVM passes from AFL++ by @andreafioraldi in
    • dump_registers and write_crash for armv7 by @pr0me in
    • make map debuggable by @domenukk in
    • Ignored qemu fuzzer for non-linux by @domenukk in
    • better forkserver example by @tokatoka in
    • Frida_libpng document change by @tokatoka in
    • forkserver docs by @tokatoka in
    • Forkserver Example Fix by @tokatoka in
    • add set_timeout fn to TimeoutExecutor by @pr0me in
    • QEMU target arch selector via feature flag by @domenukk in
    • Implement unstable edge detection+ignore in calibration stage by @vanhauser-thc in

    New Contributors

    • @bitwave made their first contribution in
    • @pr0me made their first contribution in
    • @intrigus-lgtm made their first contribution in
    • @abgeana made their first contribution in
    • @faroukfaiz10 made their first contribution in
    • @jamcleod made their first contribution in
    • @expend20 made their first contribution in
    • @eknoes made their first contribution in

    Full Changelog:

  • 0.6.0 (Aug 20, 2021)

    • libafl_qemu with CmpLog, syscall hooks and more
    • Refactor MOpt
    • CachedOnDiskCorpus to have an in-memory cache while saving testcases on disk
    • libafl_sugar with builder patterns to create common fuzzers
    • Concolic Tracing (libafl_concolic @julihoh GSOC 2021)
    • InProcessForkExecutor
    • ForkserverExecutor shared mem testcase
    • TimeoutExecutor for win32
    • AFLFast power schedules (@tokatoka GSOC 2021)
    • Fix shared memory on macOS
  • 0.5.0 (Jul 5, 2021)

    • LLVM passes support in libafl_cc
    • Support for routine arguments in CmpLog
    • We don't enforce serde on Observer anymore
    • MOpt stage and mutator (@tokatoka GSOC 2021)
    • Fix link issue when using the Libfuzzer layer and libafl_cc
    • Fix some macOS build issues
  • 0.4.0 (Jun 23, 2021)

    • CmpLog instructions instrumentation for SanCov and Frida
    • Naive Input-to-state mutator using the CmpLog metadata
    • Generalize InProcessExecutor to a generic Input trait
    • MultiStats stats display
    • TimeoutForkserverExecutor
    • Shadow Executor and Stage
    • Single threaded restartable EventManager
    • Configurations in EventManager
    • Remove HasExecHooks
    • Decouple broker from LlmpEventManager
    • New fuzzers: Generic libfuzzer, Fuzzbench
  • 0.3.0 (May 19, 2021)

  • 0.2.0 (May 6, 2021)

    • baby_fuzzer book chapter
    • LLMP TCP multi-machine
    • Conditional composition of Feedbacks
    • Allow lifetime in Observers
    • Reachability example and Feedback
  • 0.1.0 (Apr 30, 2021)

Advanced Fuzzing League ++
We want to make fuzzing better and better