StdFuzzer - StdFuzzer is the reference implementation of a generic bit-level fuzzer with LibAFL

StdFuzzer

StdFuzzer is the reference implementation of a generic bit-level fuzzer with LibAFL

Building

Build with

$ cargo build --release

Compiling a target

Compile the target with the compiler wrappers set as the C and C++ compilers of its build system. After cargo build --release the wrappers are in target/release.

For instance:

$ CC=/path/to/StdFuzzer/target/release/libafl_cc CXX=/path/to/StdFuzzer/target/release/libafl_cxx ./configure
$ make

This fuzzer assumes that the target exports a libFuzzer-style harness (LLVMFuzzerTestOneInput). The wrappers link StdFuzzer's own coverage runtime, so the target's build must not also pass -fsanitize=fuzzer: that links libclang_rt.fuzzer, whose __sanitizer_cov_* callbacks are defined a second time and the link fails (see the error log in the comments below).
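What "exporting a libFuzzer harness" means in practice, as an added example that is not StdFuzzer's or any target project's code: a minimal C target with the entry point the wrappers expect, meant to be compiled with libafl_cc as CC exactly as the configure line above does (and without an extra -fsanitize=fuzzer). The record format, parse_record, parse_sum and the SEED_* inputs are constructed for this example; the unchecked length under tag 0x02 is a planted bug that a coverage-guided run under the wrappers' ASan build is expected to reach.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Hypothetical target function (constructed for this example): parses one
 * record laid out as [tag:1][len:1][payload:len] and stores the byte sum of
 * the payload in *out_sum. Returns 0 on success, -1 on a malformed record.
 *
 * Tag 0x01 checks len against the bytes actually present. Tag 0x02 is the
 * planted bug: it trusts len, so a record such as {0x02, 0xff} reads up to
 * 255 bytes past the end of a 2-byte input. Under an ASan build the fuzzer
 * reports this as a heap-buffer-overflow read.
 */
int parse_record(const uint8_t *data, size_t size, uint32_t *out_sum)
{
    if (data == NULL || size < 2)
        return -1;

    uint8_t tag = data[0];
    size_t len = data[1];
    const uint8_t *payload = data + 2;
    uint32_t sum = 0;

    switch (tag) {
    case 0x01:
        if (len > size - 2)          /* correct bounds check */
            return -1;
        for (size_t i = 0; i < len; i++)
            sum += payload[i];
        *out_sum = sum;
        return 0;
    case 0x02:
        /* BUG (planted): len is never checked against size - 2. */
        for (size_t i = 0; i < len; i++)
            sum += payload[i];
        *out_sum = sum;
        return 0;
    default:
        return -1;
    }
}

/* Convenience wrapper: payload sum on success, -1 if the record is rejected. */
long parse_sum(const uint8_t *data, size_t size)
{
    uint32_t sum = 0;
    return parse_record(data, size, &sum) == 0 ? (long)sum : -1L;
}

/*
 * The entry point StdFuzzer's libafl_cc/libafl_cxx expect the target to
 * export. The contract is libFuzzer's: treat data as read-only, keep no
 * state between calls, and always return 0 (other values are reserved).
 * Do not define main() in the target: the wrapper links StdFuzzer's own
 * main, which parses the -c/-p/-i/-o/-t/-x options shown in the help text.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t sum = 0;
    (void)parse_record(data, size, &sum);
    return 0;
}

/* Constructed sample inputs of the kind a seed corpus (-i) for this target
 * would hold. None of them triggers the planted bug. */
static const uint8_t SEED_OK[]          = {0x01, 3, 1, 2, 3};     /* sum 6   */
static const uint8_t SEED_TRUNCATED[]   = {0x01, 10, 1};          /* rejected */
static const uint8_t SEED_UNKNOWN_TAG[] = {0x05, 0};              /* rejected */
static const uint8_t SEED_TAG2[]        = {0x02, 2, 0x10, 0x20};  /* sum 0x30 */
```

Compiled through the wrapper, the resulting binary is started as the help text describes, for instance ./harness -c 0-3 -p 1337 -i ./seeds -o ./out -t 1000, with ./seeds holding files such as SEED_OK; an ASan report on a tag-0x02 input with a large length byte is the expected finding.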

Run the fuzzer

Take the output harness binary and execute with -h to see the required command line:

$ ./harness -h
StdFuzzer 0.1.0
Andrea Fioraldi <[email protected]>
StdFuzzer is the reference implementation of a generic bit-level fuzzer with LibAFL

USAGE:
    harness [OPTIONS] --cores <CORES> --broker-port <PORT>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -c, --cores <CORES>                  Spawn a client in each of the provided cores. Broker runs in the 0th core.
                                         'all' to select all available cores. 'none' to run a client without binding to
                                         any core. eg: '1,2-4,6' selects the cores 1,2,3,4,6.
    -i, --input <INPUT>...               Set an initial corpus directory
    -o, --output <OUTPUT>                Set the output directory, default is ./out [default: ./out]
    -p, --broker-port <PORT>             Choose the broker TCP port, default is 1337
    -a, --remote-broker-addr <REMOTE>    Specify a remote broker
    -t, --timeout <TIMEOUT>              Set the execution timeout in milliseconds, default is 1000 [default: 1000]
    -x, --tokens <TOKENS>...             Feed the fuzzer with a user-specified list of tokens (often called a
                                         "dictionary")

Comments
  • Error when compiling SerenityOS fuzzer: multiple definition of __sanitizer_cov_trace_const_cmp

    When I compile SerenityOS with StdFuzzer it returns an error. Here is the command I used to compile SerenityOS:

    sudo apt-get install -y libboost-all-dev build-essential cmake curl e2fsprogs libmpfr-dev libmpc-dev libgmp-dev ninja-build unzip qemu-system-i386 qemu-utils ccache rsync libgsf-1-dev
    git clone https://github.com/SerenityOS/serenity.git; cd serenity
    cmake -GNinja -S Meta/Lagom -B Build/lagom-fuzzers \
      -DBUILD_LAGOM=ON \
      -DENABLE_FUZZER_SANITIZER=ON \
      -DENABLE_ADDRESS_SANITIZER=ON \
      -DCMAKE_CXX_COMPILER=$HOME/StdFuzzer/target/release/libafl_cxx \
      -DCMAKE_C_COMPILER=$HOME/StdFuzzer/target/release/libafl_cc
    cd Build/lagom-fuzzers
    ninja
    

    Here is the error log

    cityoflight@SerenityOS:~/serenity/Build/lagom-fuzzers$ ninja
    [0/2] Re-checking globbed directories...
    [244/638] Linking CXX executable Fuzzers/FuzzZip
    FAILED: Fuzzers/FuzzZip
    : && /home/cityoflight/StdFuzzer/target/release/libafl_cxx    -fsanitize=address Fuzzers/CMakeFiles/FuzzZip.dir/FuzzZip.cpp.o  -o Fuzzers/FuzzZip  -Wl,-rpath,/home/cityoflight/serenity/Build/lagom-fuzzers  liblagom-archive.so.0.0.0  liblagom-core.so.0.0.0  -fsanitize=fuzzer  -lcrypt && :
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(stdfuzzer-02081e40da0c85a2.stdfuzzer.3418a45c-cgu.0.rcgu.o): in function `__sanitizer_cov_trace_pc_guard':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_pcguard.rs:20: multiple definition of `__sanitizer_cov_trace_pc_guard'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_pc_guard+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(stdfuzzer-02081e40da0c85a2.stdfuzzer.3418a45c-cgu.0.rcgu.o): in function `__sanitizer_cov_trace_pc_guard_init':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_pcguard.rs:53: multiple definition of `__sanitizer_cov_trace_pc_guard_init'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_pc_guard_init+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_cmp1':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:11: multiple definition of `__sanitizer_cov_trace_cmp1'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_cmp1+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_cmp2':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:27: multiple definition of `__sanitizer_cov_trace_cmp2'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_cmp2+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_cmp4':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:43: multiple definition of `__sanitizer_cov_trace_cmp4'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_cmp4+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_cmp8':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:59: multiple definition of `__sanitizer_cov_trace_cmp8'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_cmp8+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_switch':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:75: multiple definition of `__sanitizer_cov_trace_switch'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_switch+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_const_cmp1':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:113: multiple definition of `__sanitizer_cov_trace_const_cmp1'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_const_cmp1+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_const_cmp2':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:117: multiple definition of `__sanitizer_cov_trace_const_cmp2'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_const_cmp2+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_const_cmp4':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:121: multiple definition of `__sanitizer_cov_trace_const_cmp4'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_const_cmp4+0x0): first defined here
    /usr/bin/ld: /home/cityoflight/StdFuzzer/target/release/libstdfuzzer.a(sancov_cmp.o): in function `__sanitizer_cov_trace_const_cmp8':
    /home/cityoflight/.cargo/git/checkouts/libafl-c33dc6f5ec2f7a70/906bb4e/libafl_targets/src/sancov_cmp.c:125: multiple definition of `__sanitizer_cov_trace_const_cmp8'; /usr/lib/llvm-13/lib/clang/13.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a(FuzzerTracePC.cpp.o):(.text.__sanitizer_cov_trace_const_cmp8+0x0): first defined here
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    [246/638] Building CXX object CMakeFiles/LagomJS.dir/hom...ty/Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp.o
    ninja: build stopped: subcommand failed.
    
    opened by CityOfLight77
Owner
Advanced Fuzzing League ++
We want to make fuzzing better and better