OLD | NEW |
(Empty) | |
| 1 =============== |
| 2 Sister projects |
| 3 =============== |
| 4 |
| 5 This doc lists some of the projects that are inspired by, derived from, |
| 6 designed for, or meant to integrate with AFL. See README for the general |
| 7 instruction manual. |
| 8 |
| 9 ---------------------------- |
| 10 Support for other languages: |
| 11 ---------------------------- |
| 12 |
| 13 Python AFL (Jakub Wilk) |
| 14 ----------------------- |
| 15 |
| 16 Allows fuzz-testing of Python programs. Uses custom instrumentation and its |
| 17 own forkserver. |
| 18 |
| 19 http://jwilk.net/software/python-afl |
| 20 |
| 21 Go-fuzz (Dmitry Vyukov) |
| 22 ----------------------- |
| 23 |
| 24 AFL-inspired guided fuzzing approach for Go targets: |
| 25 |
| 26 https://github.com/dvyukov/go-fuzz |
| 27 |
| 28 afl.rs (Keegan McAllister) |
| 29 -------------------------- |
| 30 |
| 31 Allows Rust features to be easily fuzzed with AFL (using the LLVM mode). |
| 32 |
| 33 https://github.com/kmcallister/afl.rs |
| 34 |
| 35 OCaml support (KC Sivaramakrishnan) |
| 36 ----------------------------------- |
| 37 |
| 38 Adds AFL-compatible instrumentation to OCaml programs. |
| 39 |
| 40 https://github.com/ocamllabs/opam-repo-dev/pull/23 |
| 41 http://canopy.mirage.io/Posts/Fuzzing |
| 42 |
| 43 AFL for GCJ Java and other GCC frontends (-) |
| 44 -------------------------------------------- |
| 45 |
| 46 GCC Java programs are actually supported out of the box - simply rename |
| 47 afl-gcc to afl-gcj. Unfortunately, by default, unhandled exceptions in GCJ do |
| 48 not result in abort() being called, so you will need to manually add a |
| 49 top-level exception handler that exits with SIGABRT or something equivalent. |
| 50 |
| 51 Other GCC-supported languages should be fairly easy to get working, but may |
| 52 face similar problems. See https://gcc.gnu.org/frontends.html for a list of |
| 53 options. |
| 54 |
| 55 AFL-style in-process fuzzer for LLVM (Kostya Serebryany) |
| 56 -------------------------------------------------------- |
| 57 |
| 58 Provides an evolutionary instrumentation-guided fuzzing harness that allows |
| 59 some programs to be fuzzed without the fork / execve overhead. (Similar |
| 60 functionality is now available as the "persistent" feature described in |
| 61 ../llvm_mode/README.llvm.) |
| 62 |
| 63 http://llvm.org/docs/LibFuzzer.html |
| 64 |
| 65 AFL fixup shim (Ben Nagy) |
| 66 ------------------------- |
| 67 |
| 68 Allows AFL_POST_LIBRARY postprocessors to be written in arbitrary languages |
| 69 that don't have C / .so bindings. Includes examples in Go. |
| 70 |
| 71 https://github.com/bnagy/aflfix |
| 72 |
| 73 ---------------- |
| 74 Network fuzzing: |
| 75 ---------------- |
| 76 |
| 77 Preeny (Yan Shoshitaishvili) |
| 78 ---------------------------- |
| 79 |
| 80 Provides a fairly simple way to convince dynamically linked network-centric |
| 81 programs to read from a file or not fork. Not AFL-specific, but described as |
| 82 useful by many users. Some assembly required. |
| 83 |
| 84 https://github.com/zardus/preeny |
| 85 |
| 86 ------------------------------------------- |
| 87 Distributed fuzzing and related automation: |
| 88 ------------------------------------------- |
| 89 |
| 90 roving (Richo Healey) |
| 91 --------------------- |
| 92 |
| 93 A client-server architecture for effortlessly orchestrating AFL runs across |
| 94 a fleet of machines. You don't want to use this on systems that face the |
| 95 Internet or live in other untrusted environments. |
| 96 |
| 97 https://github.com/richo/roving |
| 98 |
| 99 Distfuzz-AFL (Martijn Bogaard) |
| 100 ------------------------------ |
| 101 |
| 102 Simplifies the management of afl-fuzz instances on remote machines. The |
| 103 author notes that the current implementation isn't secure and should not |
| 104 be exposed on the Internet. |
| 105 |
| 106 https://github.com/MartijnB/disfuzz-afl |
| 107 |
| 108 afl-launch (Ben Nagy) |
| 109 --------------------- |
| 110 |
| 111 Batch AFL launcher utility with a simple CLI. |
| 112 |
| 113 https://github.com/bnagy/afl-launch |
| 114 |
| 115 AFL Utils (rc0r) |
| 116 ---------------- |
| 117 |
| 118 Simplifies the triage of discovered crashes, start parallel instances, etc. |
| 119 |
| 120 https://github.com/rc0r/afl-utils |
| 121 |
| 122 afl-fuzzing-scripts (Tobias Ospelt) |
| 123 ----------------------------------- |
| 124 |
| 125 Simplifies starting up multiple parallel AFL jobs. |
| 126 |
| 127 https://github.com/floyd-fuh/afl-fuzzing-scripts/ |
| 128 |
| 129 afl-sid (Jacek Wielemborek) |
| 130 --------------------------- |
| 131 |
| 132 Allows users to more conveniently build and deploy AFL via Docker. |
| 133 |
| 134 https://github.com/d33tah/afl-sid |
| 135 |
| 136 ----------------------------------------------------------- |
| 137 Crash triage, coverage analysis, and other companion tools: |
| 138 ----------------------------------------------------------- |
| 139 |
| 140 afl-crash-analyzer (Tobias Ospelt) |
| 141 ---------------------------------- |
| 142 |
| 143 Makes it easier to navigate and annotate crashing test cases. |
| 144 |
| 145 https://github.com/floyd-fuh/afl-crash-analyzer/ |
| 146 |
| 147 Crashwalk (Ben Nagy) |
| 148 -------------------- |
| 149 |
| 150 AFL-aware tool to annotate and sort through crashing test cases. |
| 151 |
| 152 https://github.com/bnagy/crashwalk |
| 153 |
| 154 afl-cov (Michael Rash) |
| 155 ---------------------- |
| 156 |
| 157 Produces human-readable coverage data based on the output queue of afl-fuzz. |
| 158 |
| 159 https://github.com/mrash/afl-cov |
| 160 |
| 161 RecidiVM (Jakub Wilk) |
| 162 --------------------- |
| 163 |
| 164 Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN. |
| 165 |
| 166 http://jwilk.net/software/recidivm |
| 167 |
| 168 aflize (Jacek Wielemborek) |
| 169 -------------------------- |
| 170 |
| 171 Automatically build AFL-enabled versions of Debian packages. |
| 172 |
| 173 https://github.com/d33tah/aflize |
| 174 |
| 175 afl-ddmin-mod (Markus Teufelberger) |
| 176 ----------------------------------- |
| 177 |
| 178 A variant of afl-tmin that uses a more sophisticated (but slower) |
| 179 minimization algorithm. |
| 180 |
| 181 https://github.com/MarkusTeufelberger/afl-ddmin-mod |
| 182 |
| 183 ------------------------------- |
| 184 Narrow-purpose or experimental: |
| 185 ------------------------------- |
| 186 |
| 187 Cygwin support (Ali Rizvi-Santiago) |
| 188 ----------------------------------- |
| 189 |
| 190 Pretty self-explanatory. As per the author, this "mostly" ports AFL to |
| 191 Windows. Field reports welcome! |
| 192 |
| 193 https://github.com/arizvisa/afl-cygwin |
| 194 |
| 195 Pause and resume scripts (Ben Nagy) |
| 196 ----------------------------------- |
| 197 |
| 198 Simple automation to suspend and resume groups of fuzzing jobs. |
| 199 |
| 200 https://gist.github.com/bnagy/8f0eb29eb125653f73fd |
| 201 |
| 202 Static binary-only instrumentation (Aleksandar Nikolich) |
| 203 -------------------------------------------------------- |
| 204 |
| 205 Allows black-box binaries to be instrumented statically (i.e., by modifying |
| 206 the binary ahead of the time, rather than translating it on the run). Author |
| 207 reports better performance compared to QEMU, but occasional translation |
| 208 errors with stripped binaries. |
| 209 |
| 210 https://github.com/vrtadmin/moflow/tree/master/afl-dyninst |
| 211 |
| 212 AFL PIN (Parker Thompson) |
| 213 ------------------------- |
| 214 |
| 215 Early-stage Intel PIN instrumentation support (from before we settled on |
| 216 faster-running QEMU). |
| 217 |
| 218 https://github.com/mothran/aflpin |
| 219 |
| 220 AFL-style instrumentation in llvm (Kostya Serebryany) |
| 221 ----------------------------------------------------- |
| 222 |
| 223 Allows AFL-equivalent instrumentation to be injected at compiler level. |
| 224 This is currently not supported by AFL as-is, but may be useful in other |
| 225 projects. |
| 226 |
| 227 https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counter
s |
| 228 |
| 229 AFL JS (Han Choongwoo) |
| 230 ---------------------- |
| 231 |
| 232 One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely |
| 233 superseded by LLVM deferred forkserver init - see llvm_mode/README.llvm). |
| 234 |
| 235 https://github.com/tunz/afl-fuzz-js |
| 236 |
| 237 AFL harness for fwknop (Michael Rash) |
| 238 ------------------------------------- |
| 239 |
| 240 An example of a fairly involved integration with AFL. |
| 241 |
| 242 https://github.com/mrash/fwknop/tree/master/test/afl |
| 243 |
| 244 Building harnesses for DNS servers (Jonathan Foote, Ron Bowes) |
| 245 -------------------------------------------------------------- |
| 246 |
| 247 Two articles outlining the general principles and showing some example code. |
| 248 |
| 249 https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop |
| 250 https://goo.gl/j9EgFf |
| 251 |
| 252 Fuzzer shell for SQLite (Richard Hipp) |
| 253 -------------------------------------- |
| 254 |
| 255 A simple SQL shell designed specifically for fuzzing the underlying library. |
| 256 |
| 257 http://www.sqlite.org/src/artifact/9e7e273da2030371 |
| 258 |
| 259 Support for Python mutation modules (Christian Holler) |
| 260 ------------------------------------------------------ |
| 261 |
| 262 https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt |
| 263 |
| 264 Support for selective instrumentation (Christian Holler) |
| 265 -------------------------------------------------------- |
| 266 |
| 267 https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentatio
n.txt |
| 268 |
| 269 Kernel fuzzing (Dmitry Vyukov) |
| 270 ------------------------------ |
| 271 |
| 272 A similar guided approach as applied to fuzzing syscalls: |
| 273 |
| 274 https://github.com/google/syzkaller/wiki/Found-Bugs |
| 275 https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd61259
31 |
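Review bot: the entries "Support for Python mutation modules" (line 259) and "Support for selective instrumentation" (line 264) are the only ones in the file that carry a heading and a URL but no one-line description, unlike every other project listed; add a short sentence for each, matching the format used elsewhere (for example, what the mutation-module hook lets an AFL user plug in, and what "selective" instrumentation restricts the coverage instrumentation to), so a reader can judge the entry without following the link. Separately, the second DNS-harness reference at line 250 is a goo.gl short link; the other references in this doc are all direct URLs, and a short link hides the destination and will stop working if the shortener is retired, so prefer the canonical article URL.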