afl_runner

Crates.ioafl_runner
lib.rsafl_runner
version
sourcesrc
created_at2024-01-22 08:19:43.913361
updated_at2024-12-05 08:31:44.082805
descriptionScaling best-practice AFLPlusPlus fuzzing campaigns made easy
homepage
repositoryhttps://github.com/0xricksanchez/AFL_Runner
max_upload_size
id1108451
Cargo.toml error:TOML parse error at line 18, column 1 | 18 | autolib = false | ^^^^^^^ unknown field `autolib`, expected one of `name`, `version`, `edition`, `authors`, `description`, `readme`, `license`, `repository`, `homepage`, `documentation`, `build`, `resolver`, `links`, `default-run`, `default_dash_run`, `rust-version`, `rust_dash_version`, `rust_version`, `license-file`, `license_dash_file`, `license_file`, `licenseFile`, `license_capital_file`, `forced-target`, `forced_dash_target`, `autobins`, `autotests`, `autoexamples`, `autobenches`, `publish`, `metadata`, `keywords`, `categories`, `exclude`, `include`
size0
434b (0xricksanchez)

documentation

README

AFL Runner

Crates.io License Rust

AFL_Runner is a modern CLI tool designed to streamline running efficient multi-core AFLPlusPlus campaigns. The default configuration is based on the section Using multiple cores of the official documentation.

Getting Started πŸš€

Currently, this tool should work on all *NIX flavor operating-systems.

Prerequisites

Installation

You can compile AFL_Runner yourself...:

git clone https://github.com/0xricksanchez/AFL_Runner.git
cd AFL_Runner
cargo build --release
./target/release/aflr --help

...or install directly via crates.io:

cargo install afl_runner
aflr --help

Features ✨

AFL_Runner allows you to set the most necessary AFLPlusplus flags and mimics the AFLplusplus syntax for these options:

  • Supported AFLplusplus flags:

    • Corpus directory
    • Output directory
    • Dictionary file/directory
    • Custom afl-fuzz binary path for all instances
    • Supply arguments to target binary (including @@)
    • Amount of runner commands to generate
    • Support for *SAN, CMPLOG, CMPCOV binaries

  • Other features:

    • Coverage collection/visualization
    • Tmux or screen option to automatically create an appropriate layout for all runners
    • TUI
    • Provide a configuration file via --config to make sharing/storing per project configurations easier
      • Automatically read out a configuration named aflr_cfg.toml in the CWD when no --config was supplied
    • Mode: default (vanilla AFL++), multiple-cores (Ref.), and ci-fuzzing (Ref.)!
    • Deterministic command generation and AFL++ with seeding

Note: Arguments supplied over the command-line take precedence over any configuration file options.

What is not? ❌

AFL_Runner aims to be a plug & play solution for when you're at a stage of fuzzing campaign where all that is left is running a multi-core setup. So, this tool is not (yet) a helper for:

  • Compiling a target in multiple flavors
  • Preparing a good initial seed corpus
  • Providing a decent dictionary to boost code-coverage
  • Debugging a fuzzing campaign

Roadmap πŸ—ΊοΈ

  • Add remote option 🌐
  • Native integration for statsd
  • Add more configuration options
    • Add more sensible defaults for other options
    • Full modularity to cater to very specialized fuzzing campaigns
  • Allow AFLPlusPlus forks to be used on some amount of runners

Usage Example πŸ’‘

Here's an example of generating AFL++ commands with AFL_Runner:

AFL_Runner_cmd_gen

Note: Supplying the *SAN, CMPLOG, or CMPCOV binaries is optional and if omitted all invocations just contain the (mandatory) instrumented target instead.

Showcase πŸŽ₯

AFL_Runner also includes a terminal user interface (TUI) for monitoring the fuzzing campaign progress. The following demo can be found in examples/ and can be build locally by running cargo make from the root directory of the project.

The example builds a recent version of libxml2 four times with different compile-time instrumentations:

  1. plain AFL++ instrumentation
  2. Address-Sanitizer (ASan)
  3. CMPCOV,
  4. CMPLOG, and
  5. Coverage visualization

Afterwards, the necessary commands for 16 instances are being generated, which then are executed in a dedicated TMUX session. Finally, a custom TUI offered by AFL Runner is tracking the progress of the fuzzing campaign in a centralized space:

AFL_Runner demo

Note: The TUI can be used as a full replacement for afl-whatsup by using afl_runner tui <afl_output_dir>!

Coverage visualization is also covered by AFL_Runner:

AFL_Runner cov

Note: IFF you ran the AFLR demo campaign for a while you can run cargo make afl_coverage to run the coverage collection as shown above.

Contributing 🀝

Contributions are welcome! Please feel free to submit a pull request or open an issue for any bugs, feature requests, or improvements. Any other support is also more than welcome :). Feel to reach out on X or BSKY.

License πŸ“œ

This project is licensed under the Apache License. See the LICENSE file for details.


πŸ”Ό Back to top

Commit count: 62

cargo fmt