LibAFL 0.15.4 has just been released 🎉

Of the 30 Contributors for this release, almost half are new faces <3

https://github.com/AFLplusplus/LibAFL/releases/tag/0.15.4

#Fuzzing #LibAFL #AFLplusplus

Want to learn how to build your own #libafl components, but never had the right project? Try working through the interactive exercises that I released today: https://github.com/addisoncrump/parking-game-fuzzer

You'll work through building your own LibAFL components with templates, allowing you to understand them progressively through the context of trying to solve "Tokyo Parking" (AKA ThinkFun's "Rush Hour") puzzles with fuzzing.

#fuzzing #aflplusplus #puzzles #rust #rustlang

Guess who just released #LibAFL 0.15.3?
That's right, you all did! (thank you☺️)

Highlights:

  • better forkserver
  • scriptable Lua mutations
  • SIMD performance in stable rust
  • CmpLog and RISC-V for LibAFL_Unicorn
  • TMin for LibAFL_QEMU
  • Updated Sugar for easy fuzzing

https://github.com/AFLplusplus/LibAFL/releases/tag/0.15.3

#fuzzing #AFLplusplus #LibAFL #update

Release 0.15.3 · AFLplusplus/LibAFL

Highlights New AFL++ Forkserver support in libafl_targets, new forkserver features Introduced LuaMutator, scriptable mutators SIMD performance enhancements for MapFeedback in stable rust (was nigh...


🚨 LibAFL 0.15.2 🚨

  • Rust 2024 edition
  • LibAFL_Unicorn
  • Use LibAFL rand types for other crates
  • Allow logging to StatsD
  • LibAFL_QEMU updates like binary-only ASan in Rust 🦀🦀🦀, inputs via StdIn, better snapshots

And so much more:

https://github.com/AFLplusplus/LibAFL/releases/tag/0.15.2

#LibAFL #Fuzzing #AFLplusplus

Release 0.15.2 · AFLplusplus/LibAFL

Highlights Moved to Rust 2024 edition Added LibAFL_Unicorn Added SAND: Decoupling Sanitization from Fuzzing for Low Overhead support LibAFL rand types can be used for rust's rand module, and vice ...

Is there a simple way to have the target binary dump its own test case while running from afl-fuzz? #aflplusplus #afl++ The thing is, the target binary generates some crypto keys at the start which are used later. I thought to have persistent mode first generate the internal state, then dump the message that is the basis for fuzzing and that later in processing needs those keys. But when I run afl-fuzz it complains that the input directory is empty, and when I write the file it's not picked up...

Late last year we released #LibAFL 0.11.2
Highlights:

  • Unicode-preserving mutators, better mutations for text!
  • GSoC project: Nicer TUI
  • Scalability introspector
  • Improved libafl_frida
  • Extended libafl_qemu - added CmpLog and more!

Full changelog:
https://github.com/AFLplusplus/LibAFL/releases/tag/0.11.2

#fuzzing #libafl #AFLplusplus

Release 0.11.2 · AFLplusplus/LibAFL

Highlights Unicode-preserving mutators Reworked Tui (GSoC project by @ToSeven) Scalability introspector Larger libafl_frida rework, replaced capstone with yaxpeax in many places Extended libafl_qe...

If you want to play with the injection vulnerability detection feature shown at #37c3: for AFL++ read instrumentation/README.injections.md; for libafl_qemu check out the vhqemu branch and use fuzzers/qemu_launcher with "-y injections.yaml". #aflplusplus #afl #fuzzing #fuzzing-tools

Fuzz your cargo-fuzz harness with LibAFL!

I'm happy to share the fuzz runtime described in our recent FUZZING'23 report, CrabSandwich, which expands on libafl_libfuzzer to allow for Rust support. This allows Rust developers to switch away from the now-in-stasis libFuzzer to a LibAFL-based runtime which supports most common features of libFuzzer seamlessly.

Want to try it out for yourself? Simply edit your existing cargo-fuzz harnesses' Cargo.toml to change the libfuzzer-sys dependency as shown here: https://github.com/rust-fuzz/cargo-fuzz/issues/330#issuecomment-1592911175

In most cases, the entire edit is a single-line change (!). At this time, we only support Linux, but are looking for contributions to expand to Windows and macOS as well.

Happy hunting! #fuzzing #rust #libafl #AFLplusplus

LibAFL support? · Issue #330 · rust-fuzz/cargo-fuzz

Now that libfuzzer has been officially deprecated I was wondering if the maintainers of cargo-fuzz are interested to add LibAFL support to this crate directly. LibAFL is not only maintained, but is...

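As an added illustration of the "single-line change" above (this is not the project's own code and not the content of the linked issue comment, which remains the authoritative source for the exact dependency line), here is a cargo-fuzz `fuzz/Cargo.toml` with the `libfuzzer-sys` dependency redirected to `libafl_libfuzzer`. The crate names `my-target` and `parse_input` and the version `0.15` are assumptions; the mechanism relied on is Cargo's `package` rename, which keeps the Rust-side name `libfuzzer_sys` intact so the harness source itself is untouched.

```toml
# fuzz/Cargo.toml of an existing cargo-fuzz project (example, not from the page).
#
# Before (stock libFuzzer runtime):
#   [dependencies]
#   libfuzzer-sys = "0.4"
#
# After: the Rust-side crate name stays `libfuzzer_sys`, but Cargo pulls
# `libafl_libfuzzer` from crates.io instead. Because of the rename, the
# harness's existing `use libfuzzer_sys::fuzz_target;` keeps resolving.

[package]
name = "my-target-fuzz"      # assumed name
version = "0.0.0"
edition = "2021"
publish = false

[package.metadata]
cargo-fuzz = true

[dependencies]
# Version is an assumption: pin the libafl_libfuzzer release that matches
# the LibAFL you intend to build against.
libfuzzer-sys = { version = "0.15", package = "libafl_libfuzzer" }

[dependencies.my-target]     # assumed: the crate under test lives one directory up
path = ".."

[[bin]]
name = "parse_input"         # assumed harness name
path = "fuzz_targets/parse_input.rs"
test = false
doc = false
```

After the edit, `cargo fuzz run parse_input` builds and runs the same harness on the LibAFL-based runtime; as the post notes, this currently works on Linux only.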

Almost a year after my defense, my PhD thesis "Automated Security Testing of Unexplored Targets Through Feedback-Guided Fuzzing" is now archived on the university server. 🎉
We fuzzed Nvidia drivers, TCP servers, basebands, WebAssembly,...

Enjoy reading :)

https://depositonce.tu-berlin.de/items/c3aaf2ec-8036-4651-a609-9c3b11a7f705

#fuzzing #AFLplusplus

Automated security testing of unexplored targets through feedback-guided fuzzing

Fuzzing is an automated method to uncover bugs in software. A fuzzer will generate inputs to a target program and execute the target repeatedly, in rapid succession. These random mutations aim to reach corner cases a human tester will not detect easily. Fuzzing has uncovered a variety of critical bugs in recent years. However, a large amount of low-level code remains un-fuzzed. Most research improves certain bits and pieces and focuses on easy-to-fuzz user space applications with available source code. While this makes it possible to evaluate and compare the proposed methods, novel targets will not get the much-needed attention. This thesis aims to scale and automate the detection of security-critical bugs across a wide range of previously unexplored and traditionally hard-to-test targets. We consolidate available fuzzing research with our tool AFL++, a fork of the well-known AFL fuzzer. We aim at a wide range of new targets using this state-of-the-art fuzzer. We pick targets that are hard to test, such as kernels, device drivers, and firmware. Even vendors with access to source code cannot use existing fuzzers for these targets. The architecture of fuzzers needs to be adapted to them. The tools written for this thesis uncovered memory corruptions in the Linux kernel, graphics card drivers, baseband chips of smartphones, servers, and smart contract VM implementations. We develop entirely new approaches, such as differential fuzzing, instrumentation for WebAssembly binaries, kernel-land snapshot fuzzing, and the snapshot-based FitM project, uncovering stateful bugs in network stacks.

Finally got around to doing some #fuzzing on #sectxtlib with #AFLplusplus and directly found an issue in one of its dependencies 🔥