AFLrustrust
c2rust version of afl-fuzz
american fuzzy lop rust rust (afl++.rs)
This is not AFLRustRust from the fuzzing competition. For it, go to https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/fuzzbench_forkserver
This is an autogenerated Rust version of afl_fuzz, generated with c2rust.
It's 100% PoC :)
Speed-wise, this is very comparable for my test binary. Please report stats.
To run the Rust version of afl, install rustup/cargo, then use

```
cargo run --release --bin afl_fuzz -- -i ..
```
The rust mode was 100% autogenerated off the current dev version of afl++. You might need to install c2rust. For Linux:
```
rustup install nightly-2019-12-05
rustup component add --toolchain nightly-2019-12-05 rustfmt rustc-dev
```
To recreate the bindings from upstream AFLplusplus:
```
intercept-build make NO_PYTHON=1 CFLAGS="-w"
c2rust transpile --binary afl_fuzz --binary afl_showmap --binary afl_tmin --binary afl_analyze --binary afl_gotcpu --binary afl_analyze compile_commands.json
```

(To clean all autogenerated build files, I use `rm -rf **/*.rs *.rs Cargo.toml rust-toolchain target`.)
Note that all binaries use underscore instead of dashes.
american fuzzy lop plus plus (afl++)
<img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo">

Release Version: 2.63c
Github Version: 2.63d
includes all necessary/interesting changes from Google's afl 2.56b
Originally developed by Michal "lcamtuf" Zalewski.
Repository: https://github.com/AFLplusplus/AFLplusplus
afl++ is maintained by:
- Marc "van Hauser" Heuse mh@mh-sec.de,
- Heiko "hexcoder-" Eißfeldt heiko.eissfeldt@hexco.de,
- Andrea Fioraldi andreafioraldi@gmail.com and
- Dominik Maier mail@dmnk.co.
Note that although afl now has a Google afl repository https://github.com/Google/afl, it is unlikely to receive any notable enhancements: https://twitter.com/Dor3s/status/1154737061787660288
The enhancements compared to the original stock afl
Many improvements were made over the official afl release - which did not get any feature improvements since November 2017.
Among other changes afl++ has a more performant llvm_mode, supports llvm up to version 11, QEMU 3.1, more speed and crash fixes for QEMU, better *BSD and Android support and much, much more.
Additionally the following features and patches have been integrated:
- AFLfast's power schedules by Marcel Böhme: https://github.com/mboehme/aflfast
- The new excellent MOpt mutator: https://github.com/puppet-meteor/MOpt-AFL
- InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: https://github.com/csienslab/instrim
- C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: https://github.com/choller/afl
- Custom mutator by a library (instead of Python) by kyakdan
- Unicorn mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)
- LAF-Intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode
- NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
- Persistent mode and deferred forkserver for qemu_mode
- Win32 PE binary-only fuzzing with QEMU and Wine
- Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusively)
- QBDI mode to fuzz android native libraries via QBDI framework
- The new CmpLog instrumentation for LLVM and QEMU inspired by Redqueen
- LLVM mode Ngram coverage by Adrian Herrera https://github.com/adrianherrera/afl-ngram-pass
A more thorough list is available in the PATCHES file.
| Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode |
| ----------------------- |:-------:|:---------:|:----------:|:----------------:|:------------:|
| NeverZero | x | x(1) | (2) | x | x |
| Persistent mode | | x | x | x86[_64]/arm[64] | x |
| LAF-Intel / CompCov | | x | | x86[_64]/arm[64] | x86[_64]/arm |
| CmpLog | | x | | x86[_64]/arm[64] | |
| Whitelist | | x | x | (x)(3) | |
| Non-colliding coverage | | x(4) | | (x)(5) | |
| InsTrim | | x | | | |
| Ngram prev_loc coverage | | x(6) | | | |
| Context coverage | | x | | | |
| Snapshot LKM support | | x | | (x)(5) | |
neverZero:
(1) default for LLVM >= 9.0, env var for older versions due to an efficiency bug in llvm <= 8
(2) GCC creates non-performant code, hence it is disabled in gcc_plugin
(3) partially via AFL_CODE_START/AFL_CODE_END
(4) Only for LLVM >= 9 and not all targets compile
(5) upcoming, development in the branch
(6) not compatible with LTO and InsTrim and needs at least LLVM >= 4.1
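NeverZero, listed above and in footnotes (1) and (2), as an added C illustration (not afl++'s own instrumentation code): a toy 8-bit coverage-map counter under the classic increment and under the NeverZero increment-plus-carry, showing that an edge hit exactly 256 times wraps to 0 and looks unexecuted in the classic scheme. The map size and edge index are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of afl's shared coverage map: one 8-bit hit counter per edge.
 * MAP_SIZE and the edge index used below are constructed for this example. */
#define MAP_SIZE 64

/* Classic afl instrumentation: plain increment, wraps 255 -> 0. */
static void hit_classic(uint8_t *map, size_t edge) {
    map[edge]++;
}

/* NeverZero instrumentation: increment, then add the carry back in, so the
 * counter skips 0 and an executed edge can never read as "never hit". */
static void hit_neverzero(uint8_t *map, size_t edge) {
    uint8_t v = (uint8_t)(map[edge] + 1);
    map[edge] = (uint8_t)(v + (v == 0));
}

/* Simulate one execution in which `edge` is taken `hits` times. */
static uint8_t run_classic(size_t edge, unsigned hits) {
    uint8_t map[MAP_SIZE] = {0};
    for (unsigned i = 0; i < hits; i++) hit_classic(map, edge);
    return map[edge];
}

static uint8_t run_neverzero(size_t edge, unsigned hits) {
    uint8_t map[MAP_SIZE] = {0};
    for (unsigned i = 0; i < hits; i++) hit_neverzero(map, edge);
    return map[edge];
}

/* afl treats a zero byte in the map as "this edge was not executed". */
static int edge_seen(uint8_t counter) { return counter != 0; }

int main(void) {
    unsigned hits[] = {1, 255, 256, 512};
    for (size_t i = 0; i < sizeof hits / sizeof hits[0]; i++) {
        uint8_t c = run_classic(7, hits[i]);
        uint8_t n = run_neverzero(7, hits[i]);
        printf("%4u hits: classic=%3u (seen=%d)  neverzero=%3u (seen=%d)\n",
               hits[i], c, edge_seen(c), n, edge_seen(n));
    }
    return 0;
}
```

With 256 hits the classic counter reads 0 and the edge is invisible to the fuzzer; the NeverZero counter reads 1, which is exactly the coverage loss the patch recovers.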
So all in all this is the best-of afl that is currently out there :-)
For new versions and additional information, check out: https://github.com/AFLplusplus/AFLplusplus
To compare notes with other users or get notified about major new features, send a mail to afl-users+subscribe@googlegroups.com.
See docs/QuickStartGuide.md if you don't have time to read this file.
Branches
The following branches exist:
- master/trunk : stable state of afl++ - it is synced from dev from time to time when we are satisfied with its stability
- dev : development state of afl++ - bleeding edge and you might catch a checkout which does not compile or has a bug. We only accept PRs in dev!!
- (any other) : experimental branches to work on specific features or testing new functionality or changes.
For releases, please see the Releases tab.
Google Summer of Code 2020 (and any other students and enthusiast developers)
We are happy to be part of Google Summer of Code 2020! :-)
We have several ideas we would like to see in AFL++ to make it even better. However, we already work on so many things that we do not have the time for all the big ideas.
This can be your way to support and contribute to AFL++ - extend it to something cool.
We have an idea list in docs/ideas.md.
For everyone who wants to contribute (and send pull requests) please read CONTRIBUTING.md before you submit.
Building and installing afl++
afl++ has many build options. The easiest is to build and install everything:
```
$ sudo apt install build-essential libtool-bin python3 automake bison libglib2.0-dev libpixman-1-dev clang python-setuptools
$ make distrib
$ sudo make install
```
Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and more. If you just want plain afl then do "make all", however compiling and using at least llvm_mode is highly recommended for much better results - hence in this case
```
$ make source-only
```
is what you should choose.
These build targets exist:
- all: just the main afl++ binaries
- binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa
- source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa
- distrib: everything (for both binary-only and source code fuzzing)
- man: creates simple man pages from the help option of the programs
- install: installs everything you have compiled with the build options above
- clean: cleans everything. For qemu_mode and unicorn_mode it means it deletes all downloads as well
- code-format: format the code, do this before you commit and send a PR please!
- tests: runs test cases to ensure that all features are still working as they should
- unit: perform unit tests (based on cmocka)
- help: shows these build options
Unless you are on Mac OS X you can also build statically linked versions of the afl++ binaries by passing the STATIC=1 argument to make:
```
$ make all STATIC=1
```
These build options exist:
- STATIC - compile AFL++ static
- ASAN_BUILD - compiles with memory sanitizer for debug purposes
- PROFILING - compile with profiling information (gprof)
- AFL_NO_X86 - if compiling on non-intel/amd platforms
- LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)
e.g.: make ASAN_BUILD=1
Note that afl++ is faster and better the newer the compilers used are. Hence at least gcc-9 and especially llvm-9 should be the compilers of choice. If your distribution does n
