Giter Club home page Giter Club logo

awesome-afl's Introduction

Awesome-AFL

Welcome to Awesome AFL

A curated list of different AFL forks and AFL inspired fuzzers with detailed equivalent academic papers with AFL-fuzzing tutorials

Projects

  • AFL by Michal Zalewski

    • Original & first versions of AFL fuzzer, american fuzzy lop is a free security-oriented fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. So far it helped in detection of significant software bugs in dozens of major free software projects, including X.Org Server, PHP, OpenSSL, pngcrush, bash, Firefox, BIND, Qt, and SQLite.

  • AFL++ by van Hauser

    • afl++ is afl 2.56b with community patches, AFLfast power schedules, qemu 3.1 upgrade + laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode and a lot more!

  • WinAFL by Ivan Fratric

    • A fork of AFL for fuzzing Windows binaries

  • afl-dyninst by Cisco Talos Lab

    • American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries

  • TriforceAFL by Jesse Hertz and Tim Newsham of nccgroup

    • This is a patched version of AFL that supports full-system fuzzing using QEMU. The included QEMU has been updated to allow tracing of branches when running a system emulator for x86_64. Extra instructions have been added to start AFL's forkserver, make fuzz settings, and mark the start and stop of test cases.

  • AFL-abiondo by Abiondo

  • aflsmart by Maintained by Thuan Pham

  • aflfast by Marcel Böhme

  • WineAFLplusplusDEMO by Andrea Fioraldi

    • A set of helpers and examples to fuzz Win32 binaries with AFL++ QEMU

  • afl-sensitive by Heng Yin

  • Redqueen by Syssec lab of Ruhr university of germany

  • afl-pin by van Hauser

    • run AFL with pintool

  • Driller by Shellphish team of University of Santa Barbara

    • Augmenting AFL with Symbolic execution, a powerful symbolic execution engine aims at hybrid fuzzing

  • AngoraFuzzer

    • Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution. Angora: Efficient Fuzzing by Principled Search (https://arxiv.org/abs/1803.01307)

  • VUzzer by Systems and Network Security Group at VU Amsterdam

  • Manul by Maksim Shudrak

  • QSYM by SSLab of Georgia Tech University

    • QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

  • netafl by gavz

    • winAFL patch to enable network-based apps fuzzing

  • Unicorefuzz by The Computer Security Group at Berlin University of Technology

  • SharpFuzz: AFL-based fuzz testing for .NET by Nemanja Mijailovic

  • Nautilus 2.0 - a grammar based feedback fuzzer by Syssec lab of Ruhr university of germany

  • frida-js-afl-instr by Andrea Fioraldi

  • UnTracer-AFL by Stefan Nagy ([email protected]) and Matthew Hicks ([email protected])

  • kleefl by julieeen

    • Seeding fuzzers with symbolic execution

  • AFLGo Maintained by @mboehme, @thuanpv, and @strongcourage

    • AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations (https://mboehme.github.io/paper/CCS17.pdf)

  • afl-dyninst Maintained by van Hauser

    • American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries

  • afl-dynamorio Maintained by van Hauser

    • run AFL with dynamorio - binary-only fuzzing with dynamorio and afl

  • FairFuzz Maintained by Caroline Lemieux of UC-Berkeley

    • An AFL extension to increase code coverage by targeting rare branches. FairFuzz has a particular advantage on programs with highly nested structure (packet analyzers, xmllint, programs compiled with laf-inte, etc) (http://www.carolemieux.com/fairfuzz-ase18.pdf)

  • Superion Maintained by zhunki

  • UnTracer-AFL Maintained by FoRTE-Research

    • An AFL implementation with UnTracer (our coverage-guided tracer)

  • neuzz Maintained by Dongdongshe

  • FuzzFactory Maintained by Rohan Padhye

    • FuzzFactory is an extension of AFL that generalizes coverage-guided fuzzing to domain-specific testing goals. FuzzFactory allows users to guide the fuzzer's search process without having to modify anything in AFL's search algorithm (https://dl.acm.org/doi/10.1145/3360600)

  • kAFL Maintained by RUB-SysSec

  • AFLNet Maintained by Thuan Pham

  • Grimoire Maintained by Tim Blazytko

  • JQF Maintained by Rohan Padhye of UC-Berkeley

    • JQF is a feedback-directed fuzz testing platform for Java, which uses the abstraction of property-based testing. JQF is built on top of junit-quickcheck: a tool for generating random arguments for parametric Junit test methods. JQF enables better input generation using coverage-guided fuzzing algorithms such as Zest. (https://cs.berkeley.edu/~rohanpadhye/files/zest-issta19.pdf)

  • PerfFuzz Maintained by Caroline Lemieux of UC-Berkeley

    • PerfFuzz: Automatically Generate Pathological Inputs for C/C++ programs : Performance problems in software can arise unexpectedly when programs are provided with inputs that exhibit pathological behavior. But how can we find these inputs in the first place? PerfFuzz can generate such inputs automatically: given a program and at least one seed input, PerfFuzz automatically generates inputs that exercise pathological behavior across program locations, without any domain knowledge.PerfFuzz uses multi-dimensional performance feedback and independently maximizes execution counts for all program locations. This enables PerfFuzz to find a variety of inputs that exercise distinct hot spots in a program. (http://www.carolemieux.com/perffuzz-issta2018.pdf)

  • Ankou Maintained by Valentin Manès aka Jilyac

    • Ankou is a source-based grey-box fuzzer. It intends to use a more rich fitness function by going beyond simple branch coverage and considering the combination of branches during program execution. The details of the technique can be found in our paper "Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference", which is published in ICSE 2020. (https://www.jiliac.com/files/ankou-icse2020.pdf)

  • Savior Maintained by @yaohway

    • SAVIOR, a new hybrid testing framework pioneering a bug-driven principle. Unlike the existing hybrid testing tools, SAVIOR prioritizes the concolic execution of the seeds that are likely to uncover more vulnerabilities. Moreover, SAVIOR verifies all vulnerable program locations along the executing program path. By modeling faulty situations using SMT constraints, SAVIOR reasons the feasibility of vulnerabilities and generates concrete test cases as proofs. Our evaluation shows that the bug-driven approach outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage. (https://arxiv.org/pdf/1906.07327.pdf)

  • T-Fuzz Maintained by @HexHive

    • To improve coverage, existing approaches rely on imprecise heuristics or complex input mutation techniques (e.g., symbolic execution or taint analysis) to bypass sanity checks. Our novel method tackles coverage from a different angle: by removing sanity checks in the target program. T-Fuzz leverages a coverage guided fuzzer to generate inputs. Whenever the fuzzer can no longer trigger new code paths, a light-weight, dynamic tracing based technique detects the input checks that the fuzzergenerated inputs fail. These checks are then removed from the target program. Fuzzing then continues on the transformed program, allowing the code protected by the removed checks to be triggered and potential bugs discovered. Fuzzing transformed programs to find bugs poses two challenges: (1) removal of checks leads to over-approximation andfalse positives, and (2) even for true bugs, the crashing input on the transformed program may not trigger the bug in the original program. As an auxiliary post-processing step, T-Fuzz leverages a symbolic execution-based approach to filter out false positives and reproduce true bugs in the original program. (https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8418632)

  • afl-compiler-fuzzer Maintained by Alex Groce from TrailOfBits

    • This is basically afl, run as usual, except that the afl-fuzz-compiler executable should (considerably) improve effectveness when fuzzing any target that takes C-like (in terms of syntax, e.g., Java, Solidity, Rust, C#, Swift, Javascript, Scala, etc. etc.) language files as input.

  • Eclipser Maintained by KAIST-Softsec Lab

    • Eclipser is a binary-based fuzz testing tool that improves upon classic coverage-based fuzzing by leveraging a novel technique called grey-box concolic testing. The details of the technique can be found in our paper "Grey-box Concolic Testing on Binary Code", which is published in ICSE 2019.

  • Parmesan Maintained by Sebastian Österlund of VUSEC

    • ParmeSan is a sanitizer-guided greybox fuzzer based on Angora. we present sanitizer-guided fuzzing, a new design point in this space that specifically optimizes for bug coverage. For this purpose, we make the key observation that while the instrumentation performed by existing software sanitizers are regularly used for detecting fuzzer-induced error conditions, they can further serve as a generic and effective mechanism to identify interesting basic blocks for guiding fuzzers. We present the design and implementation of ParmeSan, a new sanitizer-guided fuzzer that builds on this observation. We show that ParmeSan greatly reduces the TTE of real-world bugs, and finds bugs 37% faster than existing state-of-the-art coverage-based fuzzers (Angora) and 288% faster than directed fuzzers (AFLGo), while still covering the same set of bugs. ParmeSan: Sanitizer-guided Greybox Fuzzing

  • Weizz-Fuzzer by Andrea Fioraldi

    • Fuzzing technologies have evolved at a fast pace in recent years, revealing bugs in programs with ever increasing depth and speed. Applications working with complex formats are however more difficult to take on, as inputs need to meet certain format-specific characteristics to get through the initial parsing stage and reach deeper behaviors of the program. Unlike prior proposals based on manually written format specifications, we propose a technique to automatically generate and mutate inputs for unknown chunk-based binary formats. We identify dependencies between input bytes and comparison instructions, and use them to assign tags that characterize the processing logic of the program. Tags become the building block for structure-aware mutations involving chunks and fields of the input. Our technique can perform comparably to structure-aware fuzzing proposals that require human assistance. Our prototype implementation Weizz revealed 16 unknown bugs in widely used programs. WEIZZ: Automatic Grey-Box Fuzzing for Structured Binary Formats Slides-ISSTA-2020

  • MOpt-AFL by puppet-meteor

    • MOpt-AFL is a AFL-based fuzzer that utilizes a customized Particle Swarm Optimization (PSO) algorithm to find the optimal selection probability distribution of operators with respect to fuzzing effectiveness. More details can be found in the technical report. The installation of MOpt-AFL is the same as AFL's. MOpt: Optimized Mutation Scheduling for Fuzzers

  • Kirenenko by Chengyu Song from University of California, Riverside

    • Super Fast Concolic Execution Engine based on Source Code Taint Tracing

  • UAFuzz by @strongcourage

    • Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities, built on top of AFL-QEMU.

  • Intriguer by Seclab@Yonsei University

    • Hybrid fuzzing, which combines fuzzing and concolic execution, is promising in light of the recent performance improvements in concolic engines. We have observed that there is room for further improvement: symbolic emulation is still slow, unnecessary constraints dominate solving time, resources are overly allocated, and hard-to-trigger bugs are missed. To address these problems, we present a new hybrid fuzzer named Intriguer. The key idea of Intriguer is field-level constraint solving, which optimizes symbolic execution with field-level knowledge. Intriguer performs instruction-level taint analysis and records execution traces without data transfer instructions like mov. Intriguer then reduces the execution traces for tainted instructions that accessed a wide range of input bytes, and infers input fields to build field transition trees. With these optimizations, Intriguer can efficiently perform symbolic emulation for more relevant instructions and invoke a solver for complicated constraints only. Our evaluation results indicate that Intriguer outperforms the state-of-the-art fuzzers: Intriguer found all the bugs in the LAVAM(5h) benchmark dataset for ground truth performance, and also discovered 43 new security bugs in seven real-world programs. We reported the bugs and received 23 new CVEs. Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing

  • TinyAFL by linhlhq

    • TinyAFL is built on top of AFL and TinyInst. It can be fuzz on windows user-mode application without source (supports both x32 and x64) but it is not so reliable and dirty.

  • Haze by Richard Johnson

    • Haze is a binary fuzzer. This is a fuzzer for Windows based on TinyInst Current version is a modification of litecov to perform fuzzing Fuzzer currently sorts input dir by smalles size and for each input if new coverage is found, it is added to the working queue Queue contents can be added to dynamically.

  • DeepFuzzer by Ljiee

    • In this paper, we present DeepFuzzer, an enhanced greybox fuzzer with qualified seed generation, balanced seed selection, and hybrid seed mutation. First, we use symbolic execution in a lightweight approach to generate qualified initial seeds which then guide the fuzzer through complex checks. Second, we apply a statistical seed selection algorithm to balance the mutation frequency between different seeds. Further, we develop a hybrid mutation strategy. The random and restricted mutation strategies are combined to maintain a dynamic balance between global exploration and deep search . DeepFuzzer: Accelerated Deep Greybox Fuzzing

  • MEUZZ by RiS3 Lab Of Northeastern University

    • Seed scheduling is a prominent factor in determining the yields of hybrid fuzzing. Existing hybrid fuzzers schedule seeds based on fixed heuristics that aim to predict input utilities. However, such heuristics are not generalizable as there exists no one-size-fits-all rule applicable to different programs. They may work well on the programs from which they were derived, but not others. To overcome this problem, we design a Machine learning-Enhanced hybrid fUZZing system (MEUZZ), which employs supervised machine learning for adaptive and generalizable seed scheduling. MEUZZ determines which new seeds are expected to produce better fuzzing yields based on the knowledge learned from past seed scheduling decisions made on the same or similar programs. MEUZZ's learning is based on a series of features extracted via code reachability and dynamic analysis, which incurs negligible runtime overhead (in microseconds). Moreover, MEUZZ automatically infers the data labels by evaluating the fuzzing performance of each selected seed. MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing

  • winafl-powermopt by Hardik Shah

    • winafl with mopt mutators and afl fast power schedulers

Tutorials

awesome-afl's People

Contributors

boltomli avatar eqv avatar microsvuln avatar rootup avatar strongcourage avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.