Nytro Posted May 9, 2020

Awesome-AFL

Welcome to Awesome AFL

A curated list of different AFL forks and AFL-inspired fuzzers, with the equivalent academic papers and AFL-fuzzing tutorials.

Projects

- AFL by Michal Zalewski: Original & first versions of the AFL fuzzer. American fuzzy lop is a free security-oriented fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. So far it has helped in the detection of significant software bugs in dozens of major free software projects, including X.Org Server, PHP, OpenSSL, pngcrush, bash, Firefox, BIND, Qt, and SQLite.
- AFL++ by van Hauser: afl++ is afl 2.56b with community patches, AFLfast power schedules, qemu 3.1 upgrade + laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode and a lot more!
- WinAFL by Ivan Fratric: A fork of AFL for fuzzing Windows binaries.
- afl-dyninst by Cisco Talos Lab: American Fuzzy Lop + Dyninst == AFL fuzzing blackbox binaries.
- TriforceAFL by Jesse Hertz and Tim Newsham of nccgroup: This is a patched version of AFL that supports full-system fuzzing using QEMU. The included QEMU has been updated to allow tracing of branches when running a system emulator for x86_64. Extra instructions have been added to start AFL's forkserver, make fuzz settings, and mark the start and stop of test cases.
- AFL-abiondo by Abiondo: Improved version of AFL QEMU mode (https://abiondo.me/2018/09/21/improving-afl-qemu-mode/)
- aflsmart, maintained by Thuan Pham: Smart Greybox Fuzzing (https://thuanpv.github.io/publications/TSE19_aflsmart.pdf)
- aflfast by Marcel Böhme: Coverage-based Greybox Fuzzing as Markov Chain (https://mboehme.github.io/paper/CCS16.pdf)
- WineAFLplusplusDEMO by Andrea Fioraldi: A set of helpers and examples to fuzz Win32 binaries with AFL++ QEMU.
- afl-sensitive by Heng Yin: Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing (https://www.cs.ucr.edu/~heng/pubs/afl-sensitive.pdf)
- Redqueen by the Syssec lab of Ruhr University, Germany: REDQUEEN: Fuzzing with Input-to-State Correspondence (http://synthesis.to/papers/NDSS19-Redqueen.pdf)
- afl-pin by van Hauser: Run AFL with pintool.
- Driller by the Shellphish team of the University of Santa Barbara: Augmenting AFL with symbolic execution; a powerful symbolic execution engine aimed at hybrid fuzzing.
- AngoraFuzzer: Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution. Angora: Efficient Fuzzing by Principled Search (https://arxiv.org/abs/1803.01307)
- VUzzer by the Systems and Network Security Group at VU Amsterdam: VUzzer: Application-aware Evolutionary Fuzzing (https://www.cs.vu.nl/~giuffrida/papers/vuzzer-ndss-2017.pdf)
- Manul by Maksim Shudrak: Manul is a coverage-guided parallel fuzzer for open-source and blackbox binaries on Windows, Linux and MacOS (https://www.slideshare.net/MaximShudrak/shudrak-zero-bugs-found-hold-my-beer-afl-how-to-improve-coverageguided-fuzzing-and-find-new-zerodays-in-tough-targets)
- QSym by SSLab of Georgia Tech University: QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing.
- netafl by gavz: winAFL patch to enable network-based apps fuzzing.
- Unicorefuzz by The Computer Security Group at Berlin University of Technology: Fuzzing the kernel using AFL Unicorn. For details, skim through the WOOT paper or watch this talk at CCCamp19 (https://www.usenix.org/system/files/woot19-paper_maier.pdf)
- SharpFuzz: AFL-based fuzz testing for .NET by Nemanja Mijailovic: SharpFuzz is a tool that brings the power of afl-fuzz to the .NET platform (https://mijailovic.net/2019/01/03/sharpfuzz/)
- Nautilus 2.0 - a grammar-based feedback fuzzer by the Syssec lab of Ruhr University, Germany: https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Nautilus.pdf
- frida-js-afl-instr by Andrea Fioraldi
- UnTracer-AFL by Stefan Nagy (snagy2@vt.edu) and Matthew Hicks (mdhicks2@vt.edu): Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing.
- kleefl by julieeen: Seeding fuzzers with symbolic execution.
- AFLGo, maintained by @mboehme, @thuanpv, and @strongcourage: AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations (https://mboehme.github.io/paper/CCS17.pdf)
- afl-dyninst, maintained by van Hauser: American Fuzzy Lop + Dyninst == AFL fuzzing blackbox binaries.
- afl-dynamorio, maintained by van Hauser: Run AFL with dynamorio - binary-only fuzzing with dynamorio and afl.
- FairFuzz, maintained by Caroline Lemieux of UC-Berkeley: An AFL extension to increase code coverage by targeting rare branches. FairFuzz has a particular advantage on programs with highly nested structure (packet analyzers, xmllint, programs compiled with laf-intel, etc.) (http://www.carolemieux.com/fairfuzz-ase18.pdf)
- Superion, maintained by zhunki: Superion is a fuzzer which extends the famous AFL to support structured inputs such as JavaScript and XML (https://2019.icse-conferences.org/track/icse-2019-Technical-Papers#event-overview)
- UnTracer-AFL, maintained by FoRTE-Research: An AFL implementation with UnTracer (our coverage-guided tracer).
- neuzz, maintained by Dongdongshe: Neural network assisted fuzzer (https://arxiv.org/abs/1807.05620)
- FuzzFactory, maintained by Rohan Padhye: FuzzFactory is an extension of AFL that generalizes coverage-guided fuzzing to domain-specific testing goals. FuzzFactory allows users to guide the fuzzer's search process without having to modify anything in AFL's search algorithm (https://dl.acm.org/doi/10.1145/3360600)
- kAFL, maintained by RUB-SysSec: Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, MacOS and Windows (https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf)
- AFLNet, maintained by Thuan Pham: AFLNet: A Greybox Fuzzer for Network Protocols (https://thuanpv.github.io/publications/AFLNet_ICST20.pdf)
- Grimoire, maintained by Tim Blazytko: Grimoire: Synthesizing Structure while Fuzzing - Grimoire is a coverage-guided fuzzer for structured input languages. It is built upon Redqueen (https://www.usenix.org/system/files/sec19-blazytko.pdf)
- JQF, maintained by Rohan Padhye of UC-Berkeley: JQF is a feedback-directed fuzz testing platform for Java, which uses the abstraction of property-based testing. JQF is built on top of junit-quickcheck: a tool for generating random arguments for parametric JUnit test methods. JQF enables better input generation using coverage-guided fuzzing algorithms such as Zest (https://cs.berkeley.edu/~rohanpadhye/files/zest-issta19.pdf)
- PerfFuzz, maintained by Caroline Lemieux of UC-Berkeley: PerfFuzz: Automatically Generate Pathological Inputs for C/C++ programs. Performance problems in software can arise unexpectedly when programs are provided with inputs that exhibit pathological behavior. But how can we find these inputs in the first place? PerfFuzz can generate such inputs automatically: given a program and at least one seed input, PerfFuzz automatically generates inputs that exercise pathological behavior across program locations, without any domain knowledge. PerfFuzz uses multi-dimensional performance feedback and independently maximizes execution counts for all program locations. This enables PerfFuzz to find a variety of inputs that exercise distinct hot spots in a program (http://www.carolemieux.com/perffuzz-issta2018.pdf)
- Ankou, maintained by Valentin Manès aka Jilyac: Ankou is a source-based grey-box fuzzer. It intends to use a richer fitness function by going beyond simple branch coverage and considering the combination of branches during program execution. The details of the technique can be found in our paper "Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference", which is published in ICSE 2020 (https://www.jiliac.com/files/ankou-icse2020.pdf)

Tutorials

- AFL-Workshop: Materials of the "Fuzzing with AFL" workshop by Michael Macnair (@michael_macnair)
- Fuzzing with AFL is an Art: An awesome AFL coverage improvement idea by Brendan Dolan-Gavitt aka moyix of the Computer Science and Engineering Department at NYU-Poly
- Software Exploit Development – Fuzzing with AFL
- Basic usage of American Fuzzy Lop with real world examples
- Advanced usage of American Fuzzy Lop with real world examples
- Advanced AFL usage with real-world examples -- preeny and dictionaries
- Advanced AFL usage with real-world examples -- Persistent mode
- More advanced usage of AFL with real world examples -- Fuzzing libraries
- Fuzzing – how to find bugs automagically using AFL
- Effective AFL Fuzzing 1: Better Harness
- AFL / WinAFL Tips and Tricks
- Hunting For Bugs With AFL 101 - A PRIMER
- Fuzzing capstone using AFL persistent mode
- afl-unicorn: Fuzzing Arbitrary Binary Code
- INTRO TO AMERICAN FUZZY LOP – FUZZING WITH ASAN AND BEYOND
- Guided Fuzzing with Driller
- Super Awesome Fuzzing, Part One
- INTRO TO AMERICAN FUZZY LOP – FUZZING IN 5 STEPS
- How to Use Fuzzing in Security Research
- Investigating Windows Graphics Vulnerabilities: A Reverse Engineering and Fuzzing Story
- Fuzzing arbitrary functions in ELF binaries
- Filesystem Fuzzing with American Fuzzy Lop
- Fuzzing workflows; a fuzz job from start to finish
- Finding pearls; fuzzing ClamAV
- Tutorial: Fuzzing GIMP
- Fuzzing projects with american fuzzy lop (AFL)
- Fuzzing with AFL
- Starting fuzz with AFL
- Fuzzing 101: The prime focus of this workshop would be around the following areas: input-based fuzzing (AFL), finding memory bugs using ASAN with AFL integration, protocol fuzzing (HTTP, FTP, SMTP). Then we concluded the workshop by showcasing multiple bugs found during their research.

Source: https://github.com/Microsvuln/Awesome-AFL