Fuzzing: Difference between revisions

Fuzzing (or fuzz testing) is an automated software testing technique that feeds invalid, unexpected, or random data as inputs to a program and monitors for crashes, hangs, failed assertions, memory leaks, or other undesirable behavior. If, for example, a program expects the user to provide an integer, and you provide 10 MB of raw binary data instead, what happens to the program?

Fuzzing is an excellent way to discover bugs, trigger exceptions, find crashes, and uncover security vulnerabilities. It is widely used by both security researchers and software developers as part of a defense-in-depth strategy.

How Fuzzing Works

Modern fuzzers typically follow a feedback loop:

1. Input generation — The fuzzer generates or mutates test inputs, either from scratch (generation-based) or by modifying a seed corpus (mutation-based).
2. Execution — The target program is run with the generated input.
3. Instrumentation/Feedback — The fuzzer observes what code paths were exercised, typically via compile-time instrumentation (e.g., LLVM sanitizer coverage), binary instrumentation (e.g., QEMU, DynamoRIO, FRIDA), or hardware-assisted tracing (e.g., Intel PT).
4. Corpus management — Inputs that trigger new code coverage are saved and used as the basis for further mutations. Inputs that do not improve coverage are discarded.
5. Crash triage — When a crash or hang is detected, the fuzzer saves the crashing input for later analysis, often with deduplication to avoid storing duplicate crashes.

Key components of a fuzzing pipeline include:

• Instrumentation — Code inserted at compile time or runtime to track edge coverage, basic blocks, or comparisons.
• Sanitizers — Tools like AddressSanitizer (ASan), UndefinedBehaviorSanitizer (UBSan), and MemorySanitizer (MSan) that catch memory errors at runtime.
• Corpus minimization — Reducing the set of interesting inputs to the smallest set that achieves the same code coverage.
• Crash deduplication — Grouping crashes by root cause (e.g., by stack hash) so each unique bug is reported once.

Types of Fuzzing

Fuzzers can be categorized along several axes:

By Input Generation Strategy

• Mutation-based fuzzing — Starts with valid seed inputs and applies random mutations (bit flips, byte flips, arithmetic operations, dictionary-based substitutions, splicing). Fast and easy to set up. Examples: AFL, AFL++, honggfuzz, Radamsa, zzuf.
• Generation-based fuzzing — Generates inputs from scratch based on a grammar, protocol specification, or file format definition. Produces structurally valid inputs that reach deeper code paths. Examples: Domato, Peach Fuzzer, boofuzz, Fuzzilli.
• Grammar-aware fuzzing — Uses a formal grammar (e.g., ANTLR, context-free grammar) to generate or mutate inputs that respect the target's syntax. Examples: Grammarinator, Domato.

By Feedback Mechanism

• Dumb fuzzing — No feedback; generates random inputs blindly. Simple but shallow. Examples: zzuf, Radamsa (standalone).
• Coverage-guided fuzzing (greybox) — Uses code coverage as a fitness function to guide mutations. Examples: AFL, AFL++, libFuzzer, honggfuzz.
• Directed fuzzing (whitebox) — Targets specific code locations (e.g., a patch or a suspected buggy function). Examples: AFLGo, directed libFuzzer.

By Target Type

• File format fuzzers — Fuzz parsers for formats like PDF, PNG, JSON, XML, etc. Examples: AFL, Binspector.
• Network protocol fuzzers — Fuzz network services by sending malformed packets. Examples: boofuzz, Mutiny, Fuzzotron, AFLNet.
• Kernel fuzzers — Fuzz operating system kernels via syscall sequences. Example: syzkaller.
• Browser/DOM fuzzers — Fuzz browser rendering engines and JavaScript runtimes. Examples: Domato, Fuzzilli, FreeDom.
• API fuzzers — Fuzz function or library APIs. Examples: libFuzzer, DeepState.
• Smart contract fuzzers — Fuzz blockchain smart contracts. Example: Echidna.

Tools

AFL++ (AFLplusplus)

• Website: https://aflplus.plus/
• GitHub: https://github.com/AFLplusplus/AFLplusplus

AFL++ is the community-maintained fork and successor to the original American Fuzzy Lop (AFL). It incorporates years of fuzzing research and improvements, making it one of the most widely used fuzzers today.

Key features:

• Multiple instrumentation backends: LLVM (clang), GCC plugin, QEMU user-mode, Unicorn (emulation), and FRIDA (dynamic binary instrumentation).
• Custom mutators: Supports pluggable custom mutation engines via a C API or Python (libprotobuf-mutator, custom mutators).
• Power schedules: Multiple seed scheduling strategies — explore, fast, coe, lin, quad, exploit, rare.
• MOpt mutators: Machine-learning-optimized mutation operators.
• RedQueen and laf-intel: Comparison splitting to overcome magic-byte and checksum barriers.
• Collision-free coverage: Improved edge coverage tracking with no hash collisions.
• CmpLog: Comparison logging for solving multi-byte comparisons.
• Sanitizer integration: Works with ASan, UBSan, MSan, TSan.

Supports Linux, macOS, Android, and (via QEMU/FRIDA) binary-only targets on various platforms.

American Fuzzy Lop (AFL) — Legacy

• Website: https://lcamtuf.coredump.cx/afl/
• Readme: https://lcamtuf.coredump.cx/afl/README.txt
• Quickstart: https://afl-1.readthedocs.io/en/latest/quick_start.html

The original AFL by Michał Zalewski (lcamtuf) is a pioneering coverage-guided fuzzer that employs compile-time instrumentation and genetic algorithms. It can automatically discover clean, interesting test cases that trigger internal state changes in the target binary. AFL is designed to be practical, with modest overhead and a variety of highly effective fuzzing strategies. It requires minimal configuration.

Note: AFL is no longer actively maintained. Users should prefer AFL++ for new projects. The original AFL is retained here for historical reference.

Instructions for installing: https://afl-1.readthedocs.io/en/latest/INSTALL.html Guide to instrumenting programs: https://afl-1.readthedocs.io/en/latest/instrumenting.html Guide to fuzzing: https://afl-1.readthedocs.io/en/latest/fuzzing.html

libFuzzer

• Website: https://llvm.org/docs/LibFuzzer.html

libFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine that ships with LLVM. It is linked directly into the target (a "fuzz target" function) and mutates inputs in memory, avoiding the overhead of process creation for each test case.

Key features:

• In-process fuzzing: Extremely fast — millions of executions per second.
• Sanitizer integration: Tightly integrated with ASan, UBSan, MSan, TSan.
• Corpus management: Automatic corpus minimization and merging.
• LibFuzzer + AFL: Can run in a libFuzzer-AFL hybrid mode.
• Fuzzbench support: Regularly evaluated in Google FuzzBench.

Typically used via LLVM's -fsanitize=fuzzer flag. Commonly paired with sanitizers via -fsanitize=fuzzer,address,undefined.

honggfuzz

• Website: https://honggfuzz.dev/
• GitHub: https://github.com/google/honggfuzz

A security-oriented, feedback-driven evolutionary fuzzer. Features:

• Multi-process and multi-threaded.
• Supports multiple feedback-driven fuzzing modes (code coverage via hardware counters, Intel BTS, Intel PT, and sanitizer coverage).
• Low-level interfaces for process monitoring.
• Works on Linux, FreeBSD, macOS, and Android.
• Can expand and improve a seed corpus over time.
• Supports both persistent (in-process) and fork-server execution modes.

Docker environments: https://github.com/skysider/honggfuzz_docker_apps

OSS-Fuzz

• Website: https://google.github.io/oss-fuzz/
• GitHub: https://github.com/google/oss-fuzz

OSS-Fuzz is Google's continuous fuzzing service for open-source software. It integrates with ClusterFuzz to run fuzz targets at scale and report bugs directly to maintainers.

Key facts:

• Supports C, C++, Go, Python, Rust, Java, and other languages.
• Integrates with libFuzzer, AFL++, honggfuzz, and other engines.
• Has found tens of thousands of bugs across thousands of open-source projects.
• Automatic bug filing with a 90-day disclosure deadline.
• Free for any critical open-source project.

syzkaller

• GitHub: https://github.com/google/syzkaller

syzkaller is an unsupervised, coverage-guided kernel fuzzer developed by Google. It generates random sequences of syscalls and executes them inside virtual machines, monitoring for crashes, hangs, memory errors (via KASAN/KCSAN), and other anomalies.

Key features:

• Primarily targets the Linux kernel, with experimental support for other OS kernels (FreeBSD, NetBSD, OpenBSD, macOS, Windows).
• Uses KCOV (kernel coverage) for feedback.
• Supports declarative syscall descriptions (syzlang) that encode argument types, structures, and flags.
• Manages fleets of VMs for parallel fuzzing.
• Includes tools for crash reproduction (syz-repro) and bisection.
• Has found thousands of kernel bugs, including many exploitable vulnerabilities.

boofuzz

• Website: https://boofuzz.readthedocs.io/
• GitHub: https://github.com/jtpereyda/boofuzz

Boofuzz is a fork and the active successor to the Sulley fuzzing framework. It is a Python framework for network protocol fuzzing, providing:

• Protocol definition: Define message structures with fields, lengths, checksums, and block primitives.
• Session management: Graph-based protocol state tracking to fuzz complex multi-step protocols.
• Target monitoring: Process/network health monitoring to detect crashes.
• Extensibility: Pluggable monitors, callbacks, and serializers.

Boofuzz is the de facto standard for custom network protocol fuzzing in Python.

cargo-fuzz

• GitHub: https://github.com/rust-fuzz/cargo-fuzz
• Documentation: https://rust-fuzz.github.io/book/cargo-fuzz.html

cargo-fuzz is the standard tool for fuzz testing Rust code. It provides a cargo fuzz subcommand that invokes libFuzzer on Rust fuzz targets. Features:

• Seamless integration with Cargo build system.
• Leverages libFuzzer and LLVM sanitizers (ASan, UBSan).
• Supports corpus management, minimization, and coverage reporting.
• Cross-platform (Linux, macOS, Windows).

Jazzer

• GitHub: https://github.com/CodeIntelligenceTesting/jazzer

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform. Based on libFuzzer, it brings instrumentation-powered mutation features to Java and other JVM languages (Kotlin, Scala, etc.).

Key features:

• libFuzzer integration: Uses the same mutation engine as libFuzzer.
• Coverage instrumentation: Instrumented at the bytecode level via a Java agent.
• Sanitizer-like hooks: Detects issues like SQL injection, command injection, and insecure deserialization.
• OSS-Fuzz support: Integrated into Google's OSS-Fuzz for fuzzing Java projects.

Atheris

• GitHub: https://github.com/google/atheris
• PyPI: https://pypi.org/project/atheris/

Atheris is a coverage-guided fuzzer for Python, built on libFuzzer. It supports fuzzing both pure Python code and native CPython extensions.

Key features:

• pip-installable (pip install atheris).
• Coverage guidance for Python bytecode.
• Supports fuzzing native extensions with ASan/UBSan.
• Simple API: decorate a function with @atheris.instrument_func and call atheris.Fuzz().

Go Fuzzing (Native)

• Documentation: https://go.dev/doc/security/fuzz/

Starting with Go 1.18, Go includes built-in fuzzing support via go test -fuzz. Fuzz tests are written as functions following the FuzzXxx(*testing.F) naming convention and are run as part of the standard Go test suite.

Key features:

• Native integration: No external tools required.
• Coverage-guided: Uses Go's internal coverage instrumentation.
• Corpus management: Automatic corpus seeding from seed inputs.
• Minimization: Automatic test case minimization on crash.

For pre-1.18 users, the original go-fuzz by Dmitry Vyukov remains available.

Fuzzilli

• GitHub: https://github.com/googleprojectzero/fuzzilli

Fuzzilli is a coverage-guided fuzzer for JavaScript engines, developed by Google Project Zero. It uses an intermediate representation (FuzzIL) to mutate JavaScript programs in a semantics-aware manner.

Key features:

• Grammar-aware mutation: Operates on a structured IR, not raw text, enabling valid JS mutations.
• Coverage-guided: Uses engine instrumentation (e.g., V8, JavaScriptCore, SpiderMonkey) to guide mutations.
• Multi-engine support: Targets V8, JavaScriptCore, SpiderMonkey, and other JS runtimes.
• Has found hundreds of vulnerabilities in major JavaScript engines.

Domato

• GitHub: https://github.com/googleprojectzero/domato

Domato is a DOM fuzzer by Google Project Zero. It is a grammar-based generator that uses a context-free grammar description to generate valid HTML, CSS, and JavaScript inputs that exercise browser DOM engines.

Key features:

• Generative: Generates samples from scratch using grammars.
• Grammar format: Simple, human-readable grammar definition language.
• Template system: Supports parameterized templates for generating structured layouts.
• Has been used to find numerous bugs in Chrome, Firefox, Safari, and Edge.

A descendant project, FreeDom, adds coverage guidance.

WinAFL

• GitHub: https://github.com/googleprojectzero/winafl

WinAFL is a fork of AFL adapted for fuzzing Windows binaries. It uses DynamoRIO (dynamic binary instrumentation) for coverage feedback, enabling fuzzing of closed-source Windows applications.

Key features:

• DynamoRIO instrumentation: Collects edge coverage from black-box binaries.
• Persistent mode: Loop-based persistent fuzzing for Windows targets.
• DLL fuzzing: Can fuzz specific functions within DLLs.
• Works with both 32-bit and 64-bit Windows binaries.

Note: AFL++ now supports Windows fuzzing via its own DynamoRIO and FRIDA backends, which are generally preferred for new work.

Centipede

• GitHub: https://github.com/google/fuzztest (merged into FuzzTest)

Centipede is a distributed fuzzing engine developed by Google, now merged into the FuzzTest framework. It is designed for large-scale, server-side fuzzing with features for:

• Distributed fuzzing: Sharding across many machines; each shard maintains its own corpus.
• Customizable mutators: Pluggable mutation engines.
• Corpus distillation: Efficiently prunes and merges corpora from distributed shards.
• Continuous operation: Designed for 24/7 fuzzing campaigns.

OneFuzz

• GitHub: https://github.com/microsoft/onefuzz

OneFuzz is Microsoft's self-hosted fuzzing-as-a-service platform. It replaces Microsoft's older Security Risk Detection service and is open-source under the MIT license.

Key features:

• Multi-platform: Fuzz on Windows and Linux.
• Composable workflows: Define custom fuzzing pipelines.
• Built-in ensemble fuzzing: Run multiple fuzzers on the same target simultaneously.
• Programmatic triage: Automatic crash deduplication and analysis.
• Crash notification: Callbacks to Azure DevOps, Microsoft Teams, and custom webhooks.
• On-demand live debugging: Debug crashing inputs in place.
• Custom hypervisor support: Fuzz with custom OS builds or nested hypervisors.

Binspector

• GitHub: https://github.com/binspector/binspector

Binspector is built around the idea of exposing the guts of binary formats and files. It uses Binary File Format Templates (BFFTs) — formalized descriptions of binary formats — to:

• Verify a binary meets format requirements.
• Analyze and interpret raw data in binary files.
• Inspect binary values with context.
• Intelligently fuzz binaries at potential weak points and auto-generate files containing attack vectors.

Build system uses CMake.

Cluster-Related Tools

CloudFuzzer

• GitHub: https://github.com/ouspg/cloudfuzzer

CloudFuzzer is a framework for running a fuzzing cluster in the cloud. FuzzVM instances consist of one swarm master and N swarm nodes. A bastion instance works as an SSH gateway between the outside world and the fuzzing cluster, and is used to deliver Docker images and store fuzzing results.

ClusterFuzz

• Website: https://google.github.io/clusterfuzz/
• GitHub: https://github.com/google/clusterfuzz

ClusterFuzz is a scalable fuzzing infrastructure framework used by Google to fuzz the Chrome browser and as the backend for OSS-Fuzz. It manages pools of fuzzers, automatically triages crashes, and files bugs.

Nightmare

• GitHub: https://github.com/joxeankoret/nightmare

Nightmare is a distributed fuzzing testing suite with web administration. It supports network fuzzing and was originally created for LaCon 2013, then enhanced for SYSCAN 2014. It is actively maintained.

DeepState

• GitHub: https://github.com/trailofbits/deepstate

DeepState provides a unit test-like interface for fuzzing and symbolic execution. It allows you to write test harnesses that can be run as either a fuzzer (backed by libFuzzer, AFL, or honggfuzz) or a symbolic execution engine (backed by Manticore or angr), from the same source code.

FuzzBench

• Website: https://google.github.io/fuzzbench/
• GitHub: https://github.com/google/FuzzBench

FuzzBench is a free service from Google that evaluates fuzzers against real-world benchmarks. It provides:

• Standardized benchmarking across many fuzzers.
• 24-hour fuzzing trials with statistically rigorous comparisons.
• Coverage and bug-finding metrics.
• A public leaderboard comparing fuzzer performance.

This makes it easier to rigorously evaluate fuzzing research and promotes reproducible fuzzing experiments.

Fuzzotron

• GitHub: https://github.com/denandz/fuzzotron

A TCP/UDP based network daemon fuzzer. Uses Radamsa and Blab for test case generation. Supports multi-threaded fuzzing.

Mutiny

• GitHub: https://github.com/Cisco-Talos/mutiny-fuzzer

Mutiny is a network fuzzer from Cisco Talos that operates by replaying PCAPs through a mutational fuzzer. The goal is to begin network fuzzing as quickly as possible, at the expense of being thorough. It takes a sample of legitimate traffic (e.g., a browser request), feeds it into a prep script to generate a .fuzzer file, then uses Radamsa to perform mutations.

Peach Fuzzer (Legacy)

• GitLab: https://gitlab.com/peachtech/peach-fuzzer-community

Peach Fuzzer is a cross-platform fuzzer capable of both smart (generation-based) and dumb (mutation-based) fuzzing. It includes a robust monitoring system and is adaptable to fuzz any form of data consumer — commonly used for file formats, network protocols, and APIs.

Note: Peach Fuzzer Community Edition is no longer maintained (last release in 2014). The project has been succeeded by Protocol Fuzzer.

Protocol Fuzzer

• GitLab: https://gitlab.com/gitlab-org/security-products/protocol-fuzzer-ce

This is the community edition of GitLab's protocol fuzzing framework, based on Peach Fuzzer Professional with some features removed. It has limited documentation and no pre-built binaries.

Radamsa

• GitLab: https://gitlab.com/akihe/radamsa

Radamsa reads sample files of valid data and generates "interestingly different outputs" from them. It is easily scriptable, quick to set up, and used as a test-case generator by other fuzzing tools like Fuzzotron and Mutiny.

Rmadair

• Website: https://rmadair.github.io/fuzzer/
• GitHub: https://github.com/rmadair/fuzzer

A file fuzzer that uses mutation fuzzing and pydbg to monitor for signals of interest. Client-server architecture allows running multiple clients on a single box:

1. Client connects to server, gets copy of input file, possible mutations, and path to executable.
2. Client enters loop, asks server for next mutation; server responds with offset into file and mutation index.
3. Client creates mutated file, executes with pydbg.
4. If crash occurs, client sends crash info to server; server creates a local copy of the file.

Zzuf

• Website: http://caca.zoy.org/wiki/zzuf
• GitHub: https://github.com/samhocevar/zzuf
• Tutorial: https://fuzzing-project.org/tutorial1.html

Zzuf is an application fuzzer implemented in C. It works by intercepting file operations and changing random bits in the program's input. Zzuf behavior is deterministic, so bugs are easily reproduced.

Resources

• Google Fuzzing Documentation: https://github.com/google/fuzzing/tree/master/docs
• Awesome Fuzzing (curated list): https://github.com/secfigo/Awesome-Fuzzing
• Extensive fuzzing resources: https://github.com/alphaSeclab/fuzzing-stuff/blob/master/Readme_en.md
• Fuzzing in Depth (AFL++): https://aflplus.plus/docs/fuzzing_in_depth/
• Rust Fuzz Book: https://rust-fuzz.github.io/book/
• OSS-Fuzz Documentation: https://google.github.io/oss-fuzz/
• Fuzzing Project (Linux/open-source): https://fuzzing-project.org/

Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack. Metasploitable Databases: Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres Metasploitable Networking: Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing /etc/shadow File: Metasploitable/John Shadow File Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind Metasploitable Services: distcc: Metasploitable/distcc Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...) Fuzzing  · American Fuzzy Lop Category:Security  · Category:Metasploit  · Category:Metasploitable  · Category:Kali Flags  · Template:MetasploitableRedTeamFlag  · e

Kali Linux "The quieter you become, the more you are able to hear." Penetration testing Linux distribution. Kali  · Category:Kali Kali/Wireless Reboot Kali Software: Kali Tools Kali Top 10 Aircrack  · Wireshark  · John the Ripper  · Nmap  · Metasploit Framework Dsniff  · Tcpdump  · Hydra  · Sqlmap  · Burpsuite  · Commix Dirbuster  · Valgrind Attack Workflow: Kali/Workflow 1 Physical Attacks: Kali/Layer 1 Attacks 2 Data/MAC Attacks: Kali/Layer 2 Attacks 3 Network Attacks: Kali/Layer 3 Attacks 4 Transport Attacks: Kali/Layer 4 Attacks 5 Session Attacks: Kali/Layer 5 Attacks 6 Presentation Attacks: Kali/Layer 6 Attacks 7 Application Attacks: Kali/Layer 7 Attacks Red Team Blue Team Metasploitable - Red Team Metasploitable - Blue Team Networking: Kali/Hotspot  · Kali/OpenVPN  · Kali/OpenVPN/Hotspot  · Kali/OpenVPN/PIA Kali/IPv6 Booting: Kali/Dual Boot OS X  · Kali/Live USB  · Kali/Persistent USB Installing: Kali/Installing  · Kali/Post Install  · Kali/Fixes Kali on Raspberry Pi: Kali Raspberry Pi  · Kali Raspberry Pi/Installing  · Kali Raspberry Pi/Headless  · Kali Raspberry Pi/Post-Install Category:Security  · Category:Wireless  · Category:Passwords  · Category:Man in the Middle  · Category:Evil Twin Flags  · Template:KaliFlag  · e