
0xricksanchez/AFL_Runner


AFL Runner


AFL_Runner is a modern CLI tool designed to streamline running efficient multi-core AFLPlusPlus campaigns. The default configuration is based on the section "Using multiple cores" of the official documentation.

Getting Started 🚀

Currently, this tool should work on all *NIX-flavored operating systems.

Prerequisites

Installation

You can compile AFL_Runner yourself...:

git clone https://github.com/0xricksanchez/AFL_Runner.git
cd AFL_Runner
cargo build --release
./target/release/aflr --help

...or install directly via crates.io:

cargo install afl_runner
aflr --help

Features ✨

AFL_Runner allows you to set the most necessary AFLplusplus flags and mimics the AFLplusplus syntax for these options:

  • Supported AFLplusplus flags:

    • Corpus directory
    • Output directory
    • Dictionary file
    • Custom afl-fuzz binary path for all instances
    • Supply arguments to the target binary (including @@)
    • Number of runner commands to generate
    • Support for *SAN, CMPLOG, CMPCOV binaries
  • Other features:

    • Tmux or screen option to automatically create an appropriate layout for all runners
    • TUI
    • Provide a configuration file via --config to make sharing/storing per-project configurations easier
      • Automatically read a configuration named aflr_cfg.toml in the CWD when no --config was supplied

Note: Arguments supplied on the command line take precedence over any configuration file options.

What it is not ❌

AFL_Runner aims to be a plug & play solution for when you're at the stage of a fuzzing campaign where all that is left is running a multi-core setup. So, this tool is not (yet) a helper for:

  • Compiling a target in multiple flavors
  • Preparing a good initial seed corpus
  • Providing a decent dictionary to boost code-coverage
  • Debugging a fuzzing campaign

Roadmap 🗺️

  • Add remote option 🌐
  • Native integration for statsd
  • Add more configuration options
    • Add more sensible defaults for other options
  • Allow AFLPlusPlus forks to be used on some amount of runners

Usage Example 💡

Here's an example of generating AFL++ commands with AFL_Runner:

(Screenshot: AFL_Runner_cmd_gen)

Note: Supplying the *SAN, CMPLOG, or CMPCOV binaries is optional; if they are omitted, all invocations just contain the (mandatory) instrumented target instead.
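To make the generated command set concrete without the screenshot, here is an added POSIX shell illustration (not AFL_Runner's own code) that emits the kind of afl-fuzz invocations a multi-core campaign needs, following the AFL++ "Using multiple cores" layout: one main instance (-M) plus secondaries (-S), an optional dictionary (-x), a CMPLOG binary handed to some secondaries via -c, and an ASan build run by one secondary. The assignment pattern (ASan on the first secondary, CMPLOG on even-numbered ones) is an assumption chosen for the example, not a rule the tool documents; the file names are placeholders.

```shell
#!/bin/sh
# Added illustration, not AFL_Runner's own code: print the afl-fuzz command
# lines for a multi-core campaign.
#
# gen_afl_cmds CORPUS OUTDIR TARGET COUNT [DICT] [CMPLOG_BIN] [ASAN_BIN]
#   CORPUS      seed corpus directory (-i)
#   OUTDIR      shared output directory (-o)
#   TARGET      plain AFL++-instrumented binary
#   COUNT       number of instances (1 main + COUNT-1 secondaries)
#   DICT        optional dictionary (-x)
#   CMPLOG_BIN  optional CMPLOG build, passed with -c to even secondaries
#   ASAN_BIN    optional ASan build, run by the first secondary
gen_afl_cmds() {
    corpus=$1; outdir=$2; target=$3; count=$4
    dict=${5:-}; cmplog=${6:-}; asan=${7:-}
    i=0
    while [ "$i" -lt "$count" ]; do
        # instance 0 is the main (-M), every other one a secondary (-S)
        if [ "$i" -eq 0 ]; then
            mode="-M main"
        else
            mode="-S secondary$i"
        fi
        extra=""
        if [ -n "$dict" ]; then
            extra="$extra -x $dict"
        fi
        bin=$target
        # assumption for this example: CMPLOG on even secondaries, ASan on #1
        if [ -n "$cmplog" ] && [ "$i" -ne 0 ] && [ $((i % 2)) -eq 0 ]; then
            extra="$extra -c $cmplog"
        elif [ -n "$asan" ] && [ "$i" -eq 1 ]; then
            bin=$asan
        fi
        # @@ is replaced by afl-fuzz with the path of the current test case
        printf 'afl-fuzz -i %s -o %s %s%s -- %s @@\n' \
            "$corpus" "$outdir" "$mode" "$extra" "$bin"
        i=$((i + 1))
    done
}

# Stand-alone usage, e.g.:
#   sh gen_afl_cmds.sh ./corpus ./out ./target 8 dict.txt ./target_cmplog ./target_asan
if [ $# -gt 0 ]; then
    gen_afl_cmds "$@"
fi
```

Each printed line is one terminal pane's worth of work; with no CMPLOG or ASan binary supplied, every line simply runs the plain instrumented target, mirroring the note above.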

Showcase 🎥

AFL_Runner also includes a terminal user interface (TUI) for monitoring the fuzzing campaign progress. The following demo can be found in examples/ and can be built locally by running cargo make from the root directory of the project.

The example builds a recent version of libxml2 four times with different compile-time instrumentations:

  1. plain AFL++ instrumentation
  2. Address-Sanitizer (ASan)
  3. CMPCOV, and
  4. CMPLOG.

Afterwards, the necessary commands for 16 instances are generated, which are then executed in a dedicated TMUX session. Finally, a custom TUI offered by AFL_Runner tracks the progress of the fuzzing campaign in a centralized space:

(Screenshot: AFL_Runner demo)

Note: The TUI can be used as a full replacement for afl-whatsup by running afl_runner tui <afl_output_dir>!
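What afl-whatsup and the TUI do underneath is read the fuzzer_stats file that every afl-fuzz instance keeps in its own subdirectory of the output directory and roll the numbers up. The following added POSIX shell example (not AFL_Runner's own code) does a minimal version of that roll-up over a constructed sample output tree; the stats values are made up for the example, while the key names (execs_done, saved_crashes, saved_hangs, corpus_count) are the ones recent AFL++ writes in "key : value" form.

```shell
#!/bin/sh
# Added illustration, not AFL_Runner's own code: a tiny afl-whatsup-style
# summary over <afl_output_dir>/<instance>/fuzzer_stats files.

# stat_field FILE KEY -> value of the "KEY : value" line, or 0 when absent
stat_field() {
    awk -v key="$2" -F' *: *' \
        '$1 == key { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# summarize_campaign OUTDIR -> "instances execs_done saved_crashes saved_hangs"
summarize_campaign() {
    outdir=$1
    instances=0; execs=0; crashes=0; hangs=0
    for stats in "$outdir"/*/fuzzer_stats; do
        # skip the literal glob when the directory holds no instances yet
        [ -f "$stats" ] || continue
        instances=$((instances + 1))
        execs=$((execs + $(stat_field "$stats" execs_done)))
        crashes=$((crashes + $(stat_field "$stats" saved_crashes)))
        hangs=$((hangs + $(stat_field "$stats" saved_hangs)))
    done
    printf '%s %s %s %s\n' "$instances" "$execs" "$crashes" "$hangs"
}

# Constructed sample output tree (made-up numbers) so the example runs offline.
# Prints the path of the temporary directory it creates.
make_sample_outdir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/main" "$dir/secondary1" "$dir/secondary2"
    printf 'execs_done        : 1500000\nexecs_per_sec     : 2500.12\nsaved_crashes     : 2\nsaved_hangs       : 0\ncorpus_count      : 812\n' \
        > "$dir/main/fuzzer_stats"
    printf 'execs_done        : 1200000\nsaved_crashes     : 0\nsaved_hangs       : 1\n' \
        > "$dir/secondary1/fuzzer_stats"
    printf 'execs_done        : 900000\nsaved_crashes     : 1\nsaved_hangs       : 0\n' \
        > "$dir/secondary2/fuzzer_stats"
    printf '%s\n' "$dir"
}

# Stand-alone usage against a real campaign: sh whatsup_lite.sh /path/to/afl_out
if [ $# -gt 0 ]; then
    summarize_campaign "$1"
fi
```

Keys that an instance has not written yet (for example corpus_count in a freshly started secondary) count as 0 rather than breaking the arithmetic, which is the same tolerance a monitoring view needs while instances are still starting up.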

Contributing 🤝

Contributions are welcome! Please feel free to submit a pull request or open an issue for any bugs, feature requests, or improvements. Any other support is also more than welcome :).

License 📜

This project is licensed under the Apache License. See the LICENSE file for details.


