Announcing afl.rs 0.2 - bindings for American fuzzy lop


#1

required reading

Fuzz testing is a software testing technique used to find security and stability issues by providing pseudo-random data as input to software. American fuzzy lop is a popular, effective, and modern fuzz testing tool. afl.rs allows one to run AFL on code written in the Rust programming language.

okay so what’s this update

If you’ve tried using afl.rs before, you know the workflow wasn’t easy.

Over the past couple weekends, I rewrote the crate and redesigned the workflow, so hopefully it’ll be a lot easier to use. In particular, afl.rs

  • no longer requires unstable Rust features
  • works on all Rust channels (stable, beta, nightly)
  • no longer requires modifying crate dependencies; just write the fuzz target and all crate dependencies get instrumented
  • is Linux-only for now, but if this Rust bug gets fixed, it’ll also work on macOS
  • no longer requires Docker (unless you’re on macOS or Windows – see the last bullet point)

For a more technical understanding of the differences (and some of the history) see this rustc issue and this cargo-fuzz issue and this afl.rs PR.

What does the new workflow look like? Here’s a little (only two minutes!) screen recording I threw together showing the whole fuzzing process from start to finish (fuzzing rust-url):

asciicast

I wrote an (overly brief) written description/tutorial of this new workflow in the Rust Fuzz Book. So if you want to try afl.rs out, I recommend reading that section in the book and if you come across any issues in the docs (or if they’re confusing), go ahead and open an issue on that repo.

In the future, I’m looking to extend cargo-fuzz to support afl.rs so one can use multiple fuzzers (libfuzzer and AFL) with a single fuzz target.

As always, if you find any bugs in software while fuzzing, add the bug to our trophy case :trophy:

Happy fuzzing!


#2

If anyone is curious what kinds of bugs AFL uncovers with Rust code, I started fuzzing the regex crate three days ago and a few hours ago (patience pays off!) found a utf-8 char boundary indexing bug:
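To make the two posts above concrete, here is an added example (not code from afl.rs, the regex crate, or either poster) of what a fuzz target looks like and of the kind of defect the second post describes. `truncate_naive` is a hypothetical library routine that slices a `&str` at a byte offset and panics when that offset falls inside a multi-byte UTF-8 character; `truncate_safe` is the hardened form that backs up to a char boundary. `fuzz_one` is the body you would hand to the fuzzer: it takes arbitrary bytes, derives inputs from them, and exercises the code, so any panic is reported as a crash. The `main` that reads the input from stdin follows the classic AFL convention and is an assumption here; the afl.rs crate supplies its own entry-point helper for that.

```rust
// Added example, not part of the original thread or the afl.rs project.
use std::io::{self, Read};

/// Hypothetical routine under test: cap a string at `max_bytes` bytes.
/// Slicing at an arbitrary byte offset panics when that offset is not on a
/// UTF-8 char boundary (e.g. in the middle of a two-byte character).
pub fn truncate_naive(s: &str, max_bytes: usize) -> &str {
    if s.len() <= max_bytes {
        s
    } else {
        &s[..max_bytes]
    }
}

/// Hardened version: walk the cut point back to the nearest char boundary.
/// `is_char_boundary(0)` is always true, so the loop terminates.
pub fn truncate_safe(s: &str, max_bytes: usize) -> &str {
    if s.len() <= max_bytes {
        return s;
    }
    let mut end = max_bytes;
    while !s.is_char_boundary(end) {
        end -= 1;
    }
    &s[..end]
}

/// The fuzz target body. The fuzzer hands us arbitrary bytes; we interpret
/// the first byte as the truncation length and the rest as the candidate
/// string. Inputs that are not valid UTF-8 are simply ignored, which keeps
/// the fuzzer focused on the slicing logic rather than on `from_utf8`.
pub fn fuzz_one(data: &[u8]) {
    if let Some((&n, rest)) = data.split_first() {
        if let Ok(s) = std::str::from_utf8(rest) {
            let _ = truncate_safe(s, n as usize);
        }
    }
}

/// Runs the same harness against the naive routine and reports whether it
/// panicked. This is what a crash found by AFL looks like when reproduced.
pub fn naive_panics(data: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        if let Some((&n, rest)) = data.split_first() {
            if let Ok(s) = std::str::from_utf8(rest) {
                let _ = truncate_naive(s, n as usize);
            }
        }
    })
    .is_err()
}

/// Classic AFL convention (assumed here): one input per process, on stdin.
fn main() {
    let mut data = Vec::new();
    io::stdin().read_to_end(&mut data).expect("read stdin");
    fuzz_one(&data);
}
```

A constructed input of three bytes, `0x01 0xC3 0xA9` (length 1, then the two-byte encoding of `é`), is enough to make `truncate_naive` panic, while `truncate_safe` returns the empty string for the same input. That is the sort of case a coverage-guided fuzzer reaches on its own, given a seed corpus of ordinary ASCII strings.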


#3

afl has the snazzy display and libfuzzer has the speed… Do they differ in how they fuzz and how they modify their input; is afl for example better at finding some corner cases than libfuzzer?


#4

Regarding afl vs libfuzzer, I unfortunately don’t know too much of the specific differences. I’d be very interested to know though, especially regarding performance and fuzzing strategies. Both have found bugs for me, and both have slightly different communities/tooling built around them. I do love afl’s interface though :slight_smile:


#5

FYI, afl.rs now works on macOS! https://github.com/rust-fuzz/afl.rs/issues/118