path: root/docs/custom_mutator.md
blob: dff32c1df0b5ecc49be139c3e87ae35aab308244
# Adding custom mutators to AFL

This file describes how you can implement custom mutations to be used in AFL.

Implemented by Khaled Yakdan from Code Intelligence <yakdan@code-intelligence.de>

## 1) Description

Custom mutator libraries can be passed to afl-fuzz to perform custom mutations
on test cases beyond those available in AFL - for example, to enable
structure-aware fuzzing by using libraries that perform mutations according to
a given grammar.

The custom mutator library is passed to afl-fuzz via the
AFL_CUSTOM_MUTATOR_LIBRARY environment variable. The library must export
the afl_custom_mutator() function and must be compiled as a shared object.
For example:
```sh
$CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so
```
Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, it is a state mutator like any
other, so it will be used for some test cases, and other mutators for others.

Only if AFL_CUSTOM_MUTATOR_ONLY is set will the afl_custom_mutator() function
be called every time afl-fuzz needs to mutate a test case.

For some cases, the format of the mutated data returned from the custom
mutator is not suitable to directly execute the target with this input.
For example, when using libprotobuf-mutator, the data returned is in a
protobuf format which corresponds to a given grammar.
In order to execute the target, the protobuf data must be converted to the
plain-text format expected by the target.
In such scenarios, the user can define the afl_pre_save_handler() function.
This function then transforms the mutated data into the format expected by
the target before the target is executed.
afl_pre_save_handler is optional and does not have to be implemented if its
functionality is not needed.
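The following is an added example of a minimal structure-aware mutator library, written for this page rather than taken from AFL or its examples directory. The function signatures for afl_custom_mutator() and afl_pre_save_handler() are assumed to match the ones used by the old example in examples/custom_mutators/; the target grammar (fixed-width 3-byte command tokens), the 4-byte framing header the pre-save handler prepends, and the two self-check functions are constructed for illustration. The mutator only ever writes tokens from its own table, so its output stays grammar-valid, and it never writes past max_size. The pre-save handler owns and reuses the buffer it hands back through new_data (an assumption about buffer ownership, not something this page specifies).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed grammar for the example target: a stream of fixed-width
 * 3-byte command tokens. The mutator only writes tokens from this table,
 * so every mutated test case stays grammar-valid. */
#define CMD_LEN 3
static const char *const kCommands[] = { "GET", "PUT", "DEL" };
#define N_COMMANDS (sizeof(kCommands) / sizeof(kCommands[0]))

/* afl_custom_mutator: afl-fuzz hands over the current test case (data/size)
 * and an output buffer of capacity max_size. Signature assumed from the old
 * examples/custom_mutators API. Returns the length written to mutated_out. */
size_t afl_custom_mutator(uint8_t *data, size_t size, uint8_t *mutated_out,
                          size_t max_size, unsigned int seed) {
  size_t out_size = size < max_size ? size : max_size;  /* never overrun */
  memcpy(mutated_out, data, out_size);
  if (out_size < CMD_LEN) return out_size;  /* too short to hold a token */

  srand(seed);  /* afl-fuzz supplies the seed, so mutations are reproducible */
  size_t slot = (size_t)rand() % (out_size / CMD_LEN);
  const char *cmd = kCommands[(size_t)rand() % N_COMMANDS];
  memcpy(mutated_out + slot * CMD_LEN, cmd, CMD_LEN);  /* replace one token */
  return out_size;
}

/* afl_pre_save_handler (optional): convert the mutated case into the bytes the
 * target actually reads. Here the constructed target expects a 4-byte framing
 * header in front of the token stream. The returned buffer is owned by this
 * library and reused across calls (assumed ownership convention). */
#define FRAME_HDR "CMD1"
#define FRAME_HDR_LEN 4
static uint8_t *save_buf = NULL;
static size_t save_cap = 0;

size_t afl_pre_save_handler(uint8_t *data, size_t size, uint8_t **new_data) {
  size_t new_size = FRAME_HDR_LEN + size;
  if (new_size > save_cap) {
    uint8_t *p = realloc(save_buf, new_size);
    if (!p) { *new_data = data; return size; }  /* on OOM, pass input through */
    save_buf = p;
    save_cap = new_size;
  }
  memcpy(save_buf, FRAME_HDR, FRAME_HDR_LEN);
  memcpy(save_buf + FRAME_HDR_LEN, data, size);
  *new_data = save_buf;
  return new_size;
}

/* Self-check: with an output buffer smaller than the input, the mutator must
 * truncate to max_size and every 3-byte chunk must still be a known token. */
int mutator_output_is_valid(unsigned int seed) {
  uint8_t in[] = "GETPUTDEL";  /* constructed 9-byte test case */
  uint8_t out[6];              /* deliberately smaller than the input */
  size_t n = afl_custom_mutator(in, 9, out, sizeof out, seed);
  if (n != sizeof out) return 0;
  for (size_t i = 0; i + CMD_LEN <= n; i += CMD_LEN) {
    int known = 0;
    for (size_t c = 0; c < N_COMMANDS; c++)
      if (memcmp(out + i, kCommands[c], CMD_LEN) == 0) known = 1;
    if (!known) return 0;
  }
  return 1;
}

/* Self-check: the pre-save handler prepends exactly the framing header. */
int pre_save_adds_frame(void) {
  uint8_t in[] = "PUTGET";  /* constructed 6-byte mutated case */
  uint8_t *framed = NULL;
  size_t n = afl_pre_save_handler(in, 6, &framed);
  return n == 10 && memcmp(framed, "CMD1PUTGET", 10) == 0;
}

int main(void) {
  printf("mutator valid: %d, pre-save framed: %d\n",
         mutator_output_is_valid(42), pre_save_adds_frame());
  return 0;
}
```

Build it with the compile line shown above (the main() is only there so the file also runs stand-alone) and point AFL_CUSTOM_MUTATOR_LIBRARY at the resulting .so. The two self-checks are the properties worth keeping in any custom mutator: respect max_size regardless of input length, and keep the output inside the grammar the target parses, since a token the target rejects up front exercises nothing past its input validation.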

## 2) Example

A simple example is provided in ../examples/custom_mutators/

There is also a libprotobuf example available at [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator)
Another implementation can be found at [https://github.com/thebabush/afl-libprotobuf-mutator](https://github.com/thebabush/afl-libprotobuf-mutator)