AFLplusplus-protobuf-mutator

AFLplusplus + libprotobuf-mutator

Overview

AFLplusplus-protobuf-mutator integrates AFLplusplus and libprotobuf-mutator. It could be used to feed the target on INTERESTING data based on protobuf.

Quick start

Install prerequisites

sudo apt-get update
sudo apt-get install liblzma-dev libz-dev

Download source code && update submodule

git clone https://github.com/P1umer/AFLplusplus-protobuf-mutator.git
cd AFLplusplus-protobuf-mutator
git submodule update

AFLplusplus needs to be compiled separately according to the README.md

Build

use CMake to build.

mkdir build
cd build
cmake ..
make

Clang is needed for compilation. By default, protobuf and LPM will be automatically downloaded and built for this library. However, you can also pass LIB_PROTOBUF_DOWNLOAD/LIB_PROTOBUF_MUTATOR_DOWNLOAD=OFF to use system-installed version of protobuf/LPM

Usage

To use AFLplusplus-protobuf-mutator simply include afl-mutator.h into your files. DEFINE_AFL_PROTO_FUZZER defines the functions required by afl++ for custom mutations. To apply one mutation to a protobuf object do the following:

#include "src/afl-mutator.h"

DEFINE_AFL_PROTO_FUZZER(const MessageType& input, unsigned char **out_buf){
    // transfer the input to some interesting DATA
    // and output the DATA to *out_buf
    
    /*
     * @param[in] Protobuf Buffer containing the test case
     * @param[out] out_buf Pointer to the buffer containing the test case after tranferance. 
     * @return Size of the output buffer after processing or the needed amount.
    */
    TransferMessageType(input, out_buf); 
}

The generated library can be passed to afl-fuzz via the AFL_CUSTOM_MUTATOR_LIBRARY. Please see test_fuzzzer.cc as an example. And there is a harness.c file for testing, which needs to be compiled with afl-cc generated by AFLplusplus.

Note: It is recommended to set AFL_CUSTOM_MUTATOR_ONLY flag to make all mutations solely be performed with the custom mutator.