- Open Source fuzzers
- Fuzzing harnesses/frameworks
- Other fuzzers (Paid) worth mentioning
- Blogs that will help you fuzz better
- Other fuzzing blogs/resources
1. Open Source Fuzzers
American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code. The compact synthesized corpora produced by the tool are also useful for seeding other, more labor- or resource-intensive testing regimes down the road.
Compared to other instrumented fuzzers, afl-fuzz is designed to be practical: it has modest performance overhead, uses a variety of highly effective fuzzing strategies and effort minimization tricks, requires essentially no configuration, and seamlessly handles complex, real-world use cases – say, common image parsing or file compression libraries.
AFL/QEMU fuzzing with full-system emulation. This is a patched version of AFL that supports full-system fuzzing using QEMU. The included QEMU has been updated to allow tracing of branches when running a system emulator for x86_64. Extra instructions have been added to start AFL’s forkserver, make fuzz settings, and mark the start and stop of test cases.
High-throughput fuzzer and emulator of DECREE binaries
A Random-based Fuzzer in Python
An Evolutionary Interpreter Fuzzer
- Can send to L2 as well as to upper layers (TCP/UDP/SCTP)
- Ability to work with odd length packet fields (no need to match byte borders, so even single flags or 7bit long fields can be represented and fuzzed)
- Very easy protocol definition syntax
- Ability to do multi-packet stateful fuzzing, with the ability to use received target data in the response
AddressSanitizer, ThreadSanitizer, MemorySanitizer
Find potential bugs in your services with Diffy
Fuzz testing for go.
Sulley is an actively developed fuzzing engine and fuzz testing framework consisting of multiple extensible components. Sulley (IMHO) exceeds the capabilities of most previously published fuzzing technologies, commercial and public domain. The goal of the framework is to simplify not only data representation but also data transmission and instrumentation. Sulley is affectionately named after the creature from Monsters Inc., because, well, he is fuzzy.
Written in python.
The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. BFF performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.) The BFF automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
CERT Failure Observation Engine (FOE). For Windows.
The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
Dranzer. For ActiveX Controls.
Radamsa, a general purpose fuzzer
Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can stand malformed and potentially malicious inputs. It works by making files which are interestingly different from given, typically valid, sample files. The modified files are then given to the target program, either as such or by some script. The main selling points of radamsa as opposed to other fuzzers are that it is extremely easy to get running on most machines, is easy to script from the command line, and has already been used to find a slew of security issues in programs you are likely using right now.
zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program’s input. zzuf’s behaviour is deterministic, making it easy to reproduce bugs. For instructions and examples on how to use zzuf, see the manual page and the website at <http://caca.zoy.org/wiki/zzuf>.
Backfuzz is a fuzzing tool for different protocols (FTP, HTTP, IMAP, etc.) written in Python. The general idea is that this script has several predefined functions, so whoever wants to write their own plugins (for another protocol) can do that in a few lines.
Wadi is a fuzzing module to use with the NodeFuzz fuzzing harness and utilizes AddressSanitizer (ASan) for instrumentation on Linux and Mac OS X.
The World Wide Web Consortium (W3C) is an international community that develops open standards to ensure the long-term growth of the Web. W3C specifications are where we look up the grammars to use in our test cases.
LibFuzzer, Clang-format-fuzzer, clang-fuzzer
We have implemented two fuzzers on top of LibFuzzer: clang-format-fuzzer and clang-fuzzer. Clang-format is mostly a lexical analyzer, so giving it random bytes to format worked perfectly and discovered over 20 bugs. Clang however is more than just a lexer and giving it random bytes barely scratches the surface, so in addition to testing with random bytes we also fuzzed Clang in token-aware mode. Both modes found bugs; some of them were previously detected by AFL, some others were not: we’ve run this fuzzer with AddressSanitizer and some of the bugs are not easily discoverable without it.
Test suite for the Linux perf_event subsystem
HTTP2 fuzzer built in Golang.
QuickFuzz is a grammar fuzzer powered by QuickCheck, Template Haskell and specific libraries from Hackage to generate many complex file formats like Jpeg, Png, Svg, Xml, Zip, Tar and more. QuickFuzz is open-source (GPL3) and it can use other bug detection tools like zzuf, radamsa, honggfuzz and valgrind.
Abstract: We present the design of an algorithm to maximize the number of bugs found for black-box mutational fuzzing given a program and a seed input. The major intuition is to leverage white-box symbolic analysis on an execution trace for a given program-seed pair to detect dependencies among the bit positions of an input, and then use this dependency relation to compute a probabilistically optimal mutation ratio for this program-seed pair. Our result is promising: we found an average of 38.6% more bugs than three previous fuzzers over 8 applications using the same amount of fuzzing time.
OFuzz is a fuzzing platform written in OCaml. OFuzz currently focuses on file-processing applications that run on *nix platforms. The main design principle of OFuzz is flexibility: it must be easy to add/replace fuzzing components (crash triaging module, test case generator, etc.) or algorithms (mutation algorithms, scheduling algorithms).
Neural-Fuzzer is an experimental fuzzer designed to use state-of-the-art Machine Learning to learn from a set of initial files. It works in two phases: training and generation.
Protocol Learning, Simulation and Stateful Fuzzer
Pulsar is a network fuzzer with automatic protocol learning and simulation capabilities. The tool allows to model a protocol through machine learning techniques, such as clustering and hidden Markov models. These models can be used to simulate communication between Pulsar and a real client or server thanks to semantically correct messages which, in combination with a series of fuzzing primitives, allow testing the implementation of an unknown protocol for errors in deeper states of its protocol state machine.
dfuzzer is the D-Bus fuzzer, the tool for fuzz testing processes communicating through D-Bus. It can be used to test processes connected to both the session bus and the system bus daemon. The fuzzer works as a client: it first connects to the bus daemon and then traverses and fuzz tests all the methods provided by a D-Bus service.
Choronzon is an evolutionary fuzzer. It tries to imitate the evolutionary process in order to keep producing better results. To achieve this, it has an evaluation system to classify which of the fuzzed files are interesting and which should be dropped.
Moreover, Choronzon is a knowledge-based fuzzer. It uses user-defined information to read and write files of the targeted file format. To become familiar with Choronzon’s terminology, you should consider that each file is represented by a chromosome. Users should describe the elementary structure of the file format under consideration. A high level overview of the file format is preferred instead of describing every detail and aspect of it. Each one of those user-defined elementary structures is considered a gene. Each chromosome contains a tree of genes and it is able to build the corresponding file from it.
‘exploitable’ is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first.
The extension implements a GDB command called ‘exploitable’. The command uses heuristics to describe the exploitability of the state of the application that is currently being debugged in GDB. The command is designed to be used on Linux platforms and versions of GDB that include the GDB Python API. Note that the command will not operate correctly on core file targets at this time.
We want to design a general-use fuzzer that can be configured to use known-good input and delimiters in order to fuzz specific locations. Somewhere between a totally dumb fuzzer and something a little smarter, with significantly less effort than with implementation of a proper smart fuzzer. Hodor.
BrundleFuzz is a distributed fuzzer for Windows and Linux using dynamic binary instrumentation.
An open source tool for reverse engineering, traffic generation and fuzzing of communication protocols
Cross Platform Kernel Fuzzer Framework. DEF CON 24 video: https://www.youtube.com/watch?v=M8ThCIfVXow
2. Fuzzing Harnesses/Frameworks that make fuzzers more effective:
Fuzzflow is a distributed fuzzing management framework from Cisco Talos that offers virtual machine management, fuzzing job configuration, pluggable mutation engines, pre/post mutation scripting, crash collection, and pluggable crash analysis.
Fuzzinator is a fuzzing framework that helps you to automate tasks usually needed during a fuzz session:
- run your favorite test generator and feed the test cases to the system-under-test,
- catch and save the unique issues,
- Reduce the failing test cases,
- ease the reporting of issues in bug trackers (e.g., Bugzilla or GitHub),
- regularly update SUTs if needed, and
- schedule multiple SUTs and generators without overloading your workstation.
FuzzLabs is a modular fuzzing framework, written in Python. It uses a modified version of the amazing Sulley fuzzing framework as the core fuzzing engine. FuzzLabs is still under development.
For Linux and Mac OS X. NodeFuzz is a fuzzer harness for web browsers and browser-like applications. There are two main ideas behind NodeFuzz: the first is to create a simple and fast way to fuzz different browsers. The second is to have one harness that can be easily expanded with new test case generators and client instrumentations, without modifications to the core.
Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.
3. Additionally, there are these free but not open-source fuzzers:
For Windows. SDL MiniFuzz File Fuzzer is a basic file fuzzing tool designed to ease adoption of fuzz testing by non-security developers who are unfamiliar with file fuzzing tools or have never used them in their current software development processes.
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and a wicked evil RandomGenerator, allowing the average programmer to use advanced fuzzing techniques for just pennies a day.
SDL Regex Fuzzer is a verification tool to help test regular expressions for potential denial of service vulnerabilities. Regular expression patterns containing certain clauses that execute in exponential time (for example, grouping clauses containing repetition that are themselves repeated) can be exploited by attackers to cause a denial-of-service (DoS) condition. SDL Regex Fuzzer integrates with the SDL Process template and the MSF-Agile+SDL Process template to help users track and eliminate any detected regex vulnerabilities in their projects.
4. Blogs that will help you fuzz better
Start-to-finish fuzzing of YAML with AFL – a complete fuzz job by foxglovesecurity: http://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/
Fuzz smarter not harder – fuzzing with afl, a primer from BSidesSF 2016: https://www.peerlyst.com/posts/bsidessf-2016-recap-of-fuzz-smarter-not-harder-an-afl-primer-claus-cramon