Fuzzers like LEGO

domenukk and andreafioraldi

Playlists: 'rc3' videos starting here / audio

From the AFL++ team comes a talk about the core concepts of fuzzing, novel fuzzing research, a library, and parts of fuzzing that can be edited and swapped out.

In this talk, we present the theory, building blocks and ideas behind our evolution to AFL++, a powerful and flexible new fuzzer design. Instead of a command line tool one-trick-pony, security researchers will be able to build the perfect fuzzer for their target, and extend parts of their fuzzer with their own code. After dealing with the monolithic C codebase inherited from AFL for over a year, we learned how to build a better toolsuite from scratch, as a library, with reusable components and easily maintainable code. The design of the framework follows a clear division of fuzz testing concepts into interconnected entities. Like LEGO bricks, each part of the fuzzer can be swapped out with other implementations, and behavior. The first prototype, libAFL, was developed as one of the AFL++ Google Summer of Code projects in C. After seeing that the concepts work in practice, we are now creating a powerful fuzzing framework in Rust. This talk discusses these concepts and how they relate to existing fuzzers at the state of the art. Thanks to its flexibility, the library can be used to reimplement a wide variety of fuzzers. We discuss how we tackle common problems like scaling between cores, and embedding the fuzzer directly into the target for maximum speed. The building blocks discussed in this talk will be the engine under the hood of a future AFL++ release, and, hopefully, your next custom-build fuzzer.