Example/skeleton for using libprotobuf-mutator together with AFL.
- Download and compile AFLplusplus
- Put your protobuffer in
gen/out.proto - Write your own protobuffer-message-to-raw-data methods
export AFL_CUSTOM_MUTATOR_ONLY=1export AFL_CUSTOM_MUTATOR_LIBRARY=./mutator.so
The current implementation turns enum values into bytes. It was an experiment in encoding regexps as protobuffers. Unfortunately, PBs are not powerful enough to do that.
export AFL_CUSTOM_MUTATOR_ONLY=1 export AFL_CUSTOM_MUTATOR_LIBRARY=./mutator.so afl-fuzz -i /tmp/in -o /tmp/out -Q -- ./dumper @@
In order to dump/verify the content of the protobuffers:
for f in /tmp/out/queue/id*src*; do echo "== $f =="; ./dumper $f; done
./build.sh make
- AFLplusplus doesn't yet provide a custom splicing hook, so we can't mix two
protobuffers
- I have a custom version on my PC but I'm not sure it's bug-free so I won't push it for the time being
- honggfuzz has support for external mutators/postprocessors, so it should be trivial to add support (maybe it'll be a little bit slower do to I/O)