# ZAFL: Zipr-based AFL

Welcome to **ZAFL**: a project to extend compiler-quality instrumentation speed *and* transformation support to the fuzzing of x86-64 binary programs. The key features of ZAFL include:

* Fast, space-efficient, and inlined binary fuzzing instrumentation via the Zipr binary rewriting infrastructure.
* A platform to extend and combine compiler-style code transformations (e.g., CMP unfolding) to binary-only fuzzing.
* Full compatibility with the AFL and AFLPlusPlus fuzzer ecosystem.

<table>
<tr><td align=center colspan="2"><div><b>Presented in our paper</b> <a href="https://www.usenix.org/conference/usenixsecurity21/presentation/nagy"><i>Breaking-through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing</i></a><br>(2021 USENIX Security Symposium).</div></td></tr>
<tr><td><b>Citing this repository:</b></td>
<td><code class="rich-diff-level-one">@inproceedings{nagy:breakingthrough, title = {Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing}, author = {Stefan Nagy and Anh Nguyen-Tuong and Jason D. Hiser and Jack W. Davidson and Matthew Hicks}, booktitle = {{USENIX} Security Symposium (USENIX)}, year = {2021},}</code></td></tr>
<tr><td><b>License:</b></td><td><a href="https://git.zephyr-software.com/opensrc/zafl/-/blob/master/LICENSE">BSD 3-Clause License</a></td></tr>
<tr><td><b>Disclaimer:</b></td><td><i>This software is provided as-is with no warranty.</i></td></tr>
</table>

## Demonstration

Below is a short [video demonstration](ZAFL Video) highlighting ZAFL's ease-of-use and application in a DevOps pipeline:

[![ZAFL-binary-fuzzing](uploads/video_preview.png)](http://www.youtube.com/watch?v=8ZIMTfWP3vg "ZAFL binary fuzzing")

## Fuzzing-enhancing Binary Transformations

ZAFL facilitates *binary-level* reimplementations of many transformations that have proven successful in the open-source fuzzing world. Some built-in examples:

* Edge-to-block instrumentation downgrading
* Dominator tree-based instrumentation pruning
* Sub-instruction profiling (e.g., laf-Intel)
* Context-sensitive coverage tracking

To see the full list of fuzzing-enhancing code transformations that ZAFL currently supports, run `zafl.sh --help` (or for Docker-based installs, `docker run git.zephyr-software.com:4567/opensrc/zafl/zafl:latest`).
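The sub-instruction profiling (CMP unfolding, laf-Intel style) transformation listed above, shown as an added source-level example that is not ZAFL's own code: ZAFL performs the equivalent rewrite on the x86-64 binary without source, whereas this C program shows the before and after forms side by side. The `MAGIC` value, the function names and the sample inputs are constructed for the illustration.

```c
/* Added example (not ZAFL's own code): a source-level view of the
 * "CMP unfolding" / sub-instruction profiling transformation (the laf-Intel
 * idea) that ZAFL applies directly to x86-64 binaries.  A single 32-bit
 * equality compare gives a coverage-guided fuzzer one bit of feedback
 * (match / no match); splitting it into byte-wise compares yields one new
 * edge per matched byte, so the fuzzer can climb toward the magic value.
 * MAGIC, the function names and the sample inputs are constructed. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MAGIC 0xDEADBEEFu  /* constructed "magic" value the target checks for */

/* Folded form: one compare, one conditional branch.  Coverage looks the
 * same for every input that is not exactly MAGIC. */
int match_folded(uint32_t x)
{
    return x == MAGIC;
}

/* Unfolded form: each byte is compared separately, most significant byte
 * first.  Each successful compare is a distinct branch outcome (a new edge
 * in the coverage map).  *bytes_matched receives how many of the four
 * compares succeeded before the first mismatch. */
int match_unfolded(uint32_t x, int *bytes_matched)
{
    int matched = 0;
    if (((x >> 24) & 0xFF) != ((MAGIC >> 24) & 0xFF)) goto done;
    matched++;
    if (((x >> 16) & 0xFF) != ((MAGIC >> 16) & 0xFF)) goto done;
    matched++;
    if (((x >> 8) & 0xFF) != ((MAGIC >> 8) & 0xFF)) goto done;
    matched++;
    if ((x & 0xFF) != (MAGIC & 0xFF)) goto done;
    matched++;
done:
    if (bytes_matched) *bytes_matched = matched;
    return matched == 4;
}

/* Convenience: the length of the matching byte prefix, i.e. the number of
 * extra edges the unfolded form exposes for this input. */
int prefix_bytes(uint32_t x)
{
    int matched = 0;
    (void)match_unfolded(x, &matched);
    return matched;
}

int main(void)
{
    /* Constructed inputs: no match, 2-byte prefix, 3-byte prefix, full match. */
    const uint32_t inputs[] = { 0x00000000u, 0xDEAD0000u, 0xDEADBE00u, 0xDEADBEEFu };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("input 0x%08" PRIX32 ": folded=%d unfolded=%d prefix_bytes=%d\n",
               inputs[i], match_folded(inputs[i]),
               match_unfolded(inputs[i], NULL), prefix_bytes(inputs[i]));
    }
    return 0;
}
```

In the folded form every input other than the magic value takes the same branch, so a coverage-guided fuzzer gets no signal about how close a mutation came. In the unfolded form each correctly guessed byte flips one more branch, which the fuzzer records as a new edge and keeps as an interesting input; the four-byte value is then solved one byte at a time rather than by a one-in-2^32 guess. This is the payoff ZAFL obtains by applying the same split to compare instructions in the binary.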

**We welcome any community contributions, and ideas for improvements and new fuzzing transformations!** To open an issue or merge request, please contact one of the developers (`hiser@virginia.edu`, `an7s@virginia.edu`, `jwd@virginia.edu`, or `snagy2@vt.edu`).

## Installation

* For building the ZAFL core from Docker or source, see: https://git.zephyr-software.com/opensrc/zafl.
* For installing the libzafl support library, see: https://git.zephyr-software.com/opensrc/libzafl.

## Troubleshooting

For common issues and workarounds, see [troubleshooting](Troubleshooting).

## Licensing

Please see our current [licensing](Licensing) terms. If the current license does not fit your needs, please contact us (contact: jwd@zephyr-software.com). Our goal is to get ZAFL in use by the community, and we will be glad to work with you.

## Acknowledgement

We thank our United States government sponsors for supporting our work and publications:

![afrl](uploads/afrl.png)

![darpa](uploads/darpa.jpeg)

![nsf](uploads/nsf.png)