MuttFuzz doggedly fuzzes for you, mutating the executable as it goes!
<img src="muttfuzz.png" alt="drawing" width="200"/>
---------------------------------
**FAQ**
**Q**: Is this a mutation testing tool?
**A**: No. MuttFuzz is only mutating your code in order to fuzz it better. You don't need to care about the mutants, you'll never see them. Coverage and bugs will be for your fuzzed program.
**Q**: What fuzzing algorithm does MuttFuzz use?
**A**: MuttFuzz doesn't use a fuzzing algorithm. MuttFuzz is a *meta-fuzzer*. This means you tell MuttFuzz what fuzzer you're using (and how you call it), and where your executable is, and MuttFuzz will orchestrate a fuzzing campaign, doing some behind-the-scenes work on the fuzzed executable that is likely to improve the effectiveness of that fuzzing. MuttFuzz should work with most popular fuzzing tools.
**Q**: What are major limitations of MuttFuzz?
**A**: Right now, MuttFuzz only works for x86 Linux, and MuttFuzz may not work well if 1) your fuzzer needs two executables (like Angora) or 2) your target program disassembles poorly using _objdump_. That's it. Also, of course, if you are fuzzing a library you'll need to statically link it into your executable. Alternatively, just provide the dynamically linked library as the filename argument, since MuttFuzz doesn't assume the filename is a full executable.
**Q: How do I install MuttFuzz?**
**A**:
~~~
pip3 install muttfuzz
~~~
(perhaps with `--user`)
should do the trick. Right now, there are no serious dependencies.
**Q: How do I use MuttFuzz?**
**A**: Let's say you want to use AFL to fuzz a program whose compiled and AFL-instrumented executable is named `target` and which takes its input from `stdin`:
~~~
export AFL_SKIP_CRASHES=TRUE
muttfuzz "afl-fuzz -i- -o fuzz_target -d ./target @@" target --initial_fuzz_cmd "afl-fuzz -i in -o fuzz_target -d ./target @@" --initial_budget 1800 --budget 86400 --post_mutant_cmd "cp fuzz_target/crashes.*/id* fuzz_target/queue/; rm -rf fuzz_target/crashes.*"
~~~
That will 1) create a directory `fuzz_target` and use AFL to fuzz `target` for 30 minutes, then 2) switch to fuzzing a series of mutants of `target` for five minutes each before 3) finally switching back to fuzzing using AFL on the original `target`. The total time spent fuzzing will be 24 hours, and MuttFuzz will spend half that time fuzzing mutants. The `--post_mutant_cmd` and `AFL_SKIP_CRASHES` setting handles the fact that things that crash some mutants may not crash the real `target` and vice versa. When you're done fuzzing, you'll want to look in both `crashes` and `queue` for possible crashing inputs for `target`, due to the same issue.
```muttfuzz --help``` will give details on other options. One nice thing is to print out status (e.g., cat the AFL stats file, or ls | wc -l on crashes/queue) after each fuzzing run.
This example shows how to use MuttFuzz with AFL (or AFLplusplus) but using it with libFuzzer or Honggfuzz should be approximately as easy, or easier.
**Q**: How good is MuttFuzz?
**A**: We're not sure yet, experiments are pending. We know that a source-based variant of the same technique, somewhat less tuned, outperformed AFLplusplus on FuzzBench, so we're optimistic that this is both easier to use and even more effective than that. In our limited experiments thus far, it is dramatically improving fuzzing a toy benchmark using AFL, much more than the source-based approach did.
**Q**: Why is fuzzing mutants helpful?
**A**: For more information on that, and on the source-based version of this idea, see [our paper in submission to ACM TOSEM, the final version of our FUZZING'22 registered report](https://github.com/agroce/fuzzing22report/blob/master/tosem/currentdraft.pdf). Long story short, we speculate that some mutants remove common barriers to fuzzing, and/or allow fuzzing to find branches "non-chronologically."
**Q**: Why "MuttFuzz"?
**A**: When I (Alex) created the repo, I made a typo, but I liked it. Certainly memorable compared to "mutfuzz" for "mutant fuzzer".
-------------------------------
Thanks to: Peter Goodman @ Trail of Bits, Kush Jain, and Richard Hipp.
Also thanks to kosak, scottd, and roc.
Raw data
{
"_id": null,
"home_page": "https://github.com/agroce/muttfuzz",
"name": "muttfuzz",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "fuzzing mutation",
"author": "",
"author_email": "",
"download_url": "",
"platform": null,
"description": "MuttFuzz doggedly fuzzes for you, mutating the executable as it goes!\n\n<img src=\"muttfuzz.png\" alt=\"drawing\" width=\"200\"/>\n\n---------------------------------\n\n**FAQ**\n\n**Q**: Is this a mutation testing tool?\n\n**A**: No. MuttFuzz is only mutating your code in order to fuzz it better. You don't need to care about the mutants, you'll never see them. Coverage and bugs will be for your fuzzed program.\n\n**Q**: What fuzzing algorithm does MuttFuzz use?\n\n**A**: MuttFuzz doesn't use a fuzzing algorithm. MuttFuzz is a *meta-fuzzer*. This means you tell MuttFuzz what fuzzer you're using (and how you call it), and where your executable is, and MuttFuzz will orchestrate a fuzzing campaign, doing some behind-the-scenes work on the fuzzed executable that is likely to improve the effectiveness of that fuzzing. MuttFuzz should work with most popular fuzzing tools.\n\n**Q**: What are major limitations of MuttFuzz?\n\n**A**: Right now, MuttFuzz only works for x86 Linux, and MuttFuzz may not work well if 1) your fuzzer needs two executables (like Angora) or 2) your target program disassembles poorly using _objdump_. That's it. Also, of course, if you are fuzzing a library you'll need to statically link it into your executable. Alternatively, just provide the dynamically linked library as the filename argument, since MuttFuzz doesn't assume the filename is a full executable.\n\n**Q: How do I install MuttFuzz?**\n\n**A**:\n\n~~~\npip3 install muttfuzz\n~~~\n\n(perhaps with `--user`)\n\nshould do the trick. Right now, there are no serious dependencies.\n\n**Q: How do I use MuttFuzz?** \n\n**A**: Let's say you want to use AFL to fuzz a program whose compiled and AFL-instrumented executable is named `target` and which takes its input from `stdin`:\n\n~~~\nexport AFL_SKIP_CRASHES=TRUE\nmuttfuzz \"afl-fuzz -i- -o fuzz_target -d ./target @@\" target --initial_fuzz_cmd \"afl-fuzz -i in -o fuzz_target -d ./target @@\" --initial_budget 1800 --budget 86400 --post_mutant_cmd \"cp fuzz_target/crashes.*/id* fuzz_target/queue/; rm -rf fuzz_target/crashes.*\"\n~~~\n\nThat will 1) create a directory `fuzz_target` and use AFL to fuzz `target` for 30 minutes, then 2) switch to fuzzing a series of mutants of `target` for five minutes each before 3) finally switching back to fuzzing using AFL on the original `target`. The total time spent fuzzing will be 24 hours, and MuttFuzz will spend half that time fuzzing mutants. The `--post_mutant_cmd` and `AFL_SKIP_CRASHES` setting handles the fact that things that crash some mutants may not crash the real `target` and vice versa. When you're done fuzzing, you'll want to look in both `crashes` and `queue` for possible crashing inputs for `target`, due to the same issue.\n\n```muttfuzz --help``` will give details on other options. One nice thing is to print out status (e.g., cat the AFL stats file, or ls | wc -l on crashes/queue) after each fuzzing run.\n\nThis example shows how to use MuttFuzz with AFL (or AFLplusplus) but using it with libFuzzer or Honggfuzz should be approximately as easy, or easier.\n\n**Q**: How good is MuttFuzz?\n\n**A**: We're not sure yet, experiments are pending. We know that a source-based variant of the same technique, somewhat less tuned, outperformed AFLplusplus on FuzzBench, so we're optimistic that this is both easier to use and even more effective than that. In our limited experiments thus far, it is dramatically improving fuzzing a toy benchmark using AFL, much more than the source-based approach did.\n\n**Q**: Why is fuzzing mutants helpful?\n\n**A**: For more information on that, and on the source-based version of this idea, see [our paper in submission to ACM TOSEM, the final version of our FUZZING'22 registered report](https://github.com/agroce/fuzzing22report/blob/master/tosem/currentdraft.pdf). Long story short, we speculate that some mutants remove common barriers to fuzzing, and/or allow fuzzing to find branches \"non-chronologically.\"\n\n**Q**: Why \"MuttFuzz\"?\n\n**A**: When I (Alex) created the repo, I made a typo, but I liked it. Certainly memorable compared to \"mutfuzz\" for \"mutant fuzzer\".\n\n-------------------------------\n\nThanks to: Peter Goodman @ Trail of Bits, Kush Jain, and Richard Hipp.\nAlso thanks to kosak, scottd, and roc.\n\n\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Fuzzing with mutants",
"version": "0.6.2",
"project_urls": {
"Homepage": "https://github.com/agroce/muttfuzz"
},
"split_keywords": [
"fuzzing",
"mutation"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "eed57cfd8cf9388c7ddbbd86728207ca90cb2ce7fc41d8ff533a4007097c7441",
"md5": "bd602d6a708f7f4729659d824bff64d0",
"sha256": "6331363ba2460367d194be34403530808e32fb146316449e43c39f8323b84744"
},
"downloads": -1,
"filename": "muttfuzz-0.6.2-py2-none-any.whl",
"has_sig": false,
"md5_digest": "bd602d6a708f7f4729659d824bff64d0",
"packagetype": "bdist_wheel",
"python_version": "py2",
"requires_python": null,
"size": 7532,
"upload_time": "2024-03-01T16:10:54",
"upload_time_iso_8601": "2024-03-01T16:10:54.687777Z",
"url": "https://files.pythonhosted.org/packages/ee/d5/7cfd8cf9388c7ddbbd86728207ca90cb2ce7fc41d8ff533a4007097c7441/muttfuzz-0.6.2-py2-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "266a09a772bccd7688bf1e5cc37d6a560e22d32c4d4bf5c1d69aa4fc64084f3e",
"md5": "2041c247c8739d9ea5816569bbfa3ce1",
"sha256": "9a6c35b50fedcf3c5c5c1142bd48d87b251b5ffd781a6780628d6f371bf64c18"
},
"downloads": -1,
"filename": "muttfuzz-0.6.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "2041c247c8739d9ea5816569bbfa3ce1",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 7532,
"upload_time": "2024-03-01T16:10:56",
"upload_time_iso_8601": "2024-03-01T16:10:56.078309Z",
"url": "https://files.pythonhosted.org/packages/26/6a/09a772bccd7688bf1e5cc37d6a560e22d32c4d4bf5c1d69aa4fc64084f3e/muttfuzz-0.6.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-01 16:10:54",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "agroce",
"github_project": "muttfuzz",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "muttfuzz"
}
JSON
