BandFuzz is an AI-powered collaborative fuzzing framework. BandFuzz++ is its enhanced version, optimized for real-world competitions.
BandFuzz++ took first place in the SBFT 2024 Fuzzing Competition. BandFuzz also contributed to team 42-b3yond-6ug earning multiple "first bug discovery" badges during the AIxCC semi-final competition.
For users, please use our Docker image `bugbusterofficial/bandfuzzplusplus`; see the documentation below.
For developers and contributors, please use the devcontainer.

```sh
docker pull bugbusterofficial/bandfuzzplusplus
```
File | Required? | Description |
---|---|---|
`/repo` | required | The project (source) directory. |
`/builder` | required | The build script. |
`/out` | required | The directory where fuzzing outcomes are stored. |
`/slicing_result` | optional | The slicing result from SliceFuzz. |
`/seeds` | optional | A directory containing the initial seed corpus. |
- The build script must honor the `CC` and `CXX` environment variables, which select the C and C++ compilers; the framework sets them to its instrumenting compilers, so a script that hardcodes `gcc` or `clang` will produce an uninstrumented target.
Environment Variable | Required? | Description |
---|---|---|
`TARGET` | required | Name of the binary to fuzz. |
`CORES` | optional | Number of cores to use. Defaults to 0, which uses all available cores. |
`RANDOM_SEEDS` | optional | If `RANDOM_SEEDS=1`, generate 2500 random seeds. |
`SEEDS_URL` | optional | If set, download a zip-compressed seed corpus from this URL. |
`BANDFUZZ_SLICE` | optional | If `BANDFUZZ_SLICE=1`, use compile-time selective instrumentation. |
`RT_SLICE` | optional | (experimental) If `RT_SLICE=1`, use runtime selective fuzzing. |
`USE_CWESAN` | optional | If `USE_CWESAN=1`, use the CWE sanitizer to check for additional bug classes. |
- If neither `SEEDS_URL` nor `RANDOM_SEEDS` is set, the built-in seed corpus (about 57,000 seeds) is used.
- If `BANDFUZZ_SLICE` or `RT_SLICE` is set, `/slicing_result` must be provided.
- `BANDFUZZ_SLICE` and `RT_SLICE` cannot currently be enabled at the same time.
Execute the following command to build and fuzz the target:

```sh
docker run -v ${REPO}:/repo \
  -v ${BUILDER}:/builder \
  -v ${SEEDS}:/seeds \
  -v ${OUT}:/out \
  -e "TARGET=${TARGET}" \
  bugbusterofficial/bandfuzzplusplus
```
Another example, this time with a slicing result and 16 cores:

```sh
docker run -v ${REPO}:/repo \
  -v ${BUILDER}:/builder \
  -v ${SEEDS}:/seeds \
  -v ${OUT}:/out \
  -v ${SLICING}:/slicing_result \
  -e "TARGET=${TARGET}" \
  -e "BANDFUZZ_SLICE=1" \
  -e "CORES=16" \
  bugbusterofficial/bandfuzzplusplus
```
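The mount and variable contract above is easy to get wrong on the command line, and a mistake usually surfaces only after the build inside the container has already failed. The script below is an added example, not part of BandFuzz++: it checks the documented constraints on the host (required mounts, `TARGET`, numeric `CORES`, `/slicing_result` present whenever slicing is enabled, `BANDFUZZ_SLICE` and `RT_SLICE` never combined) and then prints the `docker run` line, forwarding only the variables that are actually set. Host paths are passed as positional arguments; the function names and argument order are this example's own.

```sh
#!/bin/sh
# Added example, not part of BandFuzz++: host-side preflight check plus a
# dry-run builder for the documented docker invocation.
# Assumption: host paths are positional arguments (REPO BUILDER OUT [SEEDS] [SLICING]);
# TARGET, CORES, RANDOM_SEEDS, SEEDS_URL, BANDFUZZ_SLICE, RT_SLICE and USE_CWESAN
# are read from the environment exactly as the container expects them.

# bandfuzz_preflight REPO BUILDER OUT [SEEDS] [SLICING]
# Prints one line per problem; returns 0 only if every documented constraint holds.
bandfuzz_preflight() {
    pf_repo=$1; pf_builder=$2; pf_out=$3; pf_seeds=$4; pf_slicing=$5
    pf_rc=0
    # Required mounts: /repo and /out are directories, /builder an executable script.
    [ -d "$pf_repo" ] || { echo "repo: '$pf_repo' is not a directory"; pf_rc=1; }
    { [ -f "$pf_builder" ] && [ -x "$pf_builder" ]; } \
        || { echo "builder: '$pf_builder' must be an executable file"; pf_rc=1; }
    [ -d "$pf_out" ] || { echo "out: '$pf_out' is not a directory"; pf_rc=1; }
    # Optional seed directory, if given, must exist.
    [ -z "$pf_seeds" ] || [ -d "$pf_seeds" ] \
        || { echo "seeds: '$pf_seeds' is not a directory"; pf_rc=1; }
    # TARGET is the only required variable; CORES must be a non-negative integer.
    [ -n "$TARGET" ] || { echo "TARGET is required"; pf_rc=1; }
    case "${CORES:-0}" in
        *[!0-9]*) echo "CORES must be a non-negative integer (0 = all cores)"; pf_rc=1 ;;
    esac
    # The two slicing modes are mutually exclusive, and either one needs /slicing_result.
    if [ "${BANDFUZZ_SLICE:-0}" = 1 ] && [ "${RT_SLICE:-0}" = 1 ]; then
        echo "BANDFUZZ_SLICE and RT_SLICE cannot be enabled at the same time"; pf_rc=1
    fi
    if [ "${BANDFUZZ_SLICE:-0}" = 1 ] || [ "${RT_SLICE:-0}" = 1 ]; then
        { [ -n "$pf_slicing" ] && [ -e "$pf_slicing" ]; } \
            || { echo "slicing: /slicing_result is required when slicing is enabled"; pf_rc=1; }
    fi
    return $pf_rc
}

# bandfuzz_cmd REPO BUILDER OUT [SEEDS] [SLICING]
# Prints the docker run line implied by the arguments and environment. Optional
# mounts and variables are included only when set. Replace echo with exec to run it.
bandfuzz_cmd() {
    bc_cmd="docker run -v $1:/repo -v $2:/builder -v $3:/out"
    [ -z "$4" ] || bc_cmd="$bc_cmd -v $4:/seeds"
    [ -z "$5" ] || bc_cmd="$bc_cmd -v $5:/slicing_result"
    bc_cmd="$bc_cmd -e TARGET=$TARGET"
    for bc_var in CORES RANDOM_SEEDS SEEDS_URL BANDFUZZ_SLICE RT_SLICE USE_CWESAN; do
        eval "bc_val=\${$bc_var}"
        [ -z "$bc_val" ] || bc_cmd="$bc_cmd -e $bc_var=$bc_val"
    done
    echo "$bc_cmd bugbusterofficial/bandfuzzplusplus"
}

# Usage (example invocation):
#   TARGET=libjpeg_turbo_fuzzer CORES=16 BANDFUZZ_SLICE=1 \
#     sh preflight.sh ./libjpeg-turbo ./build.sh ./out ./seeds ./slicing_result
if [ $# -gt 0 ]; then
    bandfuzz_preflight "$@" && bandfuzz_cmd "$@"
fi
```

Running the script with no arguments does nothing, so it can also be sourced to reuse the two functions from a larger harness.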
To see how to start BandFuzz++ on a real target, use libjpeg-turbo as an example and follow these steps.
Clone the libjpeg-turbo repository and copy its fuzzing build script out, making it executable (the script reads `CC` and `CXX`, as required above):

```sh
git clone https://github.com/libjpeg-turbo/libjpeg-turbo.git libjpeg-turbo
cp libjpeg-turbo/fuzz/build.sh . && chmod +x build.sh
```

With the repository and build script in place, create a simple initial seed file:

```sh
mkdir seeds
echo "hi" > seeds/default
```

Next, create a directory for the fuzzing output:

```sh
mkdir out
```

Finally, run BandFuzz++ on this target:

```sh
docker run -v $PWD/libjpeg-turbo:/repo \
  -v $PWD/build.sh:/builder \
  -v $PWD/seeds:/seeds \
  -v $PWD/out:/out \
  -e "TARGET=libjpeg_turbo_fuzzer" \
  -e "MODE=LIB" \
  -e "CORES=4" \
  bugbusterofficial/bandfuzzplusplus
```
Most fuzzers support an allowlist to customize their instrumentation: parts of the program are left uninstrumented so the fuzzer spends its budget on the code of interest.
BandFuzz uses a `slicing_result` for the same purpose. Documentation on how to generate a `slicing_result` will be released soon.
- AFL++
- RedQueen (cmplog in AFL++)
- MOpt (mutation mode in AFL++)
- Radamsa (customized mutator in AFL++)
- AFL (american fuzzy lop)
- Honggfuzz
The following fuzzers are supported in the original BandFuzz but have not yet been upgraded to the latest BandFuzz++ support.