playbooks

home / skills / plurigrid / asi / libafl

libafl skill

/skills/libafl

This skill helps you configure and manage LibAFL fuzzing campaigns for custom security testing, optimizing coverage and efficiency.

npx playbooks add skill plurigrid/asi --skill libafl

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
1.2 KB
---
name: libafl
description: Fuzzing framework LibAFL for custom fuzzing campaigns.
category: testing-handbook-skills
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Libafl Skill

**Trit**: -1 (MINUS)
**Category**: testing-handbook-skills
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Fuzzing framework LibAFL for custom fuzzing campaigns.

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 2. Domain-Specific Languages

**Concepts**: DSL, wrapper, pattern-directed, embedding

### GF(3) Balanced Triad

```
libafl (−) + SDF.Ch2 (−) + [balancer] (−) = 0
```

**Skill Trit**: -1 (MINUS - verification)


### Connection Pattern

DSLs embed domain knowledge. This skill defines domain-specific operations.

Overview

This skill provides a LibAFL-based fuzzing framework for designing and running custom fuzzing campaigns. It exposes components to build harnesses, define mutators and feedback, manage corpora, and orchestrate distributed or targeted fuzz runs. The goal is practical, extensible fuzzing workflows for security testing and bug discovery.

How this skill works

The skill wires together core LibAFL primitives: executors to run test cases, mutators to generate inputs, feedback and monitors to evaluate interestingness and detect crashes, and corpus managers to store seeds. It supports custom harnesses in Python, instrumentation hooks, and campaign orchestration including restarts and checkpoints. You can plug in coverage, sanitizer output, or custom crash classifiers to guide mutation selection.

When to use it

  • When you need a flexible fuzzing pipeline for testing custom binaries or interpreters.
  • When existing fuzzers miss domain-specific input structure and you require custom mutators or grammars.
  • When you want to integrate coverage-guided feedback or sanitizer-based crash detection into CI.
  • When running distributed or long-running campaigns that require checkpointing and restart.
  • When developing target-specific harnesses, emulators, or symbolic execution integrations.

Best practices

  • Start with a small, representative seed corpus and iteratively add seeds that exercise new behaviors.
  • Instrument the target for lightweight coverage feedback to speed exploration before adding heavy sanitizers.
  • Build modular harnesses: isolate input parsing, execution, and crash classification to simplify debugging.
  • Use deterministic replay and checkpoints to triage crashes and reproduce findings reliably.
  • Monitor resource usage and set sensible timeouts to prevent hang-driven campaign stalls.

Example use cases

  • Fuzzing a custom file parser by creating a harness that feeds generated byte streams and checks parsing outcomes.
  • Testing an embedded interpreter by mutating AST-like structures and using coverage feedback to reach deep code paths.
  • Running a distributed fuzzing campaign across multiple workers with shared corpus synchronization and periodic checkpoints.
  • Integrating sanitizer outputs (ASAN, UBSAN) to prioritize crashes for triage and bug reporting.
  • Extending mutators with grammar-aware operators to preserve high-level structure when fuzzing structured inputs.

FAQ

Do I need C/C++ knowledge to use this skill?

No — you can write harnesses and compose campaigns in Python, though understanding target internals helps design effective mutators and feedback.

Can I use this for networked services?

Yes — design a harness that sends mutated inputs over sockets and use timeouts and monitors to detect hangs and crashes.