afl-cve
A collection of vulnerabilities discovered by the AFL fuzzer (afl-fuzz)
Introduction
afl-cve is a collection of known vulnerabilities that can be attributed to the AFL fuzzer afl-fuzz. All vulnerabilities in this list either already have a CVE assigned, or a CVE has been requested from a CVE Numbering Authority.
Why is This Necessary?
Because CVE descriptions are not generally written to mention AFL as the tool that enabled particular bugs to be found. This is primarily because CVE descriptions do not require the underlying discovery tool or technique to be disclosed. Nor should they necessarily - many security researchers have their own methods, and it might hurt the vulnerability reporting process if researchers were required to disclose such techniques. Further, most security researchers do acknowledge AFL in some form (Twitter post, afl-users mailing list, etc.) when it finds a bug, and afl-cve attempts to track this more formally.
Also, the afl-fuzz website does a great job of tracking bugs found by AFL. But not all bugs get assigned a CVE, so there is a need to specifically track those that do, because having a CVE is at least a tacit acknowledgment of potential exploitability. The bugs AFL has found are therefore frequently important for anyone concerned about security.
Fuzzing Revisited
AFL has discovered a huge number of bugs in all sorts of projects, from compilers to image processing libraries. AFL seems to be succeeding where other fuzzers have failed, or at least have not been generally embraced or made operational by the security community for whatever reason. Another way to see this is to try to determine which fuzzer has the most CVEs. Is there a different fuzzing project that comes close to AFL in terms of the number of vulnerabilities found? It would be instructive to see which fuzzer comes in second place and by how much.
The Vulnerabilities
This is likely a partial list, so please send a pull request or contact me below to add any CVE that is missing from the list below:
Contact
All updates to the above list of CVEs are managed through any of three methods: GitHub issue tracking, email contact (michael.rash_AT_gmail.com), or reaching me through Twitter (@michaelrash).