Move fuzzers around some more (#2566)

* Move fuzzers around some more

* back to baby

* this was missing..

* shuffeling shuffeling

* shuffeling

* md

* cleanup

* oops

* Move foldername to underscore

* more doc

.github/workflows/build_and_test.yml

@@ -205,7 +205,7 @@ jobs:
       - name: Run a maturin build
         run: export LLVM_CONFIG=llvm-config-${{env.MAIN_LLVM_VERSION}} && cd ./bindings/pylibafl && python3 -m venv .env && . .env/bin/activate && pip install --upgrade --force-reinstall . && ./test.sh
       - name: Run python test
-        run: . ./bindings/pylibafl/.env/bin/activate # && cd ./fuzzers/binary-only/python_qemu/ && python3 fuzzer.py 2>&1 | grep "Bye"
+        run: . ./bindings/pylibafl/.env/bin/activate # && cd ./fuzzers/binary_only/python_qemu/ && python3 fuzzer.py 2>&1 | grep "Bye"
 
   cargo-fmt:
     runs-on: ubuntu-24.04
@@ -255,20 +255,12 @@ jobs:
         os: [ ubuntu-24.04 ]
         fuzzer:
           # Baby
-          - ./fuzzers/baby/baby_fuzzer_with_forkexecutor
-          - ./fuzzers/baby/baby_no_std
           - ./fuzzers/baby/baby_fuzzer_swap_differential
-          - ./fuzzers/baby/baby_fuzzer_grimoire
+          - ./fuzzers/baby/tutorial
-          - ./fuzzers/baby/baby_fuzzer_gramatron
           - ./fuzzers/baby/baby_fuzzer
-          - ./fuzzers/baby/baby_fuzzer_custom_input
-          - ./fuzzers/baby/baby_fuzzer_nautilus
           # - ./fuzzers/baby/backtrace_baby_fuzzers
           - ./fuzzers/baby/baby_fuzzer_unicode
-          - ./fuzzers/baby/baby_fuzzer_multi
-          - ./fuzzers/baby/baby_fuzzer_wasm
           - ./fuzzers/baby/baby_fuzzer_minimizing
-          - ./fuzzers/baby/baby_fuzzer_tokens
           - ./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor
           - ./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor
           - ./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor
@@ -277,12 +269,12 @@ jobs:
           - ./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor
 
           # Binary-only
-          - ./fuzzers/binary-only/fuzzbench_fork_qemu
+          - ./fuzzers/binary_only/fuzzbench_fork_qemu
-          - ./fuzzers/binary-only/frida_executable_libpng
+          - ./fuzzers/binary_only/frida_executable_libpng
-          - ./fuzzers/binary-only/frida_gdiplus
+          - ./fuzzers/binary_only/frida_gdiplus
-          - ./fuzzers/binary-only/frida_libpng
+          - ./fuzzers/binary_only/frida_libpng
-          - ./fuzzers/binary-only/fuzzbench_qemu
+          - ./fuzzers/binary_only/fuzzbench_qemu
-          - ./fuzzers/binary-only/tinyinst_simple
+          - ./fuzzers/binary_only/tinyinst_simple
 
           # Forkserver
           - ./fuzzers/forkserver/forkserver_simple
@@ -290,16 +282,23 @@ jobs:
           - ./fuzzers/forkserver/fuzzbench_forkserver
           - ./fuzzers/forkserver/fuzzbench_forkserver_cmplog
           - ./fuzzers/forkserver/libafl-fuzz
+          - ./fuzzers/forkserver/baby_fuzzer_with_forkexecutor
 
           # Full-system
-          - ./fuzzers/full-system/nyx_libxml2_standalone
+          - ./fuzzers/full_system/nyx_libxml2_standalone
-          - ./fuzzers/full-system/nyx_libxml2_parallel
+          - ./fuzzers/full_system/nyx_libxml2_parallel
 
-          # Grammar-aware
+          # Structure-aware
-          - ./fuzzers/grammar-aware/nautilus_sync
+          - ./fuzzers/structure_aware/nautilus_sync
+          - ./fuzzers/structure_aware/baby_fuzzer_grimoire
+          - ./fuzzers/structure_aware/baby_fuzzer_gramatron
+          - ./fuzzers/structure_aware/baby_fuzzer_tokens
+          - ./fuzzers/structure_aware/baby_fuzzer_multi
+          - ./fuzzers/structure_aware/baby_fuzzer_custom_input
+          - ./fuzzers/structure_aware/baby_fuzzer_nautilus
 
           # In-process
-          - ./fuzzers/inprocess/cargo_fuzz
+          - ./fuzzers/fuzz_anything/cargo_fuzz
           # - ./fuzzers/inprocess/dynamic_analysis
           - ./fuzzers/inprocess/fuzzbench
           - ./fuzzers/inprocess/fuzzbench_text
@@ -314,15 +313,17 @@ jobs:
           # - ./fuzzers/inprocess/libfuzzer_libpng_tcp_manager
           - ./fuzzers/inprocess/libfuzzer_stb_image_sugar
           - ./fuzzers/inprocess/libfuzzer_stb_image
-          # - ./fuzzers/inprocess/libfuzzer_stb_image_concolic
+          # - ./fuzzers/structure_aware/libfuzzer_stb_image_concolic
           # - ./fuzzers/inprocess/libfuzzer_windows_asan
-          - ./fuzzers/inprocess/push_harness
-          - ./fuzzers/inprocess/push_stage_harness
           # - ./fuzzers/inprocess/sqlite_centralized_multi_machine
-          - ./fuzzers/inprocess/tutorial
 
-          # Others
+          # Fuzz Anything
-          - ./fuzzers/others/libafl_atheris
+          - ./fuzzers/fuzz_anything/push_harness
+          - ./fuzzers/fuzz_anything/push_stage_harness
+          - ./fuzzers/fuzz_anything/libafl_atheris
+          - ./fuzzers/fuzz_anything/baby_no_std
+          - ./fuzzers/fuzz_anything/baby_fuzzer_wasm
+
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -362,14 +363,14 @@ jobs:
         os: [ubuntu-24.04]
         fuzzer:
           # Binary only
-          - ./fuzzers/binary-only/qemu_cmin
+          - ./fuzzers/binary_only/qemu_cmin
-          - ./fuzzers/binary-only/qemu_coverage
+          - ./fuzzers/binary_only/qemu_coverage
-          - ./fuzzers/binary-only/qemu_launcher
+          - ./fuzzers/binary_only/qemu_launcher
 
           # Full-system
-          - ./fuzzers/full-system/qemu_baremetal
+          - ./fuzzers/full_system/qemu_baremetal
-          # - ./fuzzers/full-system/qemu_linux_kernel
+          # - ./fuzzers/full_system/qemu_linux_kernel
-          #- ./fuzzers/full-system/qemu_linux_process
+          #- ./fuzzers/full_system/qemu_linux_process
 
     runs-on: [ self-hosted, qemu ]
     container: registry.gitlab.com/qemu-project/qemu/qemu/ubuntu2204:latest
@@ -392,9 +393,9 @@ jobs:
       - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
       - name: Build aarch64-unknown-none
-        run: cd ./fuzzers/baby/baby_no_std && cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --release && cd ../..
+        run: cd ./fuzzers/fuzz_anything/baby_no_std && cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --release && cd ../..
       - name: run x86_64 until panic!
-        run: cd ./fuzzers/baby/baby_no_std && cargo +nightly run || test $? -ne 0 || exit 1
+        run: cd ./fuzzers/fuzz_anything/baby_no_std && cargo +nightly run || test $? -ne 0 || exit 1
       - name: no_std tests
         run: cd ./libafl && cargo test --no-default-features
 
@@ -436,8 +437,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/workflows/windows-tester-prepare
-      - name: Build fuzzers/binary-only/frida_libpng
+      - name: Build fuzzers/binary_only/frida_libpng
-        run: cd fuzzers/binary-only/frida_libpng/ && cargo make test
+        run: cd fuzzers/binary_only/frida_libpng/ && cargo make test
 
   windows-frida-libfuzzer-stb-image:
     runs-on: windows-latest
@@ -456,8 +457,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/workflows/windows-tester-prepare
-      - name: Build fuzzers/binary-only/frida_gdiplus
+      - name: Build fuzzers/binary_only/frida_gdiplus
-        run: cd fuzzers/binary-only/frida_gdiplus/ && cargo make test && cargo make test_cmplog
+        run: cd fuzzers/binary_only/frida_gdiplus/ && cargo make test && cargo make test_cmplog
 
   windows-tinyinst-simple:
     runs-on: windows-latest
@@ -468,8 +469,8 @@ jobs:
         run: cargo install cxxbridge-cmd
       - uses: actions/checkout@v4
       - uses: ./.github/workflows/windows-tester-prepare
-      - name: Build fuzzers/binary-only/tinyinst_simple
+      - name: Build fuzzers/binary_only/tinyinst_simple
-        run: cd fuzzers/binary-only/tinyinst_simple/ && cargo make test
+        run: cd fuzzers/binary_only/tinyinst_simple/ && cargo make test
 
   windows-clippy:
     runs-on: windows-latest

.gitignore

@@ -42,7 +42,6 @@ test.dict
 AFLplusplus
 test_*
 *_fuzzer
-*_harness
 
 # Ignore common dummy and logfiles
 *.log
@@ -73,6 +72,5 @@ libafl_nyx/packer
 # common harness names
 harness
 program
-fuzzer
 fuzzer_libpng*
 forkserver_simple

docs/src/advanced_features/concolic.md

@@ -115,7 +115,7 @@ The `symcc_runtime` crate supports this use case and runtimes built with `symcc_
 
 ## Hybrid Fuzzing in LibAFL
 
-The LibAFL repository contains an [example hybrid fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/inprocess/libfuzzer_stb_image_concolic).
+The LibAFL repository contains an [example hybrid fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic).
 
 There are three main steps involved with building a hybrid fuzzer using LibAFL:
 
@@ -130,7 +130,7 @@ For example, we need to have a runtime ready before we can do instrumentation wi
 
 Building a custom runtime can be done easily using the `symcc_runtime` crate.
 Note, that a custom runtime is a separate shared object file, which means that we need a separate crate for our runtime.
-Check out the [example hybrid fuzzer's runtime](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/inprocess/libfuzzer_stb_image_concolic/runtime) and the [`symcc_runtime` docs](https://docs.rs/symcc_runtime/0.1/symcc_runtime) for inspiration.
+Check out the [example hybrid fuzzer's runtime](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/runtime) and the [`symcc_runtime` docs](https://docs.rs/symcc_runtime/0.1/symcc_runtime) for inspiration.
 
 ### Instrumentation
 
@@ -151,7 +151,7 @@ How exactly this is done does not matter.
 However, the SymCC compiler needs to be made aware of the location of the runtime that it should instrument against.
 This is done by setting the `SYMCC_RUNTIME_DIR` environment variable to the directory which contains the runtime (typically the `target/(debug|release)` folder of your runtime crate).
 
-The example hybrid fuzzer instruments the target in its [`build.rs` build script](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/inprocess/libfuzzer_stb_image_concolic/fuzzer/build.rs#L50).
+The example hybrid fuzzer instruments the target in its [`build.rs` build script](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/build.rs#L50).
 It does this by cloning and building a copy of SymCC and then using this version to instrument the target.
 The [`symcc_libafl` crate](https://docs.rs/symcc_libafl) contains helper functions for cloning and building SymCC.
 
@@ -169,7 +169,7 @@ No matter the instrumentation method, the interface between the fuzzer and the i
 The only difference between using SymCC and SymQEMU should be the binary that represents the target:
 In the case of SymCC it will be the binary that was build with instrumentation and with SymQEMU it will be the emulator binary (eg. `x86_64-linux-user/symqemu-x86_64`), followed by your uninstrumented target binary and its arguments.
 
-You can use the [`CommandExecutor`](https://docs.rs/libafl/latest/libafl/executors/command/struct.CommandExecutor.html) to execute your target ([example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/inprocess/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L244)).
+You can use the [`CommandExecutor`](https://docs.rs/libafl/latest/libafl/executors/command/struct.CommandExecutor.html) to execute your target ([example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L244)).
 When configuring the command, make sure you pass the `SYMCC_INPUT_FILE` environment variable (set to the input file path), if your target reads input from a file (instead of standard input).
 
 #### Serialization and Solving
@@ -184,4 +184,4 @@ It will attempt to solve all branches, like the original simple backend from Sym
 
 ### Example
 
-The example fuzzer shows how to use the [`ConcolicTracingStage` together with the `SimpleConcolicMutationalStage`](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/inprocess/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L222) to build a basic hybrid fuzzer.
+The example fuzzer shows how to use the [`ConcolicTracingStage` together with the `SimpleConcolicMutationalStage`](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L222) to build a basic hybrid fuzzer.

docs/src/advanced_features/frida.md

@@ -4,7 +4,7 @@ LibAFL supports different instrumentation engines for binary-only fuzzing.
 A potent cross-platform (Windows, MacOS, Android, Linux, iOS) option for binary-only fuzzing is Frida; the dynamic instrumentation tool.
 
 In this section, we will talk about the components in fuzzing with `libafl_frida`.
-You can take a look at a working example in our [`fuzzers/binary-only/frida_libpng`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary-only/frida_libpng) folder for Linux, and [`fuzzers/binary-only/frida_gdiplus`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary-only/frida_gdiplus) for Windows.
+You can take a look at a working example in our [`fuzzers/binary_only/frida_libpng`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/frida_libpng) folder for Linux, and [`fuzzers/binary_only/frida_gdiplus`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/frida_gdiplus) for Windows.
 
 ## Dependencies
 
@@ -84,4 +84,4 @@ You can then link this observer to `FridaInProcessExecutor` as follows:
 ```
 
 And finally you can run the fuzzer.
-See the `frida_` examples in [`./fuzzers/binary-only`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary-only/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary-only tracer.
+See the `frida_` examples in [`./fuzzers/binary_only`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary_only tracer.

docs/src/advanced_features/no_std.md

@@ -37,4 +37,4 @@ pub extern "C" fn external_current_millis() -> u64 {
 }
 ```
 
-See [./fuzzers/baby/baby_no_std](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/baby_no_std) for an example.
+See [./fuzzers/fuzz_anything/baby_no_std](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/fuzz_anything/baby_no_std) for an example.

docs/src/advanced_features/nyx.md

@@ -24,7 +24,7 @@ For binary-only fuzzing, Nyx uses intel-PT(Intel® Processor Trace). You can fin
 
 ## Preparing the Nyx working directory
 
-This step is used to pack the target into Nyx's kernel. Don't worry, we have a template shell script in our [example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full-system/nyx_libxml2_parallel/setup_libxml2.sh):
+This step is used to pack the target into Nyx's kernel. Don't worry, we have a template shell script in our [example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_parallel/setup_libxml2.sh):
 
 the parameter's meaning is listed below:
 
@@ -49,7 +49,7 @@ python3 ./packer/packer/nyx_config_gen.py /tmp/nyx_libxml2/ Kernel || exit
 
 ## Standalone fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full-system/nyx_libxml2_standalone/src/main.rs) you first need to run `./setup_libxml2.sh`. It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start to write your code.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_standalone/src/main.rs) you first need to run `./setup_libxml2.sh`. It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start to write your code.
 
 First, to create `Nyxhelper`:
 
@@ -71,7 +71,7 @@ Finally, use them normally and pass them into `fuzzer.fuzz_loop(&mut stages, &mu
 
 ## Parallel fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full-system/nyx_libxml2_parallel/src/main.rs) you first need to run `./setup_libxml2.sh` as described before.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_parallel/src/main.rs) you first need to run `./setup_libxml2.sh` as described before.
 
 Parallel fuzzing relies on [`Launcher`](../message_passing/spawn_instances.md), so spawn logic should be written in the scoop of anonymous function `run_client`:
 

docs/src/tutorial/intro.md

@@ -5,4 +5,4 @@
 > This section is under construction.
 > Please check back later (or open a PR)
 >
-> In the meantime, find the final Lain-based fuzzer in [the fuzzers folder](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/inprocess/tutorial)
+> In the meantime, find the final Lain-based fuzzer in [the fuzzers folder](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/tutorial)

fuzzers/README.md

@@ -2,17 +2,29 @@
 
 ## Example fuzzers
 
-You can find here all the example fuzzers built on top of LibAFL.
+You can find a large amount of example fuzzers built on top of LibAFL.
-They are sorted by fuzzer types:
+They are sorted by focus:
 
-- `baby`: Minimal fuzzers demonstrating a specific feature.
+- `baby`: Minimal fuzzers and fuzzers demonstrating specific features that don't fit anywhere else.
-- `binary-only`: Fuzzers for binary-only targets.
+- `inprocess`: Common In-process fuzzers. Most of the time, this is what you want.
-- `forkserver`: Fuzzers using a forkserver-style executor.
+- `binary_only`: Fuzzers for binary-only targets.
-- `full-system`: Fuzzers for full-system targets (kernels, firmwares, etc...).
+- `forkserver`: Fuzzers that use a forkserver-style executor.
+- `full_system`: Fuzzers for full-system targets (kernels, firmwares, etc...).
 - `fuzzbench`: Fuzzbench fuzzers.
-- `grammar-aware`: Grammar-aware fuzzers.
+- `structure_aware`: Grammar fuzzers, fuzzers for certain languages, fuzzers with custom inputs, and more.
-- `inprocess`: In-process fuzzers, whn they don't fit another more specific type.
+- `fuzz-anything`: Fuzzers for advanced targets like WASM or python, and other fuzzers that can be used for anything.
-- `others`: Fuzzers for specific / specialized things, that do not go in a specific category.
+
+(Some fuzzers may fit into multiple categories, in which case we sort them as it makes sense, for example `structure_aware > full_system > binary_only > the rest`)
+
+## Fully-feature Fuzzers
+
+Some rather complete fuzzers worth looking at are:
+
+- [`Libfuzzer_Libpng_Launcher`](./inprocess//): That's what most people want to use: our InProcess fuzzer with a lot of features like ASAn on some cores, multi threading (a better libfuzzer).
+- [`LibAFL-fuzz`](./forkserver/libafl-fuzz/): A reimplementation of afl-fuzz, the traditional forkserver fuzzer that tries to emulate the command line and behavior.
+- [`LibAFL-QEMU-Launcher`](./binary_only/qemu_launcher/): A full-featured QEMU-mode fuzzer that runs on multiple cores
+
+They may not be the best starting point for your own custom fuzzer, but they might be easy enough to just use.
 
 ## Paper Artifacts
 

fuzzers/baby/baby_fuzzer_wasm/pkg/.gitignore

@@ -1 +0,0 @@
-*

fuzzers/baby/baby_fuzzer_wasm/pkg/index.html

@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <title>libafl_wasm test</title>
-</head>
-<body>
-<script type="module">
-    import libafl_wasm from './libafl_wasm.js'
-
-    libafl_wasm().then(wasm => wasm.fuzz())
-</script>
-</body>
-</html>

fuzzers/baby/baby_fuzzer_wasm/pkg/package.json

@@ -1,17 +0,0 @@
-{
-  "name": "baby_fuzzer_wasm",
-  "collaborators": [
-    "Addison Crump <research@addisoncrump.info>"
-  ],
-  "version": "0.1.0",
-  "files": [
-    "baby_fuzzer_wasm_bg.wasm",
-    "baby_fuzzer_wasm.js",
-    "baby_fuzzer_wasm.d.ts"
-  ],
-  "module": "baby_fuzzer_wasm.js",
-  "types": "baby_fuzzer_wasm.d.ts",
-  "sideEffects": [
-    "./snippets/*"
-  ]
-}