Crowbar campaign orchestrator for AFL fuzzing - run long-lived AFL fuzzing campaigns across multiple fuzz targets in parallel

Crow

Crowbar campaign orchestrator for AFL fuzzing.

Crow orchestrates long-lived AFL fuzzing campaigns across multiple Crowbar fuzz targets in parallel. It discovers fuzz targets in your workspace, allocates CPU cores across them, and provides a unified interface for monitoring progress.

Installation

opam install crow

Quick Start

# Discover and list fuzz targets
crow list

# Start a campaign with 8 CPUs
crow start --cpus=8

# Monitor progress
crow status

# View crashes
crow crashes

# Stop the campaign
crow stop

Commands

crow list

Discovers all Crowbar fuzz targets in your workspace. Targets are identified by looking for executables built from fuzz_*.ml files with Crowbar.

crow start [--cpus=N] [--duration=SECS] [--targets=T1,T2,...]

Starts a new fuzzing campaign. Uses multi-armed bandit (MAB) style scheduling to rotate targets based on coverage progress: targets that are finding new paths get higher priority.

Options:

  • --cpus: Number of CPU cores to use (default: all available)
  • --duration: Maximum campaign duration in seconds
  • --targets: Comma-separated list of targets (default: all)
  • --output: Output directory (default: _fuzz)
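
The "targets finding new paths get higher priority" rule described for crow start, shown as a UCB1 multi-armed bandit that hands out one time slice at a time. This is an added example, not Crow's own code: the page does not say which bandit policy or reward Crow uses, so UCB1, the 0/1 reward per slice, the `arm` record, and the constructed target names and path caps are all assumptions.

```ocaml
(* Added illustration, not Crow's code: UCB1 bandit over fuzz targets. *)
type arm = {
  name : string;
  mutable pulls : int;     (* time slices given to this target so far *)
  mutable reward : float;  (* number of slices that found new paths *)
  mutable paths : int;     (* highest path count observed *)
}

let arm name = { name; pulls = 0; reward = 0.; paths = 0 }

(* UCB1 score: mean reward plus an exploration bonus that shrinks as the
   arm is pulled more. Arms never pulled score infinity and run first. *)
let score ~total a =
  if a.pulls = 0 then infinity
  else
    (a.reward /. float a.pulls)
    +. sqrt (2. *. log (float total) /. float a.pulls)

(* Pick the target that gets the next time slice. [arms] must be non-empty. *)
let pick arms =
  let total = List.fold_left (fun n a -> n + a.pulls) 0 arms in
  List.fold_left
    (fun best a -> if score ~total a > score ~total best then a else best)
    (List.hd arms) arms

(* Record one finished slice: reward 1 if the path count grew. *)
let update a ~paths_now =
  a.pulls <- a.pulls + 1;
  if paths_now > a.paths then a.reward <- a.reward +. 1.;
  a.paths <- max a.paths paths_now

(* Constructed workload: each target gains one path per slice up to a cap. *)
let caps = [ ("fuzz_parser", 40); ("fuzz_codec", 3); ("fuzz_noop", 0) ]

let () =
  let arms = List.map (fun (n, _) -> arm n) caps in
  for _i = 1 to 60 do
    let a = pick arms in
    update a ~paths_now:(min (a.pulls + 1) (List.assoc a.name caps))
  done;
  List.iter
    (fun a -> Printf.printf "%-12s slices=%2d paths=%d\n" a.name a.pulls a.paths)
    arms
```

The exploration bonus keeps a stalled target from being dropped entirely: it is retried occasionally, so a fuzzer that breaks through to new coverage later can regain priority.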

crow status

Shows real-time status of all targets including:

  • Execution speed (execs/sec)
  • Total executions
  • Paths discovered
  • Crashes and hangs found

crow crashes

Lists all unique crashes found across all targets with their input files.

crow stop

Gracefully stops all running fuzzers.

Workspace Setup

Crow requires a dune-workspace file with an afl profile for instrumented builds. If missing, crow start will create one:

(context
 (default
  (name afl)
  (profile afl)))

(env
 (afl
  (ocamlopt_flags (:standard -afl-instrument))))

Library API

(* List targets *)
let targets = Crow.list_targets ~fs in

(* Build with AFL instrumentation *)
let* () = Crow.build_targets ~sw ~process_mgr ~stdout ~stderr ~verbose targets in

(* Start campaign *)
let campaign, processes =
  Crow.start_campaign ~sw ~process_mgr ~fs ~stdout ~stderr
    ~verbose ~cpus:8 ()
in

(* Get status *)
let status = Crow.status ~fs () in
Fmt.pr "%a@." Crow.pp_target_table status;

(* Stop *)
Crow.stop_campaign processes

Licence

ISC License. See LICENSE.md for details.