{"id":35887455,"url":"https://github.com/ant4g0nist/Sloth","last_synced_at":"2026-01-15T06:00:50.617Z","repository":{"id":68070424,"uuid":"385688213","full_name":"ant4g0nist/Sloth","owner":"ant4g0nist","description":"Sloth 🦥 is a coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation","archived":false,"fork":false,"pushed_at":"2023-09-18T03:12:16.000Z","size":2399,"stargazers_count":123,"open_issues_count":4,"forks_count":14,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-21T01:47:00.815Z","etag":null,"topics":["android","fuzzing","libfuzzer","qemu","sloth"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ant4g0nist.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-13T17:43:11.000Z","updated_at":"2025-04-22T19:11:09.000Z","dependencies_parsed_at":"2025-06-21T01:42:40.552Z","dependency_job_id":"eb03d392-3d10-41c5-ad3c-66e72f4207dd","html_url":"https://github.com/ant4g0nist/Sloth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ant4g0nist/Sloth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ant4g0nist%2FSloth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ant4g0nist%2FSloth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ant4g0nist%2FSloth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/ant4g0nist%2FSloth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ant4g0nist","download_url":"https://codeload.github.com/ant4g0nist/Sloth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ant4g0nist%2FSloth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28444124,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T05:05:00.929Z","status":"ssl_error","status_checked_at":"2026-01-15T05:04:58.515Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","fuzzing","libfuzzer","qemu","sloth"],"created_at":"2026-01-08T22:00:44.426Z","updated_at":"2026-01-15T06:00:50.610Z","avatar_url":"https://github.com/ant4g0nist.png","language":"C++","funding_links":[],"categories":["C++"],"sub_categories":[],"readme":"# Sloth 🦥\n   Sloth is a fuzzing setup that makes use of libFuzzer and QEMU’s user-mode emulation (`qemu/linux-user`) on x86_64/aarch64 host to emulate aarch64 Android libraries to fuzz the target Android native library.\n\n# Introduction\nSloth makes use of libFuzzer and QEMU’s user-mode emulation (`qemu/linux-user`) on x86_64/aarch64 host to emulate aarch64 Android libraries to fuzz the target Android native library. 
The internals of Sloth (why it exists and how it works) are described at: [https://fuzzing.science/blog/Fuzzing-Android-Native-libraries-with-libFuzzer-Qemu](https://fuzzing.science/blog/Fuzzing-Android-Native-libraries-with-libFuzzer-Qemu)\n\nHigh-level execution flow of QEMU user-mode emulation:\n\n![QEMU linux-user flow](./resources/qemu_linux-user_main.png)\n\n# Build Instructions\n\nTo build and launch the Docker container:\n\n~~~sh\nexport image=\"sloth:v1\"\ndocker build -t $image .\ndocker run --rm -v `pwd`/resources/rootfs:/rootfs -v `pwd`/resources/examples:/examples -it $image bash\n~~~\n\nSee the `resources/examples` folder for how to build an example Android native library.\n\n## Usage\n\nCopy the `/system/` directory of a rooted Android device into the `resources/rootfs` directory (the Docker command above mounts it at `/rootfs` inside the container).\n\nIn the examples folder, check the signature of the `libQemuFuzzerTestOneInput` function in `jni/lib/fuzz.cpp`. It plays the role of the `LLVMFuzzerTestOneInput` function that every libFuzzer harness defines.\n\nTo compile the sample from examples:\n\n~~~sh\ncd examples/jni\nndk-build\n~~~\n\nThis builds `libBooFuzz.so` and the executable `boofuzz`.\nCopy `libBooFuzz.so` to `/rootfs/system/lib64/` and `boofuzz` to `/rootfs/`:\n\n~~~sh\nroot@b7d9fb6a454e:/examples/jni# make\nroot@b7d9fb6a454e:/examples/jni# cp ../libs/arm64-v8a/libBooFuzz.so /rootfs/system/lib64/\nroot@b7d9fb6a454e:/examples/jni# cp ../libs/arm64-v8a/boofuzz /rootfs/\nroot@b7d9fb6a454e:/examples/jni# \n~~~\n\nSet the `SLOTH_TARGET_LIBRARY` environment variable to the path of the target library that exports `libQemuFuzzerTestOneInput` (`libBooFuzz.so` in our example).\n\nTo start fuzzing:\n\n~~~sh\nroot@45d7511a2802:/sloth/src# SLOTH_TARGET_LIBRARY=/rootfs/system/lib64/libBooFuzz.so ./sloth /rootfs/boofuzz test/\n==== SLOTH ====\nWARNING: Failed to find function \"__sanitizer_acquire_crash_state\".\nWARNING: Failed to find function \"__sanitizer_print_stack_trace\".\nWARNING: Failed to find function 
\"__sanitizer_set_death_callback\".\nINFO: Running with entropic power schedule (0xFF, 100).\nINFO: Seed: 557648595\nINFO: 65536 Extra Counters\nINFO:        1 files found in test/\nINFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes\nINFO: seed corpus: files: 1 min: 6b max: 6b total: 6b rss: 66Mb\n#2\tINITED ft: 3 corp: 1/6b exec/s: 0 rss: 66Mb\n#10\tREDUCE ft: 3 corp: 1/4b lim: 6 exec/s: 0 rss: 66Mb L: 4/4 MS: 3 CopyPart-CopyPart-CrossOver-\n#11\tREDUCE ft: 3 corp: 1/2b lim: 6 exec/s: 0 rss: 66Mb L: 2/2 MS: 1 EraseBytes-\n#12\tREDUCE ft: 3 corp: 1/1b lim: 6 exec/s: 0 rss: 66Mb L: 1/1 MS: 1 EraseBytes-\n#4655\tREDUCE ft: 5 corp: 2/37b lim: 48 exec/s: 0 rss: 66Mb L: 36/36 MS: 3 ShuffleBytes-ChangeBit-InsertRepeatedBytes-\n#4676\tREDUCE ft: 5 corp: 2/20b lim: 48 exec/s: 0 rss: 66Mb L: 19/19 MS: 1 EraseBytes-\n#4694\tREDUCE ft: 5 corp: 2/11b lim: 48 exec/s: 0 rss: 66Mb L: 10/10 MS: 3 ChangeBinInt-ChangeBinInt-EraseBytes-\n#4710\tREDUCE ft: 5 corp: 2/7b lim: 48 exec/s: 0 rss: 66Mb L: 6/6 MS: 1 EraseBytes-\n#4736\tREDUCE ft: 5 corp: 2/5b lim: 48 exec/s: 0 rss: 66Mb L: 4/4 MS: 1 EraseBytes-\n#4830\tREDUCE ft: 5 corp: 2/3b lim: 48 exec/s: 0 rss: 66Mb L: 2/2 MS: 4 ChangeByte-CopyPart-ChangeByte-CrossOver-\n#4896\tREDUCE ft: 5 corp: 2/2b lim: 48 exec/s: 0 rss: 66Mb L: 1/1 MS: 1 EraseBytes-\n#36480\tREDUCE ft: 7 corp: 3/4b lim: 357 exec/s: 0 rss: 66Mb L: 2/2 MS: 4 ShuffleBytes-CrossOver-ShuffleBytes-ChangeByte-\n#89256\tNEW    ft: 9 corp: 4/26b lim: 877 exec/s: 0 rss: 66Mb L: 22/22 MS: 1 InsertRepeatedBytes-\n#89282\tREDUCE ft: 9 corp: 4/21b lim: 877 exec/s: 0 rss: 66Mb L: 17/17 MS: 1 EraseBytes-\n#89288\tREDUCE ft: 9 corp: 4/16b lim: 877 exec/s: 0 rss: 66Mb L: 12/12 MS: 1 EraseBytes-\n#89407\tREDUCE ft: 9 corp: 4/14b lim: 877 exec/s: 0 rss: 66Mb L: 10/10 MS: 4 ChangeBinInt-InsertByte-ChangeBinInt-EraseBytes-\n#89458\tREDUCE ft: 9 corp: 4/13b lim: 877 exec/s: 0 rss: 66Mb L: 9/9 MS: 1 EraseBytes-\n#89480\tREDUCE ft: 9 corp: 4/11b lim: 
877 exec/s: 0 rss: 66Mb L: 7/7 MS: 2 ShuffleBytes-EraseBytes-\n#89496\tREDUCE ft: 9 corp: 4/10b lim: 877 exec/s: 0 rss: 66Mb L: 6/6 MS: 1 EraseBytes-\n#89647\tREDUCE ft: 9 corp: 4/8b lim: 877 exec/s: 0 rss: 66Mb L: 4/4 MS: 1 EraseBytes-\n#92983\tREDUCE ft: 9 corp: 4/7b lim: 904 exec/s: 0 rss: 66Mb L: 3/3 MS: 1 EraseBytes-\n#350518\tREDUCE ft: 11 corp: 5/77b lim: 3458 exec/s: 350518 rss: 66Mb L: 70/70 MS: 2 ShuffleBytes-InsertRepeatedBytes-\n#350594\tREDUCE ft: 11 corp: 5/44b lim: 3458 exec/s: 350594 rss: 66Mb L: 37/37 MS: 1 EraseBytes-\n#350611\tREDUCE ft: 11 corp: 5/28b lim: 3458 exec/s: 350611 rss: 66Mb L: 21/21 MS: 2 ChangeBinInt-EraseBytes-\n#350787\tREDUCE ft: 11 corp: 5/26b lim: 3458 exec/s: 350787 rss: 66Mb L: 19/19 MS: 1 EraseBytes-\n#350994\tREDUCE ft: 11 corp: 5/22b lim: 3458 exec/s: 350994 rss: 66Mb L: 15/15 MS: 2 InsertByte-EraseBytes-\n#351305\tREDUCE ft: 11 corp: 5/21b lim: 3458 exec/s: 351305 rss: 66Mb L: 14/14 MS: 1 EraseBytes-\n#351466\tREDUCE ft: 11 corp: 5/19b lim: 3458 exec/s: 351466 rss: 66Mb L: 12/12 MS: 1 EraseBytes-\n#351487\tREDUCE ft: 11 corp: 5/18b lim: 3458 exec/s: 351487 rss: 66Mb L: 11/11 MS: 1 EraseBytes-\n#351753\tREDUCE ft: 11 corp: 5/16b lim: 3458 exec/s: 351753 rss: 66Mb L: 9/9 MS: 1 EraseBytes-\n#351760\tREDUCE ft: 11 corp: 5/15b lim: 3458 exec/s: 351760 rss: 66Mb L: 8/8 MS: 2 ChangeBit-EraseBytes-\n#351867\tREDUCE ft: 11 corp: 5/13b lim: 3458 exec/s: 351867 rss: 66Mb L: 6/6 MS: 2 ChangeBit-EraseBytes-\n#352673\tREDUCE ft: 11 corp: 5/12b lim: 3458 exec/s: 352673 rss: 66Mb L: 5/5 MS: 1 EraseBytes-\n#524288\tpulse  ft: 11 corp: 5/12b lim: 4096 exec/s: 262144 rss: 66Mb\n#1048576\tpulse  ft: 11 corp: 5/12b lim: 4096 exec/s: 209715 rss: 66Mb\n==17== ERROR: libFuzzer: deadly signal\nNOTE: libFuzzer has rudimentary signal handlers.\n      Combine libFuzzer with AddressSanitizer or similar for better crash reports.\nSUMMARY: libFuzzer: deadly signal\nMS: 2 CMP-InsertRepeatedBytes- DE: \"\\x18\\xd6^\\x04U\\x00\\x00\\x00\"-; base unit: 
4504839cf31d63eae201804d840610ae0ffcecea\n0xde,0xad,0xbe,0x6f,0xef,0x18,0xd6,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0x5e,0x4,0x55,0x0,0x0,0x0,\n\\xde\\xad\\xbeo\\xef\\x18\\xd6\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca\\xca^\\x04U\\x00\\x00\\x00\nartifact_prefix='./'; Test unit written to ./crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a\nBase64: 3q2+b+8Y1srKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKyl4EVQAAAA==\n\nroot@c4627f563a99:/rootfs/src# ls\nMakefile  crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a  fuzzer  qemu  sloth  sloth.c  test\n\nroot@45d7511a2802:/sloth/src# xxd crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a \n00000000: dead be6f ef18 d6ca caca caca caca caca  ...o............\n00000010: caca caca caca caca caca caca caca caca  ................\n00000020: caca caca caca caca caca caca caca caca  ................\n00000030: caca caca caca caca caca caca caca caca  ................\n00000040: caca caca caca caca caca caca caca caca  ................\n00000050: caca caca caca caca 5e04 5500 0000       ........^.U...\n~~~\n\n![](resources/demo.gif)\n\nHappy Fuzzing :)\n\n## TODO\n- [x] Fix signal handling in QEMU for libFuzzer to handle\n- [x] Use QEMU as a library\n- [ ] Fuzzing 
support for Android JNI libraries\n- [ ] Make sure this is thread safe since I moved some variables to global.\n- [ ] Add CMP coverage\n- [ ] Add ASAN\n\n## Credits\n- [aflplusplus team](https://github.com/aflplusplus)\n- [llvm](https://github.com/llvm)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fant4g0nist%2FSloth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fant4g0nist%2FSloth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fant4g0nist%2FSloth/lists"}
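The README above says that `libQemuFuzzerTestOneInput` is the Sloth equivalent of `LLVMFuzzerTestOneInput`, and its fuzzing session shows the `__sanitizer_*` warnings plus an "Add ASAN" TODO: the target runs without a sanitizer, so a silent out-of-bounds read would never surface as a crash. The following is an added example, not Sloth's `jni/lib/fuzz.cpp` and not code from the project: a complete harness for a hypothetical, constructed record format (`parse_records`, which stands in for whatever exported function of the real Android `.so` you fuzz), exporting `libQemuFuzzerTestOneInput` with a signature assumed to match `LLVMFuzzerTestOneInput`, and placing each input against a `PROT_NONE` guard page so that an over-read faults and libFuzzer reports it as a deadly signal even without ASan. The `main` is a host-side driver that replays a saved artifact such as `crash-<sha1>` through the harness; the sample inputs are constructed here.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical target, standing in for the function exported by the
 * Android .so you actually fuzz. Constructed record format:
 *   [u8 version = 1][u8 count] then count x ([u8 type][u16le len][len bytes])
 * Returns the number of records parsed, or -1 for a malformed buffer.
 * Every read is bounds-checked, so a fuzzer should find no crash here. */
int parse_records(const uint8_t *buf, size_t len) {
    if (len < 2 || buf[0] != 1) return -1;
    uint8_t count = buf[1];
    size_t off = 2;
    int parsed = 0;
    for (uint8_t i = 0; i < count; i++) {
        if (len - off < 3) return -1;                       /* record header must fit */
        uint16_t rlen = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += 3;
        if (rlen > len - off) return -1;                    /* payload must fit */
        off += rlen;
        parsed++;
    }
    return parsed;
}

typedef int (*target_fn)(const uint8_t *, size_t);

/* Call fn on a copy of the input placed at the very end of a private
 * mapping whose next page is PROT_NONE. Without ASan a one-byte over-read
 * in the target would be silent; here it raises SIGSEGV, which libFuzzer
 * reports as a "deadly signal" and saves the input as crash-<sha1>. */
int run_with_guard_page(const uint8_t *data, size_t size, target_fn fn) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    if (data_pages == 0) data_pages = 1;
    size_t total = (data_pages + 1) * page;
    uint8_t *region = mmap(NULL, total, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -2;
    uint8_t *guard = region + data_pages * page;
    if (mprotect(guard, page, PROT_NONE) != 0) { munmap(region, total); return -2; }
    uint8_t *copy = guard - size;                           /* last input byte touches the guard */
    memcpy(copy, data, size);
    int rc = fn(copy, size);
    munmap(region, total);
    return rc;
}

/* The entry point Sloth resolves from SLOTH_TARGET_LIBRARY. Its signature is
 * assumed to match LLVMFuzzerTestOneInput, as the README describes; when the
 * harness is C++ (like fuzz.cpp) the name must stay unmangled. */
#ifdef __cplusplus
extern "C"
#endif
int libQemuFuzzerTestOneInput(const uint8_t *data, size_t size) {
    run_with_guard_page(data, size, parse_records);
    return 0;                                               /* libFuzzer expects 0 */
}

/* Constructed sample inputs (not taken from the Sloth repo). */
static const uint8_t kTwoRecords[] = {1, 2, 0x41, 1, 0, 'x', 0x42, 0, 0};
static const uint8_t kTruncated[]  = {1, 1, 0x41, 5, 0, 'a', 'b', 'c'};
static const uint8_t kBadVersion[] = {2, 0};

/* Host-side driver: with no argument it runs the samples; with a path
 * (e.g. a crash-<sha1> artifact written by libFuzzer) it replays that one
 * input through the harness, as libFuzzer itself does when handed a file. */
int main(int argc, char **argv) {
    if (argc == 1) {
        printf("two records: %d\n", run_with_guard_page(kTwoRecords, sizeof kTwoRecords, parse_records));
        printf("truncated:   %d\n", run_with_guard_page(kTruncated, sizeof kTruncated, parse_records));
        printf("bad version: %d\n", run_with_guard_page(kBadVersion, sizeof kBadVersion, parse_records));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    uint8_t *buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 2; }
    fclose(f);
    int rc = libQemuFuzzerTestOneInput(buf, (size_t)n);
    free(buf);
    return rc;
}
```

Built natively (`cc -o repro harness.c`), `./repro crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a` replays an artifact through the same entry point the fuzzer calls; when the harness is built with the NDK into the target `.so` instead, the guard page is what turns a quiet over-read into the `deadly signal` that the README's session shows libFuzzer catching. The guard catches reads past the end only; reads before the start or writes into unrelated memory still need ASan, which is why the project lists it as a TODO.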