{"id":13546081,"url":"https://github.com/gamozolabs/fzero_fuzzer","last_synced_at":"2026-04-08T13:32:45.669Z","repository":{"id":41253051,"uuid":"223377930","full_name":"gamozolabs/fzero_fuzzer","owner":"gamozolabs","description":"A fast Rust-based safe and thead-friendly grammar-based fuzz generator","archived":false,"fork":false,"pushed_at":"2020-08-12T23:21:23.000Z","size":14,"stargazers_count":216,"open_issues_count":2,"forks_count":22,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-11-03T14:34:58.398Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gamozolabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-11-22T10:15:12.000Z","updated_at":"2024-10-29T12:35:52.000Z","dependencies_parsed_at":"2022-09-19T18:42:02.778Z","dependency_job_id":null,"html_url":"https://github.com/gamozolabs/fzero_fuzzer","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamozolabs%2Ffzero_fuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamozolabs%2Ffzero_fuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamozolabs%2Ffzero_fuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gamozolabs%2Ffzero_fuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gamozolabs","download_url":"https://codeload.github.com/gamozolabs/fzero_fuzzer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246860263,"owners_count":20845634,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:00:31.228Z","updated_at":"2026-04-08T13:32:45.654Z","avatar_url":"https://github.com/gamozolabs.png","language":"Rust","funding_links":[],"categories":["Vulnerability Assessment","Rust"],"sub_categories":["Fuzzing"],"readme":"# Intro\n\n`fzero` is a grammar-based fuzzer that generates a Rust application inspired\nby the paper \"Building Fast Fuzzers\" by Rahul Gopinath and Andreas Zeller.\nhttps://arxiv.org/pdf/1911.07707.pdf\n\nYou can find the F1 fuzzer here:\n\nhttps://github.com/vrthra/F1\n\n# Usage\n\nCurrently this only generates an application that does benchmarking, but with\nsome quick hacks you could easily get the input out and feed it to an\napplication.\n\n## Example usage\n\n```\nD:\\dev\\fzero_fuzz\u003ecargo run --release html.json test.rs test.exe 8\n    Finished release [optimized] target(s) in 0.02s\n     Running `target\\release\\fzero.exe html.json test.rs test.exe 8`\nLoaded grammar json\nConverted grammar to binary format\nOptimized grammar\nGenerated Rust source file\nCreated Rust binary!\n\nD:\\dev\\fzero_fuzz\u003etest.exe\nMiB/sec:    1773.3719\nMiB/sec:    1763.8357\nMiB/sec:    1756.8917\nMiB/sec:    1757.1934\nMiB/sec:    1758.9417\nMiB/sec:    1758.9122\nMiB/sec:    1758.7352\n```\n\n# Concept\n\nThis program takes in an input grammar specified by a JSON file. This JSON\ngrammar representation is converted to a binary-style grammar that is intended\nfor interpretation and optimization. A Rust application (source file) is\nproduced by the shape of the input grammar. This then is compiled using `rustc`\nto an application for the local machine.\n\nThis doesn't have any constraints on the random number generation as it uses an\ninfinite supply of random numbers. There is no limitation on the output size\nand the buffer will dynamically grow as the input is created.\n\n# Benchmarks\n\nAll tests on a single core of a `Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz` with a turbo clock rate of 4.3 GHz\n\nAll numbers in `MiB/second`.\n\n| Benchmark          | fzero fuzzer | F1 fuzzer | Speedup |\n|--------------------|--------------|-----------|---------|\n| html.json depth=4  |         5330 |      1295 |   4.11x |\n| html.json depth=8  |         1760 |       348 |   5.05x |\n| html.json depth=16 |          338 |       195 |   1.73x |\n| html.json depth=32 |          218 |       175 |   1.25x |\n| html.json depth=64 |          201 |       175 |   1.14x |\n| json.json depth=4  |           97 |        97 |   1.00x |\n| json.json depth=8  |           79 |        93 |   0.84x |\n| json.json depth=16 |           83 |        89 |   0.93x |\n| json.json depth=32 |           85 |        88 |   0.97x |\n| json.json depth=64 |           85 |        90 |   0.94x |\n\n# Unsafe code\n\nThis project uses a small amount of `unsafe` code to provide the same semantics\nof `extend_from_slice` but in a much faster way (over 4x faster). Not quite\nsure why it's much faster, but if you are uncomfortable with `unsafe` code,\nfeel free to set `SAFE_ONLY` to `true` at the top of `src/lib.rs`. This will\nrestrict this fuzzer to only generate safe code. I don't think this is\nnecessary but who knows :)\n\n# Performance\n\nThe performance of this tool is separated into multiple categories. One is the\ncode generation side, how long it takes for the JSON to be compiled into a Rust\napplication. The other is the code execution speeds, which is how fast the\nproduced application can generate inputs.\n\n## Code Generation\n\nCode generation vastly outperforms the \"Building Fast Fuzzers\" paper. For\nexample when generating the code based on the `html.json` grammar, the F1\nfuzzer took over 25 minutes to produce the code. This fuzzer is capable of\nproducing a Rust application in under 10 seconds.\n\n## Code execution\n\nThis project is on some performance metrics about 20-30% slower than the F1\nfuzzer, but these scenarios are rare. However, in most situations we've been\nabout to out-perform F1 by about 30-50%, and in extreme cases (html.json\ndepth=8) we've observed over a 4x speedup.\n\n# Differences from the F1 fuzzer\n\nThe F1 fuzzer mentions a technique that will resolve to the nearest terminal\ntokens when stack depth is exceeded. We haven't implemented this technique but\nI don't think it's a huge impact on the generated inputs. This is something I\nwill look into in the future.\n\nDue to not using globals this can easily be scaled out to multiple threads as\nall random state and input generation are done in a structure.\n\nThere is no use of assembly in this project, and thus it can produce\nhighly-performant fuzzers for any architecture or environment that Rust can\ncompile against (pretty much identical to LLVM's target list).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgamozolabs%2Ffzero_fuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgamozolabs%2Ffzero_fuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgamozolabs%2Ffzero_fuzzer/lists"}