fusil 1.4

Fuzzing framework

Latest Version: 1.5

Fusil is a Python library used to write fuzzing programs. It helps to start a process in a prepared environment (memory limit, environment variables, redirected stdout, etc.), to start a network client or server, and to create mangled files. Fusil has many probes to detect a program crash: watch the process exit code, watch process stdout and syslog for text patterns (e.g. “segmentation fault”), watch session duration, watch CPU usage (process and system load), etc.

Fusil is based on a multi-agent system architecture. It computes a session score used to guess fuzzing parameters such as the number of errors injected into input files.

Available fuzzing projects: ClamAV, Firefox (contains an HTTP server), gettext, gstreamer, identify, libc_env, libc_printf, libexif, linux_syscall, mplayer, php, poppler, vim, xterm.



Fusil is a library and a set of fuzzers called “fusil-…”. To run a fuzzer, call it by its name. Example:

$ fusil-gettext
Fusil version 0.9.1 -- GNU GPL v2
[0][session 13] Start session
[0][session 13] ------------------------------------------------------------
[0][session 13] PID: 16989
[0][session 13] Signal: SIGSEGV
[0][session 13] Invalid read from 0x0c1086e0
[0][session 13] - instruction: CMP EDX, [EAX]
[0][session 13] - mapping: 0x0c1086e0 is not mapped in memory
[0][session 13] - register eax=0x0c1086e0
[0][session 13] - register edx=0x00000019
[0][session 13] ------------------------------------------------------------
[0][session 13] End of session: score=100.0%, duration=3.806 second
Success 1/1!
Project done: 13 sessions in 5.4 seconds (414.5 ms per session), total 5.9 seconds, aggresssivity: 19.0%
Total: 1 success
Keep non-empty directory: /home/haypo/prog/SVN/fusil/trunk/run-3


Why use Fusil instead of your own hand-made C script?

  • Fusil limits the child process environment: it limits memory, uses a timeout, and makes sure that the process is killed at the end of the session
  • Fusil waits until system load is low before starting a fuzzing session
  • Fusil creates a session directory used as the process current working directory, and Fusil only creates files in this directory (and not in /tmp)
  • Fusil stores all actions in fusil.log, and also in session.log for all actions related to a session
  • Fusil has multiple probes available to compute the session score: they guess whether a session is a success or not
  • Fusil redirects process output to a file and searches for bug text patterns in stdout/stderr (Fusil contains many text patterns to detect crashes and problems)
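
The session handling listed above, as an added Python example that is not Fusil's own code and does not use its API. The names run_session and CRASH_PATTERNS, the pattern list and the 1.0/0.0 score are assumptions made for the illustration; it needs a POSIX system.

```python
import os, re, resource, signal, subprocess, tempfile

# Constructed sample patterns; Fusil ships its own, larger list.
CRASH_PATTERNS = [re.compile(p, re.I) for p in
                  (rb"segmentation fault", rb"glibc detected", rb"assertion .* failed")]

def _limits(max_mem):
    """Build the hook that runs in the child just before exec."""
    def apply():
        for res, want in ((resource.RLIMIT_AS, max_mem), (resource.RLIMIT_CORE, 0)):
            hard = resource.getrlimit(res)[1]
            cap = want if hard == resource.RLIM_INFINITY else min(want, hard)
            resource.setrlimit(res, (cap, cap))
    return apply

def run_session(argv, timeout=5.0, max_mem=1 << 30, base="."):
    """Run one target; return (score, reason, session_dir). Score 1.0 = finding."""
    # Every file of the session lives in its own directory under `base`.
    session_dir = tempfile.mkdtemp(prefix="session-", dir=base)
    out_path = os.path.join(session_dir, "stdout")
    with open(out_path, "wb") as out, open(os.devnull, "rb") as null:
        proc = subprocess.Popen(
            argv, cwd=session_dir, stdin=null, stdout=out,
            stderr=subprocess.STDOUT, close_fds=True,
            env={"PATH": os.environ.get("PATH", "/usr/bin:/bin")},
            start_new_session=True,              # own process group for killpg()
            preexec_fn=_limits(max_mem))
        try:
            status = proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # kill the whole process tree
            proc.wait()
            return 1.0, "timeout", session_dir
    if status < 0:                               # target was killed by a signal
        return 1.0, signal.Signals(-status).name, session_dir
    with open(out_path, "rb") as f:
        data = f.read()
    for pat in CRASH_PATTERNS:                   # text probe on captured output
        if pat.search(data):
            return 1.0, "pattern:" + pat.pattern.decode(), session_dir
    return 0.0, "exit:%d" % status, session_dir

if __name__ == "__main__":
    print(run_session(["/bin/sh", "-c", "kill -SEGV $$"]))
```

The empty stdin and the kill on timeout keep a target that blocks on input or forks helpers from stalling the next session.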


Read INSTALL documentation file.


Read doc/index.rst: documentation index.


Fusil 1.4 (2011-02-16)

  • Python 3 support
  • fusil-python:
    • improve function listing all Python modules: use sys.builtin_module_names and pkgutil.iter_modules()
    • blacklist more modules, classes and functions

Fusil 1.3.2 (2010-01-09)

  • set sys.path to ease the usage of Fusil without installing it
  • Fix fusil-gettext: ignore strace errors in locateMO()
  • fusil-python:
    • hide Python warnings
    • listAllModules() includes builtin modules
    • new option --only-c to test only modules written in C
    • fix memory leak: unload tested modules
    • fix getFunctions(): use also isclass() to detect classes
  • Disable Fusil process maximum memory limit

Fusil 1.3.1 (2009-11-09)

  • fusil-python: autodiscover all modules instead of using a static list of modules, catch any exception when loading a module, only fuzz public functions (use module.__all__)
  • FileWatch: ignore duplicate parts on session rename
  • Remove duplicate session name parts (eg. “pickle-error-error” => “pickle-error”)
  • don’t redirect stdin to /dev/null if --ptrace is used
  • CPU probe: set max duration from 3 to 10 seconds (and rename the session on success)

Fusil 1.3 (2009-09-18)

  • Create fusil-gimp
  • Remove charset from WriteCode: use builtin open() instead because files created by open() are much faster
  • Optimize FileWatch: don’t recompile patterns at each session
  • fusil now depends on python-ptrace 0.6
  • Don’t use close_fds argument of subprocess.Popen() on Windows
  • Fix configuration reader: normal_calm_load, normal_calm_sleep, slow_calm_load, slow_calm_sleep keys global options are float, not integer
  • Project website moved to
  • FileWatch uses the pattern to rename the session

Fusil 1.2.1 (2009-02-06)

  • Fix mangle agent of the Image Magick fuzzer
  • Fix AttachProcessPID() probe: stop the probe at process exit

Fusil 1.2 (2009-02-04)

User visible changes:

  • Fusil now requires Python 2.5
  • Documentation: write an index (index.rst) and a user guide (usage.rst)
  • Replay script: copy HOME environment for GDB and catch setuid() error
  • fusil-firefox: support more file formats (bmp, gif, ico, png, svg), create --test command line option, write the HTML page into index.html file
  • fusil-python: write errors to stderr (instead of stdout) to avoid unicode error (especially with Python3)
  • FileWatch: rename the session with “long_output” if the program wrote more than max_nbline lines
  • fusil-python: blacklist posix.fork() to avoid false positive
  • If the process is killed by a signal, rename the session using the signal name (already worked if the debugger was disabled)

Developer changes:

  • MangleAgent supports multiple input files
  • Create DummyMangle: agent with MangleFile API but don’t touch file content to test the fuzzer
  • Network: close() method of NetworkClient and ServerClient use shutdown(SHUT_RDWR)
  • NetworkServer uses a backlog of 5 clients for socket.listen() (instead of 1)


  • Fix Directory.rmtree() and replay script for Python 3.0
  • Fix ServerClient.sendBytes(): use socket.send() result to get the next data offset

Fusil 1.1 (2008-10-22)

User visible changes:
  • ask for confirmation if the fuzzer will not be running under a different user or as root
  • Even with --force-unsafe, show safety warning if the fuzzer is running as the root user
  • Close files for child processes (close_fds=True)
  • Fix directory.rmtree() for Python 3.0 final
Developer changes:
  • Create IntegerRangeGenerator in fusil.unicode_generator
  • Create EnvVarIntegerRange in fusil.process.env
  • Create fusil-wizzard fuzzer
  • Write timestamp in session.log
  • Add session() method to ProjectAgent
  • Add NAME attribute to a fuzzer, reused to choose the project directory name
  • Fix Debugger.processSignal(): use the process agent to send the message (session_rename) since the debugger agent may be disabled
  • Fix quote gdb arguments escape quote and antislash characters (eg. “text=”Hello\n”.”)
  • uses /dev/null for stdin as Fusil does
  • FileWatch: open file in binary mode to use bytes in Python3

Fusil 1.0 final (2008-09-13)

Visible changes:

  • Create fusil-zzuf fuzzer (use the zzuf library)
  • Create fusil-vlc fuzzer (VLC media player)
  • For each session, generate a Python script ( to replay the session. The script can run the target in gdb, valgrind or (python-ptrace debugger), with many options (--user, --limit, etc.)
  • Create --force-unsafe option, like --unsafe without the confirmation
  • CreateProcess is now a probe (with a score): if the debugger catches a fatal signal, the session stops
  • Always use a null device as stdin for child processes to avoid blocking the fuzzer if the process reads stdin (eg. call getchar())
  • Write the created process identifier in the logs


  • Create EnvVarIntegerRange: environment variable with an integer value in a fixed range
  • Changes to get a minimal Windows support: disable “change user/group” feature on Windows; remove log file before removing the project directory; use “:NUL” instead of /dev/null for null input/output
  • On setupProject() error, make sure that the project is cleaned
  • Close stdout files (input and output) at process exit (fix needed by Windows)
  • Rename long2raw() to uint2bytes(), and bytes2long() to bytes2uint()
  • Normalize score: make sure that a probe score is in range [-1; +1], so that score*weight is in range [-weight; +weight]
  • CodeC: remove method lines(), writeCode() is renamed writeIntoFile(), use unicode strings (instead of byte strings)
  • Remove StdoutFile class, code merged in CreateProcess
File: fusil-1.4.tar.gz (md5); Type: Source; Uploaded on: 2011-02-16; Size: 130KB