Fusil is a Python library used to write fuzzing programs. It helps to start process with a prepared environment (limit memory, environment variables, redirect stdout, etc.), start network client or server, and create mangled files. Fusil has many probes to detect program crash: watch process exit code, watch process stdout and syslog for text patterns (eg. "segmentation fault"), watch session duration, watch cpu usage (process and system load), etc.

Fusil is based on a multi-agent system architecture. It computes a session score used to guess fuzzing parameters like number of injected errors to input files.

Available fuzzing projects: ClamAV, Firefox (contains an HTTP server), gettext, gstreamer, identify, libc_env, libc_printf, libexif, linux_syscall, mplayer, php, poppler, vim, xterm.

Website: http://bitbucket.org/haypo/fusil/wiki/Home


Fusil is a library and a set of fuzzers called "fusil-...". To run a fuzzer, call it by its name. Example:

$ fusil-gettext
Fusil version 0.9.1 -- GNU GPL v2
[0][session 13] Start session
[0][session 13] ------------------------------------------------------------
[0][session 13] PID: 16989
[0][session 13] Signal: SIGSEGV
[0][session 13] Invalid read from 0x0c1086e0
[0][session 13] - instruction: CMP EDX, [EAX]
[0][session 13] - mapping: 0x0c1086e0 is not mapped in memory
[0][session 13] - register eax=0x0c1086e0
[0][session 13] - register edx=0x00000019
[0][session 13] ------------------------------------------------------------
[0][session 13] End of session: score=100.0%, duration=3.806 second
Success 1/1!
Project done: 13 sessions in 5.4 seconds (414.5 ms per session), total 5.9 seconds, aggresssivity: 19.0%
Total: 1 success
Keep non-empty directory: /home/haypo/prog/SVN/fusil/trunk/run-3


Why using Fusil instead your own hand made C script?

  • Fusil limits child process environment: limit memory, use timeout, make sure that process is killed on session end
  • Fusil waits until system load is load before starting a fuzzing session
  • Fusil creates a session directory used as the process current working directory and Fusil only creates files in this directory (and not in /tmp)
  • Fusil stores all actions in fusil.log but also session.log for all actions related of a session
  • Fusil has multiple available probes to compute session score: guess if a sessions is a succes or not
  • Fusil redirects process output to a file and searchs bug text patterns in the stdout/stderr (Fusil contains many text patterns to detect crashes and problems)


Read INSTALL documentation file.


Read doc/index.rst: documentation index.