VMF contains a collection of different tools which attempts to build a unified experience for a given end user attempting to fuzz software. As such, there are numeous third party efforts being utilized by VMF. These are primarily included as source (a particular version verified to work with VMF), but a few come from the OS.
This document intends to track the included third party tools, and their associated licenses in order to ensure all license conditions are being met, and no incompatibly licensed tools are being included.
| Project | Version | License |
|---|---|---|
| googletest | release-1.8.0-2963-8d51dc50 | BSD Clause 3 New or Revised |
| json11 | head-2df9473f | MIT |
| Klee ktest | 1.0 | University of Illinois/NCSA Open Source License |
| plog | 1.1.9-d60df3a1 | MIT |
| restclient-cpp | 0.5.2-c4683b21 | MIT |
| uthash | 2.1.0 | BSD Revised |
| yaml-cpp | yaml-cpp-0.7.0-31-987a6042 | MIT |
| ziplib | 0.01 | zlib |
A classic example of this is the ln Linux tool for making links to files, or the stdio.h C header for enabling printing to STDOUT and reading from STDIN.
Note: VMF is compatible with compiler instrumentation from AFL++ 4.10c or earlier, due to an update in the forkserver interface that was introduced in 4.20c. VMF will be updated in a future release to fix this compatibility issue.
Enumeration of these installations is for record keeping only:
| Package | Installation type |
|---|---|
| afl++ | apt |
| afl++-clang | apt |
| afl++-doc | apt |
| ca-certificates | apt |
| libcurl-dev | apt |
| gdb | apt |
| gnupg | apt |
| libcurl-4-openssl-dev | apt |
| lsb-core | apt |
| lsb-release | apt |
| graphviz | apt |
| clang-12 | apt |
| doxygen | apt |
| llvm-12 | apt |
| python3-dev | apt |
| python3-pip | apt |
| python3-setuptools | apt |
| build-essential | apt |
| cmake | apt |
| lief | pip |
| zip | apt |
These packages need to be installed in order to build and run VMF.
klee must be installed and in your $PATH order to use the KleeInitialization
module, which generates an initial corpus/seeds using symbolic execution. The KLEE
team maintains instructions to build KLEE from source;
however, we have found that specific versions of requirements such as LLVM may be mutually
exclusive or difficult to manage in parallel with versions that are commonly available. As
a result, we suggest running KLEE in Docker with VMF
instead. See the docker/README.md for information for building VMF
with Klee in Docker.
The distributed fuzzing Campaign Data Management Server (CDMS) depends on many different packages and libraries. Similar to VMF dependencies, there are two kinds of inclusion currently being performed:
- Inclusion as a Java Archive (.jar) file
- Inclusion at a source level by copying portions of a third-party package into CDMS
Build artifacts for these dependencies are included as Java Archive (.jar) files
| Project | Version | License |
|---|---|---|
| Gson | gson-parent-2.10.1 | Apache 2.0 |
| ibatis | 2.5.0 | Apache 2.0 |
| sqlite-jdbc | 3.43.0.0 | Apache 2.0 |
| Project | Version | License |
|---|---|---|
| JQuery | 3.7.1 | MIT |
| JQuery UI | 1.8.1 | Dual licensed under the MIT and GPL licenses |
| JQuery UI | 1.13.2 | MIT |
| TableCSVExport | head | MIT |
| Tablesorter | 2.31.1 | Dual licensed under MIT or GPL licenses |
| W3 CSS | 4.15 | Public domain |
Note: For items where no license link is provided, the license statement is only included in file header comments and not as a separate file in the repository.