Atheris模糊测试器：Python代码和C扩展的覆盖引导式安全测试工具

atheris by trailofbits/skills

1,100 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill atheris

开发测试安全

🇨🇳中文介绍

Atheris

Atheris 是一个基于 libFuzzer 的覆盖引导式 Python 模糊测试器。它支持对纯 Python 代码和 Python C 扩展进行模糊测试，并集成了 AddressSanitizer 支持以检测内存损坏问题。

使用场景

模糊测试器	最佳适用场景	复杂度
Atheris	Python 代码和 C 扩展	低-中
Hypothesis	基于属性的测试	低
python-afl	AFL 风格的模糊测试	中

在以下情况选择 Atheris：

使用覆盖引导对纯 Python 代码进行模糊测试
测试 Python C 扩展是否存在内存损坏问题
需要与 libFuzzer 生态系统集成
需要 AddressSanitizer 支持

快速开始

import sys
import atheris

@atheris.instrument_func
def test_one_input(data: bytes):
    if len(data) == 4:
        if data[0] == 0x46:  # "F"
            if data[1] == 0x55:  # "U"
                if data[2] == 0x5A:  # "Z"
                    if data[3] == 0x5A:  # "Z"
                        raise RuntimeError("You caught me")

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Docker 环境（推荐）

要获得配置了所有依赖项的完整 Linux 运行环境：

# https://hub.docker.com/_/python
ARG PYTHON_VERSION=3.11

FROM python:$PYTHON_VERSION-slim-bookworm

RUN python --version

RUN apt update && apt install -y \
    ca-certificates \
    wget \
    && rm -rf /var/lib/apt/lists/*

# LLVM builds version 15-19 for Debian 12 (Bookworm)
# https://apt.llvm.org/bookworm/dists/
ARG LLVM_VERSION=19

RUN echo "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list
RUN echo "deb-src http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" >> /etc/apt/sources.list.d/llvm.list
RUN wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key > /etc/apt/trusted.gpg.d/apt.llvm.org.asc

RUN apt update && apt install -y \
    build-essential \
    clang-$LLVM_VERSION \
    && rm -rf /var/lib/apt/lists/*

ENV APP_DIR "/app"
RUN mkdir $APP_DIR
WORKDIR $APP_DIR

ENV VIRTUAL_ENV "/opt/venv"
RUN python -m venv $VIRTUAL_ENV
ENV PATH "$VIRTUAL_ENV/bin:$PATH"

# https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#step-1-compiling-your-extension
ENV CC="clang-$LLVM_VERSION"
ENV CFLAGS "-fsanitize=address,fuzzer-no-link"
ENV CXX="clang++-$LLVM_VERSION"
ENV CXXFLAGS "-fsanitize=address,fuzzer-no-link"
ENV LDSHARED="clang-$LLVM_VERSION -shared"
ENV LDSHAREDXX="clang++-$LLVM_VERSION -shared"
ENV ASAN_SYMBOLIZER_PATH="/usr/bin/llvm-symbolizer-$LLVM_VERSION"

# Allow Atheris to find fuzzer sanitizer shared libs
# https://github.com/google/atheris#building-from-source
RUN LIBFUZZER_LIB=$($CC -print-file-name=libclang_rt.fuzzer_no_main-$(uname -m).a) \
    python -m pip install --no-binary atheris atheris

# https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#option-a-sanitizerlibfuzzer-preloads
ENV LD_PRELOAD "$VIRTUAL_ENV/lib/python3.11/site-packages/asan_with_fuzzer.so"

# 1. Skip memory allocation failures for now, they are common, and low impact (DoS)
# 2. https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#leak-detection
ENV ASAN_OPTIONS "allocator_may_return_null=1,detect_leaks=0"

CMD ["/bin/bash"]

docker build -t atheris .
docker run -it atheris

python -c "import atheris; print(atheris.__version__)"

纯 Python 测试套件结构

import sys
import atheris

@atheris.instrument_func
def test_one_input(data: bytes):
    """
    模糊测试入口点。使用随机字节序列调用。

    参数：
        data: 模糊测试器生成的随机字节
    """
    # 如果需要，添加输入验证
    if len(data) < 1:
        return

    # 调用你的目标函数
    try:
        your_target_function(data)
    except ValueError:
        # 预期的异常应该被捕获
        pass
    # 让意外的异常崩溃（这正是我们要找的！）

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

应该做	不应该做
使用 `@atheris.instrument_func` 进行覆盖	忘记对目标代码进行插桩
捕获预期的异常	不加区分地捕获所有异常
对库使用 `atheris.instrument_imports()`	在 `atheris.Setup()` 之后导入模块
保持测试套件确定性	使用随机性或基于时间的行为

另请参阅： 有关详细的测试套件编写技术、处理复杂输入的模式和高级策略，请参阅 fuzz-harness-writing 技术技能。

模糊测试纯 Python 代码

要对应用程序或库的更广泛部分进行模糊测试，请使用插桩函数：

import atheris
with atheris.instrument_imports():
    import your_module
    from another_module import target_function

def test_one_input(data: bytes):
    target_function(data)

atheris.Setup(sys.argv, test_one_input)
atheris.Fuzz()

atheris.instrument_func - 用于单个函数插桩的装饰器
atheris.instrument_imports() - 用于对所有导入模块进行插桩的上下文管理器
atheris.instrument_all() - 对整个系统的所有 Python 代码进行插桩

模糊测试 Python C 扩展

Python C 扩展需要使用特定的标志进行编译以支持插桩和检测器。

如果使用提供的 Dockerfile，这些已经配置好了。对于本地设置：

export CC="clang"
export CFLAGS="-fsanitize=address,fuzzer-no-link"
export CXX="clang++"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link"
export LDSHARED="clang -shared"

示例：模糊测试 cbor2

从源代码安装扩展：

CBOR2_BUILD_C_EXTENSION=1 python -m pip install --no-binary cbor2 cbor2==5.6.4

--no-binary 标志确保 C 扩展在本地使用插桩编译。

创建 cbor2-fuzz.py：

import sys
import atheris

# _cbor2 确保导入 C 库
from _cbor2 import loads

def test_one_input(data: bytes):
    try:
        loads(data)
    except Exception:
        # 我们正在寻找内存损坏，而不是 Python 异常
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

python cbor2-fuzz.py

重要提示： 在本地运行时（不在 Docker 中），你必须手动设置 LD_PRELOAD。

创建初始语料库

mkdir corpus
# 添加种子输入
echo "test data" > corpus/seed1
echo '{"key": "value"}' > corpus/seed2

使用语料库运行：

python fuzz.py corpus/

Atheris 从 libFuzzer 继承了语料库最小化功能：

python fuzz.py -merge=1 new_corpus/ old_corpus/

另请参阅： 有关语料库创建策略、字典和种子选择，请参阅 fuzzing-corpus 技术技能。

使用语料库目录

python fuzz.py corpus/

# 运行 10 分钟
python fuzz.py -max_total_time=600

# 限制输入大小
python fuzz.py -max_len=1024

# 使用多个工作进程运行
python fuzz.py -workers=4 -jobs=4

输出	含义
`NEW cov: X`	发现新的覆盖，语料库已扩展
`pulse cov: X`	周期性状态更新
`exec/s: X`	每秒执行次数（吞吐量）
`corp: X/Yb`	语料库大小：X 个输入，Y 字节总数
`ERROR: libFuzzer`	检测到崩溃

AddressSanitizer (ASan)

当使用提供的 Docker 环境或使用适当的标志编译时，AddressSanitizer 会自动集成。

对于本地设置：

export CFLAGS="-fsanitize=address,fuzzer-no-link"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link"

配置 ASan 行为：

export ASAN_OPTIONS="allocator_may_return_null=1,detect_leaks=0"

对于原生扩展模糊测试：

export LD_PRELOAD="$(python -c 'import atheris; import os; print(os.path.join(os.path.dirname(atheris.__file__), "asan_with_fuzzer.so"))')"

另请参阅： 有关详细的检测器配置、常见问题和高级标志，请参阅 address-sanitizer 和 undefined-behavior-sanitizer 技术技能。

常见检测器问题

问题	解决方案
`LD_PRELOAD` 未设置	导出 `LD_PRELOAD` 指向 `asan_with_fuzzer.so`
内存分配失败	设置 `ASAN_OPTIONS=allocator_may_return_null=1`
泄漏检测噪音	设置 `ASAN_OPTIONS=detect_leaks=0`
缺少符号解析器	将 `ASAN_SYMBOLIZER_PATH` 设置为 `llvm-symbolizer`

技巧	为何有帮助
尽早使用 `atheris.instrument_imports()`	确保所有导入都进行了覆盖插桩
从小的 `max_len` 开始	初始模糊测试更快，逐渐增加
对结构化格式使用字典	帮助模糊测试器理解格式标记
运行多个并行实例	更好的覆盖探索

微调哪些部分进行插桩：

import atheris

# 仅对特定模块进行插桩
with atheris.instrument_imports():
    import target_module
# 不对测试套件代码进行插桩

def test_one_input(data: bytes):
    target_module.parse(data)

设置	影响
`-max_len=N`	值越小 = 执行越快
`-workers=N -jobs=N`	并行模糊测试以获得更快的覆盖
`ASAN_OPTIONS=fast_unwind_on_malloc=0`	更好的堆栈跟踪，执行更慢

UndefinedBehaviorSanitizer (UBSan)

添加 UBSan 以捕获更多错误：

export CFLAGS="-fsanitize=address,undefined,fuzzer-no-link"
export CXXFLAGS="-fsanitize=address,undefined,fuzzer-no-link"

注意：如果使用容器化设置，请修改 Dockerfile 中的标志。

示例：纯 Python 解析器

import sys
import atheris
import json

@atheris.instrument_func
def test_one_input(data: bytes):
    try:
        # 模糊测试 Python 的 JSON 解析器
        json.loads(data.decode('utf-8', errors='ignore'))
    except (ValueError, UnicodeDecodeError):
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

示例：HTTP 请求解析

import sys
import atheris

with atheris.instrument_imports():
    from urllib3 import HTTPResponse
    from io import BytesIO

def test_one_input(data: bytes):
    try:
        # 模糊测试 HTTP 响应解析
        fake_response = HTTPResponse(
            body=BytesIO(data),
            headers={},
            preload_content=False
        )
        fake_response.read()
    except Exception:
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

问题	原因	解决方案
没有覆盖增加	种子语料库不佳或目标未插桩	添加更好的种子，验证 `instrument_imports()`
执行缓慢	ASan 开销或输入过大	减少 `max_len`，使用 `ASAN_OPTIONS=fast_unwind_on_malloc=1`
导入错误	模块在插桩之前导入	将导入移到 `instrument_imports()` 上下文内
没有 ASan 输出的段错误	缺少 `LD_PRELOAD`	将 `LD_PRELOAD` 设置为 `asan_with_fuzzer.so` 路径
构建失败	错误的编译器或缺少标志	验证 `CC`、`CFLAGS` 和 clang 版本

技能	使用场景
fuzz-harness-writing	编写有效测试套件的详细指南
address-sanitizer	模糊测试期间的内存错误检测
undefined-behavior-sanitizer	捕获 C 扩展中的未定义行为
coverage-analysis	测量和改进代码覆盖
fuzzing-corpus	构建和管理种子语料库

技能	何时考虑
hypothesis	具有类型感知生成的基于属性的测试
python-afl	当 Atheris 不可用时，用于 Python 的 AFL 风格模糊测试

🇺🇸English

Atheris

Atheris is a coverage-guided Python fuzzer built on libFuzzer. It enables fuzzing of both pure Python code and Python C extensions with integrated AddressSanitizer support for detecting memory corruption issues.

When to Use

Fuzzer	Best For	Complexity
Atheris	Python code and C extensions	Low-Medium
Hypothesis	Property-based testing	Low
python-afl	AFL-style fuzzing	Medium

Choose Atheris when:

Fuzzing pure Python code with coverage guidance
Testing Python C extensions for memory corruption
Integration with libFuzzer ecosystem is desired
AddressSanitizer support is needed

Quick Start

import sys
import atheris

@atheris.instrument_func
def test_one_input(data: bytes):
    if len(data) == 4:
        if data[0] == 0x46:  # "F"
            if data[1] == 0x55:  # "U"
                if data[2] == 0x5A:  # "Z"
                    if data[3] == 0x5A:  # "Z"
                        raise RuntimeError("You caught me")

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

Run:

python fuzz.py

Installation

Atheris supports 32-bit and 64-bit Linux, and macOS. We recommend fuzzing on Linux because it's simpler to manage and often faster.

Prerequisites

Python 3.7 or later
Recent version of clang (preferably latest release)
For Docker users: Docker Desktop

Linux/macOS

uv pip install atheris

Docker Environment (Recommended)

For a fully operational Linux environment with all dependencies configured:

# https://hub.docker.com/_/python
ARG PYTHON_VERSION=3.11

FROM python:$PYTHON_VERSION-slim-bookworm

RUN python --version

RUN apt update && apt install -y \
    ca-certificates \
    wget \
    && rm -rf /var/lib/apt/lists/*

# LLVM builds version 15-19 for Debian 12 (Bookworm)
# https://apt.llvm.org/bookworm/dists/
ARG LLVM_VERSION=19

RUN echo "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list
RUN echo "deb-src http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" >> /etc/apt/sources.list.d/llvm.list
RUN wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key > /etc/apt/trusted.gpg.d/apt.llvm.org.asc

RUN apt update && apt install -y \
    build-essential \
    clang-$LLVM_VERSION \
    && rm -rf /var/lib/apt/lists/*

ENV APP_DIR "/app"
RUN mkdir $APP_DIR
WORKDIR $APP_DIR

ENV VIRTUAL_ENV "/opt/venv"
RUN python -m venv $VIRTUAL_ENV
ENV PATH "$VIRTUAL_ENV/bin:$PATH"

# https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#step-1-compiling-your-extension
ENV CC="clang-$LLVM_VERSION"
ENV CFLAGS "-fsanitize=address,fuzzer-no-link"
ENV CXX="clang++-$LLVM_VERSION"
ENV CXXFLAGS "-fsanitize=address,fuzzer-no-link"
ENV LDSHARED="clang-$LLVM_VERSION -shared"
ENV LDSHAREDXX="clang++-$LLVM_VERSION -shared"
ENV ASAN_SYMBOLIZER_PATH="/usr/bin/llvm-symbolizer-$LLVM_VERSION"

# Allow Atheris to find fuzzer sanitizer shared libs
# https://github.com/google/atheris#building-from-source
RUN LIBFUZZER_LIB=$($CC -print-file-name=libclang_rt.fuzzer_no_main-$(uname -m).a) \
    python -m pip install --no-binary atheris atheris

# https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#option-a-sanitizerlibfuzzer-preloads
ENV LD_PRELOAD "$VIRTUAL_ENV/lib/python3.11/site-packages/asan_with_fuzzer.so"

# 1. Skip memory allocation failures for now, they are common, and low impact (DoS)
# 2. https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#leak-detection
ENV ASAN_OPTIONS "allocator_may_return_null=1,detect_leaks=0"

CMD ["/bin/bash"]

Build and run:

docker build -t atheris .
docker run -it atheris

Verification

python -c "import atheris; print(atheris.__version__)"

Writing a Harness

Harness Structure for Pure Python

import sys
import atheris

@atheris.instrument_func
def test_one_input(data: bytes):
    """
    Fuzzing entry point. Called with random byte sequences.

    Args:
        data: Random bytes generated by the fuzzer
    """
    # Add input validation if needed
    if len(data) < 1:
        return

    # Call your target function
    try:
        your_target_function(data)
    except ValueError:
        # Expected exceptions should be caught
        pass
    # Let unexpected exceptions crash (that's what we're looking for!)

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

Harness Rules

Do	Don't
Use `@atheris.instrument_func` for coverage	Forget to instrument target code
Catch expected exceptions	Catch all exceptions indiscriminately
Use `atheris.instrument_imports()` for libraries	Import modules after `atheris.Setup()`
Keep harness deterministic	Use randomness or time-based behavior

See Also: For detailed harness writing techniques, patterns for handling complex inputs, and advanced strategies, see the fuzz-harness-writing technique skill.

Fuzzing Pure Python Code

For fuzzing broader parts of an application or library, use instrumentation functions:

import atheris
with atheris.instrument_imports():
    import your_module
    from another_module import target_function

def test_one_input(data: bytes):
    target_function(data)

atheris.Setup(sys.argv, test_one_input)
atheris.Fuzz()

Instrumentation Options:

atheris.instrument_func - Decorator for single function instrumentation
atheris.instrument_imports() - Context manager for instrumenting all imported modules
atheris.instrument_all() - Instrument all Python code system-wide

Fuzzing Python C Extensions

Python C extensions require compilation with specific flags for instrumentation and sanitizer support.

Environment Configuration

If using the provided Dockerfile, these are already configured. For local setup:

export CC="clang"
export CFLAGS="-fsanitize=address,fuzzer-no-link"
export CXX="clang++"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link"
export LDSHARED="clang -shared"

Example: Fuzzing cbor2

Install the extension from source:

CBOR2_BUILD_C_EXTENSION=1 python -m pip install --no-binary cbor2 cbor2==5.6.4

The --no-binary flag ensures the C extension is compiled locally with instrumentation.

Create cbor2-fuzz.py:

import sys
import atheris

# _cbor2 ensures the C library is imported
from _cbor2 import loads

def test_one_input(data: bytes):
    try:
        loads(data)
    except Exception:
        # We're searching for memory corruption, not Python exceptions
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

Run:

python cbor2-fuzz.py

Important: When running locally (not in Docker), you must set LD_PRELOAD manually.

Corpus Management

Creating Initial Corpus

mkdir corpus
# Add seed inputs
echo "test data" > corpus/seed1
echo '{"key": "value"}' > corpus/seed2

Run with corpus:

python fuzz.py corpus/

Corpus Minimization

Atheris inherits corpus minimization from libFuzzer:

python fuzz.py -merge=1 new_corpus/ old_corpus/

See Also: For corpus creation strategies, dictionaries, and seed selection, see the fuzzing-corpus technique skill.

Running Campaigns

Basic Run

python fuzz.py

With Corpus Directory

python fuzz.py corpus/

Common Options

# Run for 10 minutes
python fuzz.py -max_total_time=600

# Limit input size
python fuzz.py -max_len=1024

# Run with multiple workers
python fuzz.py -workers=4 -jobs=4

Interpreting Output

Output	Meaning
`NEW cov: X`	Found new coverage, corpus expanded
`pulse cov: X`	Periodic status update
`exec/s: X`	Executions per second (throughput)
`corp: X/Yb`	Corpus size: X inputs, Y bytes total
`ERROR: libFuzzer`	Crash detected

Sanitizer Integration

AddressSanitizer (ASan)

AddressSanitizer is automatically integrated when using the provided Docker environment or when compiling with appropriate flags.

For local setup:

export CFLAGS="-fsanitize=address,fuzzer-no-link"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link"

Configure ASan behavior:

export ASAN_OPTIONS="allocator_may_return_null=1,detect_leaks=0"

LD_PRELOAD Configuration

For native extension fuzzing:

export LD_PRELOAD="$(python -c 'import atheris; import os; print(os.path.join(os.path.dirname(atheris.__file__), "asan_with_fuzzer.so"))')"

See Also: For detailed sanitizer configuration, common issues, and advanced flags, see the address-sanitizer and undefined-behavior-sanitizer technique skills.

Common Sanitizer Issues

Issue	Solution
`LD_PRELOAD` not set	Export `LD_PRELOAD` to point to `asan_with_fuzzer.so`
Memory allocation failures	Set `ASAN_OPTIONS=allocator_may_return_null=1`
Leak detection noise	Set `ASAN_OPTIONS=detect_leaks=0`
Missing symbolizer	Set `ASAN_SYMBOLIZER_PATH` to `llvm-symbolizer`

Advanced Usage

Tips and Tricks

Tip	Why It Helps
Use `atheris.instrument_imports()` early	Ensures all imports are instrumented for coverage
Start with small `max_len`	Faster initial fuzzing, gradually increase
Use dictionaries for structured formats	Helps fuzzer understand format tokens
Run multiple parallel instances	Better coverage exploration

Custom Instrumentation

Fine-tune what gets instrumented:

import atheris

# Instrument only specific modules
with atheris.instrument_imports():
    import target_module
# Don't instrument test harness code

def test_one_input(data: bytes):
    target_module.parse(data)

Performance Tuning

Setting	Impact
`-max_len=N`	Smaller values = faster execution
`-workers=N -jobs=N`	Parallel fuzzing for faster coverage
`ASAN_OPTIONS=fast_unwind_on_malloc=0`	Better stack traces, slower execution

UndefinedBehaviorSanitizer (UBSan)

Add UBSan to catch additional bugs:

export CFLAGS="-fsanitize=address,undefined,fuzzer-no-link"
export CXXFLAGS="-fsanitize=address,undefined,fuzzer-no-link"

Note: Modify flags in Dockerfile if using containerized setup.

Real-World Examples

Example: Pure Python Parser

import sys
import atheris
import json

@atheris.instrument_func
def test_one_input(data: bytes):
    try:
        # Fuzz Python's JSON parser
        json.loads(data.decode('utf-8', errors='ignore'))
    except (ValueError, UnicodeDecodeError):
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

Example: HTTP Request Parsing

import sys
import atheris

with atheris.instrument_imports():
    from urllib3 import HTTPResponse
    from io import BytesIO

def test_one_input(data: bytes):
    try:
        # Fuzz HTTP response parsing
        fake_response = HTTPResponse(
            body=BytesIO(data),
            headers={},
            preload_content=False
        )
        fake_response.read()
    except Exception:
        pass

def main():
    atheris.Setup(sys.argv, test_one_input)
    atheris.Fuzz()

if __name__ == "__main__":
    main()

Troubleshooting

Problem	Cause	Solution
No coverage increase	Poor seed corpus or target not instrumented	Add better seeds, verify `instrument_imports()`
Slow execution	ASan overhead or large inputs	Reduce `max_len`, use `ASAN_OPTIONS=fast_unwind_on_malloc=1`
Import errors	Modules imported before instrumentation	Move imports inside `instrument_imports()` context
Segfault without ASan output	Missing `LD_PRELOAD`	Set to path

Related Skills

Technique Skills

Skill	Use Case
fuzz-harness-writing	Detailed guidance on writing effective harnesses
address-sanitizer	Memory error detection during fuzzing
undefined-behavior-sanitizer	Catching undefined behavior in C extensions
coverage-analysis	Measuring and improving code coverage
fuzzing-corpus	Building and managing seed corpora

Related Fuzzers

Skill	When to Consider
hypothesis	Property-based testing with type-aware generation
python-afl	AFL-style fuzzing for Python when Atheris isn't available

Resources

Key External Resources

Atheris GitHub Repository Official repository with installation instructions, examples, and documentation for fuzzing both pure Python and native extensions.

Native Extension Fuzzing Guide Comprehensive guide covering compilation flags, LD_PRELOAD setup, sanitizer configuration, and troubleshooting for Python C extensions.

Continuously Fuzzing Python C Extensions Trail of Bits blog post covering CI/CD integration, ClusterFuzzLite setup, and real-world examples of fuzzing Python C extensions in continuous integration pipelines.

ClusterFuzzLite Python Integration Guide for integrating Atheris fuzzing into CI/CD pipelines using ClusterFuzzLite for automated continuous fuzzing.

Video Resources

Videos and tutorials are available in the main Atheris documentation and libFuzzer resources.

Weekly Installs

1.1K

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 19, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

claude-code965

opencode919

gemini-cli902

codex896

cursor876

github-copilot846

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装

asan_with_fuzzer.so

Atheris模糊测试器：Python代码和C扩展的覆盖引导式安全测试工具

🇨🇳中文介绍

Atheris

使用场景

快速开始

相关 Skills

安装

先决条件

Linux/macOS

Docker 环境（推荐）

验证

编写测试套件

纯 Python 测试套件结构

测试套件规则

模糊测试纯 Python 代码

模糊测试 Python C 扩展

环境配置

示例：模糊测试 cbor2

语料库管理

创建初始语料库

语料库最小化

运行测试活动

基本运行

使用语料库目录

常用选项

解释输出

检测器集成

AddressSanitizer (ASan)

LD_PRELOAD 配置

常见检测器问题

高级用法

技巧与窍门

自定义插桩

性能调优

UndefinedBehaviorSanitizer (UBSan)

实际示例

示例：纯 Python 解析器

示例：HTTP 请求解析

故障排除

相关技能

技术技能

相关模糊测试器

资源

关键外部资源

视频资源

🇺🇸English

Atheris

When to Use

Quick Start

Installation

Prerequisites

Linux/macOS

Docker Environment (Recommended)

Verification

Writing a Harness

Harness Structure for Pure Python

Harness Rules

Fuzzing Pure Python Code

Fuzzing Python C Extensions

Environment Configuration

Example: Fuzzing cbor2

Corpus Management

Creating Initial Corpus

Corpus Minimization

Running Campaigns

Basic Run

With Corpus Directory

Common Options

Interpreting Output

Sanitizer Integration

AddressSanitizer (ASan)

LD_PRELOAD Configuration

Common Sanitizer Issues

Advanced Usage

Tips and Tricks

Custom Instrumentation

Performance Tuning

UndefinedBehaviorSanitizer (UBSan)

Real-World Examples

Example: Pure Python Parser