Shellphish CRS (Cyber Reasoning System) integrated into the OSS-CRS framework.
Each pipeline is a self-contained CRS configuration. Deploy one by copying its YAML file to oss-crs/crs.yaml.
| Pipeline | CRS Name | Config | Doc | Description |
|---|---|---|---|---|
| AFL++ | crs-shellphish-c-fuzzers-aflpp | crs-c-fuzzers-aflpp.yaml | doc | AFL++ multi-instance fuzzing (all cores) |
| LibFuzzer | crs-shellphish-c-fuzzers-libfuzzer | crs-c-fuzzers-libfuzzer.yaml | doc | LibFuzzer with wrapper.py fork mode (all cores) |
| DiscoveryGuy | crs-shellphish-discoveryguy | crs-discoveryguy.yaml | doc | LLM-driven vulnerability discovery + AFL++ |
| AIJON | crs-shellphish-aijon | crs-aijon.yaml | doc | LLM-driven IJON instrumentation + AFL++ |
| Grammar | crs-shellphish-grammar | crs-grammar.yaml | doc | LLM grammar fuzzing + coverage-guided refinement |
| Pipeline | CRS Name | Config | Doc | Description |
|---|---|---|---|---|
| JVM Fuzzers | crs-shellphish-jvm-fuzzers | crs-jvm-fuzzers.yaml | doc | Jazzer (libFuzzer for JVM) + LOSAN sanitizers |
| QuickSeed | crs-shellphish-quickseed | crs-quickseed.yaml | doc | LLM-driven seed generation + Jazzer fuzzing |
Note: the DiscoveryGuy, AIJON and Grammar pipelines are C/C++ only. backdoorguy (entropy-based suspicious-function detection that feeds DiscoveryGuy) is not yet integrated.
```bash
# 1. Choose a pipeline
cp oss-crs/crs-c-fuzzers-aflpp.yaml oss-crs/crs.yaml      # C AFL++
cp oss-crs/crs-c-fuzzers-libfuzzer.yaml oss-crs/crs.yaml  # C LibFuzzer
cp oss-crs/crs-jvm-fuzzers.yaml oss-crs/crs.yaml          # Java Jazzer
cp oss-crs/crs-quickseed.yaml oss-crs/crs.yaml            # Java + QuickSeed (LLM)

# 2. Prepare (builds the prebuilt images; first time only)
cd /project/oss-crs
uv run oss-crs prepare --compose-file example/crs-shellphish-c-fuzzers-aflpp/compose.yaml

# 3. For LLM pipelines (QuickSeed, DiscoveryGuy, AIJON, Grammar), set API credentials:
export AIXCC_LITELLM_HOSTNAME=<litellm-url>
export LITELLM_KEY=<api-key>

# 4. Run
uv run oss-crs run --compose-file example/crs-shellphish-c-fuzzers-aflpp/compose.yaml \
    --fuzz-proj-path <target> --target-source-path <source> \
    --target-harness <harness> --timeout 1800
```

Note: large Java targets (e.g., activemq) may need `--timeout 3600` for the build phase to complete.
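The steps above are easy to get wrong by hand: a C-only pipeline pointed at a JVM target, or an LLM pipeline launched without credentials, only fails after the containers are up. The following POSIX shell helper is an added example, not part of the Shellphish CRS or OSS-CRS repositories. It assembles the `oss-crs run` command line from a short pipeline name and the target triple from the table below, and refuses mismatched language/pipeline pairs and LLM pipelines with no credentials before anything is started. It assumes (these are not stated on the page) that the run is launched from the OSS-CRS checkout, that every pipeline's compose file lives at `example/<crs-name>/compose.yaml` like the AFL++ one above, and that a target path beginning with `c/` or `jvm/` identifies its language as in the sample-target table.

```bash
#!/bin/sh
# Added example (not project code): build an `oss-crs run` command line for one of the
# Shellphish pipelines, with the pre-flight checks a practitioner would want.
# Assumptions: compose file at example/<crs-name>/compose.yaml for every pipeline;
# default timeout 1800 s, raised to 3600 s for activemq per the note above.

# Map a short pipeline name to "<CRS name> <supported language> <needs LLM>".
# AIJON is marked as needing an LLM because the table describes it as LLM-driven.
pipeline_info() {
  case "$1" in
    aflpp)        echo "crs-shellphish-c-fuzzers-aflpp c no" ;;
    libfuzzer)    echo "crs-shellphish-c-fuzzers-libfuzzer c no" ;;
    discoveryguy) echo "crs-shellphish-discoveryguy c yes" ;;
    aijon)        echo "crs-shellphish-aijon c yes" ;;
    grammar)      echo "crs-shellphish-grammar c yes" ;;
    jvm)          echo "crs-shellphish-jvm-fuzzers jvm no" ;;
    quickseed)    echo "crs-shellphish-quickseed jvm yes" ;;
    *)            return 1 ;;
  esac
}

# Usage: crs_cmd <pipeline> <fuzz-proj-path> <target-source-path> <harness>
# Prints the command to stdout on success; prints a reason to stderr and
# returns non-zero when the combination cannot work.
crs_cmd() {
  pipeline=$1; target=$2; source=$3; harness=$4
  info=$(pipeline_info "$pipeline") || { echo "unknown pipeline: $pipeline" >&2; return 1; }
  set -- $info
  crs=$1; lang=$2; needs_llm=$3

  # Infer the target language from the c/ or jvm/ prefix used in the target table.
  case "$target" in
    c/*)   target_lang=c ;;
    jvm/*) target_lang=jvm ;;
    *)     echo "cannot infer language from target path: $target" >&2; return 1 ;;
  esac
  if [ "$lang" != "$target_lang" ]; then
    echo "pipeline $pipeline supports $lang targets only, got $target" >&2
    return 1
  fi

  # LLM pipelines need both credentials exported; the key itself is never printed.
  if [ "$needs_llm" = yes ] && { [ -z "${AIXCC_LITELLM_HOSTNAME:-}" ] || [ -z "${LITELLM_KEY:-}" ]; }; then
    echo "pipeline $pipeline needs AIXCC_LITELLM_HOSTNAME and LITELLM_KEY exported" >&2
    return 1
  fi

  # Build phase of large Java targets such as activemq needs the longer timeout.
  timeout=1800
  case "$target" in *activemq*) timeout=3600 ;; esac

  printf 'uv run oss-crs run --compose-file example/%s/compose.yaml --fuzz-proj-path %s --target-source-path %s --target-harness %s --timeout %s\n' \
    "$crs" "$target" "$source" "$harness" "$timeout"
}

# Example: the C sanity target from the table below with the AFL++ pipeline.
crs_cmd aflpp c/sanity-mock-c-delta-01 sanity-mock-c fuzz_parse_buffer_section
```

Pipe the printed line into `sh` once you are satisfied with it, or use it as a dry run before a long job. Keep `LITELLM_KEY` out of shell history and CI logs; the helper only checks that it is set.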
| Language | Target | Source | Harness |
|---|---|---|---|
| C | c/sanity-mock-c-delta-01 | sanity-mock-c | fuzz_parse_buffer_section |
| C | c/afc-lcms-full-01 | afc-lcms | cmsIT8_load_fuzzer |
| C | c/asc-nginx-delta-01 | asc-nginx | pov_harness |
| JVM | jvm/sanity-mock-java-delta-01 | sanity-mock-java | OssFuzz1 |
| JVM | jvm/atlanta-imaging-delta-01 | atlanta-imaging | ImagingOne |
| JVM | jvm/atlanta-activemq-delta-01 | atlanta-activemq | ActivemqOne |