DAFF – Droid Application Fuzz Framework


Droid Application Fuzz Framework

Droid Application Fuzz Framework (DAFF) helps to fuzz Android browsers and PDF readers for memory corruption bugs on real Android devices. Anyone can use the inbuilt fuzzers or import fuzz files from their own custom fuzzers. DAFF consists of inbuilt fuzzers and a crash monitor.

Droid-FF is the very first Android fuzzing framework which helps researchers find memory corruption bugs in code written in C/C++. It comes as a VM which is ready to go and easy to work with.

Native code, the target of Droid-FF, is preferred over JIT languages due to its memory efficiency and speed, but security bugs within native code can result in exploits that can take over the Android system. The goal of the fuzzer is to help researchers find security bugs by fuzzing Android.


Droid Application Fuzz Framework currently supports fuzzing the following applications:


  1. Google Chrome
  2. Mozilla Firefox
  3. Opera
  4. UC Browser




Data Generation

Data generation currently includes Peach, with some pre-populated pit files, which help in generating data in formats such as dex, ttf, png, avi, mp4, etc.


a. Dumb fuzzing: From a large selection of valid input data, the fuzzer generates new data with mutations in place.

b. Intelligent fuzzing: Given a file format representation of the target data, the fuzzer generates data which is structurally valid but has invalid data in sections.

Fuzzing System

The fuzzing system is an automated program which runs the dataset against the target program and deals with any error conditions that can possibly happen. It also maintains state so that fuzzing can resume from the right place in the event of a crash.


Advanced Triage System

In the event of a valid crash, the triage system collects the tombstone files, which contain the dump of the registers and system state with detailed information. It also collects valid logs and the file responsible for the crash and moves them to the triage database. The triage database runs scripts on the data derived from crashes, such as the type of the crash (e.g. SIGSEGV) and the PC address at the crash, and checks for any duplicate. If one is found, the duplicate entry is removed, and the remaining crash is moved to crashes for investigation.
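
The de-duplication step described above, as an added example (not DAFF's own triage scripts): each crash is keyed on the signal name and PC taken from its tombstone. The tombstone excerpts, package name and input file names are constructed, and the function names are hypothetical.

```python
import re

# Constructed tombstone excerpts (not real crash data): a "signal" line
# followed by a register dump and a backtrace.
TOMBSTONE_A = """\
pid: 4021, tid: 4055, name: browser  >>> com.example.browser <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
    ip 00000000  sp 9a3fe6c0  lr 9c41b2a7  pc 9c41b2d4  cpsr 600f0030
backtrace:
    #00 pc 0021b2d4  /system/lib/libexample.so
"""
TOMBSTONE_B = TOMBSTONE_A.replace("tid: 4055", "tid: 4100")  # same bug, re-hit
TOMBSTONE_C = """\
pid: 4300, tid: 4301, name: browser  >>> com.example.browser <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
    ip 00000000  sp 9a3fe100  lr 9c000123  pc 9c0f00aa  cpsr 600f0030
"""

SIGNAL_RE = re.compile(r"^signal\s+\d+\s+\((SIG[A-Z]+)\)", re.M)
PC_RE = re.compile(r"\bpc\s+([0-9a-fA-F]{8,16})\b")


def crash_key(tombstone):
    """Return (signal name, PC) from a tombstone, or None if unparseable."""
    sig = SIGNAL_RE.search(tombstone)
    pc = PC_RE.search(tombstone)  # first hit is the register dump
    if not sig or not pc:
        return None
    return sig.group(1), pc.group(1).lower()


def triage(crashes):
    """crashes: iterable of (input file, tombstone text).
    Returns (unique, duplicates, unparsed); unique maps key -> first input."""
    unique, duplicates, unparsed = {}, [], []
    for input_file, tombstone in crashes:
        key = crash_key(tombstone)
        if key is None:
            unparsed.append(input_file)  # keep for manual review, never drop
        elif key in unique:
            duplicates.append(input_file)
        else:
            unique[key] = input_file
    return unique, duplicates, unparsed


SAMPLE = [("a.png", TOMBSTONE_A), ("b.png", TOMBSTONE_B),
          ("c.ttf", TOMBSTONE_C), ("d.mp4", "truncated log")]
```

With ASLR the absolute PC can differ between runs of the same bug, so the module offset from backtrace frame #00 is a more stable key when the same crash keeps appearing as unique.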


Used during this lab:

The Android system which we are going to fuzz is an engineering build from AOSP which has symbols; thus, in the event of a crash, it will be much easier to triage the crash. The system supports fuzzing real devices, emulators, and images running on VirtualBox.

