Basic coverage guided fuzzing

American Fuzzy Lop (AFL)

AFL compiler wrappers (if source code is available)

Comes with a number of compiler wrappers to add instrumentation in compiled code:

  • afl-gcc

  • afl-g++

  • afl-clang

  • afl-clang++

  • afl-clang-fast

  • afl-clang-fast++

AFL compilers will assign a unique random id and add _afl_maybe_log callbacks to every basic code blocks to trace block hit counts and determine code coverage.

# -ggdb -O0: generates a debug build used for crash analysis later on.

afl-gcc -fsanitize=address,undefined -ggdb -O0 <INPUT_CODE_FILE> -o <OUTPUT_BINARY>

Tests cases minimization with AFL

The AFL's afl-cmin utility can be used to minimize the tests cases / fuzzing corpus by finding the smallest subset of inputs files that will trigger the full range of instrumentation points in the targeted program.


AFL fuzzing

Information on the status screen can be found in the official AFL documention on the status screen.

# Example to generate a very basic img input corpus.
mkdir in && echo "IMG TEST" > in/1.img


If source code was not available and AFL callbacks couldn't be added to the targeted program, the qemu fuzzing mode should be used:

# Support to qemu mode should be enabled first.
sudo ./

# Blackbox fuzzing of the targeted program.

AFL can run in a multi-cores / distributed mode, with a master and one or more slave instances. The instances will then synchronize on the execution paths found.

screen -S <MASTER_ID>

# Can be repeated to add more slave instances.
screen -S <SLAVE_ID>

AFL crashes analysis with GDB


# The targeted program should be compiled with no code optimization (with -ggdb -O0 for example).

# Crach file name example: id:000000,sig:06,src:000000,op:havoc,rep:16
(gdb) r <AFL_CRASH_FILE>

Last updated