afl-fuzz
afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]
Required
parameters:
-i dir - input directory with test cases (or ’-’
to resume, also see AFL_AUTORESUME)
-o dir - output directory for fuzzer findings
Execution
control settings:
-p schedule - power schedules compute a seed’s
performance score:
fast(default), explore, exploit, seek, rare, mmopt, coe, lin
quad -- see docs/FAQ.md for more information
-f file - location read by the fuzzed program (default:
stdin or @@)
-t msec - timeout for each run (auto-scaled, default 1000
ms). Add a ’+’
to auto-calculate the timeout, the value being the maximum.
-m megs - memory limit for child process (0 MB, 0 = no limit
[default])
-O - use binary-only instrumentation (FRIDA mode)
-Q - use binary-only instrumentation (QEMU mode)
-U - use unicorn-based instrumentation (Unicorn mode)
-W - use qemu-based instrumentation with Wine (Wine mode)
-X - use VM fuzzing (NYX mode - standalone mode)
-Y - use VM fuzzing (NYX mode - multiple instances mode)
Mutator
settings:
-g minlength - set min length of generated fuzz input
(default: 1)
-G maxlength - set max length of generated fuzz input
(default: 1048576)
-D - enable deterministic fuzzing (once per queue entry)
-L minutes - use MOpt(imize) mode and set the time limit for
entering the
pacemaker mode (minutes of no new finds). 0 = immediately,
-1 = immediately and together with normal mutation.
-c program - enable CmpLog by specifying a binary compiled
for it.
if using QEMU/FRIDA or the fuzzing target is compiled
for CmpLog then just use -c 0.
-l cmplog_opts - CmpLog configuration values (e.g.
"2ATR"):
1=small files, 2=larger files (default), 3=all files,
A=arithmetic solving, T=transformational solving,
R=random colorization bytes.
Fuzzing behavior
settings:
-Z - sequential queue selection instead of weighted random
-N - do not unlink the fuzzing input file (for devices etc.)
-n - fuzz without instrumentation (non-instrumented mode)
-x dict_file - fuzzer dictionary (see README.md, specify up
to 4 times)
Test settings:
-s seed - use a fixed seed for the RNG
-V seconds - fuzz for a specified time then terminate
-E execs - fuzz for an approx. no. of total executions then
terminate
Note: not precise and can have several more executions.
Other stuff:
-M/-S id - distributed mode (-M sets -Z and disables
trimming)
see docs/fuzzing_in_depth.md#c-using-multiple-cores
for effective recommendations for parallel fuzzing.
-F path - sync to a foreign fuzzer queue directory (requires
-M, can
be specified up to 32 times)
-T text - text banner to show on the screen
-I command - execute this command/script when a new crash is
found
-C - crash exploration mode (the peruvian rabbit thing)
-b cpu_id - bind the fuzzing process to the specified CPU
core (0-...)
-e ext - file extension for the fuzz test input file (if
needed)
Environment
variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
ASAN_OPTIONS: custom settings for ASAN
(must contain abort_on_error=1 and symbolize=0)
MSAN_OPTIONS: custom settings for MSAN
(must contain exitcode=86 and symbolize=0)
AFL_AUTORESUME: resume fuzzing if directory specified by -o
already exists
AFL_BENCH_JUST_ONE: run the target just once
AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing
input has been found
AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases
(good for resumes!)
AFL_CRASH_EXITCODE: optional child exit code to be
interpreted as crash
AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to
mutate inputs
AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++’s internal
mutators
AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a
different -p schedule
AFL_DEBUG: extra debugging output for Python mode trimming
AFL_DEBUG_CHILD: do not suppress stdout/stderr from target
AFL_DISABLE_TRIM: disable the trimming of test cases
AFL_DUMB_FORKSRV: use fork server without feedback from
target
AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new
finds are found
AFL_EXIT_ON_TIME: exit when no new coverage is found within
the specified time
AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode
(default: after 60
minutes and a cycle without finds)
AFL_FAST_CAL: limit the calibration stage to three cycles
for speedup
AFL_FORCE_UI: force showing the status screen (for virtual
consoles)
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver
during startup (in ms)
AFL_HANG_TMOUT: override timeout value (in milliseconds)
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don’t warn
about core dump handlers
AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect
setup is detected
AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to
AFL_IGNORE_PROBLEMS - also
ignore those libs for coverage
AFL_IGNORE_TIMEOUTS: do not process or save any timeouts
AFL_IGNORE_UNKNOWN_ENVS: don’t warn on unknown env
vars
AFL_IMPORT_FIRST: sync and import test cases from other
fuzzer instances first
AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max
fuzz length produced
AFL_PIZZA_MODE: 1 - enforce pizza mode, 0 - disable for
April 1st
AFL_KILL_SIGNAL: Signal ID delivered to child processes on
timeout, etc.
(default: SIGKILL)
AFL_FORK_SERVER_KILL_SIGNAL: Kill signal for the fork server
on termination
(default: SIGTERM). If unset and AFL_KILL_SIGNAL is
set, that value will be used.
AFL_MAP_SIZE: the shared memory size for that target. must
be >= the size
the target was compiled for
AFL_MAX_DET_EXTRAS: if more entries are in the dictionary
list than this value
then they are randomly selected instead all of them being
used. Defaults to 200.
AFL_NO_AFFINITY: do not check for an unused cpu core to use
for fuzzing
AFL_TRY_AFFINITY: try to bind to an unused core, but
don’t fail if unsuccessful
AFL_NO_ARITH: skip arithmetic mutations in deterministic
stage
AFL_NO_AUTODICT: do not load an offered auto dictionary
compiled into a target
AFL_NO_CPU_RED: avoid red color for showing very high cpu
usage
AFL_NO_FORKSRV: run target via execve instead of using the
forkserver
AFL_NO_SNAPSHOT: do not use the snapshot feature (if the
snapshot lkm is loaded)
AFL_NO_STARTUP_CALIBRATION: no initial seed calibration,
start fuzzing at once
AFL_NO_UI: switch status screen off
AFL_PATH: path to AFL support binaries
AFL_PYTHON_MODULE: mutate and trim inputs with the specified
Python module
AFL_QUIET: suppress forkserver status messages
AFL_POST_PROCESS_KEEP_ORIGINAL: save the file as it was
prior post-processing to the queue,
but execute the post-processed one
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for
target
AFL_TARGET_ENV: pass extra environment variables to target
AFL_SHUFFLE_QUEUE: reorder the input queue randomly on
startup
AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also
disables auto map size
AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
AFL_STATSD: enables StatsD metrics collection
AFL_STATSD_HOST: change default statsd host (default
127.0.0.1)
AFL_STATSD_PORT: change default statsd port (default: 8125)
AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default:
disable tags)
Supported formats are: ’dogstatsd’,
’librato’,
’signalfx’ and ’influxdb’
AFL_SYNC_TIME: sync time between fuzzing instances (in
minutes)
AFL_NO_CRASH_README: do not create a README in the crashes
directory
AFL_TESTCACHE_SIZE: use a cache for testcases, improves
performance (in MB)
AFL_TMPDIR: directory to use for input file generation
(ramdisk recommended)
AFL_EARLY_FORKSERVER: force an early forkserver in an
afl-clang-fast/
afl-clang-lto/afl-gcc-fast target
AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in
a shared lib
AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT
is in a .so)
AFL_FUZZER_STATS_UPDATE_INTERVAL: interval to update
fuzzer_stats file in seconds, (default: 60, minimum: 1)
Compiled with
Python 3.11.6 module support, see docs/custom_mutators.md
Compiled without AFL_PERSISTENT_RECORD support.
Compiled with shmat support.
For additional help please consult docs/README.md :)
AFL++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <[email protected]>, Dominik Maier <[email protected]>, Andrea Fioraldi <[email protected]> and Heiko "hexcoder-" Eissfeldt <[email protected]> The homepage of AFL++ is: https://github.com/AFLplusplus/AFLplusplus
Apache License Version 2.0, January 2004