Repository files navigation

Release version:4.33c

GitHub version: 4.34a

Repository:https://github.com/AFLplusplus/AFLplusplus

AFL++ is maintained by:

• Marc "van Hauser" Heusemh@mh-sec.de
• Dominik Maiermail@dmnk.co
• Andrea Fioraldiandreafioraldi@gmail.com
• Heiko "hexcoder-" Eissfeldtheiko.eissfeldt@hexco.de
• frida_mode is maintained by @Worksbutnottested

Originally developed by Michal "lcamtuf" Zalewski.

AFL++ is a superior fork to Google's AFL - more speed, more and bettermutations, more and better instrumentation, custom module support, etc.

You are free to copy, modify, and distribute AFL++ with attribution under theterms of the Apache-2.0 License. See theLICENSE for details.

Here is some information to get you started:

• For an overview of the AFL++ documentation and a very helpful graphical guide,please visitdocs/README.md.
• To get you started with tutorials, go todocs/tutorials.md.
• For releases, see theReleases tab andbranches. The best branches to use are, however,stable ordev - depending on your risk appetite. Also take a look at the list ofimportant changes in AFL++ and the list offeatures.
• If you want to use AFL++ for your academic work, check thepapers page on the website.
• To cite our work, look at theCite section.
• For comparisons, use the fuzzbenchaflplusplus setup, or useafl-clang-fast withAFL_LLVM_CMPLOG=1. You can find theaflplusplusdefault configuration on Google'sfuzzbench.

To have AFL++ easily available with everything compiled, pull the image directlyfrom the Docker Hub (available for both x86_64 and arm64):

docker pull aflplusplus/aflplusplusdocker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus

This image is automatically published when a push to the stable branch happens(seebranches). If you use the command above, you will find yourtarget source code in/src in the container.

Note: you can also pullaflplusplus/aflplusplus:dev which is the most currentdevelopment state of AFL++.

To build AFL++ yourself -which we recommend - continue atdocs/INSTALL.md.

NOTE: Before you start, please read about thecommon sense risks of fuzzing.

This is a quick start for fuzzing targets with the source code available. Toread about the process in detail, seedocs/fuzzing_in_depth.md.

To learn about fuzzing other targets, see:

• Binary-only targets:docs/fuzzing_binary-only_targets.md
• Network services:docs/best_practices.md#fuzzing-a-network-service
• GUI programs:docs/best_practices.md#fuzzing-a-gui-program

Step-by-step quick start:

1. Compile the program or library to be fuzzed usingafl-cc. A common way todo this would be:

   CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-sharedmake clean all

2. Get a small but valid input file that makes sense to the program. Whenfuzzing verbose syntax (SQL, HTTP, etc.), create a dictionary as described indictionaries/README.md, too.

3. If the program reads from stdin, runafl-fuzz like so:

   ./afl-fuzz -i seeds_dir -o output_dir -- \/path/to/tested/program [...program's cmdline...]

   To add a dictionary, add-x /path/to/dictionary.txt to afl-fuzz.

   If the program takes input from a file, you can put@@ in the program'scommand line; AFL++ will put an auto-generated file name in there for you.

4. Investigate anything shown in red in the fuzzer UI by promptly consultingdocs/afl-fuzz_approach.md#understanding-the-status-screen.

5. You will find found crashes and hangs in the subdirectoriescrashes/ andhangs/ in the-o output_dir directory. You can replay the crashes byfeeding them to the target, e.g. if your target is using stdin:

   cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]

   You can generate cores or use gdb directly to follow up the crashes.

6. We cannot stress this enough - if you want to fuzz effectively, read thedocs/fuzzing_in_depth.md document!

Questions? Concerns? Bug reports?

• The contributors can be reached via (e.g., by creating an issue):https://github.com/AFLplusplus/AFLplusplus.
• Take a look at ourFAQ. If you find an interesting or importantquestion missing, submit it viahttps://github.com/AFLplusplus/AFLplusplus/discussions.
• Best: join theAwesome Fuzzing Discord server.
• There is a (not really used) mailing list for the AFL/AFL++ project(browse archive). To comparenotes with other users or to get notified about major new features, send anemail toafl-users+subscribe@googlegroups.com, but note that this is notmanaged by us.

The following branches exist:

• release: the latestrelease
• stable/trunk: stable state ofAFL++ - it is synced from dev from time to time when we are satisfied with itsstability
• dev: development stateof AFL++ - bleeding edge and you might catch a checkout which does not compileor has a bug.We only accept PRs (pull requests) for the 'dev' branch!
• (any other): experimental branches to work on specific features or testing newfunctionality or changes.

We have severalideas we would like to see in AFL++ to make iteven better. However, we already work on so many things that we do not have thetime for all the big ideas.

This can be your way to support and contribute to AFL++ - extend it to dosomething cool.

For everyone who wants to contribute (and send pull requests), please read ourcontributing guidelines before you submit.

Many of the improvements to the original AFL and AFL++ wouldn't be possiblewithout feedback, bug reports, or patches from our contributors.

Thank you! (For people sending pull requests - please add yourself to this list:-)

  Jann Horn                             Hanno Boeck  Felix Groebert                        Jakub Wilk  Richard W. M. Jones                   Alexander Cherepanov  Tom Ritter                            Hovik Manucharyan  Sebastian Roschke                     Eberhard Mattes  Padraig Brady                         Ben Laurie  @dronesec                             Luca Barbato  Tobias Ospelt                         Thomas Jarosch  Martin Carpenter                      Mudge Zatko  Joe Zbiciak                           Ryan Govostes  Michael Rash                          William Robinet  Jonathan Gray                         Filipe Cabecinhas  Nico Weber                            Jodie Cunningham  Andrew Griffiths                      Parker Thompson  Jonathan Neuschaefer                  Tyler Nighswander  Ben Nagy                              Samir Aguiar  Aidan Thornton                        Aleksandar Nikolich  Sam Hakim                             Laszlo Szekeres  David A. Wheeler                      Turo Lamminen  Andreas Stieger                       Richard Godbee  Louis Dassy                           teor2345  Alex Moneger                          Dmitry Vyukov  Keegan McAllister                     Kostya Serebryany  Richo Healey                          Martijn Bogaard  rc0r                                  Jonathan Foote  Christian Holler                      Dominique Pelle  Jacek Wielemborek                     Leo Barnes  Jeremy Barnes                         Jeff Trull  Guillaume Endignoux                   ilovezfs  Daniel Godas-Lopez                    Franjo Ivancic  Austin Seipp                          Daniel Komaromy  Daniel Binderman                      Jonathan Metzman  Vegard Nossum                         Jan Kneschke  Kurt Roeckx                           Marcel Boehme  Van-Thuan Pham                        Abhik Roychoudhury  Joshua J. Drake                       Toby Hutton  Rene Freingruber                      Sergey Davidoff  Sami Liedes                           Craig Young  Andrzej Jackowski                     Daniel Hodson  Nathan Voss                           Dominik Maier  Andrea Biondo                         Vincent Le Garrec  Khaled Yakdan                         Kuang-che Wu  Josephine Calliotte                   Konrad Welc  Thomas Rooijakkers                    David Carlier  Ruben ten Hove                        Joey Jiao  fuzzah                                @intrigus-lgtm  Yaakov Saxon                          Sergej Schumilo  Ziqiao Kong                           Ryan Berger  Sangjun Park                          Scott Guest

If you use AFL++ in scientific work, consider citingour paperpresented at WOOT'20:

Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.

@inproceedings {AFLplusplus-Woot20,author ={Andrea Fioraldi and Dominik Maier and Heiko Ei{\ss}feldt and Marc Heuse},title ={{AFL++}: Combining Incremental Steps of Fuzzing Research},booktitle ={14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},year ={2020},publisher ={{USENIX} Association},month = aug,}