AFL
American fuzzy lop (AFL) is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. AFL++ (AFLplusplus) is AFL with community patches, a QEMU 5.1 upgrade, collision-free coverage, enhanced laf-intel and redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more.
Get Started with AFL++
Alternatively, we can just pull the Docker image.
Get AFL++ source code.
Patch for the AFL++ build script.
diff --git a/unicorn_mode/build_unicorn_support.sh b/unicorn_mode/build_unicorn_support.sh
index 53ec2481..7b633be8 100755
--- a/unicorn_mode/build_unicorn_support.sh
+++ b/unicorn_mode/build_unicorn_support.sh
@@ -230,7 +230,7 @@ cd ../samples/python_simple || echo "Cannot cd"
# Run afl-showmap on the sample application. If anything comes out then it must have worked!
unset AFL_INST_RATIO
# pwd; echo "echo 0 | ../../../afl-showmap -U -m none -t 2000 -o ./.test-instr0 -- $PYTHONBIN ./simple_test_harness.py ./sample_inputs/sample1.bin"
-echo 0 | ../../../afl-showmap -U -m none -t 2000 -o ./.test-instr0 -- $PYTHONBIN ./simple_test_harness.py ./sample_inputs/sample1.bin >/dev/null 2>&1 || echo "Showmap"
+echo 0 | ../../../afl-showmap -U -m none -t 2000 -i sample_inputs/ -o ./.test-instr0 -- $PYTHONBIN ./simple_test_harness.py ./sample_inputs/sample1.bin >/dev/null 2>&1 || echo "Showmap"
if [ -s ./.test-instr0 ]
then
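Review bot: adding `-i sample_inputs/` puts afl-showmap into directory mode, where `-o ./.test-instr0` names an output directory rather than a single map file (the later `rm -f` to `rm -rf` change in this patch relies on exactly that), so the unchanged `if [ -s ./.test-instr0 ]` two lines below now tests a directory's size instead of whether any coverage was written; check that the directory is non-empty instead, e.g. `if [ -n "$(ls -A ./.test-instr0)" ]`. Two smaller points in the same hunk: the commented-out debug `echo` above still shows the old command without `-i`, and the target command still hard-codes `./sample_inputs/sample1.bin` rather than `@@`, so every file collected from `-i` runs the harness on that same fixed input.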
@@ -248,6 +248,6 @@ else
fi
-rm -f ./.test-instr0
+rm -rf ./.test-instr0
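Review bot: the change from `rm -f` to `rm -rf` is the only place the patch reveals that `./.test-instr0` is now a directory; add a one-line comment above the `rm` (for example `# with -i, afl-showmap writes -o as a directory`) and say the same in the commit message, otherwise the next reader will see a recursive delete of what the surrounding script still treats as a file.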
Build according to the build documentation.
Crash Report
AFL++ stores each unique crashing input in a file whose name looks like `id:000000,sig:06,src:000000,time:4638,execs:11155,op:havoc,rep:4`. The fields in the name have the following meaning:
| Name | Description |
|---|---|
| sig | Unix signal that terminated the target |
| execs | How many times execve() was triggered |
| op | Mutation operation applied to the seed file |
| rep | How many times the seed file was mutated |
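As an added example (not part of the original page or of AFL++ itself), the following Python parses these crash file names into their fields and groups a crashes directory by signal and mutation operator for a first triage pass; apart from the name quoted above, the sample names are constructed.

```python
import re
import signal
from collections import Counter

# One key:value field of an AFL++ file name, e.g. "sig:06" or "op:havoc".
_FIELD_RE = re.compile(r"^([a-z]+):(.*)$")

def parse_crash_name(name):
    """Split an AFL++ crash (or queue) file name into its comma-separated fields.

    Purely numeric values (id, sig, time, execs, rep, and src for a single parent)
    become ints; others such as op:havoc or a spliced src:000003+000007 stay strings.
    Raises ValueError for names that are not AFL++ entries (e.g. README.txt).
    """
    fields = {}
    for part in name.split(","):
        m = _FIELD_RE.match(part)
        if not m:
            raise ValueError(f"unexpected field {part!r} in {name!r}")
        key, val = m.groups()
        fields[key] = int(val) if val.isdigit() else val
    if "id" not in fields:
        raise ValueError(f"no id field in {name!r}")
    return fields

def signal_name(sig):
    """Map the sig field to a signal name (6 -> SIGABRT, 11 -> SIGSEGV), or SIG<n> if unknown."""
    try:
        return signal.Signals(sig).name
    except ValueError:
        return f"SIG{sig}"

def summarize_crashes(names):
    """Count crash files per signal name and per mutation operator."""
    by_sig, by_op = Counter(), Counter()
    for n in names:
        f = parse_crash_name(n)
        by_sig[signal_name(f["sig"])] += 1
        by_op[f["op"]] += 1
    return {"by_sig": dict(by_sig), "by_op": dict(by_op)}

# Constructed sample names; only the first one is quoted on the page.
SAMPLE_NAMES = [
    "id:000000,sig:06,src:000000,time:4638,execs:11155,op:havoc,rep:4",
    "id:000001,sig:11,src:000003+000007,time:9120,execs:20311,op:splice,rep:2",
    "id:000002,sig:06,src:000001,time:12044,execs:25870,op:havoc,rep:8",
]

if __name__ == "__main__":
    print(summarize_crashes(SAMPLE_NAMES))
```

Pointing the same functions at `os.listdir("out/default/crashes")` gives the per-signal breakdown of a real run; skip the entries for which `parse_crash_name` raises.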