afl-fuzz(8)                 System Manager's Manual                afl-fuzz(8)


NAME

       afl-fuzz


SYNOPSIS

       afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]


OPTIONS

       Required parameters:
         -i dir        - input directory with test cases (or '-' to resume, also see
                         AFL_AUTORESUME)
         -o dir        - output directory for fuzzer findings

       Execution control settings:
         -P strategy   - set a fixed mutation strategy: explore (focus on new coverage)
                         or exploit (focus on triggering crashes). You can also set a
                         number of seconds without any finds after which it switches to
                         exploit mode, and back on new coverage (default: 1000)
         -p schedule   - power schedules compute a seed's performance score:
                         fast (default), explore, exploit, seek, rare, mmopt, coe, lin,
                         quad -- see docs/FAQ.md for more information
         -f file       - location read by the fuzzed program (default: stdin or @@)
         -t msec       - timeout for each run (auto-scaled, default 1000 ms). Add a '+'
                         to auto-calculate the timeout, the value being the maximum.
         -m megs       - memory limit for child process (0 MB, 0 = no limit [default])
         -O            - use binary-only instrumentation (FRIDA mode)
         -Q            - use binary-only instrumentation (QEMU mode)
         -U            - use unicorn-based instrumentation (Unicorn mode)
         -W            - use qemu-based instrumentation with Wine (Wine mode)
         -X            - use VM fuzzing (NYX mode - standalone mode)
         -Y            - use VM fuzzing (NYX mode - multiple instances mode)

       Mutator settings:
         -a            - target input format, "text" or "binary" (default: generic)
         -g minlength  - set min length of generated fuzz input (default: 1)
         -G maxlength  - set max length of generated fuzz input (default: 1048576)
         -D            - enable deterministic fuzzing (once per queue entry)
         -L minutes    - use MOpt(imize) mode and set the time limit for entering the
                         pacemaker mode (minutes of no new finds). 0 = immediately,
                         -1 = immediately and together with normal mutation.
         -c program    - enable CmpLog by specifying a binary compiled for it.
                         If using QEMU/FRIDA or the fuzzing target is compiled
                         for CmpLog then use '-c 0'. To disable CmpLog use '-c -'.
         -l cmplog_opts - CmpLog configuration values (e.g. "2ATR"):
                         1=small files, 2=larger files (default), 3=all files,
                         A=arithmetic solving, T=transformational solving,
                         X=extreme transform solving, R=random colorization bytes.

       Fuzzing behavior settings:
         -Z            - sequential queue selection instead of weighted random
         -N            - do not unlink the fuzzing input file (for devices etc.)
         -n            - fuzz without instrumentation (non-instrumented mode)
         -x dict_file  - fuzzer dictionary (see README.md, specify up to 4 times)

       Test settings:
         -s seed       - use a fixed seed for the RNG
         -V seconds    - fuzz for a specified time then terminate
         -E execs      - fuzz for an approx. no. of total executions then terminate
                         Note: not precise and can have several more executions.

       Other stuff:
         -M/-S id      - distributed mode (-M sets -Z and disables trimming)
                         see docs/fuzzing_in_depth.md#c-using-multiple-cores
                         for effective recommendations for parallel fuzzing.
         -F path       - sync to a foreign fuzzer queue directory (requires -M, can
                         be specified up to 32 times)
         -T text       - text banner to show on the screen
         -I command    - execute this command/script when a new crash is found
         -C            - crash exploration mode (the peruvian rabbit thing)
         -b cpu_id     - bind the fuzzing process to the specified CPU core (0-...)
         -e ext        - file extension for the fuzz test input file (if needed)

       Environment variables used:
       LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
       ASAN_OPTIONS: custom settings for ASAN
                     (must contain abort_on_error=1 and symbolize=0)
       MSAN_OPTIONS: custom settings for MSAN
                     (must contain exitcode=86 and symbolize=0)
       AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists
       AFL_BENCH_JUST_ONE: run the target just once
       AFL_BENCH_UNTIL_CRASH: exit as soon as the first crashing input has been found
       AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)
       AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
       AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs
       AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators
       AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule
       AFL_DEBUG: extra debugging output for Python mode trimming
       AFL_DEBUG_CHILD: do not suppress stdout/stderr from target
       AFL_DISABLE_TRIM: disable the trimming of test cases
       AFL_DUMB_FORKSRV: use fork server without feedback from target
       AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found
       AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time
       AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60
                             minutes and a cycle without finds)
       AFL_FAST_CAL: limit the calibration stage to three cycles for speedup
       AFL_FORCE_UI: force showing the status screen (for virtual consoles)
       AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in ms)
       AFL_HANG_TMOUT: override timeout value (in milliseconds)
       AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers
       AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected
       AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also
                                     ignore those libs for coverage
       AFL_IGNORE_TIMEOUTS: do not process or save any timeouts
       AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars
       AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first
       AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced
       AFL_PIZZA_MODE: 1 - enforce pizza mode, -1 - disable for April 1st,
                       0 (default) - activate on April 1st
       AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc.
                        (default: SIGKILL)
       AFL_FORK_SERVER_KILL_SIGNAL: Kill signal for the fork server on termination
                                    (default: SIGTERM). If unset and AFL_KILL_SIGNAL is
                                    set, that value will be used.
       AFL_MAP_SIZE: the shared memory size for that target. Must be >= the size
                     the target was compiled for
       AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value
                           then they are randomly selected instead of all of them being
                           used. Defaults to 200.
       AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing
       AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful
       AFL_NO_ARITH: skip arithmetic mutations in deterministic stage
       AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target
       AFL_NO_CPU_RED: avoid red color for showing very high cpu usage
       AFL_NO_FORKSRV: run target via execve instead of using the forkserver
       AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)
       AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once
       AFL_NO_UI: switch status screen off
       AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.
                         Increase this value in case the crash reports are truncated.
                         Default value is 4096.
       AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent)
       AFL_NYX_LOG: output NYX hprintf messages to another file
       AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot
       AFL_PATH: path to AFL support binaries
       AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module
       AFL_QUIET: suppress forkserver status messages
       AFL_POST_PROCESS_KEEP_ORIGINAL: save the file as it was prior to post-processing
                                       to the queue, but execute the post-processed one
       AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
       AFL_TARGET_ENV: pass extra environment variables to target
       AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup
       AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size
       AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
       AFL_STATSD: enables StatsD metrics collection
       AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)
       AFL_STATSD_PORT: change default statsd port (default: 8125)
       AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)
                               supported formats: dogstatsd, librato, signalfx, influxdb
       AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)
       AFL_NO_CRASH_README: do not create a README in the crashes directory
       AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)
       AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)
       AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/
                             afl-clang-lto/afl-gcc-fast target
       AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib)
       AFL_DEFER_FORKSRV: enforce a deferred forkserver (__AFL_INIT is in a shared lib)
       AFL_FUZZER_STATS_UPDATE_INTERVAL: interval to update fuzzer_stats file in
                                         seconds (default: 60, minimum: 1)

       Compiled without Python module support.
       Compiled without AFL_PERSISTENT_RECORD support.
       Compiled with shmat support.
       For additional help please consult docs/README.md :)

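       The following is an added example and is not part of the afl-fuzz manual
       or of the AFL++ project: a POSIX sh pre-flight script that checks, before
       a campaign is launched, the environment-variable requirements stated
       above (ASAN_OPTIONS must contain abort_on_error=1 and symbolize=0,
       MSAN_OPTIONS must contain exitcode=86 and symbolize=0, AFL_NYX_AUX_SIZE
       must be a multiple of 4096, AFL_STATSD_TAGS_FLAVOR must be one of the
       four listed formats). The function names, the treatment of colon and
       space as sanitizer option separators, and the sample values are
       assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the afl-fuzz manual or the AFL++ sources.
# afl-fuzz checks these settings itself at startup; running the checks first
# avoids launching a batch of -M/-S instances only to have each of them abort
# with the same setup error. Function names are this example's own.

# has_opt OPTS KEY=VALUE -> 0 if the colon- or space-separated sanitizer
# option string OPTS contains exactly the entry KEY=VALUE (assumed separators).
has_opt() {
    _opts=":$(printf '%s' "$1" | tr ' ' ':'):"
    case "$_opts" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_asan_options OPTS -> 0 when both required ASAN settings are present.
check_asan_options() {
    has_opt "$1" "abort_on_error=1" && has_opt "$1" "symbolize=0"
}

# check_msan_options OPTS -> 0 when both required MSAN settings are present.
check_msan_options() {
    has_opt "$1" "exitcode=86" && has_opt "$1" "symbolize=0"
}

# check_nyx_aux_size BYTES -> 0 when BYTES is a positive multiple of 4096.
check_nyx_aux_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain decimal number
    esac
    [ "$1" -gt 0 ] && [ $(( $1 % 4096 )) -eq 0 ]
}

# check_statsd_flavor NAME -> 0 when NAME is one of the supported tag formats.
check_statsd_flavor() {
    case "$1" in
        dogstatsd|librato|signalfx|influxdb) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight -> reports every problem in the current environment on stderr and
# returns the number of problems found (0 means ready to start afl-fuzz).
# Variables that are unset are skipped, since afl-fuzz then uses its defaults.
preflight() {
    _problems=0
    if [ -n "${ASAN_OPTIONS:-}" ] && ! check_asan_options "$ASAN_OPTIONS"; then
        echo "ASAN_OPTIONS must contain abort_on_error=1 and symbolize=0" >&2
        _problems=$((_problems + 1))
    fi
    if [ -n "${MSAN_OPTIONS:-}" ] && ! check_msan_options "$MSAN_OPTIONS"; then
        echo "MSAN_OPTIONS must contain exitcode=86 and symbolize=0" >&2
        _problems=$((_problems + 1))
    fi
    if [ -n "${AFL_NYX_AUX_SIZE:-}" ] && ! check_nyx_aux_size "$AFL_NYX_AUX_SIZE"; then
        echo "AFL_NYX_AUX_SIZE must be a positive multiple of 4096" >&2
        _problems=$((_problems + 1))
    fi
    if [ -n "${AFL_STATSD_TAGS_FLAVOR:-}" ] && ! check_statsd_flavor "$AFL_STATSD_TAGS_FLAVOR"; then
        echo "AFL_STATSD_TAGS_FLAVOR must be dogstatsd, librato, signalfx or influxdb" >&2
        _problems=$((_problems + 1))
    fi
    return "$_problems"
}

# Constructed sample environment for a stand-alone run of this script
# (values chosen for the demonstration, not taken from a real campaign).
ASAN_OPTIONS="abort_on_error=1:symbolize=0:detect_leaks=0"
MSAN_OPTIONS="exitcode=86:symbolize=0"
AFL_NYX_AUX_SIZE=8192
AFL_STATSD_TAGS_FLAVOR=dogstatsd
export ASAN_OPTIONS MSAN_OPTIONS AFL_NYX_AUX_SIZE AFL_STATSD_TAGS_FLAVOR

if preflight; then
    echo "preflight passed; a campaign script would now run: afl-fuzz -i in -o out -- ./target @@"
else
    echo "preflight failed; fix the variables reported above before starting afl-fuzz" >&2
fi
```

       Source this file or copy the functions into a campaign script and call
       preflight before the afl-fuzz loop; its return value is the number of
       problems, so a plain "preflight || exit 1" stops the script on the first
       misconfigured variable set.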

AUTHOR

       AFL++ was written by Michal "lcamtuf" Zalewski and is maintained by
       Marc "van Hauser" Heuse <mh@mh-sec.de>, Dominik Maier
       <domenukk@gmail.com>, Andrea Fioraldi <andreafioraldi@gmail.com> and
       Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>. The homepage of
       AFL++ is: https://github.com/AFLplusplus/AFLplusplus


LICENSE

       Apache License Version 2.0, January 2004


AFL++                             2023-08-29                       afl-fuzz(8)