afl-fuzz(8) System Manager's Manual afl-fuzz(8)

NAME
  afl-fuzz

SYNOPSIS
  afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]

OPTIONS
  Required parameters:
    -i dir         - input directory with test cases
    -o dir         - output directory for fuzzer findings

  Execution control settings:
    -p schedule    - power schedules compute a seed's performance score:
                     fast (default), explore, exploit, seek, rare, mmopt, coe, lin,
                     quad -- see docs/power_schedules.md
    -f file        - location read by the fuzzed program (default: stdin or @@)
    -t msec        - timeout for each run (auto-scaled, default 1000 ms). Add a '+'
                     to auto-calculate the timeout, the value being the maximum.
    -m megs        - memory limit for child process (0 MB, 0 = no limit [default])
    -O             - use binary-only instrumentation (FRIDA mode)
    -Q             - use binary-only instrumentation (QEMU mode)
    -U             - use unicorn-based instrumentation (Unicorn mode)
    -W             - use qemu-based instrumentation with Wine (Wine mode)

  Mutator settings:
    -D             - enable deterministic fuzzing (once per queue entry)
    -L minutes     - use MOpt(imize) mode and set the time limit for entering the
                     pacemaker mode (minutes of no new paths). 0 = immediately,
                     -1 = immediately and together with normal mutation.
                     See docs/README.MOpt.md
    -c program     - enable CmpLog by specifying a binary compiled for it.
                     If using QEMU, just use -c 0.
    -l cmplog_opts - CmpLog configuration values (e.g. "2AT"):
                     1=small files, 2=larger files (default), 3=all files,
                     A=arithmetic solving, T=transformational solving.

  Fuzzing behavior settings:
    -Z             - sequential queue selection instead of weighted random
    -N             - do not unlink the fuzzing input file (for devices etc.)
    -n             - fuzz without instrumentation (non-instrumented mode)
    -x dict_file   - fuzzer dictionary (see README.md, specify up to 4 times)

  Test settings:
    -s seed        - use a fixed seed for the RNG
    -V seconds     - fuzz for a specified time then terminate
    -E execs       - fuzz for an approx. no. of total executions then terminate
                     Note: not precise and can have several more executions.

  Other stuff:
    -M/-S id       - distributed mode (see docs/parallel_fuzzing.md)
                     -M auto-sets -D, -Z (use -d to disable -D) and no trimming
    -F path        - sync to a foreign fuzzer queue directory (requires -M, can
                     be specified up to 32 times)
    -T text        - text banner to show on the screen
    -I command     - execute this command/script when a new crash is found
    -C             - crash exploration mode (the Peruvian rabbit thing)
    -b cpu_id      - bind the fuzzing process to the specified CPU core (0-...)
    -e ext         - file extension for the fuzz test input file (if needed)

  Environment variables used:
    LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
    ASAN_OPTIONS: custom settings for ASAN
                  (must contain abort_on_error=1 and symbolize=0)
    MSAN_OPTIONS: custom settings for MSAN
                  (must contain exitcode=86 and symbolize=0)
    AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists
    AFL_BENCH_JUST_ONE: run the target just once
    AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found
    AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)
    AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
    AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs
    AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators
    AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule
    AFL_DEBUG: extra debugging output for Python mode trimming
    AFL_DEBUG_CHILD: do not suppress stdout/stderr from target
    AFL_DISABLE_TRIM: disable the trimming of test cases
    AFL_DUMB_FORKSRV: use fork server without feedback from target
    AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found
    AFL_EXIT_ON_TIME: exit when no new paths are found within the specified time period
    AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)
    AFL_FAST_CAL: limit the calibration stage to three cycles for speedup
    AFL_FORCE_UI: force showing the status screen (for virtual consoles)
    AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)
    AFL_HANG_TMOUT: override timeout value (in milliseconds)
    AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers
    AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars
    AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first
    AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)
    AFL_MAP_SIZE: the shared memory size for that target. Must be >= the size
                  the target was compiled for
    AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value
                  then they are randomly selected instead of all of them being
                  used. Defaults to 200.
    AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing
    AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful
    AFL_NO_ARITH: skip arithmetic mutations in deterministic stage
    AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target
    AFL_NO_CPU_RED: avoid red color for showing very high cpu usage
    AFL_NO_FORKSRV: run target via execve instead of using the forkserver
    AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)
    AFL_NO_UI: switch status screen off
    AFL_PATH: path to AFL support binaries
    AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module
    AFL_QUIET: suppress forkserver status messages
    AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
    AFL_TARGET_ENV: pass extra environment variables to target
    AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup
    AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size
    AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
    AFL_STATSD: enables StatsD metrics collection
    AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)
    AFL_STATSD_PORT: change default statsd port (default: 8125)
    AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)
                  Supported formats are: 'dogstatsd', 'librato',
                  'signalfx' and 'influxdb'
    AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)
    AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)

  Compiled without python module support.
  Compiled without AFL_PERSISTENT_RECORD support.
  Compiled with shmat support.
  For additional help please consult docs/README.md :)
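As an added example (not part of the afl-fuzz man page or the AFL++ project): a POSIX sh helper that checks a prepared afl-fuzz argument list against the limits stated in OPTIONS (-i and -o required, -x at most 4 times, -F at most 32 times and only with -M) and verifies that ASAN_OPTIONS/MSAN_OPTIONS carry the settings the environment section says they must. The names ./target, ./target.cmplog, seeds, sync and dict.txt are assumptions.

```shell
#!/bin/sh
# Added example, not part of the afl-fuzz man page. Assumed names: ./target,
# ./target.cmplog, seeds/, sync/, dict.txt.

# has_opt OPTS KEY=VAL: true if the ':'-separated sanitizer option string OPTS
# contains exactly KEY=VAL as one of its entries.
has_opt() {
    case ":$1:" in
        *:"$2":*) return 0 ;;
    esac
    return 1
}

# The page requires abort_on_error=1 and symbolize=0 for ASAN targets and
# exitcode=86 and symbolize=0 for MSAN targets; without them sanitizer
# reports do not surface to afl-fuzz as crashes.
check_asan_options() { has_opt "$1" abort_on_error=1 && has_opt "$1" symbolize=0; }
check_msan_options() { has_opt "$1" exitcode=86 && has_opt "$1" symbolize=0; }

# validate_afl_args ARGS...: apply the constraints stated in OPTIONS.
# Parsing stops at "--", after which the target command follows.
validate_afl_args() {
    n_x=0; n_f=0; has_m=0; has_i=0; has_o=0
    while [ $# -gt 0 ]; do
        # Options that take a value shift the value away here; the common
        # shift below then removes the option itself.
        case $1 in
            --) break ;;
            -i) has_i=1; shift ;;
            -o) has_o=1; shift ;;
            -x) n_x=$((n_x + 1)); shift ;;
            -F) n_f=$((n_f + 1)); shift ;;
            -M) has_m=1; shift ;;
            -p|-f|-t|-m|-L|-c|-l|-s|-V|-E|-S|-T|-I|-b|-e) shift ;;
        esac
        shift
    done
    [ "$has_i" -eq 1 ] && [ "$has_o" -eq 1 ] || return 1
    [ "$n_x" -le 4 ] || return 1
    [ "$n_f" -le 32 ] || return 1
    [ "$n_f" -eq 0 ] || [ "$has_m" -eq 1 ] || return 1
    return 0
}

# Constructed sample: a main node with CmpLog and a dictionary, as in OPTIONS.
validate_afl_args -i seeds -o sync -M main -c ./target.cmplog -l 2AT -x dict.txt -- ./target \
    && echo "main-node arguments OK"
check_asan_options "abort_on_error=1:symbolize=0:detect_leaks=0" \
    && echo "ASAN_OPTIONS OK"
```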

AUTHOR
  afl++ was written by Michal "lcamtuf" Zalewski and is maintained by
  Marc "van Hauser" Heuse <mh@mh-sec.de>, Heiko "hexcoder-" Eissfeldt
  <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com>
  and Dominik Maier <domenukk@gmail.com>. The homepage of afl++ is:
  https://github.com/AFLplusplus/AFLplusplus

LICENSE
  Apache License Version 2.0, January 2004

afl++ 2021-11-09 afl-fuzz(8)