Scroll to navigation

afl-fuzz(8) System Manager's Manual afl-fuzz(8)


afl-fuzz - afl-fuzz++2.68c based on afl by Michal Zalewski and a big online community


afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]


Required parameters:

-i dir - input directory with test cases
-o dir - output directory for fuzzer findings Execution control settings:
-p schedule - power schedules compute a seed's performance score. <explore
(default), fast, coe, lin, quad, exploit, mmopt, rare, seek>
see docs/
-f file - location read by the fuzzed program (default: stdin or @@)
-t msec - timeout for each run (auto-scaled, 50-1000 ms)
-m megs - memory limit for child process (75 MB)
-Q - use binary-only instrumentation (QEMU mode)
-U - use unicorn-based instrumentation (Unicorn mode)
-W - use qemu-based instrumentation with Wine (Wine mode) Mutator settings:
-L minutes - use MOpt(imize) mode and set the time limit for entering the
pacemaker mode (minutes of no new paths). 0 = immediately,
-1 = immediately and together with normal mutation).
See docs/
-c program - enable CmpLog by specifying a binary compiled for it.
if using QEMU, just use -c 0. Fuzzing behavior settings:
-N - do not unlink the fuzzing input file (for devices etc.)
-d - quick & dirty mode (skips deterministic steps)
-n - fuzz without instrumentation (non-instrumented mode)
-x dict_file - optional fuzzer dictionary (see, its really good!) Testing settings:
-s seed - use a fixed seed for the RNG
-V seconds - fuzz for a specific time then terminate
-E execs - fuzz for a approx. no of total executions then terminate
Note: not precise and can have several more executions. Other stuff:
-M/-S id - distributed mode (see docs/
use -D to force -S secondary to perform deterministic fuzzing
-F path - sync to a foreign fuzzer queue directory (requires -M, can
be specified up to 32 times)
-T text - text banner to show on the screen
-I command - execute this command/script when a new crash is found
-C - crash exploration mode (the peruvian rabbit thing)
-b cpu_id - bind the fuzzing process to the specified CPU core (0-...)
-e ext - file extension for the fuzz test input file (if needed) Environment variables used: LD_BIND_LAZY: do not set LD_BIND_NOW env var for target ASAN_OPTIONS: custom settings for ASAN
(must contain abort_on_error=1 and symbolize=0) MSAN_OPTIONS: custom settings for MSAN
(must contain exitcode=86 and symbolize=0) AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists AFL_BENCH_JUST_ONE: run the target just once AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule AFL_DEBUG: extra debugging output for Python mode trimming AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target AFL_DISABLE_TRIM: disable the trimming of test cases AFL_DUMB_FORKSRV: use fork server without feedback from target AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds) AFL_FAST_CAL: limit the calibration stage to three cycles for speedup AFL_FORCE_UI: force showing the status screen (for virtual consoles) AFL_HANG_TMOUT: override timeout value (in milliseconds) AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds) AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first AFL_MAP_SIZE: the shared memory size for that target. must be >= the size
the target was compiled for AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value
then they are randomly selected instead all of them being
used. Defaults to 200. AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing AFL_NO_ARITH: skip arithmetic mutations in deterministic stage AFL_NO_CPU_RED: avoid red color for showing very high cpu usage AFL_NO_FORKSRV: run target via execve instead of using the forkserver AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded) AFL_NO_UI: switch status screen off AFL_PATH: path to AFL support binaries AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module AFL_QUIET: suppress forkserver status messages AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs AFL_TMPDIR: directory to use for input file generation (ramdisk recommended) Compiled with Python 3.9.0+ module support, see docs/ For additional help please consult docs/


afl++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <>, Heiko "hexcoder-" Eissfeldt <>, Andrea Fioraldi <> and Dominik Maier <> The homepage of afl++ is:


Apache License Version 2.0, January 2004

2020-11-21 afl++