NAME¶

afl-fuzz - afl-fuzz++2.68c based on afl by Michal Zalewski and a big online community

SYNOPSIS¶

afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]

OPTIONS¶

Required parameters:


  -i dir        - input directory with test cases


  -o dir        - output directory for fuzzer findings
Execution control settings:


  -p schedule   - power schedules compute a seed's performance score. <explore


                  (default), fast, coe, lin, quad, exploit, mmopt, rare, seek>


                  see docs/power_schedules.md


  -f file       - location read by the fuzzed program (default: stdin or @@)


  -t msec       - timeout for each run (auto-scaled, 50-1000 ms)


  -m megs       - memory limit for child process (75 MB)


  -Q            - use binary-only instrumentation (QEMU mode)


  -U            - use unicorn-based instrumentation (Unicorn mode)


  -W            - use qemu-based instrumentation with Wine (Wine mode)
Mutator settings:


  -L minutes    - use MOpt(imize) mode and set the time limit for entering the


                  pacemaker mode (minutes of no new paths). 0 = immediately,


                  -1 = immediately and together with normal mutation).


                  See docs/README.MOpt.md


  -c program    - enable CmpLog by specifying a binary compiled for it.


                  if using QEMU, just use -c 0.
Fuzzing behavior settings:


  -N            - do not unlink the fuzzing input file (for devices etc.)


  -d            - quick & dirty mode (skips deterministic steps)


  -n            - fuzz without instrumentation (non-instrumented mode)


  -x dict_file  - optional fuzzer dictionary (see README.md, its really good!)
Testing settings:


  -s seed       - use a fixed seed for the RNG


  -V seconds    - fuzz for a specific time then terminate


  -E execs      - fuzz for a approx. no of total executions then terminate


                  Note: not precise and can have several more executions.
Other stuff:


  -M/-S id      - distributed mode (see docs/parallel_fuzzing.md)


                  use -D to force -S secondary to perform deterministic fuzzing


  -F path       - sync to a foreign fuzzer queue directory (requires -M, can


                  be specified up to 32 times)


  -T text       - text banner to show on the screen


  -I command    - execute this command/script when a new crash is found


  -C            - crash exploration mode (the peruvian rabbit thing)


  -b cpu_id     - bind the fuzzing process to the specified CPU core (0-...)


  -e ext        - file extension for the fuzz test input file (if needed)
Environment variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
ASAN_OPTIONS: custom settings for ASAN


              (must contain abort_on_error=1 and symbolize=0)
MSAN_OPTIONS: custom settings for MSAN


              (must contain exitcode=86 and symbolize=0)
AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists
AFL_BENCH_JUST_ONE: run the target just once
AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found
AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs
AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators
AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule
AFL_DEBUG: extra debugging output for Python mode trimming
AFL_DEBUG_CHILD_OUTPUT: do not suppress stdout/stderr from target
AFL_DISABLE_TRIM: disable the trimming of test cases
AFL_DUMB_FORKSRV: use fork server without feedback from target
AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found
AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)
AFL_FAST_CAL: limit the calibration stage to three cycles for speedup
AFL_FORCE_UI: force showing the status screen (for virtual consoles)
AFL_HANG_TMOUT: override timeout value (in milliseconds)
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers
AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first
AFL_MAP_SIZE: the shared memory size for that target. must be >= the size


              the target was compiled for
AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value


                    then they are randomly selected instead all of them being


                    used. Defaults to 200.
AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing
AFL_NO_ARITH: skip arithmetic mutations in deterministic stage
AFL_NO_CPU_RED: avoid red color for showing very high cpu usage
AFL_NO_FORKSRV: run target via execve instead of using the forkserver
AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)
AFL_NO_UI: switch status screen off
AFL_PATH: path to AFL support binaries
AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module
AFL_QUIET: suppress forkserver status messages
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup
AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable
AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs
AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)
Compiled with Python 3.9.0+ module support, see docs/custom_mutator.md
For additional help please consult docs/README.md

AUTHOR¶

afl++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com> The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus

LICENSE¶

Apache License Version 2.0, January 2004