AFL is an industry standard fuzzing tool, which is widely used by practitioners. For most research tools on fuzzing, such as Angora(S&P’18) and CollAFL(S&P’18), the target is to make fuzzers explore the fuzzed program with higher coverage. These tools added new features to AFL, and were reported to be more effectively and efficiently on finding bugs.

In this post, I will introduce basic usages of AFL.

Download and Install

  • To download it, go to the official website or click here.
  • Uncompressed the file and run make at the source root.
  • If you want to install it, then run make install.

Let’s run it!

The most commonly used dataset for fuzzers is LAVA-M. With this dataset, we could test totally four projects: base64, md5sum, uniq and who. For fuzzing we need to compile the projects with afl-clang.

Use the following command to compile the projects:

$ cd lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe/
$ CC=/xx/afl-clang ./configure 
$ make
$ ls src/base64

Generally speaking, the commands compile base64 with code instrumented by afl. Then, type the following command to run afl-fuzz on base64:

$ /xx/afl-fuzz -i lava_corpus/LAVA-M/base64/fuzzer_input -o ../output -t 100 -- ./base64 -d @@

The line tells afl to fuzz base64 binary, with start inputs from a folder sepecified with -i, and to save all data (status, crashes, generated seeds, etc.) to the location by -o. And it is limited to run no longer than 100 ms for each input. We use @@ to fetch input from the file and feed it directly to the program.

If you could see the following screen, it means afl is running:

Fig 1. AFL Status Screen