afl-fuzz - Man Page
Synopsis
afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]
Options
Required parameters: -i dir - input directory with test cases (or '-' to resume, also see AFL_AUTORESUME) -o dir - output directory for fuzzer findings Execution control settings: -P strategy - set fix mutation strategy: explore (focus on new coverage), exploit (focus on triggering crashes). You can also set a number of seconds after without any finds it switches to exploit mode, and back on new coverage (default: 1000) -p schedule - power schedules compute a seed's performance score: explore(default), fast, exploit, seek, rare, mmopt, coe, lin quad -- see docs/FAQ.md for more information -f file - location read by the fuzzed program (default: stdin or @@) -t msec - timeout for each run (auto-scaled, default 1000 ms). Add a '+' to auto-calculate the timeout, the value being the maximum. -m megs - memory limit for child process (0 MB, 0 = no limit [default]) -O - use binary-only instrumentation (FRIDA mode) -Q - use binary-only instrumentation (QEMU mode) -U - use unicorn-based instrumentation (Unicorn mode) -W - use qemu-based instrumentation with Wine (Wine mode) -X - use VM fuzzing (NYX mode - standalone mode) -Y - use VM fuzzing (NYX mode - multiple instances mode) Mutator settings: -a type - target input format, "text" or "binary" (default: generic) -g minlength - set min length of generated fuzz input (default: 1) -G maxlength - set max length of generated fuzz input (default: 1048576) -L minutes - use MOpt(imize) mode and set the time limit for entering the pacemaker mode (minutes of no new finds). 0 = immediately, -1 = immediately and together with normal mutation. Note: this option is usually not very effective -c program - enable CmpLog by specifying a binary compiled for it. if using QEMU/FRIDA or the fuzzing target is compiled for CmpLog then use '-c 0'. To disable Cmplog use '-c -'. -l cmplog_opts - CmpLog configuration values (e.g. "2ATR"): 1=small files, 2=larger files (default), 3=all files, A=arithmetic solving, T=transformational solving, X=extreme transform solving, R=random colorization bytes. Fuzzing behavior settings: -Z - sequential queue selection instead of weighted random -N - do not unlink the fuzzing input file (for devices etc.) -n - fuzz without instrumentation (non-instrumented mode) -x dict_file - fuzzer dictionary (see README.md, specify up to 4 times) Test settings: -s seed - use a fixed seed for the RNG -V seconds - fuzz for a specified time then terminate (fuzz time only!) -E execs - fuzz for an approx. no. of total executions then terminate Note: not precise and can have several more executions. Other stuff: -M/-S id - distributed mode (-M sets -Z and disables trimming) see docs/fuzzing_in_depth.md#c-using-multiple-cores for effective recommendations for parallel fuzzing. -F path - sync to a foreign fuzzer queue directory (requires -M, can be specified up to 32 times) -z - skip the enhanced deterministic fuzzing (note that the old -d and -D flags are ignored.) -T text - text banner to show on the screen -I command - execute this command/script when a new crash is found -C - crash exploration mode (the peruvian rabbit thing) -b cpu_id - bind the fuzzing process to the specified CPU core (0-...) -e ext - file extension for the fuzz test input file (if needed) Environment variables used: LD_BIND_LAZY: do not set LD_BIND_NOW env var for target ASAN_OPTIONS: custom settings for ASAN (must contain abort_on_error=1 and symbolize=0) MSAN_OPTIONS: custom settings for MSAN (must contain exitcode=86 and symbolize=0) AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists AFL_BENCH_JUST_ONE: run the target just once AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!) AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule AFL_DEBUG: extra debugging output for Python mode trimming AFL_DEBUG_CHILD: do not suppress stdout/stderr from target AFL_DISABLE_REDUNDANT: disable any queue item that is redundant AFL_DISABLE_TRIM: disable the trimming of test cases AFL_DUMB_FORKSRV: use fork server without feedback from target AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds) AFL_FAST_CAL: limit the calibration stage to three cycles for speedup AFL_FORCE_UI: force showing the status screen (for virtual consoles) AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in ms) AFL_HANG_TMOUT: override timeout value (in milliseconds) AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also ignore those libs for coverage AFL_IGNORE_SEED_PROBLEMS: skip over crashes and timeouts in the seeds instead of exiting AFL_IGNORE_TIMEOUTS: do not process or save any timeouts AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced AFL_PIZZA_MODE: 1 - enforce pizza mode, -1 - disable for April 1st, 0 (default) - activate on April 1st AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL) AFL_FORK_SERVER_KILL_SIGNAL: Kill signal for the fork server on termination (default: SIGTERM). If unset and AFL_KILL_SIGNAL is set, that value will be used. AFL_MAP_SIZE: the shared memory size for that target. must be >= the size the target was compiled for AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value then they are randomly selected instead all of them being used. Defaults to 200. AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful AFL_NO_ARITH: skip arithmetic mutations in deterministic stage AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target AFL_NO_CPU_RED: avoid red color for showing very high cpu usage AFL_NO_FORKSRV: run target via execve instead of using the forkserver AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded) AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once AFL_NO_WARN_INSTABILITY: no warn about instability issues on startup calibration AFL_NO_UI: switch status screen off AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096. Increase this value in case the crash reports are truncated. Default value is 4096. AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent) AFL_NYX_LOG: output NYX hprintf messages to another file AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot AFL_PATH: path to AFL support binaries AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module AFL_QUIET: suppress forkserver status messages AFL_POST_PROCESS_KEEP_ORIGINAL: save the file as it was prior post-processing to the queue, but execute the post-processed one AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target AFL_TARGET_ENV: pass extra environment variables to target AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking AFL_STATSD: enables StatsD metrics collection AFL_STATSD_HOST: change default statsd host (default 127.0.0.1) AFL_STATSD_PORT: change default statsd port (default: 8125) AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags) suported formats: dogstatsd, librato, signalfx, influxdb AFL_NO_SYNC: disables all syncing AFL_SYNC_TIME: sync time between fuzzing instances (in minutes) AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!) AFL_NO_CRASH_README: do not create a README in the crashes directory AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB) AFL_TMPDIR: directory to use for input file generation (ramdisk recommended) AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/ afl-clang-lto/afl-gcc-fast target AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib) AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a shared lib) AFL_FUZZER_STATS_UPDATE_INTERVAL: interval to update fuzzer_stats file in seconds (default: 60, minimum: 1) Compiled without Python module support. Compiled without AFL_PERSISTENT_RECORD support. Compiled with shmat support. For additional help please consult docs/README.md :)
Author
AFL++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Dominik Maier <domenukk@gmail.com>, Andrea Fioraldi <andreafioraldi@gmail.com> and Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de> The homepage of AFL++ is: https://github.com/AFLplusplus/AFLplusplus
License
Apache License Version 2.0, January 2004
Info
2024-08-20 AFL++