afl-fuzz - Man Page

Synopsis

afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]

Options

Required parameters:
  -i dir        - input directory with test cases (or '-' to resume, also see 
                  AFL_AUTORESUME)
  -o dir        - output directory for fuzzer findings

Execution control settings:
  -P strategy   - set fix mutation strategy: explore (focus on new coverage),
                  exploit (focus on triggering crashes). You can also set a
                  number of seconds after without any finds it switches to
                  exploit mode, and back on new coverage (default: 1000)
  -p schedule   - power schedules compute a seed's performance score:
                  explore(default), fast, exploit, seek, rare, mmopt, coe, lin
                  quad -- see docs/FAQ.md for more information
  -f file       - location read by the fuzzed program (default: stdin or @@)
  -t msec       - timeout for each run (auto-scaled, default 1000 ms). Add a '+'
                  to auto-calculate the timeout, the value being the maximum.
  -m megs       - memory limit for child process (0 MB, 0 = no limit [default])
  -O            - use binary-only instrumentation (FRIDA mode)
  -Q            - use binary-only instrumentation (QEMU mode)
  -U            - use unicorn-based instrumentation (Unicorn mode)
  -W            - use qemu-based instrumentation with Wine (Wine mode)
  -X            - use VM fuzzing (NYX mode - standalone mode)
  -Y            - use VM fuzzing (NYX mode - multiple instances mode)

Mutator settings:
  -a type       - target input format, "text" or "binary" (default: generic)
  -g minlength  - set min length of generated fuzz input (default: 1)
  -G maxlength  - set max length of generated fuzz input (default: 1048576)
  -L minutes    - use MOpt(imize) mode and set the time limit for entering the
                  pacemaker mode (minutes of no new finds). 0 = immediately,
                  -1 = immediately and together with normal mutation.
                  Note: this option is usually not very effective
  -c program    - enable CmpLog by specifying a binary compiled for it.
                  if using QEMU/FRIDA or the fuzzing target is compiled
                  for CmpLog then use '-c 0'. To disable CMPLOG use '-c -'.
  -l cmplog_opts - CmpLog configuration values (e.g. "2ATR"):
                  1=small files, 2=larger files (default), 3=all files,
                  A=arithmetic solving, T=transformational solving,
                  X=extreme transform solving, R=random colorization bytes.

Fuzzing behavior settings:
  -Z            - sequential queue selection instead of weighted random
  -N            - do not unlink the fuzzing input file (for devices etc.)
  -n            - fuzz without instrumentation (non-instrumented mode)
  -x dict_file  - fuzzer dictionary (see README.md, specify up to 4 times)

Test settings:
  -s seed       - use a fixed seed for the RNG
  -V seconds    - fuzz for a specified time then terminate (fuzz time only!)
  -E execs      - fuzz for an approx. no. of total executions then terminate
                  Note: not precise and can have several more executions.

Other stuff:
  -M/-S id      - distributed mode (-M sets -Z and disables trimming)
                  see docs/fuzzing_in_depth.md#c-using-multiple-cores
                  for effective recommendations for parallel fuzzing.
  -F path       - sync to a foreign fuzzer queue directory (requires -M, can
                  be specified up to 32 times)
  -z            - skip the enhanced deterministic fuzzing
                  (note that the old -d and -D flags are ignored.)
  -T text       - text banner to show on the screen
  -I command    - execute this command/script when a new crash is found
  -C            - crash exploration mode (the peruvian rabbit thing)
  -b cpu_id     - bind the fuzzing process to the specified CPU core (0-...)
  -e ext        - file extension for the fuzz test input file (if needed)

Environment variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
ASAN_OPTIONS: custom settings for ASAN
              (must contain abort_on_error=1 and symbolize=0)
MSAN_OPTIONS: custom settings for MSAN
              (must contain exitcode=86 and symbolize=0)
AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists
AFL_BENCH_JUST_ONE: run the target just once
AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found
AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)
AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs
AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators
AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule
AFL_DEBUG: extra debugging output for Python mode trimming
AFL_DEBUG_CHILD: do not suppress stdout/stderr from target
AFL_DISABLE_REDUNDANT: disable any queue item that is redundant
AFL_DISABLE_TRIM: disable the trimming of test cases
AFL_DUMB_FORKSRV: use fork server without feedback from target
AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found
AFL_EXIT_ON_TIME: exit when no new coverage is found within the specified time
AFL_EXIT_ON_SEED_ISSUES: exit on any kind of seed issues
AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60
                      minutes and a cycle without finds)
AFL_FAST_CAL: limit the calibration stage to three cycles for speedup
AFL_FORCE_UI: force showing the status screen (for virtual consoles)
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in ms)
AFL_HANG_TMOUT: override timeout value (in milliseconds)
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers
AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected
AFL_IGNORE_PROBLEMS_COVERAGE: if set in addition to AFL_IGNORE_PROBLEMS - also
                              ignore those libs for coverage
AFL_IGNORE_SEED_PROBLEMS: skip over crashes and timeouts in the seeds instead of
                          exiting
AFL_IGNORE_TIMEOUTS: do not process or save any timeouts
AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars
AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first
AFL_INPUT_LEN_MIN/AFL_INPUT_LEN_MAX: like -g/-G set min/max fuzz length produced
AFL_PIZZA_MODE: 1 - enforce pizza mode, -1 - disable for April 1st,
                0 (default) - activate on April 1st
AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc.
                 (default: SIGKILL)
AFL_FORK_SERVER_KILL_SIGNAL: Kill signal for the fork server on termination
                             (default: SIGTERM). If unset and AFL_KILL_SIGNAL is
                             set, that value will be used.
AFL_MAP_SIZE: the shared memory size for that target. must be >= the size
              the target was compiled for
AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value
                    then they are randomly selected instead all of them being
                    used. Defaults to 200.
AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing
AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful
AFL_NO_ARITH: skip arithmetic mutations in deterministic stage
AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target
AFL_NO_CPU_RED: avoid red color for showing very high cpu usage
AFL_NO_FORKSRV: run target via execve instead of using the forkserver
AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)
AFL_NO_STARTUP_CALIBRATION: no initial seed calibration, start fuzzing at once
AFL_NO_WARN_INSTABILITY: no warn about instability issues on startup calibration
AFL_NO_UI: switch status screen off
AFL_NYX_AUX_SIZE: size of the Nyx auxiliary buffer. Must be a multiple of 4096.
                  Increase this value in case the crash reports are truncated.
                  Default value is 4096.
AFL_NYX_DISABLE_SNAPSHOT_MODE: disable snapshot mode (must be supported by the agent)
AFL_NYX_LOG: output NYX hprintf messages to another file
AFL_NYX_REUSE_SNAPSHOT: reuse an existing Nyx root snapshot
AFL_PATH: path to AFL support binaries
AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module
AFL_QUIET: suppress forkserver status messages
AFL_POST_PROCESS_KEEP_ORIGINAL: save the file as it was prior post-processing to
                                the queue, but execute the post-processed one
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
AFL_TARGET_ENV: pass extra environment variables to target
AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup
AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size
AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
AFL_STATSD: enables StatsD metrics collection
AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)
AFL_STATSD_PORT: change default statsd port (default: 8125)
AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)
                        suported formats: dogstatsd, librato, signalfx, influxdb
AFL_NO_FASTRESUME: do not read or write a fast resume file
AFL_NO_SYNC: disables all syncing
AFL_SYNC_TIME: sync time between fuzzing instances (in minutes)
AFL_FINAL_SYNC: sync a final time when exiting (will delay the exit!)
AFL_NO_CRASH_README: do not create a README in the crashes directory
AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)
AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)
AFL_EARLY_FORKSERVER: force an early forkserver in an afl-clang-fast/
                      afl-clang-lto/afl-gcc-fast target
AFL_PERSISTENT: enforce persistent mode (if __AFL_LOOP is in a shared lib)
AFL_DEFER_FORKSRV: enforced deferred forkserver (__AFL_INIT is in a shared lib)
AFL_FUZZER_STATS_UPDATE_INTERVAL: interval to update fuzzer_stats file in
                                  seconds (default: 60, minimum: 1)

Compiled without Python module support.
Compiled without AFL_PERSISTENT_RECORD support.
Compiled with shmat support.
For additional help please consult docs/README.md :)

Author

AFL++ was written by Michal "lcamtuf" Zalewski and is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>, Dominik Maier <domenukk@gmail.com>, Andrea Fioraldi <andreafioraldi@gmail.com> and Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de> The homepage of AFL++ is: https://github.com/AFLplusplus/AFLplusplus

License

Apache License Version 2.0, January 2004

Info

2024-12-03 AFL++