afl++

American Fuzzy Lop Plus (afl++) is a fork of the original AFL fuzzer. It employs compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary, substantially improving functional coverage. The compact synthesized corpora produced are useful for seeding other testing regimes.

AFL++ is designed to be practical with modest performance overhead, effective fuzzing strategies, no configuration needed, and handles complex real-world use cases like image parsing or file compression libraries seamlessly. It supports multiple instrumentation modes including LLVM, GCC plugins, and binary-only fuzzing with QEMU, Unicorn, and FRIDA.

Use cases include finding bugs in binary-only applications, improving code coverage for security testing, generating test corpora, and crash reproduction in software from parsers to network services.

AFL++ instruments the target binary at compile time using LLVM passes, GCC plugins, or binary-only modes (QEMU/FRIDA/Unicorn/Nyx). Instrumentation adds code to track edge coverage via a shared memory bitmap. During fuzzing, afl-fuzz mutates input seeds using genetic algorithms, prioritizing inputs that discover new coverage transitions. Queue management favors high-energy inputs (those finding new coverage), with strategies like power schedules and splicing. Crashes/hangs are detected via timeouts and exit codes, with deterministic fuzzing phases followed by havoc/exploit modes. Features like persistent mode, LAF comparisons, and CMPLOG enhance efficiency.