The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
! A new forkserver communication model is now introduced. afl-fuzz is backward compatible with old compiled targets if they are not built for CMPLOG/Redqueen, but new compiled targets will not work with old afl-fuzz versions!
! Recompile all targets that are instrumented for CMPLOG/Redqueen!
- make PERFORMANCE=1: this will enable special CPU dependent optimizations that make everything more performant, but the binaries will likely not work on different platforms. Also enables a faster hasher if the CPU requirements are met.
- -t xxx+ feature
- AFL_LLVM_LTO_CALLER=1. You can set a max depth to go through single block functions with AFL_LLVM_LTO_CALLER_DEPTH (default 0)
- instrumentation/README.injections.md: how to activate/use/expand.
- AFL_FINAL_SYNC, which forces a final fuzzer sync (also for -F) before terminating.
- afl-fuzz:
  - -P. Also the input mode for the target can be defined with -a to be text or binary (defaults to generic)
- afl-cmin/afl-cmin.bash:
- afl-cc:
- frida_mode:
- qemu_mode:
- AFL_POST_PROCESS_KEEP_ORIGINAL to keep the original data before post process on finds (for atnwalk custom mutator)
- AFL_IGNORE_PROBLEMS_COVERAGE to ignore coverage from loaded libs after forkserver initialization (required by Mozilla)
- AFL_LLVM_LTO_SKIPINIT to support the AFL++ based WASM (https://github.com/fgsect/WAFL) project
- -I filelist option, an alternative to -i in_dir
- -T threads parallel task support, can be a huge speedup!
- AFL_NO_WARN_INSTABILITY
- -p mmopt now also selects new queue items more often
- AFL_FRIDA_STATS_INTERVAL
- -t none now translates to -t 120000 (120 seconds)