AFL++: Superior Fuzzer Fork with Enhanced Speed and Coverage
AFL++ outperforms original AFL via community patches for faster mutations, collision-free coverage, QEMU 5.1, LAF-Intel, RedQueen, AFLfast++ schedules, MOpt mutators, and Unicorn mode for source-free binary fuzzing.
Key Enhancements for Effective Fuzzing
AFL++ delivers superior performance over Google's AFL through targeted upgrades: collision-free coverage prevents bitmap overlaps so edges are detected precisely; enhanced LAF-Intel and RedQueen improve feedback through complex comparisons and control flow; AFLfast++ power schedules prioritize high-value test cases; MOpt mutators generate diverse inputs faster. Additional modes such as QEMU (runs binaries without recompiling from source), Unicorn (fuzzes binaries inside the Unicorn emulator), NYX (hardware-accelerated fuzzing), Frida (dynamic instrumentation), and Coresight (ARM tracing) extend the reach beyond targets with compilable source. Together these surface more crashes and hangs by sustaining a higher execs/sec rate; compile the target with afl-cc so it is instrumented for edge coverage.
Practical Fuzzing Workflow
Start with source-available targets: compile with afl-cc or afl-c++ (e.g., CC=/path/to/afl-cc ./configure --disable-shared && make clean all) so the instrumentation is inserted at build time. Place seed inputs in a directory and run afl-fuzz -i seeds_dir -o output_dir -- /path/to/program @@ (afl-fuzz substitutes @@ with the path of the current test case; omit @@ for programs that read their input from stdin). Boost efficiency with a dictionary (-x /path/to/dict) for structured formats such as HTTP or SQL. Watch the UI for red flags such as a stalled execs/sec counter. Crashes are saved under output_dir/crashes/ and hangs under output_dir/hangs/; replay each file individually, e.g. cat crashes/id:<n>* | /path/to/program (or pass the file in place of @@). For binaries without source, switch to qemu_mode or unicorn_mode. Parallelize across cores by running multiple afl-fuzz instances that share the same -o directory (e.g., -o synchtemp). See docs/fuzzing_in_depth.md for pitfalls such as CPU spikes and advice on seed selection.
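The crash replay step above, as an added example rather than AFL++'s own tooling: a POSIX sh helper that replays every file in output_dir/crashes/ one at a time (concatenating them into a single run would hide which input reproduces) and honors the @@ convention. It assumes the target command line is passed exactly as it was to afl-fuzz; 128+N in the output means the target died from signal N.

```shell
#!/bin/sh
# replay_crashes OUT_DIR PROGRAM [ARGS...]
# Replays each OUT_DIR/crashes/id:* file against the target the way afl-fuzz
# invoked it: "@@" in ARGS is replaced by the crash file path; without "@@"
# the crash is fed on stdin. Added example, not part of AFL++. Prints
# "<exit status> <crash file>" per run and returns the number of runs that
# did not exit 0 (a status of 128+N means the target died from signal N).
replay_crashes() {
    out_dir=$1; shift
    reproduced=0
    for crash in "$out_dir"/crashes/id:*; do
        [ -e "$crash" ] || continue        # glob matched nothing: no crashes yet
        run_target "$crash" "$@"
        status=$?
        echo "$status $crash"
        if [ "$status" -ne 0 ]; then reproduced=$((reproduced + 1)); fi
    done
    return "$reproduced"
}

# run_target CRASH PROGRAM [ARGS...]: one invocation, exit status of the target.
run_target() {
    crash=$1; shift
    file_mode=0
    for a in "$@"; do
        if [ "$a" = "@@" ]; then file_mode=1; fi
    done
    if [ "$file_mode" -eq 1 ]; then
        # Rebuild the argument list with "@@" replaced by the crash path.
        i=$#
        while [ "$i" -gt 0 ]; do
            a=$1; shift
            if [ "$a" = "@@" ]; then a=$crash; fi
            set -- "$@" "$a"
            i=$((i - 1))
        done
        "$@" </dev/null >/dev/null 2>&1
    else
        "$@" <"$crash" >/dev/null 2>&1
    fi
}
```

Files under hangs/ can be replayed the same way, wrapped in a timeout so a true hang does not stall the loop.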
Setup and Community Resources
Pull the Docker image aflplusplus/aflplusplus:stable (rebuilt automatically on pushes to stable; mount your target under /src) or build from source per docs/INSTALL.md (GCC and LLVM plugins are supported). Branches: stable (4.40c release), dev (4.41a on GitHub), aflplusplus (LLVM-fast); specialized builds such as AFL_LLVM_CMPLOG=1 for cmplog. Cite the WOOT'20 paper for academic use. Contribute via CONTRIBUTING.md; open ideas are listed in docs/ideas.md. afl-plot visualizes progress, afl-whatsup monitors fuzzing clusters, and afl-cmin minimizes corpora. Pair with cov-analysis for coverage reports. Maintained after Zalewski's original AFL by Fioraldi et al., with over 100 contributors.