mirror of
https://github.com/AFLplusplus/AFLplusplus.git
synced 2025-06-08 16:21:32 +00:00
Changes: - Move advanced content to docs/. - Add links. - Fix links. - Restructure content.
37 lines
1.5 KiB
Markdown
# The afl-fuzz approach
American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple
but rock-solid instrumentation-guided genetic algorithm. It uses a modified
form of edge coverage to effortlessly pick up subtle, local-scale changes to
program control flow.

Simplifying a bit, the overall algorithm can be summed up as:

1) Load user-supplied initial test cases into the queue,

2) Take the next input file from the queue,

3) Attempt to trim the test case to the smallest size that doesn't alter
   the measured behavior of the program,

4) Repeatedly mutate the file using a balanced and well-researched variety
   of traditional fuzzing strategies,

5) If any of the generated mutations resulted in a new state transition
   recorded by the instrumentation, add mutated output as a new entry in the
   queue.

6) Go to 2.

The discovered test cases are also periodically culled to eliminate ones that
have been obsoleted by newer, higher-coverage finds; and undergo several other
instrumentation-driven effort minimization steps.

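The six-step loop and the culling paragraph above, as an added example in Python (not AFL++ code): a toy coverage-guided fuzzer that keeps a queue, trims each entry to the shortest input with the same edge set, mutates it, queues any child that records a new edge, and skips queue entries obsoleted by higher-coverage finds. The target program, its block labels, the edge representation (pairs of consecutive blocks), the four mutations and the culling rule (favor the entry reaching the most edges, then the shortest, then the newest) are all constructed here and simplify what afl-fuzz actually does.

```python
# Added example, not AFL++ code: a toy coverage-guided fuzzer that follows the
# six-step afl-fuzz loop. The target, its block labels, the mutation set and the
# culling rule are all constructed for illustration.
import random
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]  # (previous block, current block)


def byte_at(data: bytes, i: int) -> int:
    return data[i] if i < len(data) else 0  # bytes past the end read as 0


def target(data: bytes, trace: List[str]) -> None:
    """Constructed target: a header checked one byte at a time. Each block
    records its label in `trace`; the final block raises to simulate a crash."""
    trace.append("entry")
    if byte_at(data, 0) == ord("A"):
        trace.append("magic0")
        if byte_at(data, 1) == ord("F"):
            trace.append("magic1")
            if byte_at(data, 2) == ord("L"):
                trace.append("magic2")
                if byte_at(data, 3) > 0x80:
                    trace.append("bigfield")
                    if byte_at(data, 4) == 0x21:
                        trace.append("crash")
                        raise RuntimeError("simulated memory-safety bug")
    trace.append("exit")


def run(data: bytes) -> Tuple[Set[Edge], bool]:
    """One execution: the set of edges taken plus a crash flag."""
    trace: List[str] = []
    try:
        target(data, trace)
        crashed = False
    except RuntimeError:
        crashed = True
    return set(zip(trace, trace[1:])), crashed


def trim(data: bytes, edges: Set[Edge]) -> bytes:
    """Step 3: drop bytes while the edge set stays identical."""
    i = 0
    while len(data) > 1 and i < len(data):
        candidate = data[:i] + data[i + 1:]
        if run(candidate)[0] == edges:
            data = candidate  # byte i did not matter for coverage
        else:
            i += 1
    return data


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Step 4: bit flip, random byte, insert or delete."""
    buf = bytearray(data)
    op = 2 if not buf else rng.randrange(4)  # an empty input can only grow
    if op == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


@dataclass
class Entry:
    data: bytes
    edges: Set[Edge]
    trimmed: bool = False


def favored(queue: List[Entry]) -> List[int]:
    """Culling: per edge, favor the entry with the most edges, then the
    shortest, then the newest; entries favored for no edge are skipped."""
    def rank(i: int) -> Tuple[int, int, int]:
        return (len(queue[i].edges), -len(queue[i].data), i)
    best: Dict[Edge, int] = {}
    for idx, entry in enumerate(queue):
        for e in entry.edges:
            if e not in best or rank(idx) > rank(best[e]):
                best[e] = idx
    return sorted(set(best.values()))


def fuzz(seeds: List[bytes], max_execs: int = 150_000, per_entry: int = 64,
         rng_seed: int = 0) -> Tuple[List[Entry], Set[Edge], List[bytes]]:
    """Steps 1-6; stops at the first crash or when the execution budget is spent."""
    rng = random.Random(rng_seed)
    queue = [Entry(s, run(s)[0]) for s in seeds]  # step 1
    seen: Set[Edge] = set().union(*(e.edges for e in queue))
    crashes: List[bytes] = []
    execs = 0
    while execs < max_execs and not crashes:  # step 6: back to step 2
        for idx in favored(queue):  # step 2, culled to favored entries
            entry = queue[idx]
            if not entry.trimmed:  # step 3, once per entry
                entry.data, entry.trimmed = trim(entry.data, entry.edges), True
            for _ in range(per_entry):  # step 4
                child = mutate(entry.data, rng)
                edges, crashed = run(child)
                execs += 1
                if crashed:
                    crashes.append(child)
                if not edges <= seen:  # step 5: a new edge was recorded
                    seen |= edges
                    queue.append(Entry(child, edges))
            if crashes or execs >= max_execs:
                break
    return queue, seen, crashes
```

`fuzz([b"hello"])` first trims the seed to a single byte (no byte of it affects coverage), then grows the queue one header byte at a time until the constructed crash input is reached; the queue ends with six entries, each the shortest input that reaches its edge set. Trimming is what keeps the search efficient here: the mutation position is drawn uniformly over the input, so every byte that does not affect coverage dilutes the budget, which is the payoff step 3 is after.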
As a side result of the fuzzing process, the tool creates a small,
self-contained corpus of interesting test cases. These are extremely useful
for seeding other, labor- or resource-intensive testing regimes - for example,
for stress-testing browsers, office applications, graphics suites, or
closed-source tools.

The fuzzer is thoroughly tested to deliver out-of-the-box performance far
superior to blind fuzzing or coverage-only tools.