The afl-fuzz approach
American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. It uses a modified form of edge coverage (branch-pair tuples with coarse hit-count buckets rather than plain block coverage) to pick up subtle, local-scale changes to program control flow.
Simplifying a bit, the overall algorithm can be summed up as:
1. Load user-supplied initial test cases into the queue,
2. Take the next input file from the queue,
3. Attempt to trim the test case to the smallest size that doesn't alter the measured behavior of the program,
4. Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies,
5. If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add mutated output as a new entry in the queue.
6. Go to 2.
The discovered test cases are also periodically culled to eliminate ones that have been obsoleted by newer, higher-coverage finds; and undergo several other instrumentation-driven effort minimization steps.
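The six-step loop and the culling pass described above, as an added example written for this page (it is not AFL's code): the "instrumentation" is a hand-placed `COV.hit()` call per basic block recording (previous block, current block) edges with AFL's hit-count buckets, the target is a constructed framed-message parser with a planted off-by-one, and the queue, trim, deterministic and havoc mutation stages and favored-entry culling are simplified stand-ins for what afl-fuzz does. All names (`Coverage`, `Fuzzer`, `target`, `bucket`, `havoc`) and the seed input are assumptions of this illustration.

```python
"""Toy coverage-guided fuzzer following the afl-fuzz queue loop (illustration, not AFL code)."""
import random
from collections import defaultdict


class Coverage:
    """Edge coverage: one counter per (previous block, current block) pair."""

    def __init__(self):
        self.prev, self.hits = 0, defaultdict(int)

    def reset(self):
        self.prev, self.hits = 0, defaultdict(int)

    def hit(self, loc):
        # afl-as stores prev_loc ^ cur_loc in a shared map; a tuple is the same idea unhashed
        self.hits[(self.prev, loc)] += 1
        self.prev = loc


COV = Coverage()


def bucket(count):
    """AFL's hit-count buckets: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+."""
    for limit, b in ((1, 1), (2, 2), (3, 3), (7, 4), (15, 5), (31, 6), (127, 7)):
        if count <= limit:
            return b
    return 8


def target(data):
    """Constructed target: 'AFL!' magic, kind byte, length byte, payload, checksum byte."""
    COV.hit(1)
    if len(data) < 8:
        COV.hit(2)
        return "short"
    for i, c in enumerate(b"AFL!"):
        COV.hit(3)  # the 3->3 loop edge reaches buckets 1, 2, 3 as more magic bytes match
        if data[i] != c:
            COV.hit(4)
            return "bad magic"
    COV.hit(5)
    kind, length = data[4], data[5]
    if kind == 1:
        COV.hit(6)
        return "ping"
    if kind == 2:
        COV.hit(7)
        if length > len(data) - 6:  # planted bug: should be >=, so length == len(data) - 6 passes
            COV.hit(8)
            return "bad length"
        COV.hit(9)
        return "echo %d bytes, checksum %d" % (length, data[6 + length])  # IndexError = "crash"
    COV.hit(10)
    return "unknown kind"


def run_target(data):
    """Execute one input; return (frozenset of (edge, bucket), crashed)."""
    COV.reset()
    crashed = False
    try:
        target(data)
    except Exception:  # an uncaught exception stands in for a fatal signal
        crashed = True
    return frozenset((edge, bucket(n)) for edge, n in COV.hits.items()), crashed


INTERESTING_8 = (0x80, 0xFF, 0x00, 0x01, 0x10, 0x20, 0x40, 0x64, 0x7F)
ARITH_MAX, MAX_LEN = 35, 64


def with_byte(data, i, value):
    b = bytearray(data)
    b[i] = value & 0xFF
    return bytes(b)


def deterministic_mutations(data):
    """Walking bit flips, byte flips, small arithmetic and interesting values, per position."""
    for bit in range(len(data) * 8):
        yield with_byte(data, bit // 8, data[bit // 8] ^ (1 << (bit % 8)))
    for i, orig in enumerate(data):
        yield with_byte(data, i, orig ^ 0xFF)
        for d in range(1, ARITH_MAX + 1):
            yield with_byte(data, i, orig + d)
            yield with_byte(data, i, orig - d)
        for v in INTERESTING_8:
            yield with_byte(data, i, v)


def havoc(data, rng, others):
    """Stacked random mutations, occasionally splicing in another queue entry."""
    b = bytearray(data)
    for _ in range(1 << rng.randint(1, 5)):
        op = rng.randrange(5)
        if op == 0 and b:
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        elif op == 1 and b:
            b[rng.randrange(len(b))] = rng.randrange(256)
        elif op == 2 and b:
            i = rng.randrange(len(b))
            b[i] = (b[i] + rng.randint(-ARITH_MAX, ARITH_MAX)) & 0xFF
        elif op == 3 and len(b) > 1:
            i = rng.randrange(len(b))
            del b[i:rng.randint(i + 1, len(b))]
        elif op == 4 and others and len(b) < MAX_LEN:
            donor = rng.choice(others)
            b = bytearray(b[:rng.randrange(len(b) + 1)] + donor[rng.randrange(len(donor) + 1):])[:MAX_LEN]
    return bytes(b)


class Fuzzer:
    def __init__(self, seeds, budget=20000, havoc_iters=256, rng_seed=0):
        self.rng, self.budget, self.havoc_iters = random.Random(rng_seed), budget, havoc_iters
        self.execs, self.virgin, self.queue, self.crashes = 0, set(), [], {}
        for s in seeds:  # step 1: seed the queue
            self.consider(s)

    def run(self, data):
        self.execs += 1
        return run_target(data)

    def consider(self, data):
        """Step 5: keep the input only if it hits a new edge or a new hit-count bucket."""
        sig, crashed = self.run(data)
        if crashed:
            self.crashes.setdefault(sig, data)  # one crash per coverage signature
        new = sig - self.virgin
        if new:
            self.virgin |= new
            self.queue.append((data, sig))
        return bool(new)

    def trim(self, data, sig):
        """Step 3: delete blocks while the edge signature stays identical."""
        step = max(len(data) // 16, 1)
        while step >= 1 and len(data) > 1:
            pos = 0
            while pos < len(data):
                cand = data[:pos] + data[pos + step:]
                if self.run(cand)[0] == sig:
                    data = cand
                else:
                    pos += step
            step //= 2
        return data

    def favored(self):
        """Cull: the smallest entry covering each edge is favored; the rest get less effort."""
        best = {}
        for data, sig in self.queue:
            for item in sig:
                if item not in best or len(data) < len(best[item]):
                    best[item] = data
        return set(best.values())

    def loop(self):
        idx = 0
        while idx < len(self.queue) and self.execs < self.budget:  # steps 2 and 6
            data, sig = self.queue[idx]
            data = self.trim(data, sig)
            self.queue[idx] = (data, sig)
            iters = self.havoc_iters if data in self.favored() else self.havoc_iters // 4
            for m in deterministic_mutations(data):  # step 4, deterministic stages
                self.consider(m)
            others = [d for d, _ in self.queue]
            for _ in range(iters):  # step 4, random stage
                self.consider(havoc(data, self.rng, others))
            idx += 1
        return self


if __name__ == "__main__":
    fz = Fuzzer([b"AFL!\x00\x00\x00\x00"]).loop()  # constructed seed: valid header, kind 0
    print("execs", fz.execs, "queue", len(fz.queue), "crashes", len(fz.crashes))
    for d in fz.crashes.values():
        print("crash:", d)
```

Starting from a seed with a valid header, the deterministic stages alone walk the queue to the crash: a bit flip on byte 4 yields the kind-2 entry (new edges 5->7 and 7->9), and when that entry is dequeued, a bit flip on byte 5 sets length to exactly `len(data) - 6`, which the `>` check lets through. Coverage signatures include the bucketed hit count, so an input matching two magic bytes is kept as distinct from one matching three, which is the per-byte feedback that lets the fuzzer build the magic value without a dictionary.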
As a side result of the fuzzing process, the tool creates a small, self-contained corpus of interesting test cases. These are extremely useful for seeding other, labor- or resource-intensive testing regimes - for example, for stress-testing browsers, office applications, graphics suites, or closed-source tools.
The fuzzer is thoroughly tested to deliver out-of-the-box performance far superior to blind fuzzing or coverage-only tools.