Awesome-AFL
Welcome to Awesome AFL
A curated list of AFL forks and AFL-inspired fuzzers, each paired with its academic paper where one exists, followed by AFL fuzzing tutorials.
Projects
-
- The original AFL. American fuzzy lop is a free, security-oriented fuzzer that uses a genetic algorithm (coverage-guided mutation of inputs) to efficiently increase the code coverage reached by its test cases. It has found significant bugs in dozens of major free software projects, including X.Org Server, PHP, OpenSSL, pngcrush, bash, Firefox, BIND, Qt, and SQLite.
-
AFL++ by van Hauser
- AFL++ is AFL 2.56b with community patches, AFLfast power schedules, a QEMU 3.1 upgrade with laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode and a lot more.
-
- A fork of AFL for fuzzing Windows binaries
-
afl-dyninst by Cisco Talos Lab
- American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries
-
TriforceAFL by Jesse Hertz and Tim Newsham of nccgroup
- A patched version of AFL that supports full-system fuzzing using QEMU. The included QEMU has been updated to trace branches while running as a system emulator for x86_64. Extra instructions have been added to start AFL's forkserver, configure fuzzing settings, and mark the start and end of test cases.
-
- Improved version of AFL's QEMU mode (https://abiondo.me/2018/09/21/improving-afl-qemu-mode/)
-
- Smart Greybox Fuzzing (https://thuanpv.github.io/publications/TSE19_aflsmart.pdf)
-
- Coverage-based Greybox Fuzzing as Markov Chain (https://mboehme.github.io/paper/CCS16.pdf)
-
WineAFLplusplusDEMO by Andrea Fioraldi
- A set of helpers and examples to fuzz Win32 binaries with AFL++ QEMU
-
- Be Sensitive and Collaborative: Analyzing Impact of Coverage Metrics in Greybox Fuzzing (https://www.cs.ucr.edu/~heng/pubs/afl-sensitive.pdf)
-
Redqueen by the SysSec lab of Ruhr University Bochum, Germany
- REDQUEEN: Fuzzing with Input-to-State Correspondence (http://synthesis.to/papers/NDSS19-Redqueen.pdf)
-
- Run AFL with a Pin tool (Intel Pin dynamic instrumentation) for binary-only fuzzing
-
Driller by the Shellphish team of the University of California, Santa Barbara
- Augments AFL with a symbolic execution engine for hybrid fuzzing: when the fuzzer stalls, symbolic execution solves for inputs that reach new code, which are then fed back to AFL
-
- Angora is a mutation-based fuzzer whose main goal is to increase branch coverage by solving path constraints without symbolic execution. Angora: Efficient Fuzzing by Principled Search (https://arxiv.org/abs/1803.01307)
-
VUzzer by Systems and Network Security Group at VU Amsterdam
- VUzzer: Application-aware Evolutionary Fuzzing (https://www.cs.vu.nl/~giuffrida/papers/vuzzer-ndss-2017.pdf)
-
- Manul is a coverage-guided parallel fuzzer for open-source and blackbox binaries on Windows, Linux and macOS (https://www.slideshare.net/MaximShudrak/shudrak-zero-bugs-found-hold-my-beer-afl-how-to-improve-coverageguided-fuzzing-and-find-new-zerodays-in-tough-targets)
-
QSym by SSLab of Georgia Tech
- QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
-
- winAFL patch enabling the fuzzing of network-based applications
-
Unicorefuzz by The Computer Security Group at Berlin University of Technology
- Fuzzing the kernel using afl-unicorn. For details, skim through the WOOT paper or watch the talk at CCCamp19 (https://www.usenix.org/system/files/woot19-paper_maier.pdf)
-
SharpFuzz: AFL-based fuzz testing for .NET by Nemanja Mijailovic
- SharpFuzz is a tool that brings the power of afl-fuzz to the .NET platform (https://mijailovic.net/2019/01/03/sharpfuzz/)
-
Nautilus, a grammar-based feedback fuzzer by the SysSec lab of Ruhr University Bochum, Germany
-
UnTracer-AFL by Stefan Nagy (snagy2@vt.edu) and Matthew Hicks (mdhicks2@vt.edu)
-
- Seeding fuzzers with symbolic execution
-
AFLGo Maintained by @mboehme, @thuanpv, and @strongcourage
- AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations (https://mboehme.github.io/paper/CCS17.pdf)
-
afl-dyninst Maintained by van Hauser
- American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries
-
afl-dynamorio Maintained by van Hauser
- Run AFL with DynamoRIO: binary-only fuzzing with DynamoRIO and AFL
-
FairFuzz Maintained by Caroline Lemieux
- An AFL extension that increases code coverage by targeting rare branches. FairFuzz has a particular advantage on programs with highly nested structure (packet analyzers, xmllint, programs compiled with laf-intel, etc.) (http://www.carolemieux.com/fairfuzz-ase18.pdf)
-
- Superion is a grammar-aware fuzzer that extends AFL to support structured inputs such as JavaScript and XML (https://2019.icse-conferences.org/track/icse-2019-Technical-Papers#event-overview)
-
UnTracer-AFL Maintained by FoRTE-Research
- An AFL implementation with UnTracer (our coverage-guided tracer)
-
neuzz Maintained by Dongdongshe
- NEUZZ: a neural-network-assisted fuzzer (https://arxiv.org/abs/1807.05620)
-
FuzzFactory Maintained by Rohan Padhye
- FuzzFactory is an extension of AFL that generalizes coverage-guided fuzzing to domain-specific testing goals. FuzzFactory allows users to guide the fuzzer's search process without having to modify anything in AFL's search algorithm (https://dl.acm.org/doi/10.1145/3360600)
-
grimoire Maintained by RUB-SysSec
- Grimoire is a coverage-guided fuzzer for structured input languages. It is built upon Redqueen (https://www.usenix.org/system/files/sec19-blazytko.pdf)
-
kAFL Maintained by RUB-SysSec
- Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, macOS and Windows (https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schumilo.pdf)
Tutorials
-
- Materials of the "Fuzzing with AFL" workshop by Michael Macnair (@michael_macnair)
-
- An AFL coverage-improvement idea by Brendan Dolan-Gavitt (moyix) of the Computer Science and Engineering Department at NYU-Poly
-
Advanced usage of American Fuzzy Lop with real world examples
-
Advanced AFL usage with real-world examples -- preeny and dictionaries
-
Advanced AFL usage with real-world examples -- Persistent mode
-
More advanced usage of AFL with real world examples -- Fuzzing libraries
-
Investigating Windows Graphics Vulnerabilities: A Reverse Engineering and Fuzzing Story
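An added example, not code from AFL, AFL++ or any project in this list: a minimal AFL++ persistent-mode harness around a toy record parser, showing in code the coverage-guided loop the AFL entry above describes and the persistent-mode setup the tutorials cover. The record format, the parser, the sample inputs and the planted bug are all constructed for this example; the `__AFL_*` macros are AFL++'s persistent-mode API (available when the file is built with `afl-clang-fast`/`afl-cc`), and the stand-ins under `#ifndef` let the same file build with a plain C compiler and run one test case from stdin.

```c
/*
 * harness.c: AFL++ persistent-mode harness around a constructed toy parser.
 * Added example for this list; not code from AFL/AFL++ or any listed project.
 *
 * Build and run under AFL++ (assumes afl-clang-fast is on PATH):
 *   afl-clang-fast -fsanitize=address -g harness.c -o harness
 *   mkdir in && printf '\002\001A' > in/seed
 *   afl-fuzz -i in -o out -- ./harness
 * Built with plain cc it runs a single test case read from stdin.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed record format: [type:1][len:1][payload:len], repeated.
 * Returns the number of records parsed (plus bonuses), or -1 if malformed. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 2) return -1;          /* header does not fit */
        uint8_t type = buf[off];
        uint8_t plen = buf[off + 1];
        off += 2;
        if (plen > len - off) return -1;       /* payload does not fit */
        if (type == 0x01 && plen == 4 && memcmp(buf + off, "FUZZ", 4) == 0) {
            /* Guarded by a 4-byte compare: plain AFL needs luck to get past it,
             * compare-splitting (laf-intel / CmpLog) reaches it quickly. */
            n += 100;
        }
        if (type == 0x03) {
            /* Planted bug (constructed): plen, up to 255, is never checked
             * against the 16-byte stack buffer. With -fsanitize=address,
             * afl-fuzz should report this path as a crash. */
            char name[16];
            memset(name, 0, sizeof name);
            memcpy(name, buf + off, plen);
            n += (name[0] != '\0');
        }
        off += plen;
        n++;
    }
    return n;
}

/* Constructed sample inputs for a stand-alone check of the target. */
int sample_two_records(void) {
    static const uint8_t in[] = {0x02, 0x01, 0xAA, 0x01, 0x04, 'F', 'U', 'Z', 'Z'};
    return parse_records(in, sizeof in);   /* 2 records, second hits the deep branch */
}
int sample_truncated(void) {
    static const uint8_t in[] = {0x02, 0x05, 0xAA};  /* claims 5 payload bytes, has 1 */
    return parse_records(in, sizeof in);
}

#ifndef __AFL_FUZZ_TESTCASE_LEN
/* Not compiled by afl-clang-fast: stand-ins so the same main() builds and
 * runs exactly one test case from stdin. */
static unsigned char fuzz_buf[1 << 20];
static ssize_t fuzz_len;
static int fuzz_iter;
#define __AFL_FUZZ_INIT()        void afl_init_placeholder(void)
#define __AFL_INIT()             ((void)0)
#define __AFL_LOOP(n)            (fuzz_iter++ < 1)
#define __AFL_FUZZ_TESTCASE_BUF  fuzz_buf
#define __AFL_FUZZ_TESTCASE_LEN  (fuzz_len = read(0, fuzz_buf, sizeof fuzz_buf))
#endif

__AFL_FUZZ_INIT();

int main(void) {
    __AFL_INIT();                                 /* deferred forkserver start */
    unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF; /* shared-memory test case, after __AFL_INIT */
    while (__AFL_LOOP(10000)) {                   /* up to 10000 cases per process */
        int len = __AFL_FUZZ_TESTCASE_LEN;        /* length of the current case */
        if (len < 0) return 1;
        printf("%d\n", parse_records(buf, (size_t)len));
    }
    return 0;
}
```

The persistent loop is what makes AFL++ fast on a target like this: the forkserver is started once, and each iteration only reads the next case from shared memory instead of forking a new process. The `memcmp` against `"FUZZ"` is the kind of multi-byte check that motivates the laf-intel and Redqueen/CmpLog entries above, and the planted type-0x03 copy gives a known crash to confirm the fuzzer, sanitizer and crash triage are wired up before pointing the harness at real code.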