AFLFast (extends AFL with Power Schedules)
C Shell Makefile C++ Other
Pull request Compare This branch is 17 commits ahead, 6 commits behind mirrorer:master.
Latest commit 501617c Sep 21, 2016 root Update config.h
Failed to load latest commit information.
dictionaries 2.28b Aug 7, 2016
docs Update docs about parallel fuzzing w/ schedules Sep 13, 2016
experimental 2.27b Aug 7, 2016
libdislocator 2.28b Aug 7, 2016
libtokencap 2.28b Aug 7, 2016
llvm_mode 2.33b Sep 7, 2016
qemu_mode 2.07b May 21, 2016
testcases 2.28b Aug 7, 2016
.gitignore Add .gitignore May 22, 2016
Makefile 2.28b Aug 7, 2016
QuickStartGuide.txt 1.87b Aug 26, 2015
README 0.47b Dec 2, 2014 Updated Sep 21, 2016
afl-analyze.c 2.26b Aug 3, 2016
afl-as.c 1.94b Sep 12, 2015
afl-as.h 2.19b Jul 24, 2016
afl-cmin 1.94b Sep 12, 2015
afl-fuzz.c More tweaks Sep 21, 2016
afl-gcc.c 2.32b Aug 25, 2016
afl-gotcpu.c 2.11b May 21, 2016
afl-plot 1.60b Apr 10, 2015
afl-showmap.c 2.26b Aug 3, 2016
afl-tmin.c 2.26b Aug 3, 2016
afl-whatsup 2.13b May 21, 2016
alloc-inl.h 1.94b Sep 12, 2015
config.h Update config.h Sep 21, 2016
debug.h 2.03b Mar 2, 2016
hash.h 2.15b Jul 24, 2016
khash.h Initial Commit of AFLFast and port to AFL 2.28b Aug 12, 2016
test-instr.c 0.47b Dec 2, 2014
types.h 2.24b Aug 3, 2016


Power schedules implemented by Marcel Böhme <>. AFLFast is an extension of AFL which is written and maintained by Michal Zalewski <>.

AFLFast is a fork of AFL that has been shown to outperform AFL 1.96b by an order of magnitude! It helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took 2nd place in terms of #POVs proven (see red bar at AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes.

Note: In parallel mode, we suggest to run the master using the exploit schedule (-p exploit) and the slaves with a combination of cut-off-exponential (-p coe), exponential (-p fast; default), and explore (-p explore) schedules. In single mode, the default settings will do.

Essentially, we observed that most generated inputs exercise the same few "high-frequency" paths and developed strategies to gravitate towards low-frequency paths, to stress significantly more program behavior in the same amount of time. We devised several search strategies that decide in which order the seeds should be fuzzed and power schedules that smartly regulate the number of inputs generated from a seed (i.e., the time spent fuzzing a seed). We call the number of inputs generated from a seed, the seed's energy.

We find that AFL's exploitation-based constant schedule assigns too much energy to seeds exercising high-frequency paths (e.g., paths that reject invalid inputs) and not enough energy to seeds exercising low-frequency paths (e.g., paths that stress interesting behaviors). Technically, we modified the computation of a seed's performance score (calculate_score), which seed is marked as favourite (update_bitmap_score), and which seed is chosen next from the circular queue (main). We implemented the following schedules (in the order of their effectiveness, best first):

AFL flag Power Schedule
-p fast (default) FAST
-p coe COE
-p explore EXPLORE
-p quad QUAD
-p lin LIN
-p exploit (AFL) LIN

where α(i) is the performance score that AFL uses to compute for the seed input i, β(i)>1 is a constant, s(i) is the number of times that seed i has been chosen from the queue, f(i) is the number of generated inputs that exercise the same path as seed i, and μ is the average number of generated inputs exercising a path.

More details can be found in our paper that was recently accepted at the 23rd ACM Conference on Computer and Communications Security (CCS'16).

PS: The most recent version of AFL (2.33b) implements the explore schedule which yielded a significance performance boost. We are currently conducting experiments with a hybrid version between AFLFast and 2.33b and report back soon.

Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. Released under terms and conditions of Apache License, Version 2.0.