life_pro_tips.txt

# ===================
# AFL "Life Pro Tips"
# ===================
#
# Bite-sized advice for those who understand the basics, but can't be bothered
# to read or memorize every other piece of documentation for AFL.
#

%

Get more bang for your buck by using fuzzing dictionaries.
See dictionaries/README.dictionaries to learn how.

%

You can get the most out of your hardware by parallelizing AFL jobs.
See docs/parallel_fuzzing.txt for step-by-step tips.

%

Improve the odds of spotting memory corruption bugs with libdislocator.so!
It's easy. Consult libdislocator/README.dislocator for usage tips.

%

Want to understand how your target parses a particular input file?
Try the bundled afl-analyze tool; it's got colors and all!

%

You can visually monitor the progress of your fuzzing jobs.
Run the bundled afl-plot utility to generate browser-friendly graphs.

%

Need to monitor AFL jobs programmatically? Check out the fuzzer_stats file
in the AFL output dir or try afl-whatsup.

%

Puzzled by something showing up in red or purple in the AFL UI?
It could be important - consult docs/status_screen.txt right away!

%

Know your target? Convert it to persistent mode for a huge performance gain!
Consult section #5 in llvm_mode/README.llvm for tips.

%

Using clang? Check out llvm_mode/ for a faster alternative to afl-gcc!

%

Did you know that AFL can fuzz closed-source or cross-platform binaries?
Check out qemu_mode/README.qemu for more.

%

Did you know that afl-fuzz can minimize any test case for you?
Try the bundled afl-tmin tool - and get small repro files fast!

%

Not sure if a crash is exploitable? AFL can help you figure it out. Specify
-C to enable the peruvian were-rabbit mode. See section #10 in README for more.

%

Trouble dealing with a machine uprising? Relax, we've all been there.
Find essential survival tips at http://lcamtuf.coredump.cx/prep/.

%

AFL-generated corpora can be used to power other testing processes.
See section #2 in README for inspiration - it tends to pay off!

%

Want to automatically spot non-crashing memory handling bugs?
Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.

%

Good selection of input files is critical to a successful fuzzing job.
See section #5 in README (or docs/perf_tips.txt) for pro tips.

%

You can improve the odds of automatically spotting stack corruption issues.
Specify AFL_HARDEN=1 in the environment to enable hardening flags.

%

Bumping into problems with non-reproducible crashes? It happens, but usually
isn't hard to diagnose. See section #7 in README for tips.

%

Fuzzing is not just about memory corruption issues in the codebase. Add some
sanity-checking assert() / abort() statements to effortlessly catch logic bugs.

%

Hey kid... pssst... want to figure out how AFL really works?
Check out docs/technical_details.txt for all the gory details in one place!

%

There's a ton of third-party helper tools designed to work with AFL!
Be sure to check out docs/sister_projects.txt before writing your own.

%

Need to fuzz the command-line arguments of a particular program?
You can find a simple solution in experimental/argv_fuzzing.

%

Attacking a format that uses checksums? Remove the checksum-checking code or
use a postprocessor! See experimental/post_library/ for more.

%

Dealing with a very slow target or hoping for instant results? Specify -d
when calling afl-fuzz!

%
	# ===================
	# AFL "Life Pro Tips"
	# ===================
	#
	# Bite-sized advice for those who understand the basics, but can't be bothered
	# to read or memorize every other piece of documentation for AFL.
	#

	%

	Get more bang for your buck by using fuzzing dictionaries.
	See dictionaries/README.dictionaries to learn how.

	%

	You can get the most out of your hardware by parallelizing AFL jobs.
	See docs/parallel_fuzzing.txt for step-by-step tips.

	%

	Improve the odds of spotting memory corruption bugs with libdislocator.so!
	It's easy. Consult libdislocator/README.dislocator for usage tips.

	%

	Want to understand how your target parses a particular input file?
	Try the bundled afl-analyze tool; it's got colors and all!

	%

	You can visually monitor the progress of your fuzzing jobs.
	Run the bundled afl-plot utility to generate browser-friendly graphs.

	%

	Need to monitor AFL jobs programmatically? Check out the fuzzer_stats file
	in the AFL output dir or try afl-whatsup.

	%

	Puzzled by something showing up in red or purple in the AFL UI?
	It could be important - consult docs/status_screen.txt right away!

	%

	Know your target? Convert it to persistent mode for a huge performance gain!
	Consult section #5 in llvm_mode/README.llvm for tips.

	%

	Using clang? Check out llvm_mode/ for a faster alternative to afl-gcc!

	%

	Did you know that AFL can fuzz closed-source or cross-platform binaries?
	Check out qemu_mode/README.qemu for more.

	%

	Did you know that afl-fuzz can minimize any test case for you?
	Try the bundled afl-tmin tool - and get small repro files fast!

	%

	Not sure if a crash is exploitable? AFL can help you figure it out. Specify
	-C to enable the peruvian were-rabbit mode. See section #10 in README for more.

	%

	Trouble dealing with a machine uprising? Relax, we've all been there.
	Find essential survival tips at http://lcamtuf.coredump.cx/prep/.

	%

	AFL-generated corpora can be used to power other testing processes.
	See section #2 in README for inspiration - it tends to pay off!

	%

	Want to automatically spot non-crashing memory handling bugs?
	Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.

	%

	Good selection of input files is critical to a successful fuzzing job.
	See section #5 in README (or docs/perf_tips.txt) for pro tips.

	%

	You can improve the odds of automatically spotting stack corruption issues.
	Specify AFL_HARDEN=1 in the environment to enable hardening flags.

	%

	Bumping into problems with non-reproducible crashes? It happens, but usually
	isn't hard to diagnose. See section #7 in README for tips.

	%

	Fuzzing is not just about memory corruption issues in the codebase. Add some
	sanity-checking assert() / abort() statements to effortlessly catch logic bugs.

	%

	Hey kid... pssst... want to figure out how AFL really works?
	Check out docs/technical_details.txt for all the gory details in one place!

	%

	There's a ton of third-party helper tools designed to work with AFL!
	Be sure to check out docs/sister_projects.txt before writing your own.

	%

	Need to fuzz the command-line arguments of a particular program?
	You can find a simple solution in experimental/argv_fuzzing.

	%

	Attacking a format that uses checksums? Remove the checksum-checking code or
	use a postprocessor! See experimental/post_library/ for more.

	%

	Dealing with a very slow target or hoping for instant results? Specify -d
	when calling afl-fuzz!

	%