# American Fuzzy Lop plus plus (AFL++)

<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/master/static/aflpp_bg.svg" alt="AFL++ logo" width="250" height="250">

Release version: [4.00c](https://github.com/AFLplusplus/AFLplusplus/releases)

GitHub version: 4.01a

Repository:
[https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)

AFL++ is maintained by:

* Marc "van Hauser" Heuse <mh@mh-sec.de>
* Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de>
* Andrea Fioraldi <andreafioraldi@gmail.com>
* Dominik Maier <mail@dmnk.co>
* Documentation: Jana Aydinbas <jana.aydinbas@gmail.com>

Originally developed by Michał "lcamtuf" Zalewski.

AFL++ is a superior fork of Google's AFL - more speed, more and better
mutations, more and better instrumentation, custom module support, etc.

You are free to copy, modify, and distribute AFL++ with attribution under the
terms of the Apache-2.0 License. See the [LICENSE](LICENSE) for details.

## Getting started

Here is some information to get you started:

* For an overview of the AFL++ documentation and a very helpful graphical guide,
  please visit [docs/README.md](docs/README.md).
* To get you started with tutorials, go to
  [docs/tutorials.md](docs/tutorials.md).
* For releases, see the
  [Releases tab](https://github.com/AFLplusplus/AFLplusplus/releases) and
  [branches](#branches). The best branches to use are, however, `stable` or
  `dev` - depending on your risk appetite. Also take a look at the list of
  [important changes in AFL++](docs/important_changes.md) and the list of
  [features](docs/features.md).
* If you want to use AFL++ for your academic work, check the
  [papers page](https://aflplus.plus/papers/) on the website.
* To cite our work, look at the [Cite](#cite) section.
* For comparisons, use the fuzzbench `aflplusplus` setup, or use
  `afl-clang-fast` with `AFL_LLVM_CMPLOG=1`. You can find the `aflplusplus`
  default configuration on Google's
  [fuzzbench](https://github.com/google/fuzzbench/tree/master/fuzzers/aflplusplus).

## Building and installing AFL++

To have AFL++ easily available with everything compiled, pull the image directly
from the Docker Hub (available for x86_64 and arm64):

```shell
docker pull aflplusplus/aflplusplus
docker run -ti -v /location/of/your/target:/src aflplusplus/aflplusplus
```

This image is automatically generated when a push to the stable repo happens
(see [branches](#branches)). If you use the command above, you will find your
target source code in `/src` in the container.

To build AFL++ yourself - *which we recommend* - continue at
[docs/INSTALL.md](docs/INSTALL.md).

## Quick start: Fuzzing with AFL++

*NOTE: Before you start, please read about the
[common sense risks of fuzzing](docs/fuzzing_in_depth.md#0-common-sense-risks).*

This is a quick start for fuzzing targets with the source code available. To
read about the process in detail, see
[docs/fuzzing_in_depth.md](docs/fuzzing_in_depth.md).

To learn about fuzzing other targets, see:
* Binary-only targets:
  [docs/fuzzing_binary-only_targets.md](docs/fuzzing_binary-only_targets.md)
* Network services:
  [docs/best_practices.md#fuzzing-a-network-service](docs/best_practices.md#fuzzing-a-network-service)
* GUI programs:
  [docs/best_practices.md#fuzzing-a-gui-program](docs/best_practices.md#fuzzing-a-gui-program)

Step-by-step quick start:

1. Compile the program or library to be fuzzed using `afl-cc`. A common way to
   do this would be:

   ```shell
   CC=/path/to/afl-cc CXX=/path/to/afl-c++ ./configure --disable-shared
   make clean all
   ```

2. Get a small but valid input file that makes sense to the program. When
   fuzzing verbose syntax (SQL, HTTP, etc.), create a dictionary as described in
   [dictionaries/README.md](dictionaries/README.md), too.

3. If the program reads from stdin, run `afl-fuzz` like so:

   ```shell
   ./afl-fuzz -i seeds_dir -o output_dir -- \
     /path/to/tested/program [...program's cmdline...]
   ```

   To add a dictionary, add `-x /path/to/dictionary.txt` to afl-fuzz.

   If the program takes input from a file, you can put `@@` in the program's
   command line; AFL++ will put an auto-generated file name in there for you.

4. Investigate anything shown in red in the fuzzer UI by promptly consulting
   [docs/afl-fuzz_approach.md#understanding-the-status-screen](docs/afl-fuzz_approach.md#understanding-the-status-screen).

5. You will find crashes and hangs in the subdirectories `crashes/` and
   `hangs/` in the `-o output_dir` directory. You can replay the crashes by
   feeding them to the target, e.g. if your target is using stdin:

   ```shell
   cat output_dir/crashes/id:000000,* | /path/to/tested/program [...program's cmdline...]
   ```

   You can generate cores or use gdb directly to follow up the crashes.

6. We cannot stress this enough - if you want to fuzz effectively, read the
   [docs/fuzzing_in_depth.md](docs/fuzzing_in_depth.md) document!
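
As an added example (not code from the AFL++ README or project), this POSIX shell helper automates the replay in step 5: it walks `output_dir/crashes/`, feeds each `id:*` file to the target either on stdin or in place of `@@` (the same convention afl-fuzz uses for the `-o`/`@@` command line), and reports which inputs still kill the target with a signal. The function names `replay_one` and `replay_crashes`, the 10 second bound per replay and the target command line are assumptions.

```shell
# Added example, not part of the AFL++ README or the AFL++ tool set: replay
# every crash input afl-fuzz stored under <output_dir>/crashes/ and report
# which ones still terminate the target with a signal. The helper names
# (replay_one, replay_crashes) and the 10 s bound are assumptions.

# replay_one <crash_file> <target> [args...]
# Substitutes the crash file for "@@" in the target command line (the same
# convention afl-fuzz uses); without "@@" the file is fed on stdin.
# Prints the raw exit status; 128+N means the target died from signal N.
replay_one() {
  input="$1"; shift
  uses_file=0
  for arg in "$@"; do
    shift
    if [ "$arg" = "@@" ]; then set -- "$@" "$input"; uses_file=1
    else set -- "$@" "$arg"; fi
  done
  # Bound each replay so a hang cannot stall the loop (no bound if timeout is missing)
  if command -v timeout >/dev/null 2>&1; then run="timeout 10"; else run=""; fi
  rc=0
  if [ "$uses_file" -eq 1 ]; then
    $run "$@" </dev/null >/dev/null 2>&1 || rc=$?
  else
    $run "$@" <"$input" >/dev/null 2>&1 || rc=$?
  fi
  echo "$rc"
}

# replay_crashes <output_dir> <target> [args...]
# Iterates the id:* files (afl-fuzz also drops a README.txt there, which is
# skipped). Returns 0 only when every stored crash reproduced.
replay_crashes() {
  outdir="$1"; shift
  total=0; failed=0
  for f in "$outdir"/crashes/id:*; do
    [ -e "$f" ] || continue
    total=$((total + 1))
    status=$(replay_one "$f" "$@")
    if [ "$status" -gt 128 ]; then
      echo "REPRODUCED signal $((status - 128)): $f"
    else
      # Exit status 124 here means the timeout fired, i.e. a hang, not a crash.
      echo "NOT REPRODUCED (exit $status): $f"
      failed=$((failed + 1))
    fi
  done
  echo "$((total - failed))/$total crashes reproduced"
  return $((failed > 0))
}
```

Inputs that report as not reproduced are the ones to look at with a core dump or gdb, as step 5 suggests, since a crash that only shows up under afl-fuzz often depends on instrumentation, environment or a timeout rather than the input alone.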

## Contact

Questions? Concerns? Bug reports?

* The contributors can be reached via (e.g., by creating an issue):
  [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).
* Take a look at our [FAQ](docs/FAQ.md). If you find an interesting or important
  question missing, submit it via
  [https://github.com/AFLplusplus/AFLplusplus/discussions](https://github.com/AFLplusplus/AFLplusplus/discussions).
* Best: join the [Awesome Fuzzing](https://discord.gg/gCraWct) Discord server.
* There is a (not really used) mailing list for the AFL/AFL++ project
  ([browse archive](https://groups.google.com/group/afl-users)). To compare
  notes with other users or to get notified about major new features, send an
  email to <afl-users+subscribe@googlegroups.com>, but note that this is not
  managed by us.

## Branches

The following branches exist:

* [release](https://github.com/AFLplusplus/AFLplusplus/tree/release): the latest
  release
* [stable/trunk](https://github.com/AFLplusplus/AFLplusplus/): stable state of
  AFL++ - it is synced from dev from time to time when we are satisfied with its
  stability
* [dev](https://github.com/AFLplusplus/AFLplusplus/tree/dev): development state
  of AFL++ - bleeding edge and you might catch a checkout which does not compile
  or has a bug. **We only accept PRs (pull requests) for the 'dev' branch!**
* (any other): experimental branches to work on specific features or testing new
  functionality or changes.

## Help wanted

We have several [ideas](docs/ideas.md) we would like to see in AFL++ to make it
even better. However, we already work on so many things that we do not have the
time for all the big ideas.

This can be your way to support and contribute to AFL++ - extend it to do
something cool.

For everyone who wants to contribute (and send pull requests), please read our
[contributing guidelines](CONTRIBUTING.md) before you submit.

## Special thanks

Many of the improvements to the original AFL and AFL++ wouldn't be possible
without feedback, bug reports, or patches from our contributors.

Thank you! (For people sending pull requests - please add yourself to this list
:-)

<details>

  <summary>List of contributors</summary>

  ```
  Jann Horn Hanno Boeck
  Felix Groebert Jakub Wilk
  Richard W. M. Jones Alexander Cherepanov
  Tom Ritter Hovik Manucharyan
  Sebastian Roschke Eberhard Mattes
  Padraig Brady Ben Laurie
  @dronesec Luca Barbato
  Tobias Ospelt Thomas Jarosch
  Martin Carpenter Mudge Zatko
  Joe Zbiciak Ryan Govostes
  Michael Rash William Robinet
  Jonathan Gray Filipe Cabecinhas
  Nico Weber Jodie Cunningham
  Andrew Griffiths Parker Thompson
  Jonathan Neuschaefer Tyler Nighswander
  Ben Nagy Samir Aguiar
  Aidan Thornton Aleksandar Nikolich
  Sam Hakim Laszlo Szekeres
  David A. Wheeler Turo Lamminen
  Andreas Stieger Richard Godbee
  Louis Dassy teor2345
  Alex Moneger Dmitry Vyukov
  Keegan McAllister Kostya Serebryany
  Richo Healey Martijn Bogaard
  rc0r Jonathan Foote
  Christian Holler Dominique Pelle
  Jacek Wielemborek Leo Barnes
  Jeremy Barnes Jeff Trull
  Guillaume Endignoux ilovezfs
  Daniel Godas-Lopez Franjo Ivancic
  Austin Seipp Daniel Komaromy
  Daniel Binderman Jonathan Metzman
  Vegard Nossum Jan Kneschke
  Kurt Roeckx Marcel Boehme
  Van-Thuan Pham Abhik Roychoudhury
  Joshua J. Drake Toby Hutton
  Rene Freingruber Sergey Davidoff
  Sami Liedes Craig Young
  Andrzej Jackowski Daniel Hodson
  Nathan Voss Dominik Maier
  Andrea Biondo Vincent Le Garrec
  Khaled Yakdan Kuang-che Wu
  Josephine Calliotte Konrad Welc
  Thomas Rooijakkers David Carlier
  Ruben ten Hove Joey Jiao
  fuzzah @intrigus-lgtm
  ```

</details>

## Cite

If you use AFL++ in scientific work, consider citing
[our paper](https://www.usenix.org/conference/woot20/presentation/fioraldi)
presented at WOOT'20:

    Andrea Fioraldi, Dominik Maier, Heiko Eißfeldt, and Marc Heuse. “AFL++: Combining incremental steps of fuzzing research”. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Aug. 2020.

<details>

<summary>BibTeX</summary>

  ```bibtex
  @inproceedings {AFLplusplus-Woot20,
  author = {Andrea Fioraldi and Dominik Maier and Heiko Ei{\ss}feldt and Marc Heuse},
  title = {{AFL++}: Combining Incremental Steps of Fuzzing Research},
  booktitle = {14th {USENIX} Workshop on Offensive Technologies ({WOOT} 20)},
  year = {2020},
  publisher = {{USENIX} Association},
  month = aug,
  }
  ```

</details>
