The performance fuzzer is designed to identify performance hot spots. This fuzzer is built on top of AFL, which was originally developed by Michal Zalewski [email protected].
See Refactoring Logs if you want to understand the implementation details. In section , we also present an overall on the core implementation.
Here is a general installation guide on the fuzzer. You should also check out our cheatsheet that summarizes the overall workflow of the fuzzer. The steps are the following:
- Compile the fuzzer with
make - Compile the
llvmmode withmake - Compile the program to be fuzzed using
afl-clang-fast - Create initial tests
- Run
afl-fuzzon the tested program - Analyze the output
$ make
See LLVM README for more details.
$ cd llvm && make
If the compilation is successful, this should generate a binary afl-clang-fast in the parent directory.
The next step is to run to compile the program to be fuzzed from its source code. A common way is to assign the CC and CXX variables when running configure. This helps to select our compiled afl-clang-fast as the C compiler.
CC="/path_to_afl/afl-clang-fast" ./configure --disable-shared
make clean all
For C code, be sure to also include the CXX variable (e.g., CXX="/path_to_afl/afl-clang-fast ").
Setup a basic input file as a starting point for the fuzzer. This input file will serve as seed to the program. Make sure the program will accept this input as a valid parameter.
For programs that reads from stdin, run afl-fuzz as following:
/path_to_afl/afl-fuzz -p -i ./seeds -o seeds_out -- ./path_to_program [program cmdline]
For programs that take input from a file, you can use the @@ annotation. This will automatically replace it by the content of the file from the test case directory (i.e., ./seeds in our example below).
/path_to_afl/afl-fuzz -p -i ./seeds -o seeds_out -- ./path_to_program @@
See Workflow for more details on how afl-fuzz is implemented.
Below, we summarize in form of cheatsheet the core components that are essential for understanding the workflow in afl-fuzz.
