# Sister projects

This doc lists some of the projects that are inspired by, derived from,
designed for, or meant to integrate with AFL. See README.md for the general
instruction manual.

!!!
!!! This list is outdated and needs an update, missing: e.g. Angora, FairFuzz
!!!

## Support for other languages / environments:

### Python AFL (Jakub Wilk)

Allows fuzz-testing of Python programs. Uses custom instrumentation and its
own forkserver.

http://jwilk.net/software/python-afl

### Go-fuzz (Dmitry Vyukov)

AFL-inspired guided fuzzing approach for Go targets:

https://github.com/dvyukov/go-fuzz

### afl.rs (Keegan McAllister)

Allows Rust features to be easily fuzzed with AFL (using the LLVM mode).

https://github.com/kmcallister/afl.rs

### OCaml support (KC Sivaramakrishnan)

Adds AFL-compatible instrumentation to OCaml programs.

https://github.com/ocamllabs/opam-repo-dev/pull/23
http://canopy.mirage.io/Posts/Fuzzing

### AFL for GCJ Java and other GCC frontends (-)

GCC Java programs are actually supported out of the box: afl-gcc picks the
compiler to wrap from the name it is invoked as, so simply copy or symlink
afl-gcc to afl-gcj. Unfortunately, by default, unhandled exceptions in GCJ do
not result in abort() being called, and afl-fuzz only records a crash when
the target dies from a signal, so you will need to manually add a top-level
exception handler that calls abort() or otherwise exits with SIGABRT.

Other GCC-supported languages should be fairly easy to get working, but may
face similar problems. See https://gcc.gnu.org/frontends.html for a list of
options.

### AFL-style in-process fuzzer for LLVM (Kostya Serebryany)

Provides an evolutionary instrumentation-guided fuzzing harness that allows
some programs to be fuzzed without the fork / execve overhead. Similar
functionality is now available as the "persistent" feature described in
[the llvm_mode readme](../instrumentation/README.llvm.md).

http://llvm.org/docs/LibFuzzer.html

### TriforceAFL (Tim Newsham and Jesse Hertz)

Leverages QEMU full system emulation mode to allow AFL to target operating
systems and other alien worlds:

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/

### WinAFL (Ivan Fratric)

As the name implies, allows you to fuzz Windows binaries (using DynamoRIO).

https://github.com/ivanfratric/winafl

Another Windows alternative may be:

https://github.com/carlosgprado/BrundleFuzz/

## Network fuzzing

### Preeny (Yan Shoshitaishvili)

Provides a fairly simple way to convince dynamically linked network-centric
programs to read from a file or not fork: a set of LD_PRELOAD libraries that
override the socket and fork calls the target makes. Not AFL-specific, but
described as useful by many users. Some assembly required. Inject the library
into the target only (AFL++ provides AFL_PRELOAD for this), not into afl-fuzz
itself, or the fuzzer's own fork server breaks.

https://github.com/zardus/preeny

## Distributed fuzzing and related automation

### roving (Richo Healey)

A client-server architecture for effortlessly orchestrating AFL runs across
a fleet of machines. You don't want to use this on systems that face the
Internet or live in other untrusted environments.

https://github.com/richo/roving

### Distfuzz-AFL (Martijn Bogaard)

Simplifies the management of afl-fuzz instances on remote machines. The
author notes that the current implementation isn't secure and should not
be exposed on the Internet.

https://github.com/MartijnB/disfuzz-afl

### AFLDFF (quantumvm)

A nice GUI for managing AFL jobs.

https://github.com/quantumvm/AFLDFF

### afl-launch (Ben Nagy)

Batch AFL launcher utility with a simple CLI.

https://github.com/bnagy/afl-launch

### AFL Utils (rc0r)

Simplifies the triage of discovered crashes, starting parallel instances, etc.

https://github.com/rc0r/afl-utils

### AFL crash analyzer (floyd)

Another crash triage tool (the same project is also listed under crash
triage below):

https://github.com/floyd-fuh/afl-crash-analyzer

### afl-extras (fekir)

Collects data, runs afl-tmin in parallel, startup scripts.

https://github.com/fekir/afl-extras

### afl-fuzzing-scripts (Tobias Ospelt)

Simplifies starting up multiple parallel AFL jobs.

https://github.com/floyd-fuh/afl-fuzzing-scripts/

### afl-sid (Jacek Wielemborek)

Allows users to more conveniently build and deploy AFL via Docker.

https://github.com/d33tah/afl-sid

Another Docker-related project:

https://github.com/ozzyjohnson/docker-afl

### afl-monitor (Paul S. Ziegler)

Provides more detailed and versatile statistics about your running AFL jobs.

https://github.com/reflare/afl-monitor

### FEXM (Security in Telecommunications)

Fully automated fuzzing framework, based on AFL.

https://github.com/fgsect/fexm

## Crash triage, coverage analysis, and other companion tools:

### afl-crash-analyzer (Tobias Ospelt)

Makes it easier to navigate and annotate crashing test cases.

https://github.com/floyd-fuh/afl-crash-analyzer/

### Crashwalk (Ben Nagy)

AFL-aware tool to annotate and sort through crashing test cases.

https://github.com/bnagy/crashwalk

### afl-cov (Michael Rash)

Produces human-readable coverage data based on the output queue of afl-fuzz
(the queue is replayed against a separate gcov-instrumented build of the
target).

https://github.com/mrash/afl-cov

### afl-sancov (Bhargava Shastry)

Similar to afl-cov, but uses clang sanitizer coverage instrumentation.

https://github.com/bshastry/afl-sancov

### RecidiVM (Jakub Wilk)

Makes it easy to estimate memory usage limits when fuzzing with ASAN or MSAN.

http://jwilk.net/software/recidivm

### aflize (Jacek Wielemborek)

Automatically builds AFL-enabled versions of Debian packages.

https://github.com/d33tah/aflize

### afl-ddmin-mod (Markus Teufelberger)

A variant of afl-tmin that uses a more sophisticated (but slower)
minimization algorithm.

https://github.com/MarkusTeufelberger/afl-ddmin-mod

### afl-kit (Kuang-che Wu)

Replacements for afl-cmin and afl-tmin with additional features, such
as the ability to filter crashes based on stderr patterns.

https://github.com/kcwu/afl-kit

## Narrow-purpose or experimental:

### Cygwin support (Ali Rizvi-Santiago)

Pretty self-explanatory. As per the author, this "mostly" ports AFL to
Windows. Field reports welcome!

https://github.com/arizvisa/afl-cygwin

### Pause and resume scripts (Ben Nagy)

Simple automation to suspend and resume groups of fuzzing jobs.

https://github.com/bnagy/afl-trivia

### Static binary-only instrumentation (Aleksandar Nikolich)

Allows black-box binaries to be instrumented statically (i.e., by rewriting
the binary ahead of time with Dyninst, rather than translating it on the
fly). The author reports better performance compared to QEMU mode, but
occasional translation errors with stripped binaries. The link below is a
maintained fork of the original repository.

https://github.com/vanhauser-thc/afl-dyninst

### AFL PIN (Parker Thompson)

Early-stage Intel PIN instrumentation support (from before we settled on
faster-running QEMU).

https://github.com/mothran/aflpin

### AFL-style instrumentation in llvm (Kostya Serebryany)

Allows AFL-equivalent instrumentation to be injected at compiler level.
This is currently not supported by AFL as-is, but may be useful in other
projects.

https://code.google.com/p/address-sanitizer/wiki/AsanCoverage#Coverage_counters

### AFL JS (Han Choongwoo)

One-off optimizations to speed up the fuzzing of JavaScriptCore (now likely
superseded by LLVM deferred forkserver init - see
[the llvm_mode readme](../instrumentation/README.llvm.md)).

https://github.com/tunz/afl-fuzz-js

### AFL harness for fwknop (Michael Rash)

An example of a fairly involved integration with AFL.

https://github.com/mrash/fwknop/tree/master/test/afl

### Building harnesses for DNS servers (Jonathan Foote, Ron Bowes)

Two articles outlining the general principles and showing some example code.

https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop
https://goo.gl/j9EgFf

### Fuzzer shell for SQLite (Richard Hipp)

A simple SQL shell designed specifically for fuzzing the underlying library.

http://www.sqlite.org/src/artifact/9e7e273da2030371

### Support for Python mutation modules (Christian Holler)

Now integrated in AFL++ (custom mutators); originally from here:

https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt

### Support for selective instrumentation (Christian Holler)

Now integrated in AFL++ (the instrumentation allow/deny lists); originally
from here:

https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt

### Syzkaller (Dmitry Vyukov)

A similar guided approach as applied to fuzzing syscalls:

https://github.com/google/syzkaller/wiki/Found-Bugs
https://github.com/dvyukov/linux/commit/33787098ffaaa83b8a7ccf519913ac5fd6125931
http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

### Kernel Snapshot Fuzzing using Unicornafl (Security in Telecommunications)

Fuzzes kernel code by pulling a snapshot of a running target into the Unicorn
emulator and driving it with unicornafl.

https://github.com/fgsect/unicorefuzz

### Android support (ele7enxxh)

Based on a somewhat dated version of AFL:

https://github.com/ele7enxxh/android-afl

### CGI wrapper (floyd)

Facilitates the testing of CGI scripts.

https://github.com/floyd-fuh/afl-cgi-wrapper

### Fuzzing difficulty estimation (Marcel Boehme)

A fork of AFL that tries to quantify the likelihood of finding additional
paths or crashes at any point in a fuzzing job.

https://github.com/mboehme/pythia
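## Added examples

### Persistent-mode harness (added example)

The in-process fuzzer entry above points at AFL's "persistent" feature as the
way to avoid the fork / execve cost per input. The harness below is an added
example written for this page; it is neither LibFuzzer code nor a file from
AFL++. The `__AFL_*` macros are the ones afl-clang-fast / afl-clang-lto
provide; the `#ifndef` block is the stand-in from the AFL++ persistent-mode
documentation so the same file also builds with a plain compiler, in which
case it reads a single input from stdin. `parse_record()` is a constructed
toy target (a length-prefixed record), not any real parser.

```c
/* Added example: AFL++ persistent-mode harness around a toy record parser.
 * Build for fuzzing:  afl-clang-fast -o harness harness.c
 * Plain build:        gcc -o harness harness.c   (reads one input from stdin)
 * Fuzz:               afl-fuzz -i in -o out -- ./harness
 */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#ifndef __AFL_FUZZ_TESTCASE_LEN
  /* Stand-in macros so the harness compiles without afl-clang-fast. */
  ssize_t fuzz_len;
  #define __AFL_FUZZ_TESTCASE_LEN fuzz_len
  unsigned char fuzz_buf[1024000];
  #define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
  #define __AFL_FUZZ_INIT() void sync(void);
  #define __AFL_LOOP(x) ((fuzz_len = read(0, fuzz_buf, sizeof(fuzz_buf))) > 0 ? 1 : 0)
  #define __AFL_INIT() sync()
#endif

__AFL_FUZZ_INIT();

/* Constructed target: byte 0 is the payload length, followed by that many
 * payload bytes. Copies the payload into out and returns its length, or -1
 * for a malformed record. Every bound is checked so a fuzzer cannot push it
 * into an over-read or an over-write. */
int parse_record(const unsigned char *buf, size_t len,
                 unsigned char *out, size_t out_sz) {
  if (len < 1) return -1;
  size_t n = buf[0];
  if (n > len - 1) return -1;   /* declared length exceeds the data: truncated */
  if (n > out_sz) return -1;    /* would overflow the caller's buffer */
  memcpy(out, buf + 1, n);
  return (int)n;
}

int main(void) {
  unsigned char out[255];        /* 255 is the largest length a byte encodes */

#ifdef __AFL_HAVE_MANUAL_CONTROL
  __AFL_INIT();                  /* deferred forkserver: start after setup */
#endif
  /* Shared-memory test case buffer; fetch it after __AFL_INIT and before
   * the loop, as the AFL++ persistent-mode docs require. */
  unsigned char *buf = __AFL_FUZZ_TESTCASE_BUF;

  /* afl-fuzz pushes up to 10000 inputs through this one process before it
   * re-spawns it. The target must not keep state across iterations, or
   * coverage and crashes stop being attributable to a single input. */
  while (__AFL_LOOP(10000)) {
    size_t len = __AFL_FUZZ_TESTCASE_LEN;
    parse_record(buf, len, out, sizeof out);
  }
  return 0;
}
```

The iteration count in `__AFL_LOOP` trades speed against tolerance for leaked
state: a target that accumulates heap or globals across calls needs a lower
count (or a reset between iterations) so that a crash found on iteration N is
still reproducible from that single input.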
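### De-socketing shim in the style of Preeny (added example)

The Preeny entry under network fuzzing describes overriding a server's socket
and fork calls so it reads its "connection" from a file. The shim below is an
added example constructed for this page, not preeny's code (preeny's own
libraries cover more calls and more cases); it shows the minimum that turns a
single-shot, fork-per-connection TCP server into something afl-fuzz can drive
from stdin. The file and library names (`desock_lite.c`, `./server`) are
assumptions for the usage lines.

```c
/* Added example: minimal de-fork / de-socket LD_PRELOAD shim.
 *   gcc -shared -fPIC -o desock_lite.so desock_lite.c
 *   LD_PRELOAD=./desock_lite.so ./server 8080 < testcase          # manual run
 *   AFL_PRELOAD=./desock_lite.so afl-fuzz -i in -o out -- ./server 8080
 * AFL_PRELOAD makes afl-fuzz set LD_PRELOAD for the target only; preloading
 * this into afl-fuzz itself would override its own fork() and break the
 * fork server.
 */
#include <stddef.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

static int served = 0;

/* Pretend to be the child: the request handler then runs inside the
 * instrumented, monitored process instead of in a detached child whose
 * crashes afl-fuzz would never see. */
pid_t fork(void) { return 0; }

/* Socket setup succeeds without binding anything on the host. */
int bind(int fd, const struct sockaddr *addr, socklen_t len) {
  (void)fd; (void)addr; (void)len;
  return 0;
}
int listen(int fd, int backlog) {
  (void)fd; (void)backlog;
  return 0;
}
int setsockopt(int fd, int level, int opt, const void *val, socklen_t len) {
  (void)fd; (void)level; (void)opt; (void)val; (void)len;
  return 0;
}

/* The first accept() hands the server a duplicate of stdin as the client
 * connection. When the server loops back for a second client, the single
 * test case has been consumed, so exit cleanly rather than block forever
 * (a blocked accept would otherwise count as a timeout for every input). */
int accept(int fd, struct sockaddr *addr, socklen_t *len) {
  (void)fd; (void)addr; (void)len;
  if (served) _exit(0);
  served = 1;
  return dup(STDIN_FILENO);
}

/* recv()/send() on a file or pipe fail with ENOTSOCK, so route them through
 * read()/write(). Socket-only flags such as MSG_DONTWAIT are ignored. */
ssize_t recv(int fd, void *buf, size_t n, int flags) {
  (void)flags;
  return read(fd, buf, n);
}
ssize_t send(int fd, const void *buf, size_t n, int flags) {
  (void)flags;
  return write(fd, buf, n);
}
```

Servers that use `accept4()`, `select()`/`poll()` on the listening socket, or
`getpeername()` on the client need those overridden too; that is the "some
assembly required" part. Because the override returns 0 from `fork()`, a
server that keeps accepting after each request will serve exactly one request
per process and then exit on the second `accept()`, which is the single-input
shape afl-fuzz expects.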