NAME

SYNOPSIS

OPTIONS

Required parameters:
  -i dir        - input directory with test cases
  -o dir        - output directory for fuzzer findings
Execution control settings:
  -p schedule   - power schedules compute a seed's performance score:
                  fast(default), explore, exploit, seek, rare, mmopt, coe, lin
                  quad -- see docs/FAQ.md for more information
  -f file       - location read by the fuzzed program (default: stdin or @@)
  -t msec       - timeout for each run (auto-scaled, default 1000 ms). Add a '+'
                  to auto-calculate the timeout, the value being the maximum.
  -m megs       - memory limit for child process (0 MB, 0 = no limit [default])
  -O            - use binary-only instrumentation (FRIDA mode)
Mutator settings:
  -D            - enable deterministic fuzzing (once per queue entry)
  -L minutes    - use MOpt(imize) mode and set the time limit for entering the
                  pacemaker mode (minutes of no new finds). 0 = immediately,
                  -1 = immediately and together with normal mutation.
                  See docs/README.MOpt.md
  -c program    - enable CmpLog by specifying a binary compiled for it.
                  if using QEMU, just use -c 0.
  -l cmplog_opts - CmpLog configuration values (e.g. "2AT"):
                  1=small files, 2=larger files (default), 3=all files,
                  A=arithmetic solving, T=transformational solving.
Fuzzing behavior settings:
  -Z            - sequential queue selection instead of weighted random
  -N            - do not unlink the fuzzing input file (for devices etc.)
  -n            - fuzz without instrumentation (non-instrumented mode)
  -x dict_file  - fuzzer dictionary (see README.md, specify up to 4 times)
Test settings:
  -s seed       - use a fixed seed for the RNG
  -V seconds    - fuzz for a specified time then terminate
  -E execs      - fuzz for an approx. no. of total executions then terminate
                  Note: not precise and can have several more executions.
Other stuff:
  -M/-S id      - distributed mode (see docs/parallel_fuzzing.md)
                  -M auto-sets -D, -Z (use -d to disable -D) and no trimming
  -F path       - sync to a foreign fuzzer queue directory (requires -M, can
                  be specified up to 32 times)
  -T text       - text banner to show on the screen
  -I command    - execute this command/script when a new crash is found
  -C            - crash exploration mode (the peruvian rabbit thing)
  -b cpu_id     - bind the fuzzing process to the specified CPU core (0-...)
  -e ext        - file extension for the fuzz test input file (if needed)
Environment variables used:
LD_BIND_LAZY: do not set LD_BIND_NOW env var for target
ASAN_OPTIONS: custom settings for ASAN
              (must contain abort_on_error=1 and symbolize=0)
MSAN_OPTIONS: custom settings for MSAN
              (must contain exitcode=86 and symbolize=0)
AFL_AUTORESUME: resume fuzzing if directory specified by -o already exists
AFL_BENCH_JUST_ONE: run the target just once
AFL_BENCH_UNTIL_CRASH: exit soon when the first crashing input has been found
AFL_CMPLOG_ONLY_NEW: do not run cmplog on initial testcases (good for resumes!)
AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash
AFL_CUSTOM_MUTATOR_LIBRARY: lib with afl_custom_fuzz() to mutate inputs
AFL_CUSTOM_MUTATOR_ONLY: avoid AFL++'s internal mutators
AFL_CYCLE_SCHEDULES: after completing a cycle, switch to a different -p schedule
AFL_DEBUG: extra debugging output for Python mode trimming
AFL_DEBUG_CHILD: do not suppress stdout/stderr from target
AFL_DISABLE_TRIM: disable the trimming of test cases
AFL_DUMB_FORKSRV: use fork server without feedback from target
AFL_EXIT_WHEN_DONE: exit when all inputs are run and no new finds are found
AFL_EXIT_ON_TIME: exit when no new coverage finds are made within the specified time period
AFL_EXPAND_HAVOC_NOW: immediately enable expand havoc mode (default: after 60 minutes and a cycle without finds)
AFL_FAST_CAL: limit the calibration stage to three cycles for speedup
AFL_FORCE_UI: force showing the status screen (for virtual consoles)
AFL_FORKSRV_INIT_TMOUT: time spent waiting for forkserver during startup (in milliseconds)
AFL_HANG_TMOUT: override timeout value (in milliseconds)
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: don't warn about core dump handlers
AFL_IGNORE_UNKNOWN_ENVS: don't warn on unknown env vars
AFL_IGNORE_PROBLEMS: do not abort fuzzing if an incorrect setup is detected during a run
AFL_IMPORT_FIRST: sync and import test cases from other fuzzer instances first
AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)
AFL_MAP_SIZE: the shared memory size for that target. must be >= the size
              the target was compiled for
AFL_MAX_DET_EXTRAS: if more entries are in the dictionary list than this value
                    then they are randomly selected instead all of them being
                    used. Defaults to 200.
AFL_NO_AFFINITY: do not check for an unused cpu core to use for fuzzing
AFL_TRY_AFFINITY: try to bind to an unused core, but don't fail if unsuccessful
AFL_NO_ARITH: skip arithmetic mutations in deterministic stage
AFL_NO_AUTODICT: do not load an offered auto dictionary compiled into a target
AFL_NO_CPU_RED: avoid red color for showing very high cpu usage
AFL_NO_FORKSRV: run target via execve instead of using the forkserver
AFL_NO_SNAPSHOT: do not use the snapshot feature (if the snapshot lkm is loaded)
AFL_NO_UI: switch status screen off
AFL_PATH: path to AFL support binaries
AFL_PYTHON_MODULE: mutate and trim inputs with the specified Python module
AFL_QUIET: suppress forkserver status messages
AFL_PRELOAD: LD_PRELOAD / DYLD_INSERT_LIBRARIES settings for target
AFL_TARGET_ENV: pass extra environment variables to target
AFL_SHUFFLE_QUEUE: reorder the input queue randomly on startup
AFL_SKIP_BIN_CHECK: skip afl compatibility checks, also disables auto map size
AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking
AFL_STATSD: enables StatsD metrics collection
AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)
AFL_STATSD_PORT: change default statsd port (default: 8125)
AFL_STATSD_TAGS_FLAVOR: set statsd tags format (default: disable tags)
                        Supported formats are: 'dogstatsd', 'librato',
                        'signalfx' and 'influxdb'
AFL_TESTCACHE_SIZE: use a cache for testcases, improves performance (in MB)
AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)
Compiled with Python 3.8.13 module support, see docs/custom_mutator.md
Compiled without AFL_PERSISTENT_RECORD support.
Compiled with shmat support.
For additional help please consult docs/README.md :)

AUTHOR

LICENSE