Aflpp
Automate AFL++ fuzzing workflows and integrate advanced security vulnerability discovery into your code
Aflpp is a community skill for using AFL++ (American Fuzzy Lop plus plus) to discover software vulnerabilities through fuzz testing, covering instrumentation setup, corpus management, crash triage, custom mutators, and persistent mode fuzzing for efficient bug discovery.
What Is This?
Overview
Aflpp provides patterns for using AFL++ to find bugs in C and C++ programs through coverage-guided fuzzing. It covers instrumentation setup that compiles target programs with AFL++ compilers to track code coverage during fuzzing, corpus management that organizes and minimizes seed inputs for effective exploration of program paths, crash triage that analyzes fuzzer-discovered crashes for uniqueness and severity classification, custom mutators that extend AFL++ mutation strategies for format-aware or protocol-aware fuzzing, and persistent mode fuzzing that runs target functions in a loop without process restart for dramatically higher execution speed. The skill enables security researchers and developers to discover memory corruption and logic bugs through automated testing.
Who Should Use This
This skill serves security researchers finding vulnerabilities in C and C++ libraries and applications, developers testing parser and protocol implementations for robustness, and QA teams integrating fuzz testing into continuous security testing workflows.
Why Use It?
Problems It Solves
Manual testing cannot explore the enormous input space of programs that process complex data formats. Unit tests only cover anticipated edge cases while fuzzing discovers unexpected failure modes. Memory corruption bugs like buffer overflows and use-after-free are difficult to trigger with handwritten test cases. Coverage plateaus with random input generation that does not use feedback from program execution.
Core Highlights
Coverage-guided fuzzing uses instrumentation feedback to evolve inputs that explore new code paths. Persistent mode achieves thousands of executions per second by avoiding process restart overhead. Corpus minimization reduces seed sets to the smallest inputs that maintain full coverage. Custom mutators enable structure-aware fuzzing for protocol and format parsers.
How to Use It?
Basic Usage
// Persistent mode harness
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// AFL++ persistent mode
__AFL_FUZZ_INIT();
int main() {
// Deferred forkserver
__AFL_INIT();
unsigned char *buf =
__AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(10000)) {
int len =
__AFL_FUZZ_TESTCASE_LEN;
if (len < 4) continue;
// Call target function
// with fuzzed input
parse_input(
buf, len);
}
return 0;
}
// Compile:
// afl-clang-fast -o fuzz
// harness.c target.c
// -fsanitize=address
// Run:
// afl-fuzz -i corpus/
// -o findings/ -- ./fuzzReal-World Examples
export CC=afl-clang-fast
export CXX=afl-clang-fast++
export CFLAGS="\
-fsanitize=address \
-fno-omit-frame-pointer"
cd target-project
./configure
make clean && make
afl-cmin -i raw_seeds/ \
-o corpus/ \
-- ./target @@
afl-fuzz -i corpus/ \
-o findings/ \
-M fuzzer01 \
-- ./target @@
afl-fuzz -i corpus/ \
-o findings/ \
-S fuzzer02 \
-- ./target @@
afl-tmin -i findings/\
fuzzer01/crashes/id:000000 \
-o minimized_crash \
-- ./target @@Advanced Tips
Use AFL++ CMPLOG mode with -c 0 to solve complex comparisons like magic bytes and checksum validation that block coverage progress. Run multiple fuzzer instances with different mutation strategies using -M for the primary and -S for secondary instances to maximize coverage diversity. Combine AFL++ with ASan and UBSan in the same build to catch both memory errors and undefined behavior during fuzzing.
When to Use It?
Use Cases
Fuzz a C image parsing library to discover buffer overflows in malformed input handling. Test a network protocol parser with structure-aware mutators for protocol-specific fuzzing. Integrate AFL++ into CI to run nightly fuzz testing on security-critical code paths.
Related Topics
Fuzz testing, AFL++, coverage-guided fuzzing, vulnerability discovery, and memory safety.
Important Notes
Requirements
AFL++ installed with afl-clang-fast compiler wrappers. Target source code compiled with AFL++ instrumentation. Initial seed corpus with valid inputs for the target program format.
Usage Recommendations
Do: use persistent mode for targets that can process inputs without global state corruption between iterations. Minimize your seed corpus before fuzzing to reduce redundant coverage. Enable ASan alongside AFL++ to detect memory violations during fuzzing.
Don't: use excessively large seed files that slow down mutation and execution speed. Run fuzzers without sanitizers as many bugs produce no visible crash without ASan. Ignore unique crash reports even if the program handles them gracefully in release builds.
Limitations
AFL++ requires source code access for instrumented compilation and cannot fuzz closed-source binaries as effectively. Persistent mode harnesses must ensure the target function does not leak state between iterations. Fuzzing throughput decreases significantly for targets with slow initialization or heavy filesystem operations.
More Skills You Might Like
Explore similar skills to enhance your workflow
Pagerduty Automation
Automate PagerDuty tasks via Rube MCP (Composio): manage incidents, services, schedules, escalation policies, and on-call rotations. Always search too
N8n Workflow Patterns
Design and automate complex n8n workflow patterns for seamless business process integration and data synchronization
Dock Certs Automation
Automate Dock Certs operations through Composio's Dock Certs toolkit
Labs64 Netlicensing Automation
Automate Labs64 Netlicensing tasks via Rube MCP (Composio)
Senior Devops
Professional automation of cloud infrastructure and integration of continuous delivery pipelines for DevOps
Websocket Engineer
Automate and integrate WebSocket Engineer tools for real-time communication