You should read docs/README. It's pretty short. If you really can't, here's how to hit the ground running:
- Compile AFL with 'make'. If the build fails, see docs/INSTALL for tips.
- Find or write a simple program that takes its input from stdin or a file, processes it, and exits cleanly. If it is a network service, modify it to run in the foreground and read from stdin. If the input format uses checksums, comment out the checksum verification code too, otherwise almost every mutated input is rejected before it reaches the code you want to test. The program must crash when a fault is encountered: watch out for custom SIGSEGV and SIGABRT handlers and for work done in background processes, both of which hide crashes from the fuzzer.
- Compile the program via afl-gcc, e.g.:

  CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared
  make clean all
- Use a small but valid input file that makes sense to the program. When fuzzing a verbose syntax (SQL, HTTP, etc.), learn about dictionaries and use one.
- If the program reads from stdin, run afl-fuzz like so:

  ./afl-fuzz -i testcase_dir -o findings_dir -- \
    /path/to/tested/program [...program's cmdline...]

  If the program takes its input from a file, put "@@" in the program's command line; AFL will substitute an auto-generated file name for it.
- Investigate anything shown in red in the fuzzer UI, and consult the docs:
- docs/README - A general introduction to AFL,
- docs/perf_tips.txt - Simple tips on how to fuzz more quickly,
- docs/status_screen.txt - An explanation of the tidbits shown in the UI,
- docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores.
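Putting the steps above together, here is a minimal fuzz target of the kind step 2 asks for: it reads its whole input from stdin or from the file named in argv[1] (so "@@" works), parses a tiny record format, exits cleanly on bad input, and crashes on the one malformed case it fails to check. This is an added example, not code from the AFL project or its docs; the record format, the bug planted in it, the AFL_NO_CHECKSUM macro and the /path/to/afl-gcc build lines in the header comment are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed toy record format (not a real protocol):
 *   bytes 0..2   magic "REC"
 *   byte  3      payload length N (0..255)
 *   bytes 4..    N payload bytes
 *   byte  4+N    checksum: XOR of the payload bytes
 *
 * Build, seed and fuzz (paths are assumptions, not fixed AFL locations):
 *   /path/to/afl-gcc -g -DAFL_NO_CHECKSUM -o target target.c
 *   mkdir in && printf 'REC\005hello\142' > in/seed
 *   /path/to/afl-fuzz -i in -o out -- ./target @@
 */

#define MAX_PAYLOAD 16

enum parse_status { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_BAD_CHECKSUM };

struct record {
    uint8_t payload[MAX_PAYLOAD];
    size_t len;
};

uint8_t xor_checksum(const uint8_t *p, size_t n) {
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum ^= p[i];
    return sum;
}

/* Parses one record from buf into *rec. Returns a parse_status value. */
int parse_record(const uint8_t *buf, size_t len, struct record *rec) {
    if (len < 5 || memcmp(buf, "REC", 3) != 0)
        return PARSE_BAD_MAGIC;
    size_t n = buf[3];
    if (len < 4 + n + 1)
        return PARSE_TRUNCATED;

    /* The checksum check step 2 tells you to disable. A random mutation
     * passes it only 1 time in 256, so nearly every fuzz case would stop
     * here; build with -DAFL_NO_CHECKSUM to skip it while fuzzing. */
#ifndef AFL_NO_CHECKSUM
    if (xor_checksum(buf + 4, n) != buf[4 + n])
        return PARSE_BAD_CHECKSUM;
#endif

    /* Constructed bug for AFL to find: n is attacker-controlled and is never
     * compared with MAX_PAYLOAD, so a record declaring more than 16 payload
     * bytes overflows rec->payload. A correct parser rejects n > MAX_PAYLOAD
     * before copying. */
    memcpy(rec->payload, buf + 4, n);
    rec->len = n;
    return PARSE_OK;
}

/* Reads up to cap bytes from f; used for both stdin and the "@@" file. */
size_t read_all(FILE *f, uint8_t *buf, size_t cap) {
    size_t total = 0, got;
    while (total < cap && (got = fread(buf + total, 1, cap - total, f)) > 0)
        total += got;
    return total;
}

int main(int argc, char **argv) {
    static uint8_t buf[4096];
    FILE *f = stdin;
    if (argc > 1 && (f = fopen(argv[1], "rb")) == NULL) {
        perror(argv[1]);
        return 1;
    }
    size_t len = read_all(f, buf, sizeof buf);
    if (f != stdin)
        fclose(f);

    struct record rec;
    int rc = parse_record(buf, len, &rec);
    if (rc != PARSE_OK) {
        /* Reject malformed input with a plain exit: AFL counts only signals
         * (SIGSEGV, SIGABRT, ...) as crashes, never a non-zero exit status. */
        fprintf(stderr, "rejected: status %d\n", rc);
        return 1;
    }
    printf("ok: %zu payload bytes\n", rec.len);
    return 0;
}
```

Built without -DAFL_NO_CHECKSUM, the planted overflow sits behind the checksum and AFL has to guess the right byte for every candidate; built with it, a mutation that bumps byte 3 above 16 is enough to reach the bug. For the dictionary step, a file containing a line such as magic="REC" passed with afl-fuzz -x lets the fuzzer re-insert the magic it would otherwise have to rediscover.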