Fuzzing
From charlesreid1
Fuzzing (or fuzz testing) is an automated software testing technique that feeds invalid, unexpected, or random data as inputs to a program and monitors for crashes, hangs, failed assertions, memory leaks, or other undesirable behavior. If, for example, a program expects the user to provide an integer, and you provide 10 MB of raw binary data instead, what happens to the program?
Fuzzing is an excellent way to discover bugs, trigger exceptions, find crashes, and uncover security vulnerabilities. It is widely used by both security researchers and software developers as part of a defense-in-depth strategy.
How Fuzzing Works
Modern fuzzers typically follow a feedback loop:
- Input generation — The fuzzer generates or mutates test inputs, either from scratch (generation-based) or by modifying a seed corpus (mutation-based).
- Execution — The target program is run with the generated input.
- Instrumentation/Feedback — The fuzzer observes what code paths were exercised, typically via compile-time instrumentation (e.g., LLVM sanitizer coverage), binary instrumentation (e.g., QEMU, DynamoRIO, FRIDA), or hardware-assisted tracing (e.g., Intel PT).
- Corpus management — Inputs that trigger new code coverage are saved and used as the basis for further mutations. Inputs that do not improve coverage are discarded.
- Crash triage — When a crash or hang is detected, the fuzzer saves the crashing input for later analysis, often with deduplication to avoid storing duplicate crashes.
Key components of a fuzzing pipeline include:
- Instrumentation — Code inserted at compile time or runtime to track edge coverage, basic blocks, or comparisons.
- Sanitizers — Tools like AddressSanitizer (ASan), UndefinedBehaviorSanitizer (UBSan), and MemorySanitizer (MSan) that catch memory errors at runtime.
- Corpus minimization — Reducing the set of interesting inputs to the smallest set that achieves the same code coverage.
- Crash deduplication — Grouping crashes by root cause (e.g., by stack hash) so each unique bug is reported once.
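A minimal version of this loop, added here as an illustration rather than code from any fuzzer listed on this page: sys.settrace stands in for compile-time instrumentation, an edge is a (previous line, current line) pair, crashes are deduplicated by stack, and the constructed target parse_packet compares its magic one byte at a time (the effect laf-intel produces from a multi-byte compare) and contains an off-by-one read for the loop to find.

```python
import random, sys, traceback

def parse_packet(data: bytes) -> str:
    """Constructed target; the magic is checked byte by byte (as laf-intel splits compares)."""
    if len(data) < 6: return "short"
    if data[0] != 0x46: return "bad-magic"   # 'F': every matched byte reaches a new edge
    if data[1] != 0x55: return "bad-magic"   # 'U'
    if data[2] != 0x5A: return "bad-magic"   # 'Z'
    if data[3] != 0x5A: return "bad-magic"   # 'Z'
    n, payload = data[4], data[5:]
    if len(payload) < n: return "truncated"
    if payload[n] == 0xFF: return "terminated"   # off-by-one read when len(payload) == n
    return "ok"

def run_with_coverage(target, data):
    """Run target(data) once; return (set of line edges hit, exception or None)."""
    edges, prev = set(), [0]
    def tracer(frame, event, arg):
        if event == "line":                      # edge = (previous line, current line)
            edges.add((prev[0], frame.f_lineno)); prev[0] = frame.f_lineno
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return edges, None
    except Exception as exc:                     # crash: report it, keep the campaign going
        return edges, exc
    finally:
        sys.settrace(None)

def crash_key(exc) -> str:                       # dedup key: (line, function) chain of the stack
    return "|".join(f"{f.lineno}:{f.name}" for f in traceback.extract_tb(exc.__traceback__))
def mutate(data, corpus, rng):
    """Havoc stage: 1-4 random ops (bit flip, byte set, arithmetic, insert, delete, splice)."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op, i = rng.randrange(6), (rng.randrange(len(buf)) if buf else 0)
        if op == 0 and buf: buf[i] ^= 1 << rng.randrange(8)
        elif op == 1 and buf: buf[i] = rng.randrange(256)
        elif op == 2 and buf: buf[i] = (buf[i] + rng.randint(-16, 16)) & 0xFF
        elif op == 3 and len(buf) < 64: buf.insert(i, rng.randrange(256))
        elif op == 4 and len(buf) > 1: del buf[i]
        elif op == 5:                            # splice: our prefix + another entry's suffix
            other = rng.choice(corpus)
            buf = buf[:i] + other[rng.randrange(len(other) + 1):]
    return bytes(buf)

def fuzz(target, seeds, iterations, rng_seed=0):
    """The loop: pick a corpus entry, mutate, run, keep it if it adds edges, file crashes."""
    rng = random.Random(rng_seed)
    corpus, coverage, crashes = list(seeds), set(), {}
    for s in seeds: coverage |= run_with_coverage(target, s)[0]
    for _ in range(iterations):
        cand = mutate(rng.choice(corpus), corpus, rng)
        edges, exc = run_with_coverage(target, cand)
        if exc is not None:
            crashes.setdefault(crash_key(exc), cand)   # keep the first input per unique stack
        elif not edges <= coverage:                    # new coverage: keep as a mutation base
            coverage |= edges
            corpus.append(cand)
    return corpus, coverage, crashes

if __name__ == "__main__":
    corpus, cov, crashes = fuzz(parse_packet, [b"\x00" * 8], 200_000)
    print(f"corpus={len(corpus)} edges={len(cov)} unique crashes={crashes}")
```

Edges here carry no hit counts, so a magic check written as a loop would look identical after one or four matching iterations; AFL-style hit-count buckets are the usual remedy.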
Types of Fuzzing
Fuzzers can be categorized along several axes:
By Input Generation Strategy
- Mutation-based fuzzing — Starts with valid seed inputs and applies random mutations (bit flips, byte flips, arithmetic operations, dictionary-based substitutions, splicing). Fast and easy to set up. Examples: AFL, AFL++, honggfuzz, Radamsa, zzuf.
- Generation-based fuzzing — Generates inputs from scratch based on a grammar, protocol specification, or file format definition. Produces structurally valid inputs that reach deeper code paths. Examples: Domato, Peach Fuzzer, boofuzz, Fuzzilli.
- Grammar-aware fuzzing — Uses a formal grammar (e.g., ANTLR, context-free grammar) to generate or mutate inputs that respect the target's syntax. Examples: Grammarinator, Domato.
By Feedback Mechanism
- Dumb fuzzing — No feedback; generates random inputs blindly. Simple but shallow. Examples: zzuf, Radamsa (standalone).
- Coverage-guided fuzzing (greybox) — Uses code coverage as a fitness function to guide mutations. Examples: AFL, AFL++, libFuzzer, honggfuzz.
- Directed fuzzing (whitebox) — Targets specific code locations (e.g., a patch or a suspected buggy function). Examples: AFLGo, directed libFuzzer.
By Target Type
- File format fuzzers — Fuzz parsers for formats like PDF, PNG, JSON, XML, etc. Examples: AFL, Binspector.
- Network protocol fuzzers — Fuzz network services by sending malformed packets. Examples: boofuzz, Mutiny, Fuzzotron, AFLNet.
- Kernel fuzzers — Fuzz operating system kernels via syscall sequences. Example: syzkaller.
- Browser/DOM fuzzers — Fuzz browser rendering engines and JavaScript runtimes. Examples: Domato, Fuzzilli, FreeDom.
- API fuzzers — Fuzz function or library APIs. Examples: libFuzzer, DeepState.
- Smart contract fuzzers — Fuzz blockchain smart contracts. Example: Echidna.
Tools
AFL++ (AFLplusplus)
- Website: https://aflplus.plus/
- GitHub: https://github.com/AFLplusplus/AFLplusplus
AFL++ is the community-maintained fork and successor to the original American Fuzzy Lop (AFL). It incorporates years of fuzzing research and improvements, making it one of the most widely used fuzzers today.
Key features:
- Multiple instrumentation backends: LLVM (clang), GCC plugin, QEMU user-mode, Unicorn (emulation), and FRIDA (dynamic binary instrumentation).
- Custom mutators: Supports pluggable custom mutation engines via a C API or Python (libprotobuf-mutator, custom mutators).
- Power schedules: Multiple seed scheduling strategies — explore, fast, coe, lin, quad, exploit, rare.
- MOpt mutators: Machine-learning-optimized mutation operators.
- RedQueen and laf-intel: Comparison splitting to overcome magic-byte and checksum barriers.
- Collision-free coverage: Improved edge coverage tracking with no hash collisions.
- CmpLog: Comparison logging for solving multi-byte comparisons.
- Sanitizer integration: Works with ASan, UBSan, MSan, TSan.
Supports Linux, macOS, Android, and (via QEMU/FRIDA) binary-only targets on various platforms.
American Fuzzy Lop (AFL) — Legacy
- Website: https://lcamtuf.coredump.cx/afl/
- Readme: https://lcamtuf.coredump.cx/afl/README.txt
- Quickstart: https://afl-1.readthedocs.io/en/latest/quick_start.html
The original AFL by Michał Zalewski (lcamtuf) is a pioneering coverage-guided fuzzer that employs compile-time instrumentation and genetic algorithms. It can automatically discover clean, interesting test cases that trigger internal state changes in the target binary. AFL is designed to be practical, with modest overhead and a variety of highly effective fuzzing strategies. It requires minimal configuration.
Note: AFL is no longer actively maintained. Users should prefer AFL++ for new projects. The original AFL is retained here for historical reference.
- Installing: https://afl-1.readthedocs.io/en/latest/INSTALL.html
- Instrumenting programs: https://afl-1.readthedocs.io/en/latest/instrumenting.html
- Fuzzing guide: https://afl-1.readthedocs.io/en/latest/fuzzing.html
libFuzzer
- Website: https://llvm.org/docs/LibFuzzer.html
libFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine that ships with LLVM. It is linked directly into the target (a "fuzz target" function) and mutates inputs in memory, avoiding the overhead of process creation for each test case.
Key features:
- In-process fuzzing: Extremely fast — millions of executions per second.
- Sanitizer integration: Tightly integrated with ASan, UBSan, MSan, TSan.
- Corpus management: Automatic corpus minimization and merging.
- LibFuzzer + AFL: Can run in a libFuzzer-AFL hybrid mode.
- Fuzzbench support: Regularly evaluated in Google FuzzBench.
Typically used via LLVM's -fsanitize=fuzzer flag. Commonly paired with sanitizers via -fsanitize=fuzzer,address,undefined.
honggfuzz
- Website: https://honggfuzz.dev/
- GitHub: https://github.com/google/honggfuzz
A security-oriented, feedback-driven evolutionary fuzzer. Features:
- Multi-process and multi-threaded.
- Supports multiple feedback-driven fuzzing modes (code coverage via hardware counters, Intel BTS, Intel PT, and sanitizer coverage).
- Low-level interfaces for process monitoring.
- Works on Linux, FreeBSD, macOS, and Android.
- Can expand and improve a seed corpus over time.
- Supports both persistent (in-process) and fork-server execution modes.
Docker environments: https://github.com/skysider/honggfuzz_docker_apps
OSS-Fuzz
- Website: https://google.github.io/oss-fuzz/
- GitHub: https://github.com/google/oss-fuzz
OSS-Fuzz is Google's continuous fuzzing service for open-source software. It integrates with ClusterFuzz to run fuzz targets at scale and report bugs directly to maintainers.
Key facts:
- Supports C, C++, Go, Python, Rust, Java, and other languages.
- Integrates with libFuzzer, AFL++, honggfuzz, and other engines.
- Has found tens of thousands of bugs across thousands of open-source projects.
- Automatic bug filing with a 90-day disclosure deadline.
- Free for any critical open-source project.
syzkaller
syzkaller is an unsupervised, coverage-guided kernel fuzzer developed by Google. It generates random sequences of syscalls and executes them inside virtual machines, monitoring for crashes, hangs, memory errors (via KASAN/KCSAN), and other anomalies.
Key features:
- Primarily targets the Linux kernel, with experimental support for other OS kernels (FreeBSD, NetBSD, OpenBSD, macOS, Windows).
- Uses KCOV (kernel coverage) for feedback.
- Supports declarative syscall descriptions (syzlang) that encode argument types, structures, and flags.
- Manages fleets of VMs for parallel fuzzing.
- Includes tools for crash reproduction (syz-repro) and bisection.
- Has found thousands of kernel bugs, including many exploitable vulnerabilities.
boofuzz
- Website: https://boofuzz.readthedocs.io/
- GitHub: https://github.com/jtpereyda/boofuzz
Boofuzz is a fork and the active successor to the Sulley fuzzing framework. It is a Python framework for network protocol fuzzing, providing:
- Protocol definition: Define message structures with fields, lengths, checksums, and block primitives.
- Session management: Graph-based protocol state tracking to fuzz complex multi-step protocols.
- Target monitoring: Process/network health monitoring to detect crashes.
- Extensibility: Pluggable monitors, callbacks, and serializers.
Boofuzz is the de facto standard for custom network protocol fuzzing in Python.
cargo-fuzz
- GitHub: https://github.com/rust-fuzz/cargo-fuzz
- Documentation: https://rust-fuzz.github.io/book/cargo-fuzz.html
cargo-fuzz is the standard tool for fuzz testing Rust code. It provides a cargo fuzz subcommand that invokes libFuzzer on Rust fuzz targets. Features:
- Seamless integration with Cargo build system.
- Leverages libFuzzer and LLVM sanitizers (ASan, UBSan).
- Supports corpus management, minimization, and coverage reporting.
- Cross-platform (Linux, macOS, Windows).
Jazzer
Jazzer is a coverage-guided, in-process fuzzer for the JVM platform. Based on libFuzzer, it brings instrumentation-powered mutation features to Java and other JVM languages (Kotlin, Scala, etc.).
Key features:
- libFuzzer integration: Uses the same mutation engine as libFuzzer.
- Coverage instrumentation: Instrumented at the bytecode level via a Java agent.
- Sanitizer-like hooks: Detects issues like SQL injection, command injection, and insecure deserialization.
- OSS-Fuzz support: Integrated into Google's OSS-Fuzz for fuzzing Java projects.
Atheris
Atheris is a coverage-guided fuzzer for Python, built on libFuzzer. It supports fuzzing both pure Python code and native CPython extensions.
Key features:
- pip-installable (pip install atheris).
- Coverage guidance for Python bytecode.
- Supports fuzzing native extensions with ASan/UBSan.
- Simple API: decorate a function with @atheris.instrument_func and call atheris.Fuzz().
Go Fuzzing (Native)
- Documentation: https://go.dev/doc/security/fuzz/
Starting with Go 1.18, Go includes built-in fuzzing support via go test -fuzz. Fuzz tests are written as functions following the FuzzXxx(*testing.F) naming convention and are run as part of the standard Go test suite.
Key features:
- Native integration: No external tools required.
- Coverage-guided: Uses Go's internal coverage instrumentation.
- Corpus management: Automatic corpus seeding from seed inputs.
- Minimization: Automatic test case minimization on crash.
For pre-1.18 users, the original go-fuzz by Dmitry Vyukov remains available.
Fuzzilli
Fuzzilli is a coverage-guided fuzzer for JavaScript engines, developed by Google Project Zero. It uses an intermediate representation (FuzzIL) to mutate JavaScript programs in a semantics-aware manner.
Key features:
- Grammar-aware mutation: Operates on a structured IR, not raw text, enabling valid JS mutations.
- Coverage-guided: Uses engine instrumentation (e.g., V8, JavaScriptCore, SpiderMonkey) to guide mutations.
- Multi-engine support: Targets V8, JavaScriptCore, SpiderMonkey, and other JS runtimes.
- Has found hundreds of vulnerabilities in major JavaScript engines.
Domato
Domato is a DOM fuzzer by Google Project Zero. It is a grammar-based generator that uses a context-free grammar description to generate valid HTML, CSS, and JavaScript inputs that exercise browser DOM engines.
Key features:
- Generative: Generates samples from scratch using grammars.
- Grammar format: Simple, human-readable grammar definition language.
- Template system: Supports parameterized templates for generating structured layouts.
- Has been used to find numerous bugs in Chrome, Firefox, Safari, and Edge.
A descendant project, FreeDom, adds coverage guidance.
WinAFL
WinAFL is a fork of AFL adapted for fuzzing Windows binaries. It uses DynamoRIO (dynamic binary instrumentation) for coverage feedback, enabling fuzzing of closed-source Windows applications.
Key features:
- DynamoRIO instrumentation: Collects edge coverage from black-box binaries.
- Persistent mode: Loop-based persistent fuzzing for Windows targets.
- DLL fuzzing: Can fuzz specific functions within DLLs.
- Works with both 32-bit and 64-bit Windows binaries.
Note: AFL++ now supports Windows fuzzing via its own DynamoRIO and FRIDA backends, which are generally preferred for new work.
Centipede
- GitHub: https://github.com/google/fuzztest (merged into FuzzTest)
Centipede is a distributed fuzzing engine developed by Google, now merged into the FuzzTest framework. It is designed for large-scale, server-side fuzzing with features for:
- Distributed fuzzing: Sharding across many machines; each shard maintains its own corpus.
- Customizable mutators: Pluggable mutation engines.
- Corpus distillation: Efficiently prunes and merges corpora from distributed shards.
- Continuous operation: Designed for 24/7 fuzzing campaigns.
OneFuzz
OneFuzz is Microsoft's self-hosted fuzzing-as-a-service platform. It replaces Microsoft's older Security Risk Detection service and is open-source under the MIT license.
Key features:
- Multi-platform: Fuzz on Windows and Linux.
- Composable workflows: Define custom fuzzing pipelines.
- Built-in ensemble fuzzing: Run multiple fuzzers on the same target simultaneously.
- Programmatic triage: Automatic crash deduplication and analysis.
- Crash notification: Callbacks to Azure DevOps, Microsoft Teams, and custom webhooks.
- On-demand live debugging: Debug crashing inputs in place.
- Custom hypervisor support: Fuzz with custom OS builds or nested hypervisors.
Binspector
Binspector is built around the idea of exposing the guts of binary formats and files. It uses Binary File Format Templates (BFFTs) — formalized descriptions of binary formats — to:
- Verify a binary meets format requirements.
- Analyze and interpret raw data in binary files.
- Inspect binary values with context.
- Intelligently fuzz binaries at potential weak points and auto-generate files containing attack vectors.
Build system uses CMake.
Cluster-Related Tools
CloudFuzzer
CloudFuzzer is a framework for running a fuzzing cluster in the cloud. FuzzVM instances consist of one swarm master and N swarm nodes. A bastion instance works as an SSH gateway between the outside world and the fuzzing cluster, and is used to deliver Docker images and store fuzzing results.
ClusterFuzz
ClusterFuzz is a scalable fuzzing infrastructure framework used by Google to fuzz the Chrome browser and as the backend for OSS-Fuzz. It manages pools of fuzzers, automatically triages crashes, and files bugs.
Nightmare
Nightmare is a distributed fuzzing testing suite with web administration. It supports network fuzzing and was originally created for LaCon 2013, then enhanced for SYSCAN 2014. It is actively maintained.
DeepState
DeepState provides a unit test-like interface for fuzzing and symbolic execution. It allows you to write test harnesses that can be run as either a fuzzer (backed by libFuzzer, AFL, or honggfuzz) or a symbolic execution engine (backed by Manticore or angr), from the same source code.
FuzzBench
- Website: https://google.github.io/fuzzbench/
- GitHub: https://github.com/google/FuzzBench
FuzzBench is a free service from Google that evaluates fuzzers against real-world benchmarks. It provides:
- Standardized benchmarking across many fuzzers.
- 24-hour fuzzing trials with statistically rigorous comparisons.
- Coverage and bug-finding metrics.
- A public leaderboard comparing fuzzer performance.
This makes it easier to rigorously evaluate fuzzing research and promotes reproducible fuzzing experiments.
Fuzzotron
A TCP/UDP based network daemon fuzzer. Uses Radamsa and Blab for test case generation. Supports multi-threaded fuzzing.
Mutiny
Mutiny is a network fuzzer from Cisco Talos that operates by replaying PCAPs through a mutational fuzzer. The goal is to begin network fuzzing as quickly as possible, at the expense of being thorough. It takes a sample of legitimate traffic (e.g., a browser request), feeds it into a prep script to generate a .fuzzer file, then uses Radamsa to perform mutations.
Peach Fuzzer (Legacy)
Peach Fuzzer is a cross-platform fuzzer capable of both smart (generation-based) and dumb (mutation-based) fuzzing. It includes a robust monitoring system and is adaptable to fuzz any form of data consumer — commonly used for file formats, network protocols, and APIs.
Note: Peach Fuzzer Community Edition is no longer maintained (last release in 2014). The project has been succeeded by Protocol Fuzzer.
Protocol Fuzzer
This is the community edition of GitLab's protocol fuzzing framework, based on Peach Fuzzer Professional with some features removed. It has limited documentation and no pre-built binaries.
Radamsa
- GitLab: https://gitlab.com/akihe/radamsa
Radamsa reads sample files of valid data and generates "interestingly different outputs" from them. It is easily scriptable, quick to set up, and used as a test-case generator by other fuzzing tools like Fuzzotron and Mutiny.
Rmadair
- Website: https://rmadair.github.io/fuzzer/
- GitHub: https://github.com/rmadair/fuzzer
A file fuzzer that uses mutation fuzzing and pydbg to monitor for signals of interest. Client-server architecture allows running multiple clients on a single box:
- Client connects to server, gets copy of input file, possible mutations, and path to executable.
- Client enters loop, asks server for next mutation; server responds with offset into file and mutation index.
- Client creates mutated file, executes with pydbg.
- If crash occurs, client sends crash info to server; server creates a local copy of the file.
Zzuf
- Website: http://caca.zoy.org/wiki/zzuf
- GitHub: https://github.com/samhocevar/zzuf
- Tutorial: https://fuzzing-project.org/tutorial1.html
Zzuf is an application fuzzer implemented in C. It works by intercepting file operations and changing random bits in the program's input. Zzuf behavior is deterministic, so bugs are easily reproduced.
Resources
- Google Fuzzing Documentation: https://github.com/google/fuzzing/tree/master/docs
- Awesome Fuzzing (curated list): https://github.com/secfigo/Awesome-Fuzzing
- Extensive fuzzing resources: https://github.com/alphaSeclab/fuzzing-stuff/blob/master/Readme_en.md
- Fuzzing in Depth (AFL++): https://aflplus.plus/docs/fuzzing_in_depth/
- Rust Fuzz Book: https://rust-fuzz.github.io/book/
- OSS-Fuzz Documentation: https://google.github.io/oss-fuzz/
- Fuzzing Project (Linux/open-source): https://fuzzing-project.org/