Glossary

AFL++

A community-maintained, highly optimised fork of American Fuzzy Lop that is the most widely deployed coverage-guided fuzzer.

AFL++ is a fork of Michal Zalewski's AFL that incorporates years of research improvements: LLVM-based instrumentation modes (LTO, PCGUARD, classic), custom mutators via a plugin API, CmpLog to solve comparison checks, MOpt mutation scheduling, and persistent-mode for dramatically higher execution throughput. It operates by instrumenting the target at compile time, tracking branch-pair (edge) coverage via a shared-memory bitmap, and evolving a corpus of test cases that collectively maximize coverage. AFL++ supports both source-instrumented and binary-only (QEMU, Unicorn, Frida) targets. It is the default choice for file-format and protocol parsers where you can supply a small seed corpus; its parallel mode (`-M`/`-S`) allows scaling across multiple CPU cores with a shared corpus directory.

Coverage-Guided Fuzzing

A fuzzing strategy that uses runtime code coverage feedback to steer input mutation toward unexplored code paths.

libFuzzer

An in-process, coverage-guided fuzzing library built into LLVM that links directly into the target binary.

Honggfuzz

A security-oriented multi-process fuzzer from Google with hardware performance-counter coverage and a compact codebase.

Instrumentation

The process of inserting probes into a program at compile or binary rewrite time to collect runtime information for the fuzzer.

Corpus

The evolving collection of test inputs a fuzzer maintains, used as the base for generating new mutations.

AFL++

Related