American Fuzzy Lop (software)

American Fuzzy Lop
Developer(s)Michał Zalewski
Initial releaseNovember 12, 2013; 10 years ago (2013-11-12)
Stable release
2.57b / June 30, 2020; 4 years ago (2020-06-30)[1]
Repository
Written inC, assembly
Operating systemCross-platform
TypeFuzzer
LicenseApache License 2.0
Websitelcamtuf.coredump.cx/afl/ Edit this on Wikidata

American Fuzzy Lop (AFL), stylized in all lowercase as american fuzzy lop, is a free software fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. So far it has detected dozens of significant software bugs in major free software projects, including X.Org Server,[2] PHP,[3] OpenSSL,[4][5] pngcrush, bash,[6] Firefox,[7] BIND,[8][9] Qt,[10] and SQLite.[11]

For many years after its release, AFL has been considered a "state of the art" fuzzer.[12] AFL is considered "a de-facto standard for fuzzing",[13] and the release of AFL contributed significantly to the development of fuzzing as a research area.[14] AFL is widely used in academia; academic fuzzers are often forks of AFL, and AFL is commonly used as a baseline to evaluate new techniques.[15][16]

The source code of American fuzzy lop is published on GitHub. Its name is a reference to a breed of rabbit, the American Fuzzy Lop.

American Fuzzy Lop (AFL), stylized in all lowercase as american fuzzy lop, is a free software fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. Initially released in November 2013, AFL[17] quickly became one of the most widely used fuzzers in security research.

  1. ^ "Releases - google/AFL". Retrieved January 19, 2021 – via GitHub.
  2. ^ "Advisory-2015-03-17". x.org.
  3. ^ "NVD - Detail". nist.gov.
  4. ^ "NVD - Detail". nist.gov.
  5. ^ "NVD - Detail". nist.gov.
  6. ^ "CVE - CVE-2014-6278". mitre.org.
  7. ^ "CVE - CVE-2014-8637". mitre.org.
  8. ^ "How to fuzz a server with American Fuzzy Lop". Fastly. July 21, 2015.
  9. ^ "CVE - CVE-2015-5477". mitre.org.
  10. ^ "[Announce] Qt Project Security Advisory - Multiple Vulnerabilities in Qt Image Format Handling". qt-project.org. April 13, 2015.
  11. ^ "How SQLite Is Tested # 4.1.1. SQL Fuzz Using The American Fuzzy Lop Fuzzer". sqlite.org.
  12. ^ Poncelet, Clement; Sagonas, Konstantinos; Tsiftes, Nicolas (January 5, 2023). "So Many Fuzzers, So Little Time✱". Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering. ASE '22. New York, NY, USA: Association for Computing Machinery. pp. 1–12. doi:10.1145/3551349.3556946. ISBN 978-1-4503-9475-8. S2CID 253456740.
  13. ^ Fioraldi et al. 2023, p. 2.
  14. ^ Fioraldi, Andrea; Maier, Dominik Christian; Zhang, Dongjia; Balzarotti, Davide (November 7, 2022). "LibAFL". Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. CCS '22. New York, NY, USA: Association for Computing Machinery. pp. 1051–1065. doi:10.1145/3548606.3560602. ISBN 978-1-4503-9450-5. S2CID 253410747.. "The release of AFL marked an important milestone in the area of software security testing, revitalizing fuzzing as a major research topic".
  15. ^ Hazimeh, Ahmad; Herrera, Adrian; Payer, Mathias (June 15, 2021). "Magma: A Ground-Truth Fuzzing Benchmark". Proceedings of the ACM on Measurement and Analysis of Computing Systems. 4 (3): 49:1–49:29. arXiv:2009.01120. doi:10.1145/3428334. S2CID 227230949.
  16. ^ Metzman et al. 2021.
  17. ^ "Test Management and Reporting Software". www.aflglobal.com. Retrieved August 13, 2024.