AFL-Unicorn: fuzz any architecture supported by Unicorn

afl-unicorn let’s you fuzz any piece of binary that can be emulated by Unicorn Engine.

Click to access p2313-xuA.pdf

[…]Unicorn Mode works by implementing the block-edge instrumentation that AFL’s QEMU Mode normally does into Unicorn Engine. Basically, AFL will use block coverage information from any emulated code snippet to drive its input generation. The whole idea revolves around proper construction of a Unicorn-based test harness, as shown in the figure below:

WinAFL: AFL fork for Windows

Excerpt from readme:

Original AFL code written by Michal Zalewski <>
Windows fork written and maintained by Ivan Fratric <>
Copyright 2016 Google Inc. All Rights Reserved.
[…] Unfortunately, the original AFL does not work on Windows due to very *nix-specific design (e.g. instrumentation, forkserver etc). This project is a fork of AFL that uses different instrumentation approach which works on Windows even for black box binary fuzzing. […] The WinAFL approach: Instead of instrumenting the code at compilation time, WinAFL relies on dynamic instrumentation using DynamoRIO to measure and extract target coverage. This approach has been found to introduce an overhead about 2x compared to the native execution speed, which is comparable to the original AFL in binary instrumentation mode. To improve the process startup time, WinAFL relies heavily on persistant fuzzing mode, that is, executing multiple input samples without restarting the target process. This is accomplished by selecting a target function (that the user wants to fuzz) and instrumenting it so that it runs in a loop. […]

More info:


AFL support added to Linux Kernel

The Linux kernel just got a patch to add AFL support! I don’t believe FreeBSD has such a feature, yet…. 😐

[PATCH] kcov: add AFL-style tracing

AFL uses a fixed-size buffer (typically 64 KiB) where each byte is a counter representing how many times an A -> B branch was taken. Of course, since the buffer is fixed size, it’s a little imprecise in that e.g. two different branches could map to the same counter, but in practice it works well.

See afl:docs/technical_details.txt for more information.

fuzzing tool: afl

Hanno Böck has an article on on the fuzzing tool afl, American Fuzzy Lop, created by Michał Zalewski of the Google security team:

AFL is a powerful fuzzer, and the above article is a good introduction. There are some more extensive tutorials on afl site, as well as the Fuzzing Project site. Hanno created the Fuzzing Project, which uses FOSS fuzzers to find and fix defects in core FOSS projects. Besides afl, there’s a Python attempt at a version, for those that prefer Python.

(I wish there was more widespread usage of AFL in coreboot, tianocore, U-Boot, SeaBIOS, especially now that SMM is inside OVMF now…)