This article relies excessively on references to primary sources. Please improve this by adding secondary or tertiary sources. Find sources: "American fuzzy lop" fuzzer – news · newspapers · books · scholar · JSTOR (May 2016) (Learn how and when to remove this template message)
American fuzzy lop
Developer(s)Michał Zalewski
Initial release12 November 2013; 8 years ago (2013-11-12)
Stable release
2.57b / 30 June 2020; 2 years ago (2020-06-30)[1]
Written inC, assembly
Operating systemCross-platform
LicenseApache License 2.0 Edit this on Wikidata

American fuzzy lop (AFL), stylized in lowercase as american fuzzy lop, is a free software fuzzer that employs genetic algorithms in order to efficiently increase code coverage of the test cases. So far it has detected dozens of significant software bugs in major free software projects, including X.Org Server,[2] PHP,[3] OpenSSL,[4][5] pngcrush, bash,[6] Firefox,[7] BIND,[8][9] Qt,[10] and SQLite.[11]

The source code of American fuzzy lop is published on GitHub. Its name is a reference to a breed of rabbit, the American Fuzzy Lop.

Typical usage

The program requires the user to provide a sample command that runs the tested application and at least one small example input file. For example, in case of an audio player, American fuzzy lop can be instructed to open a short sound file with it. Then, the fuzzer attempts to actually execute the specified command and if that succeeds, it tries to reduce the input file to the smallest one that triggers the same behavior.

After this initial phase, AFL begins the actual process of fuzzing by applying various modifications to the input file. When the tested program crashes or hangs, this usually implies the discovery of a new bug, possibly a security vulnerability. In this case, the modified input file is saved for further user inspection.

In order to maximize the fuzzing performance, American fuzzy lop expects the tested program to be compiled with the aid of a utility program that instruments the code with helper functions which track control flow. This allows the fuzzer to detect when the target's behavior changes in response to the input. In cases when this is not possible, black-box testing is supported as well.


Fuzzing engine

AFL's logo from fuzzed input stitched together as a single animation.[12]
AFL's logo from fuzzed input stitched together as a single animation.[12]

The fuzzing engine of American fuzzy lop uses several algorithms whose goal is to trigger unexpected behavior, including bit flips or replacing bytes of input file with various integers that can trigger edge cases.[13] Apart from that, it can generate test cases based on sample keywords, which helps during fuzzing of programs that employed text-based grammar, such as SQLite.[14] Generated test cases that exercise different parts of the program's code can later be used as input for more specialized diagnostic programs. While performing the fuzzing, a hang can be detected when the process does not exit within the specified timeout and crash is assumed when a signal handler kills the process.

The fuzzed input can be fed to the tested program either via standard input or as an input file specified in the process command line. Fuzzing networked programs is currently not directly supported, although in some cases there are feasible solutions to this problem.[15]

Performance features

One of the challenges American fuzzy lop had to solve involved an efficient spawning of hundreds of processes per second. Apart from the original engine that spawned every process from scratch, American fuzzy lop offers the default engine that relies heavily on the fork system call.[16] This can further be sped up by leveraging LLVM deferred fork server mode or the similar persistent mode, but this comes at the cost of having to modify the tested program.[17] Also, American fuzzy lop supports fuzzing the same program over the network.

User interface

American fuzzy lop features a colorful command line interface that displays real-time statistics about the fuzzing process. Various settings may be triggered by either command line options or environment variables. Apart from that, programs may read runtime statistics from files in a machine-readable format.

Utility programs

In addition to afl-fuzz and tools that can be used for binary instrumentation, American fuzzy lop features utility programs meant for monitoring of the fuzzing process. Apart from that, there is afl-cmin and afl-tmin, which can be used for test case and test corpus minimization. This can be useful when the test cases generated by afl-fuzz would be used by other fuzzers.


Initial release2.52c / 5 June 2019; 3 years ago (2019-06-05)
Stable release
4.00c / 26 January 2022; 9 months ago (2022-01-26)[18]
Repository Edit this on Wikidata

AFL++ (AFLplusplus)[19] is a community-maintained fork of AFL created due to the relative inactivity of Google's upstream AFL development since September 2017. It includes new features and speedups.[20]

Google's OSS-Fuzz initiative, which provides free fuzzing services to open source software, replaced its AFL option with AFL++ in January 2021.[21]


  1. ^ "Releases - google/AFL". Retrieved 19 January 2021 – via GitHub.
  2. ^ "Advisory-2015-03-17".
  3. ^ "NVD - Detail".
  4. ^ "NVD - Detail".
  5. ^ "NVD - Detail".
  6. ^ "CVE - CVE-2014-6278".
  7. ^ "CVE - CVE-2014-8637".
  8. ^ "How to fuzz a server with American Fuzzy Lop". Fastly.
  9. ^ "CVE - CVE-2015-5477".
  10. ^ "[Announce] Qt Project Security Advisory - Multiple Vulnerabilities in Qt Image Format Handling".
  11. ^ "How SQLite Is Tested # 4.1.1. SQL Fuzz Using The American Fuzzy Lop Fuzzer".
  12. ^ Zalewski, Michał (2015-02-27). "Logo for afl-fuzz". afl-users | Google Groups. Retrieved 2019-07-25.
  13. ^ "Binary fuzzing strategies: what works, what doesn't".
  14. ^ "Finding bugs in SQLite, the easy way".
  15. ^ Technion. "Fuzzing nginx - Hunting vulnerabilities with afl-fuzz".
  16. ^ "Fuzzing random programs without execve()".
  17. ^ "New in AFL: persistent mode". lcamtuf's blog. 11 June 2015.
  18. ^ "Releases - AFLplusplus/AFLplusplus". Retrieved 19 June 2022 – via GitHub.
  19. ^ Fioraldi, Andrea; Maier, Dominik; Eißfeldt, Heiko; Heuse, Marc (August 2020). AFL++: Combining incremental steps of fuzzing research. 14th USENIX Workshop on Offensive Technologies (WOOT 20).
  20. ^ "The AFL++ fuzzing framework". AFLplusplus.
  21. ^ metzman, jonathan. "[afl++] Use AFL++ instead of AFL for fuzzing. by jonathanmetzman · Pull Request #5046 · google/oss-fuzz". GitHub.

Further reading