I am using AFL (version 2.57b) in a docker container (on Ubuntu 20.04) to fuzz several C programs. But the problem is, whenever I fuzz a program it does not explore more than 1 path and the output is something like this:
In this case, I am using this command specifically:
```shell
AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i corpus/ -o afl_out -- ./afl-main @@
```
Where `afl-main` is the name of the program compiled with afl-clang and `corpus` is the name of a directory containing input files.
In this specific case, the main.c is as follows:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    /* argc counts argv[0], so this check never fires; guarding argv[1] needs argc < 2 */
    if (argc < 1)
        return 1;
    /* argv[1] is the path AFL substitutes for @@, not the file's contents */
    if (strcmp(argv[1], "-s") == 0)
        printf("girls\n");
    else if (strcmp(argv[1], "-k") == 0)
        printf("boys!\n");
    else
        printf("OMG!!\n");
    return 0;
}
```
But, as I have already mentioned, switching to other programs does not change anything in the output.
There is also a similar question here, but I have applied the proposed solution there and my binary is working fine when I provide an input from the `corpus` directory in my current working directory.
I tried several C programs to see whether there is a problem with the way of implementation or the way I pass the inputs (through standard input), but the afl-fuzz output is still the same.
I appreciate any help and comment in advance.
`@@` in your afl command line means the position where afl will place the input filename. Afl will run your executable like this: `./afl-main inputfile`. Your program compares this filename with `"-s"` and `"-k"`. Afl fuzzes the contents of the input, not the filenames. You should read the contents of the input and compare it instead of the filenames. This should solve your problem.
Also note - you provide an argument to your executable, thus the condition `if (argc < 1)` should not be entered. The remaining part of the program has only 3 paths - one for each if case. The time afl needs to find all these paths depends on your seed (initial input files in the corpus folder); the closer it is to `"-s"` and `"-k"`, the faster afl will find these. The provided screenshot says you ran afl only for 2 minutes. In general this is too few to analyze the fuzzing results.