E9AFL inserts American Fuzzy Lop (AFL) instrumentation into x86_64 Linux binaries. This allows binaries to be fuzzed without the need for recompilation.

E9AFL uses E9Patch to insert the AFL instrumentation via static binary rewriting.

Pre-built packages for E9AFL can be downloaded here:

• https://github.com/GJDuck/e9afl/releases

To build E9AFL, simply run the build.sh script:

    $ ./build.sh

To build the Debian package, simply run the install.sh script:

    $ ./install.sh

First, install afl-fuzz:

    $ sudo apt-get install afl

To use E9AFL, simply run the command:

    $ ./e9afl /path/to/binary

This will generate an AFL-instrumented binary.afl which can be used with afl-fuzz.

For more information on tool usage, see the man page:

    $ man -l doc/e9afl.l

To fuzz the binutils readelf program:

    $ ./e9afl readelf
    $ mkdir -p input
    $ mkdir -p output
    $ head -n 1 `which ls` > input/exe
    $ afl-fuzz -m none -i input/ -o output/ -- ./readelf.afl -a @@

If all goes well the output should look something like this:

E9AFL can be combined with RedFat for enhanced memory error detection during fuzzing. RedFat detects memory errors (bounds overflows and use-after-free) that would not otherwise crash the program.

To enable, first install RedFat v0.3.0:

• https://github.com/GJDuck/RedFat/releases

Next, pass the --redfat option into E9AFL:

    $ ./e9afl --redfat readelf

This will instrument the binary with both AFL and RedFat instrumentation.

To use, preload the libredfat.so runtime library into AFL:

    $ AFL_PRELOAD=/usr/share/redfat/libredfat.so afl-fuzz -m none -i input/ -o output/ -- ./readelf.afl -a @@

Some instrumented binaries may crash during AFL initialization:

    PROGRAM ABORT : Fork server crashed ...

This is often caused by an insufficient memory limit. See AFL's -m option for more information.

• Xiang Gao, Gregory J. Duck, Abhik Roychoudhury, Scalable Fuzzing of Program Binaries with E9AFL, Automated Software Engineering (ASE), 2021

Please report bugs here.

GLPv3