afl-fuzz: black-box binary fuzzing, perf improvements, and more

I had quite a few posts about afl-fuzz recently, mostly focusing on individual, newly-shipping features (say, the fork server, the crash explorer, or the grammar reconstruction logic). But this probably gets boring for people not interested in the tool, and doesn't necessarily add up to a coherent picture for those who do.

To trim down on AFL-themed posts, I decided to write down a technical summary of all the internals and maintain it as a part of the AFL home page. The document talks about quite a few different things, including:

• The newly-added support for guided fuzzing of black-box, closed-source binaries (yes, it finally happened!),

  
  

• Info about effector maps - a new feature that offers significant performance improvements for many types of fuzzing jobs,

  
  

• Some hard data comparing the efficiency of evolutionary fuzzing and AFL-style instrumentation versus more traditional tools,

  
  

• Discussion of many other details that have not been documented in depth until now - queue culling, file minimization, etc.
  

I'll try to show a bit more restraint with AFL-related news on this blog from now on, so if you want to stay in the loop on key developments, consider signing up for the afl-users@ mailing list.