AFL vs. LibFuzzer input generation & evolutionary fuzzer differences?

1,701 views
Skip to first unread message

Smone

unread,
Apr 3, 2020, 4:37:16 PM4/3/20
to libfuzzer
Hi,

Since both fuzzers identify as evotionary fuzzers, and both are from Google, what exactly is the difference between LibFuzzer and AFL?

I know that libFuzzer requires a corpus to be used, whereas AFL can fuzz based on file inputs, but is this the only difference?

How about input generation? Is this random as well? How does the feedback mechanism work to determine program coverage? Is this block-based (just like AFL)?

Konstantin Serebryany

unread,
Apr 9, 2020, 9:15:40 PM4/9/20
to Smone, libfuzzer
Hi Smone! 

On Fri, Apr 3, 2020 at 1:37 PM Smone <maik...@gmail.com> wrote:
Hi,

Since both fuzzers identify as evotionary fuzzers, and both are from Google, what exactly is the difference between LibFuzzer and AFL?

Some of the notable differences: 
* libFuzzer is fully integrated with the rest of LLVM (sanitizers and coverage instrumentation)
* AFL supports both in-process and out-of-process fuzzing, while libFuzzer is strictly in-process
* AFL supports more flavors of coverage instrumentation (but for most use cases when the source code is available it doesn't matter much) 
* libFuzzer supports custom mutators, allowing structure-aware-fuzzing, but IIRC some clones of AFL support that too,
* There are lots of subtle difference in various heuristics.
* The two engines have very different user interface (command lines parameters, output, etc) and are plug-compatible in one directly: 
anything that can be fuzzed with libFuzzer can also be fuzzed by AFL. 
(But since libFuzzer doesn't support out-of-process fuzzing the opposite direction may not work) 

there are differences wrt availability on specific platforms. 
 

I know that libFuzzer requires a corpus to be used, whereas AFL can fuzz based on file inputs, but is this the only difference?

There is no difference here. 
AFL requires a corpus on disk, libFuzzer can work w/o a corpus but most real-life uses will still use a corpus. 


How about input generation? Is this random as well?

Input generation is a random process, but in libFuzzer it is partially guided by information collected in previous runs. 
I am not aware of such feedback in AFL (but e.g. honggfuzz does that, see e.g. the recent discussion at https://groups.google.com/g/fuzzing-discuss/c/mkqEVv3JVZ8)
 
How does the feedback mechanism work to determine program coverage?
 
Is this block-based (just like AFL)?

The main coverage feedback in libFuzzer is based on CFG edges: 
It is conceptually similar to what AFL does with its coverage bit map, 
but has different trade-offs. Again, we've just discussed it in the thread  linked above)

--
You received this message because you are subscribed to the Google Groups "libfuzzer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to libfuzzer+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/libfuzzer/f3fe1d1b-9510-4601-9ea1-c93115b05c8b%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages