# AFL++: A Vulnerability Discovery and Reproduction Framework


## Abstract


## 1. Introduction

The main contributions of this work are:

1. By optimizing the distance calculation formula and employing a heuristic energy scheduling algorithm, seeds obtain more accurate distances and, over continued execution, trigger more paths and expose additional vulnerabilities.
2. We introduce a distance-guided symbolic execution technique. When fuzzing fails to reach a new state for an extended period, symbolic execution is started; a shortest-path search mitigates path explosion and limits overhead. Seeds generated by symbolic execution are added to the fuzzing queue and mutated further to produce higher-quality seeds that reach new states, improving the efficiency of vulnerability discovery.
3. We propose AFL++, a vulnerability discovery framework based on directed greybox fuzzing and symbolic execution (the name is the authors' own for this prototype and does not refer to the community AFLplusplus fork of AFL). Comparative experiments against American Fuzzy Lop (AFL) and AFLGo on eight real open-source programs and the LAVA-M dataset show that AFL++ increases code coverage and improves the efficiency of vulnerability discovery.
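The two mechanisms the contributions rely on, a distance for every basic block and seed, and a stall check that decides when to hand a seed to shortest-path search, are illustrated below. This is an added example and not the paper's code: it implements the baseline AFLGo-style block distance (harmonic mean of the shortest CFG distances to the targets) that the paper's optimized formula starts from, and a unit-weight BFS for the path toward a target. The CFG, the target set, the traces and the stall window are constructed; the paper's own distance optimization and energy schedule are not reproduced on this page.

```python
# Added example (not the paper's code): AFLGo-style block/seed distance plus a
# stall detector that gates the switch to shortest-path search toward a target.
from collections import deque

# Constructed CFG: basic block -> successor blocks. "target" holds the bug site.
CFG = {
    "entry":     ["parse", "error"],
    "parse":     ["check_len", "error"],
    "check_len": ["copy", "skip"],
    "copy":      ["target", "exit"],
    "skip":      ["exit"],
    "target":    ["exit"],
    "error":     ["exit"],
    "exit":      [],
}
TARGETS = {"target"}


def _reverse(cfg):
    rev = {b: [] for b in cfg}
    for src, succs in cfg.items():
        for dst in succs:
            rev[dst].append(src)
    return rev


def _dist_from_target(cfg, target):
    """BFS on the reversed CFG: shortest edge count from every block to `target`."""
    rev = _reverse(cfg)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        for pred in rev[cur]:
            if pred not in dist:
                dist[pred] = dist[cur] + 1
                queue.append(pred)
    return dist


def block_distance(cfg, targets):
    """AFLGo-style block distance: harmonic mean of the shortest distances to the
    reachable targets; None when no target is reachable from the block."""
    per_target = [_dist_from_target(cfg, t) for t in targets]
    result = {}
    for block in cfg:
        ds = [d[block] for d in per_target if block in d]
        if not ds:
            result[block] = None
        elif 0 in ds:
            result[block] = 0.0
        else:
            result[block] = len(ds) / sum(1.0 / d for d in ds)
    return result


def seed_distance(trace, bb_dist):
    """Seed distance: mean block distance over executed blocks that can reach a target."""
    ds = [bb_dist[b] for b in trace if bb_dist.get(b) is not None]
    return sum(ds) / len(ds) if ds else None


def stalled(new_coverage_flags, window):
    """True when the last `window` executions all failed to reach a new state."""
    recent = new_coverage_flags[-window:]
    return len(recent) == window and not any(recent)


def shortest_path_to_target(cfg, start, targets):
    """Unit-weight BFS path (list of blocks) from `start` to the nearest target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur in targets:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in cfg[cur]:
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def schedule(traces, new_coverage_flags, cfg=CFG, targets=TARGETS, window=4):
    """Pick the seed with the smallest distance. If fuzzing has stalled, also return
    the shortest CFG path from that seed's closest reachable block to a target, the
    branch sequence symbolic execution would be asked to constrain."""
    bb = block_distance(cfg, targets)
    scored = [(seed_distance(t, bb), i) for i, t in enumerate(traces)]
    best_dist, best = min((d, i) for d, i in scored if d is not None)
    path = None
    if stalled(new_coverage_flags, window):
        frontier = min((b for b in traces[best] if bb[b] is not None), key=lambda b: bb[b])
        path = shortest_path_to_target(cfg, frontier, targets)
    return best, best_dist, path
```

Lower distance is better: a trace that reaches `copy` scores 2.5 while one that diverges into `skip` scores 3.0, so the former is scheduled first, and only a run of executions without new coverage triggers the path query.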

## 2. Related Work

#### 2.1. Directed Greybox Fuzzing

#### 2.2. Symbolic Execution

## 3. The Proposed AFL++ Method

#### 3.1. Distance-Guided Fuzzing Technique

#### 3.1.1. Optimization Algorithm for Basic Block Distance Calculation

#### 3.1.2. Energy Distribution Method Based on Newton Interpolation

#### 3.1.3. PSO-Based Heuristic Energy Scheduling Algorithm

#### Design of Fitness Function

#### Velocity and Position Updates

#### 3.2. Distance-Guided Symbolic Execution Technique

#### 3.2.1. Hybrid Symbolic Execution

**Algorithm 1: Hybrid Symbolic Execution Process**

Data: an arbitrary seed. Result: symbolic expressions.

1. create struct `concreteInput`
2. define `concreteValue`
3. define `operandIndex`
4. define `Value *sptr`
5. mark the symbolic parameters
6. create `ValueExpression`
7. **if** the value is a constant **then**
8.     get the computation's last instruction
9.     add the concrete value to the symbolic-concrete array
10.    get the symbolic operand and its SMT expression
11. **return** the symbolic expressions and save them
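Algorithm 1 is a sketch of the concrete-plus-symbolic bookkeeping; the following added example (not the paper's code) is a minimal concolic executor in that shape. Each value carries a concrete shadow and an expression over the input bytes, constants stay concrete (the constant case of step 7), branches whose condition depends on a symbolic operand are recorded as path constraints, and the last constraint is negated and solved to derive a new seed that is handed back to the fuzzing queue. The toy program, the two-byte seed and the brute-force solver that stands in for an SMT query are constructed for illustration; the paper's engine presumably operates on LLVM IR through KLEE (the `Value` pointer in the listing), which is not reproduced here.

```python
# Added example (not the paper's code): concolic execution in the shape of
# Algorithm 1 over a constructed toy program.
from itertools import product

OPS = {"+": lambda a, b: a + b, "*": lambda a, b: a * b, "^": lambda a, b: a ^ b}


class Sym:
    """A value with a concrete shadow and, if input-dependent, a symbolic expression.
    expr is ("in", i), ("const", c), (op, lhs, rhs), or None for a plain constant."""

    def __init__(self, concrete, expr=None):
        self.concrete, self.expr = concrete, expr

    @staticmethod
    def lift(v):
        return v if isinstance(v, Sym) else Sym(v)

    def _binop(self, other, op):
        other = Sym.lift(other)
        concrete = OPS[op](self.concrete, other.concrete)
        if self.expr is None and other.expr is None:
            return Sym(concrete)  # constant folding: no expression is built
        lhs = self.expr if self.expr is not None else ("const", self.concrete)
        rhs = other.expr if other.expr is not None else ("const", other.concrete)
        return Sym(concrete, (op, lhs, rhs))

    def __add__(self, o): return self._binop(o, "+")
    def __mul__(self, o): return self._binop(o, "*")
    def __xor__(self, o): return self._binop(o, "^")


def evaluate(expr, inputs):
    """Evaluate an expression under a concrete input byte sequence."""
    tag = expr[0]
    if tag == "in":
        return inputs[expr[1]]
    if tag == "const":
        return expr[1]
    return OPS[tag](evaluate(expr[1], inputs), evaluate(expr[2], inputs))


def show(expr):
    """Render an expression as text, the form a solver query would take."""
    tag = expr[0]
    if tag == "in":
        return f"in{expr[1]}"
    if tag == "const":
        return str(expr[1])
    return f"({show(expr[1])} {tag} {show(expr[2])})"


def input_indices(expr):
    """Input byte positions an expression depends on."""
    tag = expr[0]
    if tag == "in":
        return {expr[1]}
    if tag == "const":
        return set()
    return input_indices(expr[1]) | input_indices(expr[2])


class Tracer:
    """Runs the program with symbolic input bytes and records every branch whose
    condition depends on them (the path constraints)."""

    def __init__(self, seed):
        self.inputs = [Sym(b, ("in", i)) for i, b in enumerate(seed)]
        self.constraints = []  # (expr, constant, taken)

    def branch_eq(self, value, const):
        value = Sym.lift(value)
        taken = value.concrete == const
        if value.expr is not None:
            self.constraints.append((value.expr, const, taken))
        return taken


def toy_program(tr):
    """Constructed program under test: two input checks guard the target block."""
    x, y = tr.inputs[0], tr.inputs[1]
    if not tr.branch_eq(x * 3 + 7, 52):
        return "reject_len"
    if not tr.branch_eq(y ^ 0x41, 0):
        return "reject_magic"
    return "target"


def solve_flip(seed, expr, const, taken):
    """Negate a recorded branch and search the bytes it depends on for a satisfying
    assignment; the rest of the seed stays concrete. Brute force stands in for SMT."""
    want = not taken
    idx = sorted(input_indices(expr))
    for combo in product(range(256), repeat=len(idx)):
        cand = bytearray(seed)
        for i, v in zip(idx, combo):
            cand[i] = v
        if (evaluate(expr, cand) == const) == want:
            return bytes(cand)
    return None


def hybrid_step(seed):
    """One round: concolic run, then flip the last symbolic branch.
    Returns (outcome, rendered constraint, new seed or None)."""
    tr = Tracer(seed)
    outcome = toy_program(tr)
    expr, const, taken = tr.constraints[-1]
    return outcome, show(expr), solve_flip(seed, expr, const, taken)


def drive(seed, max_rounds=8):
    """Repeat rounds until the target is reached; returns (seed, rounds taken)."""
    for rounds in range(max_rounds):
        outcome, _, new_seed = hybrid_step(seed)
        if outcome == "target":
            return seed, rounds
        if new_seed is None:
            break
        seed = new_seed
    return None, None
```

Starting from the all-zero seed, the first round records `((in0 * 3) + 7) == 52`, solves it to `in0 = 15`, the second round records `(in1 ^ 65) == 0` and solves it to `in1 = 0x41`, and the third run reaches the target; a mutation-only fuzzer would have to guess both bytes.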

#### 3.2.2. Distance-Oriented Path Search Algorithm

#### 3.3. System Framework

## 4. Experiment

#### 4.1. Experimental Environment

#### 4.2. Experimental Design

#### 4.3. Vulnerability Mining Performance Evaluation

#### 4.4. Vulnerability Reproduction Experiment Evaluation

## 5. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## References

- Böhme, M.; Pham, V.; Nguyen, M.; Roychoudhury, A. Directed greybox fuzzing. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS 2017), Dallas, TX, USA, 30 October–3 November 2017; Thuraisingham, B., Evans, D., Malkin, T., Xu, D., Eds.; ACM, 2017; pp. 2329–2344.
- Cardinale, Y.; Freites, G.; Valderrama, E.; Aguilera, A.I.; Angsuchotmetee, C. Semantic framework of event detection in emergency situations for smart buildings. Digit. Commun. Networks **2022**, 8, 64–79.
- Wu, S.; Shen, S.; Xu, X.; Chen, Y.; Zhou, X.; Liu, D.; Xue, X.; Qi, L. Popularity-aware and diverse web APIs recommendation based on correlation graph. IEEE Trans. Comput. Soc. Syst. **2023**, 10, 771–782.
- Mousavi, S.N.; Chen, F.; Abbasi, M.; Khosravi, M.R.; Rafiee, M. Efficient pipelined flow classification for intelligent data processing in IoT. Digit. Commun. Networks **2022**, 8, 561–575.
- Kim, J.; Yun, J. Poster: Directed hybrid fuzzing on binary code. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), London, UK, 11–15 November 2019; Cavallaro, L., Kinder, J., Wang, X., Katz, J., Eds.; ACM, 2019; pp. 2637–2639.
- Dong, L.; Li, R. Optimal chunk caching in network coding-based qualitative communication. Digit. Commun. Networks **2022**, 8, 44–50.
- Qi, L.; Lin, W.; Zhang, X.; Dou, W.; Xu, X.; Chen, J. A correlation graph based approach for personalized and compatible web APIs recommendation in mobile app development. IEEE Trans. Knowl. Data Eng. **2023**, 35, 5444–5457.
- Dai, H.; Yu, J.; Li, M.; Wang, W.; Liu, A.X.; Ma, J.; Qi, L.; Chen, G. Bloom filter with noisy coding framework for multi-set membership testing. IEEE Trans. Knowl. Data Eng. **2023**, 35, 6710–6724.
- Chen, H.; Xue, Y.; Li, Y.; Chen, B.; Xie, X.; Wu, X.; Liu, Y. Hawkeye: Towards a desired directed grey-box fuzzer. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS 2018), Toronto, ON, Canada, 15–19 October 2018; Lie, D., Mannan, M., Backes, M., Wang, X., Eds.; ACM, 2018; pp. 2095–2108.
- Liang, H.; Zhang, Y.; Yu, Y.; Xie, Z.; Jiang, L. Sequence coverage directed greybox fuzzing. In Proceedings of the 27th International Conference on Program Comprehension (ICPC 2019), Montreal, QC, Canada, 25–31 May 2019; Guéhéneuc, Y., Khomh, F., Sarro, F., Eds.; IEEE/ACM, 2019; pp. 249–259.
- Zheng, Y.; Li, Z.; Xu, X.; Zhao, Q. Dynamic defenses in cyber security: Techniques, methods and challenges. Digit. Commun. Networks **2022**, 8, 422–435.
- Wang, F.; Wang, L.; Li, G.; Wang, Y.; Lv, C.; Qi, L. Edge-cloud-enabled matrix factorization for diversified APIs recommendation in mashup creation. World Wide Web **2022**, 25, 1809–1829.
- Li, J.; Luo, X.; Zhang, Y.; Zhang, P.; Yang, C.; Liu, F. Extracting embedded messages using adaptive steganography based on optimal syndrome-trellis decoding paths. Digit. Commun. Networks **2022**, 8, 455–465.
- Liang, H.; Jiang, L.; Ai, L.; Wei, J. Sequence directed hybrid fuzzing. In Proceedings of the 27th IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2020), London, ON, Canada, 18–21 February 2020; Kontogiannis, K., Khomh, F., Chatzigeorgiou, A., Fokaefs, M., Zhou, M., Eds.; IEEE, 2020; pp. 127–137.
- Österlund, S.; Razavi, K.; Bos, H.; Giuffrida, C. ParmeSan: Sanitizer-guided greybox fuzzing. In Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020), Boston, MA, USA, 12–14 August 2020; Capkun, S., Roesner, F., Eds.; USENIX Association, 2020; pp. 2289–2306.
- Zhu, X.; Liu, S.; Li, X.; Wen, S.; Zhang, J.; Çamtepe, S.A.; Xiang, Y. DeFuzz: Deep learning guided directed fuzzing. arXiv **2020**, arXiv:2010.12149.
- Zhao, J. Constructing more complete control flow graphs utilizing directed graybox fuzzing. Appl. Sci. **2021**, 11, 1351.
- Lee, G.; Shim, W.; Lee, B. Constraint-guided directed greybox fuzzing. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 2021), Vancouver, BC, Canada, 11–13 August 2021; Bailey, M., Greenstadt, R., Eds.; USENIX Association, 2021; pp. 3559–3576.
- Zhu, X.; Böhme, M. Regression greybox fuzzing. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS 2021), Virtual Event, Republic of Korea, 15–19 November 2021; Kim, Y., Kim, J., Vigna, G., Shi, E., Eds.; ACM, 2021; pp. 2169–2182.
- Wang, S.; Jiang, X.; Yu, X.; Sun, S. KCFuzz: Directed fuzzing based on keypoint coverage. In Artificial Intelligence and Security, 7th International Conference (ICAIS 2021), Dublin, Ireland, 19–23 July 2021, Proceedings, Part I; Lecture Notes in Computer Science; Sun, X., Zhang, X., Xia, Z., Bertino, E., Eds.; Springer, 2021; Volume 12736, pp. 312–325.
- Pham, V.; Nguyen, M.; Ta, Q.; Murray, T.; Rubinstein, B.I.P. Towards systematic and dynamic task allocation for collaborative parallel fuzzing. In Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering (ASE 2021), Melbourne, Australia, 15–19 November 2021; IEEE, 2021; pp. 1337–1341.
- Huang, H.; Guo, Y.; Shi, Q.; Yao, P.; Wu, R.; Zhang, C. BEACON: Directed greybox fuzzing with provable path pruning. In Proceedings of the 43rd IEEE Symposium on Security and Privacy (SP 2022), San Francisco, CA, USA, 22–26 May 2022; IEEE, 2022; pp. 36–50.
- Du, Z.; Li, Y.; Liu, Y.; Mao, B. WindRanger: A directed greybox fuzzer driven by deviation basic blocks. In Proceedings of the 44th IEEE/ACM International Conference on Software Engineering (ICSE 2022), Pittsburgh, PA, USA, 25–27 May 2022; pp. 2440–2451.
- Canakci, S.; Matyunin, N.; Graffi, K.; Joshi, A.; Egele, M. TargetFuzz: Using DARTs to guide directed greybox fuzzers. In Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIA CCS 2022), Nagasaki, Japan, 30 May–3 June 2022; Suga, Y., Sakurai, K., Ding, X., Sako, K., Eds.; ACM, 2022; pp. 561–573.
- Sen, K. DART: Directed automated random testing. In Hardware and Software: Verification and Testing, 5th International Haifa Verification Conference (HVC 2009), Haifa, Israel, 19–22 October 2009, Revised Selected Papers; Lecture Notes in Computer Science; Namjoshi, K.S., Zeller, A., Ziv, A., Eds.; Springer, 2009; Volume 6405, p. 4.
- Ma, K.; Khoo, Y.P.; Foster, J.S.; Hicks, M. Directed symbolic execution. In Static Analysis, 18th International Symposium (SAS 2011), Venice, Italy, 14–16 September 2011, Proceedings; Lecture Notes in Computer Science; Yahav, E., Ed.; Springer, 2011; Volume 6887, pp. 95–111.
- Rustamov, F.; Kim, J.; Yu, J.; Kim, H.; Yun, J. BugMiner: Mining the hard-to-reach software vulnerabilities through the target-oriented hybrid fuzzer. Electronics **2020**, 10, 62.
- Poeplau, S.; Francillon, A. Symbolic execution with SymCC: Don't interpret, compile! In Proceedings of the 29th USENIX Security Symposium (USENIX Security 2020), Boston, MA, USA, 12–14 August 2020; Capkun, S., Roesner, F., Eds.; USENIX Association, 2020; pp. 181–198.
- Poeplau, S.; Francillon, A. SymQEMU: Compilation-based symbolic execution for binaries. In Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS 2021), Virtual, 21–25 February 2021; The Internet Society: Reston, VA, USA, 2021.

**Figure 3.** Number of vulnerabilities found: (**a**) base64; (**b**) md5sum; (**c**) uniq; (**d**) who.

**Newton divided-difference table used for energy distribution (Section 3.1.2).**

$x_k$ | $f(x_k)$ | 1st-order difference quotient | 2nd-order difference quotient | … | $n$-th-order difference quotient
---|---|---|---|---|---
$x_0$ | $f(x_0)$ | | | |
$x_1$ | $f(x_1)$ | $f[x_0,x_1]$ | | |
$x_2$ | $f(x_2)$ | $f[x_1,x_2]$ | $f[x_0,x_1,x_2]$ | |
$x_3$ | $f(x_3)$ | $f[x_2,x_3]$ | $f[x_1,x_2,x_3]$ | |
… | … | … | … | … |
$x_n$ | $f(x_n)$ | $f[x_{n-1},x_n]$ | $f[x_{n-2},x_{n-1},x_n]$ | … | $f[x_0,x_1,\ldots,x_n]$
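The table above is the data structure behind Newton interpolation; the following added example (not the paper's code) builds it, takes its diagonal as the Newton coefficients, evaluates the interpolating polynomial, and turns the extrapolated value into an energy allotment. The sample points are constructed: $x_k$ is a seed's $k$-th scheduling round and $f(x_k)$ the number of new paths that round produced. The mapping from the interpolant to energy (`predict_energy`) is a hypothetical policy for illustration; the paper's own energy formula is not reproduced on this page.

```python
# Added example (not the paper's code): divided differences, Newton's form of the
# interpolating polynomial, and a constructed energy policy built on it.

def divided_differences(xs, ys):
    """Full triangular table: row k holds f[x_k], f[x_{k-1},x_k], ..., f[x_0,...,x_k],
    i.e. column j of row k is the j-th order difference quotient ending at x_k."""
    n = len(xs)
    table = [[float(y)] for y in ys]
    for j in range(1, n):
        for k in range(j, n):
            numerator = table[k][j - 1] - table[k - 1][j - 1]
            table[k].append(numerator / (xs[k] - xs[k - j]))
    return table


def newton_coefficients(xs, ys):
    """Diagonal of the table: f[x_0], f[x_0,x_1], ..., f[x_0,...,x_n]."""
    table = divided_differences(xs, ys)
    return [table[k][k] for k in range(len(xs))]


def newton_eval(xs, coeffs, x):
    """Horner-style evaluation of
    N(x) = c_0 + c_1 (x - x_0) + c_2 (x - x_0)(x - x_1) + ... """
    result = coeffs[-1]
    for k in range(len(coeffs) - 2, -1, -1):
        result = result * (x - xs[k]) + coeffs[k]
    return result


def predict_energy(history, base_energy, x_next):
    """Hypothetical policy: allot energy in proportion to the interpolated yield at
    x_next, clamped at zero so a declining trend cannot produce negative energy.
    history is a list of (round, new_paths) pairs, constructed by the caller."""
    xs = [h[0] for h in history]
    ys = [h[1] for h in history]
    predicted = newton_eval(xs, newton_coefficients(xs, ys), x_next)
    return max(0.0, predicted) * base_energy
```

With rounds 0..3 yielding 0, 1, 4, 9 new paths the coefficients come out as 0, 1, 1, 0 and the polynomial reproduces $x^2$ exactly, so round 5 is predicted to yield 25; a linearly declining history such as 3, 2, 1 would predict a negative yield at round 5 and is clamped to zero energy.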

**Experimental environment.**

Category | Configuration
---|---
Operating system | Ubuntu 16.04
Kernel version | 4.15.0
CPU cores | 8
Memory | 16 GB
Hard drive capacity | 2 TB
Development environment | AFL 2.52b, KLEE, LLVM 11.0
Processor | Intel Core i5-10400

**LAVA-M programs, injected vulnerability count, and harness command line** (`@@` is the fuzzer's placeholder for the path of the input file).

Program | Vulnerabilities | Command line
---|---|---
base64 | 44 | `./base64 -d @@`
md5sum | 57 | `./md5sum -c @@`
uniq | 44 | `./uniq @@`
who | 2136 | `./who @@`

**Vulnerabilities found per LAVA-M program (cf. Figure 3).**

Method | base64 | md5sum | uniq | who | Total
---|---|---|---|---|---
AFL | 3 | 2 | 3 | 2 | 10
AFLGo | 5 | 3 | 2 | 3 | 13
AFL++ | 11 | 4 | 4 | 7 | 26

**Results on the eight real open-source programs, per program and method.**

Method | libxml2 | libming | gdb | xpdf | libexif | giflib | jasper | lrzip
---|---|---|---|---|---|---|---|---
AFL | 4818 | 5296 | 3231 | 4209 | 1107 | 233 | 1 | 1151
AFLGo | 5812 | 5411 | 3562 | 5579 | 1425 | 188 | 163 | 1403
AFL++ | 7324 | 6573 | 4517 | 8662 | 3237 | 316 | 233 | 2282

**Results on the eight real open-source programs, per program and method (second metric).**

Method | libxml2 | libming | gdb | xpdf | libexif | giflib | jasper | lrzip
---|---|---|---|---|---|---|---|---
AFL | 0 | 19 | 0 | 58 | 0 | 0 | 0 | 27
AFLGo | 0 | 18 | 0 | 71 | 0 | 0 | 0 | 36
AFL++ | 0 | 36 | 0 | 110 | 0 | 3 | 0 | 61

**Vulnerability reproduction: times the CVE was reproduced (out of 20 runs) and time-to-exposure (TTE).**

CVE | Method | Times reproduced (of 20) | TTE
---|---|---|---
CVE-2018-8807 | AFL | 20 | 13m
CVE-2018-8807 | AFLGo | 20 | 3m33s
CVE-2018-8807 | AFL++ | 20 | 1m55s
CVE-2018-8962 | AFL | 20 | 8m
CVE-2018-8962 | AFLGo | 20 | 3m21s
CVE-2018-8962 | AFL++ | 20 | 1m32s

**Vulnerability reproduction against further directed fuzzers: times the CVE was reproduced (out of 20 runs) and TTE.** A dash means only the TTE is reported for that method.

CVE | Method | Times reproduced (of 20) | TTE
---|---|---|---
CVE-2016-4487 | AFL | 20 | 4m
CVE-2016-4487 | AFLGo | 20 | 3m
CVE-2016-4487 | Hawkeye | 20 | 2m57s
CVE-2016-4487 | AFL-Ant | 20 | 2m41s
CVE-2016-4487 | Beacon | - | 2m31s
CVE-2016-4487 | AFL++ | 20 | 2m1s
CVE-2016-4491 | AFL | 5 | 6h38m
CVE-2016-4491 | AFLGo | 7 | 5h46m
CVE-2016-4491 | Hawkeye | 9 | 5h12m
CVE-2016-4491 | AFL-Ant | 10 | 6h25m
CVE-2016-4491 | Beacon | - | 1h23m
CVE-2016-4491 | AFL++ | 15 | 4h47m
CVE-2016-4489 | AFL | 20 | 7m
CVE-2016-4489 | AFLGo | 20 | 3m
CVE-2016-4489 | Hawkeye | 20 | 3m26s
CVE-2016-4489 | AFL-Ant | 20 | 3m10s
CVE-2016-4489 | Beacon | - | 3m
CVE-2016-4489 | AFL++ | 20 | 2m23s
CVE-2016-4492 | AFL | 20 | 16m
CVE-2016-4492 | AFLGo | 20 | 9m
CVE-2016-4492 | Hawkeye | 20 | 7m57s
CVE-2016-4492 | AFL-Ant | 20 | 8m51s
CVE-2016-4492 | Beacon | - | 6m25s
CVE-2016-4492 | AFL++ | 20 | 3m47s
CVE-2016-4490 | AFL | 20 | 59s
CVE-2016-4490 | AFLGo | 20 | 1m33s
CVE-2016-4490 | Hawkeye | 20 | 1m43s
CVE-2016-4490 | AFL-Ant | 20 | 1m30s
CVE-2016-4490 | Beacon | - | 1m22s
CVE-2016-4490 | AFL++ | 20 | 1m27s
CVE-2016-6131 | AFL | 3 | 7h19m
CVE-2016-6131 | AFLGo | 5 | 5h53m
CVE-2016-6131 | Hawkeye | 9 | 4h48m
CVE-2016-6131 | AFL-Ant | 7 | 5h35m
CVE-2016-6131 | Beacon | - | 50m13s
CVE-2016-6131 | AFL++ | 12 | 3h31m


© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Cite as

He, G.; Xin, Y.; Cheng, X.; Yin, G.
AFL++: A Vulnerability Discovery and Reproduction Framework. *Electronics* **2024**, *13*, 912.
https://doi.org/10.3390/electronics13050912
