STIMSMITH

Bitflip Mutation

Technique

Bitflip mutation is a fuzzing mutation that flips bits in test vectors. In AFL, it is one of the notable mutation classes used to discover new behaviors through coverage feedback; in a RISC-V processor-verification setting, bitflips were used to cover possible instruction arguments and uncover unknown instructions.

First seen 5/26/2026
Last seen 5/28/2026
Evidence 2 chunks
Wiki v1

WIKI

Overview

Bitflip mutation is a mutation technique used in fuzzing in which bits in an input or test vector are flipped. In the AFL context described by Bruns et al., bitflip mutations are listed among AFL's notable mutation classes, alongside arithmetic mutations and havoc mutation. AFL uses mutations to discover new behaviors, with new behavior detection realized through edge coverage. [C1]
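The feedback loop described above, as an added example that is not taken from AFL or from the cited paper: a walking single-bit flip is applied to each test vector, and a mutant is kept only when it reaches coverage not seen before, repeating until no new test vectors appear. The toy decoder, the use of an (opcode, funct3) pair as a stand-in for an edge, and the seed word are assumptions made for illustration.

```python
# Added example: toy target and loop are constructed for illustration, not AFL's code.
import struct

# Major opcodes (bits [6:0]) from the RISC-V base ISA; the decoder itself is a toy.
OPCODES = {0x03: "LOAD", 0x13: "OP-IMM", 0x17: "AUIPC", 0x23: "STORE", 0x33: "OP",
           0x37: "LUI", 0x63: "BRANCH", 0x67: "JALR", 0x6F: "JAL"}

def run_target(vector: bytes) -> tuple:
    """Stand-in for an instrumented run: returns the one 'edge' the input reaches."""
    (word,) = struct.unpack("<I", vector)
    name = OPCODES.get(word & 0x7F)
    if name is None:
        return ("ILLEGAL",)
    return (name, (word >> 12) & 0x7)   # funct3 field, bits [14:12]

def bitflips(vector: bytes):
    """Walking single-bit flip: yield one mutant per bit position."""
    for bit in range(len(vector) * 8):
        mutant = bytearray(vector)
        mutant[bit // 8] ^= 1 << (bit % 8)
        yield bytes(mutant)

def fuzz(seed: bytes):
    """Repeat the bitflip stage until it produces no new test vectors."""
    coverage = {run_target(seed)}
    corpus = [seed]
    index = 0
    while index < len(corpus):          # corpus grows while we iterate
        for mutant in bitflips(corpus[index]):
            edge = run_target(mutant)
            if edge not in coverage:    # keep only coverage-increasing mutants
                coverage.add(edge)
                corpus.append(mutant)
        index += 1
    return corpus, coverage

if __name__ == "__main__":
    corpus, coverage = fuzz(struct.pack("<I", 0x00000013))  # seed: addi x0, x0, 0
    print(f"{len(corpus)} test vectors, {len(coverage)} edges")
    print(sorted({e[0] for e in coverage}))
```

Starting from a single seed, the loop reaches every opcode in the toy table because each one is a single bit away from another that is already in the corpus; an opcode separated from the rest by two or more bits would stay uncovered with single-bit flips alone.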

Role in AFL-style fuzzing


RELATIONSHIPS

2 connections
AFL ← uses 100% 2e
AFL uses bitflip mutation to flip bits in the test input.
Fast Exploration Mutation ← uses 85% 1e
The Fast Exploration mutation uses bitflip mutation as part of its prephase.

CITATIONS

4 sources
[1] AFL is an out-of-process coverage-guided grey-box fuzzer that uses mutations to discover new behaviors through edge coverage; bitflip mutation flips a variety of bits. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[2] In the RISC-V fuzzing workflow, bitflip mutation is used after instruction insertion to cover possible arguments and uncover unknown instructions. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] Instruction insertion and bitflip mutation are iteratively repeated until no new test vectors are found, enabling broad RISC-V instruction-sequence state-space coverage without scalability problems or dependence on a lucky random seed. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] The bitflip prephase is described as low-overhead because RV32I has 40 instructions, the operations apply only to coverage-increasing test vectors, and bitflip was moved from a later phase rather than added as new overhead. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing