STIMSMITH

AFL

Tool

AFL is described in the provided evidence as a state-of-the-art coverage-guided fuzzer. It appears as a representative coverage-guided fuzzing tool alongside libFuzzer, and a processor-verification study compared unmodified AFL 2.56b, called Vanilla AFL, with an Enhanced AFL variant using problem-specific mutations.

First seen 5/25/2026
Last seen 6/9/2026
Evidence 15 chunks
Wiki v3

WIKI

Overview

AFL is described in the evidence as a coverage-guided fuzzer and as a notable representative of coverage-guided fuzzing alongside LLVM-based libFuzzer. The cited ISS-verification paper characterizes mutation-based fuzzing as a technique that mutates randomly created data and is guided by code coverage, avoiding the need to create an input model. [AFL as coverage-guided fuzzer]

A later cross-level processor-verification study refers to AFL as a state-of-the-art coverage-guided fuzzer and uses the unmodified AFL 2.56b release as its baseline, calling it Vanilla AFL. [AFL 2.56b baseline]

RELATIONSHIPS

13 connections
The paper uses AFL as the base coverage-guided fuzzer, extended with custom mutations.
Fast Exploration Mutation ← extends 90% 4e
Fast Exploration Mutation is a custom mutation designed to enhance AFL's fuzzing performance for processor verification.
Coverage-Guided Fuzzing implements → 100% 3e
AFL is a representative of coverage-guided fuzzing tools.
Coverage-guided Fuzzing implements → 100% 3e
AFL is a coverage-guided grey box fuzzer.
Arithmetic Mutation uses → 100% 2e
AFL uses arithmetic mutation to add/subtract integers in the test input.
Havoc Mutation uses → 100% 2e
AFL uses havoc mutation as a combination of multiple individual mutations.
Edge Coverage uses → 100% 2e
AFL uses edge coverage to discover new behaviors.
Coverage-based Greybox Fuzzing implements → 98% 2e
AFL is a widely used coverage-based greybox fuzzer.
Code Coverage uses → 98% 2e
AFL uses code coverage as its primary feedback metric.
Enhanced Havoc Mutation ← extends 90% 2e
Enhanced Havoc Mutation is a custom mutation designed to enhance AFL's fuzzing performance for processor verification.
Bitflip Mutation uses → 100% 2e
AFL uses bitflip mutation to flip bits in the test input.
The paper mentions AFL as a fuzzing tool that uses QEMU mode and is relevant to emulator-based analysis.
Energy Assignment uses → 95% 1e
AFL assigns energy to seeds to determine the mutation count.
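The mutation stages, edge-coverage feedback, queue and energy rule listed above, shown as an added toy example that is not AFL's code and not from the cited papers. The instrumented target, its block ids and the "newest seed gets more energy" rule are constructed for illustration only; the point is that each stage passed yields a new edge, so coverage feedback lets the loop solve the check one byte at a time where blind random mutation would have to guess all four bytes at once.

```python
import random
CHECKS = (0x46, 0x5A, 0x7F, 0x80)  # "F", "Z", 0x7f, 0x80: four guarded stages

def target(data, edges):
    # Constructed instrumented program: each stage passed records a new (prev -> block) edge
    data = bytes(data).ljust(len(CHECKS), b"\0")
    prev = 0
    for block, want in enumerate(CHECKS, start=1):
        if data[block - 1] != want:
            edges.add((prev, 99))  # exit edge taken from the failing stage
            return "ok"
        edges.add((prev, block))
        prev = block
    return "crash"  # all stages passed: the planted bug

def bitflip(buf, bit):  # bitflip stage: flip one bit of the input
    out = bytearray(buf)
    out[bit // 8] ^= 1 << (bit % 8)
    return out

def arithmetic(buf, pos, delta):  # arith stage: add/subtract a small integer at one byte
    out = bytearray(buf)
    out[pos] = (out[pos] + delta) % 256
    return out

def havoc(buf, rng, rounds):  # havoc stage: stack several random individual mutations
    out = bytearray(buf)
    for _ in range(rounds):
        out = (bitflip(out, rng.randrange(len(out) * 8)) if rng.random() < 0.5
               else arithmetic(out, rng.randrange(len(out)), rng.randint(-35, 35)))
    return out

def fuzz(seed, iterations, rng_seed=1):
    # Coverage-guided loop: a child joins the queue only if it hits an edge never seen before
    seen, queue, crashes, rng = set(), [bytearray(seed)], [], random.Random(rng_seed)
    target(seed, seen)
    for _ in range(iterations):
        parent = rng.choice(queue)
        energy = 4 if parent is queue[-1] else 1  # constructed energy rule: newest seed gets more
        for _ in range(energy):
            child, edges = havoc(parent, rng, rng.randint(1, 4)), set()
            if target(child, edges) == "crash":
                crashes.append(bytes(child))
            if not edges <= seen:  # new edge seen: coverage-increasing, keep it
                seen |= edges
                queue.append(child)
    return queue, seen, crashes

if __name__ == "__main__":
    q, cov, cr = fuzz(b"AAAA", 20000)
    print(len(q), "queue entries,", len(cov), "edges,", len(cr), "crashing inputs")
```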

CITATIONS

9 sources
[1] AFL is a representative coverage-guided fuzzer and mutation-based CGF mutates randomly created data guided by code coverage. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[2] The cross-level processor-verification study used unmodified AFL 2.56b as Vanilla AFL and compared it with Enhanced AFL. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] The study configured VexRiscv for RV32IM, used random seeds, used a 32-bit corpus value of 0x0000, and set a 24-hour runtime limit. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] The study defined #Queue as coverage-increasing non-mismatch test vectors and #Unique-Crash as unique mismatch-causing test vectors. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[5] Enhanced AFL used problem-specific mutations named Fast Exploration and Enhanced Havoc; Fast Exploration inserts each RISC-V instruction at the beginning of test vectors with x0 and immediate 0 arguments. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[6] The execution controller prevents infinite loops, detects processor-core mismatches, and applies a hard limit of 10,000 ISS instruction executions. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[7] The execution controller synchronizes comparisons on register-value changes and can stop simulation after detecting an ISS/RTL mismatch. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[8] Enhanced AFL generated fewer queue test vectors on average, but the Mann–Whitney U result for #Queue was not statistically significant at the stated 95% threshold. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[9] AFL++ is described as afl with community patches and additional features including QEMU 5.1 upgrade, collision-free coverage, enhanced laf-intel and redqueen, AFLfast++ power schedules, MOpt mutators, and unicorn_mode. AFLplusplus/AFLplusplus