Welcome to RSA Dark Arts Village 2022

This talk is aimed at providing hands on details on how to fuzz open source softwares on linux OS with AFL.

What will be covered

  1. How does a coverage guided fuzzer works?
  2. How to install AFL on linux based systems?
  3. How to fuzz a simple C program using AFL?
  4. How to fuzz TcpDump using AFL.
  5. Reporting crashes and bug bounties
  6. Conclusion

What is needed

  1. A laptop/desktop with atleast 8gb RAM and 40GB storage.
  2. Vmware/virtualbox installed.
  3. Internet connection.
  4. willingness to learn :)

Training VM Download

Click Here

Zip File password: infected

user name: kali

password: kali

Current: Principal Researcher @ Sophos, Bangalore, India

Past: Senior Security Researcher @ McAfee, Bangalore,India

Past: Security Researcher @ Symantec, Pune, India

Hardik Shah

What I do?

Official Blogs: https://news.sophos.com/en-us/author/hardik-shah/

Past Blogs: https://www.mcafee.com/blogs/author/hardik-shah/

Twitter: @hardik05

Bug Hunting

Problem with the manual approach?



Fuzzing is the process of automated bug finding. A fuzzer will generate or provide crafted input to a program and will monitor its behaviour. if its crashes then test case can be saved to further analysis and reproduction.


Coverage guideded fuzzers

Monitors program execution using compile time or runtime instrumentation and can generate new input files based on the paths taken.

Example: AFL,Honggfuzz,libfuzzer

Very useful and successful in finding bugs.

Interesting case study:

pulling jpeg out of thin air: https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html

$ mkdir in_dir
$ echo 'hello' >in_dir/hello
$ ./afl-fuzz -i in_dir -o out_dir ./jpeg-9a/djpeg

Basic blocks, Instrumentation and Code Coverage

1. Basic block

Consider following code:

basic block

What it looks like in IDA: basic block IDA

2. Code Coverage

3. Instrumentation?

compile time instrumentation

If source code is not available.

runtime instrumentation

What Is AFL?

Fuzzing strategies

AFL uses following fuzzing strategies:

Fuzzing Strategy


Bit Flip

Flips a bit i.e. 1 becomes 0, 0 becomes 1 - this can be done in steps of 1⁄1,2⁄1,4⁄1,8⁄8 ....32⁄8 (same strategy will be used for byteflip as well)

Byte Flip

Flips a byte - this can be done in steps of 1⁄1,2⁄1,4⁄1,8⁄8 ....32⁄8


Random arithmetic like addition/substraction of random values


Random strategy - anythings from bit/bytes/interest/splice/addition/subtraction


User provided dictionary or auto discovered tokens.


Replace content in original file with interesting values like: 0xff,0x7f etc – 8⁄8,16⁄8..


Splits and combine two or more files to get a new file.



Steps involved in the fuzzing:

fuzzing Steps

Corpus Collection


Corpus Mimization

Why do we need to Minimize input corpus?


afl-cmin –i input –o mininput -- ./program @@

Fuzzing the program

Crash Triaging and Minimisation

Root cause analysis

We found a crash by running fuzzer – now what?

$ git clone https://github.com/google/AFL.git
$ cd AFL
$ make
$ cd llvm_mode
$ make
$ cd ..
$ make install

This will install various compiler wrappers and utilities like:

you can install it by typing following command:

$ sudo apt install clang llvm

santizers helps in finding bugs at the eary stages of program execution.

There are various types of sanitizers which can be enabled at compile time by passing required options. you need to add following flags at compile time if you want to enable any of the sanitizers below:

1. ASAN (-fsanitize=address)
2. MSAN (-fsanitize=memory)
3. UBSAN (-fsanitize=undefined)
4. TSAN (-fsanitize=thread)


AFL has various environment variables like AFL_HARDEN, AFL_USE_ASAN and AFL_USE_MSAN etc. which can be used to enable support for this sanitizers as well as to do various fuzzing related customization. check here: https://github.com/mirrorer/afl/blob/master/docs/env_variables.txt






Goal: learning how to fuzz a program with AFL.

Fuzzing Damn vulnerable C program with AFL

Lets download it first:

$ git clone https://github.com/hardik05/Damn_Vulnerable_C_Program.git

Let's compile it using afl-gcc/afl-clang(when nothing works, use afl-gcc,afl-g++) :

$ afl-gcc -fsanitize=address,undefined -ggdb -O0 imgRead.c -o imgRead_afl

Generate some seed corpus

$ mkdir in
$ echo "IMG" > in/1.img

Fuzz it

$ afl-fuzz -i in -o out -m none -- ./imgRead_afl @@

you should see a screen like below: afl run

It has various status messages.

not all are needed. you can read more about them here: https://github.com/google/AFL/blob/master/docs/status_screen.txt

Get the source code of tcpdump and libpcap.

git clone https://github.com/the-tcpdump-group/tcpdump.git
cd tcpdump
git clone https://github.com/the-tcpdump-group/libpcap.git
cd libpcap

Compile it using AFL

CC=afl-gcc CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
sudo make && make install

it will complain about some missing dependencies, run following commands:

sudo apt install flex bison

your compilation should be succssfull.

How to get test corpus?

How to minimize it?

use afl-cmin, run following command:

afl-cmin –i tests –o mincorpus –m none -- ./tcpdump –vv –ee –nnr @@

You should see a screenshot something like below: afl-cmin

Lets, Fuzz it!

afl-fuzz –i mincorpus –o fuzzoutput –m none -- ./tcpdump –vv –ee –nnr @@

you should see something like this:

✅ Always report to vendor first.generally vendor have security@vendor.com email id. you can also check their website for security contact.

✅ Dont disclose anything until vendor releases the patch.

✅ Vendors may reward you with bug bounty for your work!

My youtube channel on fuzzing: Click here

Twitter: @hardik05

email: hardik05[AT]gmail[DOT]com

Website: fuzzing.in

Thanks everyone, hope you have enjoyed this workshop as much as I have enjoyed delivering it and creating contents and various excericses for it.