Fuzz Testing: Choosing a Seed File for AFL

David Moore
Published in Fuzz Stati0n
1 min read · Sep 1, 2017

Mutational fuzzers such as AFL require an initial input file — this file will be mutated many times by the fuzzer in an effort to find bugs by forcing the execution of unexpected paths through the target application.

While AFL is very good at finding new paths through a target, the right seed file can make the fuzz run much more efficient.

Here are some guidelines for choosing/creating a seed file:

  • The seed file should be a valid input file for the target application. While invalid input can sometimes yield interesting bugs and crashes, valid input will find more paths, sooner.
  • As it usually takes less time for a program to process smaller input files, the seed file should be small — under 1 KB. This will result in more executions per second.
  • Existing unit test suites often include input files — these can be useful seed files.
  • Using multiple seed files can be inefficient if there is a lot of code coverage or functionality overlap. AFL includes two minimization tools: afl-cmin, which drops files from a multi-file seed corpus whose coverage is already provided by other files, and afl-tmin, which shrinks an individual test case while preserving the paths it exercises.
  • Use the AFL-included seed files under the testcases/ directory for common file and data formats.
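To make the coverage-overlap point concrete, here is an added example (not AFL's own code and not from the original post) that applies two of the guidelines above to a constructed seed corpus: it flags seeds over the 1 KB size guideline as candidates for afl-tmin, and it performs the greedy per-edge selection that afl-cmin uses, keeping for every coverage edge the smallest seed that hits it. The seed names, sizes and edge sets are constructed sample data; in a real run the edge sets would come from afl-showmap.

```python
"""Greedy seed-corpus minimisation in the spirit of afl-cmin.

Added example: a re-implementation of the idea, not AFL's code.  Each
candidate seed is described by its size in bytes and the set of coverage
edges the target hit while processing it (constructed sample data below;
a real run would collect these with afl-showmap).
"""
from dataclasses import dataclass

MAX_SEED_BYTES = 1024  # the post's "under 1 KB" guideline


@dataclass(frozen=True)
class Seed:
    name: str
    size: int             # file size in bytes
    edges: frozenset      # coverage edge ids hit when the target parses it


# Constructed sample corpus: edge ids are arbitrary integers standing in
# for afl-showmap tuples.  Names are hypothetical.
SAMPLE_CORPUS = [
    Seed("tiny.png",   120,  frozenset({1, 2, 3})),
    Seed("small.png",  300,  frozenset({1, 2, 3, 4, 5})),
    Seed("alpha.png",  450,  frozenset({1, 2, 6})),
    Seed("dup.png",    300,  frozenset({1, 2, 3, 4, 5})),     # same coverage as small.png
    Seed("huge.png",   4096, frozenset({1, 2, 3, 4, 5, 6, 7})),  # only file reaching edge 7
]


def oversized(corpus, limit=MAX_SEED_BYTES):
    """Names of seeds above the size guideline; shrink these with afl-tmin
    before fuzzing rather than discarding them, since they may be the only
    seeds that reach some paths."""
    return [s.name for s in corpus if s.size > limit]


def minimise(corpus):
    """afl-cmin-style greedy selection.

    For each coverage edge keep the smallest seed that hits it (ties broken
    by name so the result is deterministic).  The union of those picks still
    covers every edge the full corpus covered, with redundant files removed.
    Note that a seed is kept whenever it is the cheapest way to reach *some*
    edge, so a large file that uniquely reaches an edge survives; that is the
    case for afl-tmin, not for deletion.
    """
    best_for_edge = {}
    for seed in corpus:
        for edge in seed.edges:
            current = best_for_edge.get(edge)
            if current is None or (seed.size, seed.name) < (current.size, current.name):
                best_for_edge[edge] = seed
    # Each surviving seed appears once, ordered smallest first.
    return sorted(set(best_for_edge.values()), key=lambda s: (s.size, s.name))


def covered_edges(corpus):
    """All edges reached by a corpus; used to check that minimisation lost nothing."""
    edges = set()
    for seed in corpus:
        edges |= seed.edges
    return edges


if __name__ == "__main__":
    kept = minimise(SAMPLE_CORPUS)
    print("keep:", [s.name for s in kept])
    print("shrink with afl-tmin:", oversized(kept))
    assert covered_edges(kept) == covered_edges(SAMPLE_CORPUS)
```

On the sample data, dup.png and small.png have identical coverage, so only one of them survives; huge.png is kept because it is the only seed reaching edge 7, and the size check then singles it out as the file to shrink. That split between "which files" (afl-cmin) and "how big each file is" (afl-tmin) is the reason the post names both tools.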

To help optimize a seed file, run afl-analyze — this tool runs the target application repeatedly while modifying bytes from the seed file, and reports which byte ranges appear to matter to the target's control flow.

For information on Fuzz Stati0n’s scalable, cloud based continuous fuzz testing solution, please see our website.
