After completing this exercise, you will know the basis of fuzzing with AFL, such as:

Compiling a target application with instrumentation
Running a fuzzer (afl-fuzz)
Triaging crashes with a debugger (GDB)

export LLVM_CONFIG="llvm-config-11"
CC=$HOME/Fuzz/AFL++/afl-clang-fast CXX=$HOME/Fuzz/AFL++/afl-clang-fast++ ./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

@@:

这是 AFL++ 中的一个特殊占位符。在模糊测试过程中,AFL++ 会将 @@ 替换为当前生成或变异的测试用例文件的路径。
每次 AFL++ 运行一次测试迭代时，它会用一个生成的 PDF 文件路径来替换 @@，以模拟实际输入提供给 pdftotext。

在每次模糊测试迭代中,pdftotext 将：

接收 @@ 替代的 PDF 文件作为输入，
将内容转换为文本，
并将结果保存到 $HOME/fuzzing_xpdf/output。

afl-fuzz -i $HOME/fuzzing_xpdf/pdf_examples/ -o $HOME/fuzzing_xpdf/out/ -s 123 -- $HOME/fuzzing_xpdf/install/bin/pdftotext @@ $HOME/fuzzing_xpdf/output

rm -r $HOME/fuzzing_xpdf/install
cd $HOME/fuzzing_xpdf/xpdf-3.02/
make clean
CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix="$HOME/fuzzing_xpdf/install/"
make
make install

gdb --args $HOME/fuzzing_xpdf/install/bin/pdftotext $HOME/fuzzing_xpdf/out/default/crashes/<your_filename> $HOME/fuzzing_xpdf/output
run
bt

Once you complete this exercise you will know how:

To fuzz a library using an external application
To use afl-clang-lto, a collision free instrumentation that is faster and provides better results than afl-clang-fast
To use Eclipse IDE as an easy alternative to GDB console for triaging

Once you complete this exercise you will know:

What is ASan (Address Sanitizer), a runtime memory error detection tool
How to use ASAN to fuzz a target
How much easy is to triage the crashes using ASan

AddressSanitizer (ASan) is a fast memory error detector for C and C++. It consists of a compiler instrumentation module and a run-time library. 
The tool is capable of finding out-of-bounds accesses to heap, stack, and global objects, as well as use-after-free, double-free and memory leaks bugs.

cd $HOME/fuzzing_tcpdump/tcpdump-4.9.2/
AFL_USE_ASAN=1 CC=afl-clang-lto ./configure --prefix="$HOME/fuzzing_tcpdump/install/"
AFL_USE_ASAN=1 make
AFL_USE_ASAN=1 make install

Once you complete this exercise you will know:

How to measure code coverage using LCOV
How to use code coverage data to improve the effectiveness of fuzzing

Once you complete this exercise you will know how:

To use custom dictionaries for helping the fuzzer to find new execution paths
To parallelize the fuzzing job accross multiple cores

#You will usually have only one master instance at a time:

./afl-fuzz -i afl_in -o afl_out -M Master -- ./program @@
#and N-1 number of slaves:

./afl-fuzz -i afl_in -o afl_out -S Slave1 -- ./program @@
./afl-fuzz -i afl_in -o afl_out -S Slave2 -- ./program @@
#...
./afl-fuzz -i afl_in -o afl_out -S SlaveN -- ./program @@

-x ./dictionaries/xml.dict 

"GET"
"POST"
"{"
"}"
"username"
"password"

"{"
"}"
"["
"]"
":"
","
"true"
"false"
"null"

afl-fuzz -i input_dir -o output_dir -x json.dict -- target_program @@