AFL Runner is built around the AFL++ multi-core fuzzing guide and automates the most tedious parts: distributing power schedules across instances, assigning CMPLOG and CMPCOV binaries to the right runners, and wiring everything into a managed tmux or screen session. This walkthrough takes you from a bare target source tree to a fully instrumented, 16-core fuzzing campaign running under the built-in TUI.
AFL Runner focuses on the campaign-execution stage. Selecting a good seed corpus, writing a harness, and debugging crashes are outside its scope — have those ready before you begin.
Compile the target in multiple instrumentation flavors
AFL++ extracts the most coverage when each instance of afl-fuzz runs a binary compiled with a different instrumentation strategy. Build four variants:
Only the main (-t) binary is strictly required. The sanitizer, CMPLOG, and CMPCOV binaries are optional but strongly recommended for deep campaigns.
Prepare a minimal seed corpus
AFL++ needs at least one valid input to bootstrap mutation. A small but representative seed corpus dramatically outperforms a single dummy file.
For file-format targets (XML, PDF, PNG, …) drop a few real-world samples into ./corpus instead. AFL Runner will verify the directory is non-empty before starting and will create a placeholder if it is empty.
(Optional) Create an aflr config file
For campaigns you run repeatedly, storing all options in a TOML file is cleaner than long CLI invocations. Place the file in your working directory as aflr_cfg.toml and AFL Runner will pick it up automatically — no --config flag needed.
Command-line flags always override config file values, so you can tweak individual runs without editing the file.
Preview the generated commands
Use aflr gen to print the AFL++ invocations without executing anything. This is the safest way to verify that runner counts, binary assignments, and power schedules look correct before committing to a long campaign.
The output shows each afl-fuzz invocation in full, including the -M/-S designators, power schedules (-p), mutation modes (-P), and which runners carry the -c (CMPLOG) flag.
Launch the campaign
Replace gen with run to create the tmux session and start all fuzzers. Add --tui to open the built-in monitoring TUI immediately after the session starts.
AFL Runner will prompt once for confirmation, then create the tmux session, write a PID file to /tmp/.my_campaign_<pid>.pids, and — because --tui was passed — launch the TUI overlay rather than attaching to the raw tmux session.
Monitor campaign progress
The AFL Runner TUI aggregates data from all fuzzer instances in a single terminal view. Its panels mirror the information in afl-whatsup but update live:

| Panel | What it shows |
|---|---|
| Process timing | Runtime, last find time, last crash/hang time per instance |
| Overall results | Aggregate execs/sec, corpus entries, crashes, hangs |
| Stage progress | Current mutation stage and cycle depth |
| Nerd stats | Stability, bitmap coverage, path counts |
| Crashes / Hangs | Running totals with timestamps |
| Logs | Live stderr output from each afl-fuzz process |

You can also launch the TUI independently against any existing output directory:
This makes aflr tui a full drop-in replacement for afl-whatsup.
How AFL Runner distributes strategies across runners
In multiple-cores mode (the default), AFL Runner implements the AFL++ best-practice distribution automatically:
- Instance 0 is always the main fuzzer (-M), running with no special mutation modifiers.
- Power schedules cycle across all instances in order: fast → explore → coe → lin → quad → exploit → rare, then repeat.
- Mutation modes (-P explore/-P exploit) are assigned probabilistically: ~40 % of secondaries get explore, ~20 % get exploit.
- CMPLOG (-c) is assigned to roughly 30 % of runners, split across Standard (-l 2), Extended (-l 3), and Transforms (-l 2AT) modes.
- CMPCOV (Laf-intel binary) replaces the target binary on up to 2–3 secondary runners depending on total runner count.
- MOpt mutator (-L 0) and sequential queue cycling (-Z) are sprinkled in at ~10 % probability each.
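
A check for the aflr gen preview step, written against the layout rules listed above (added example, not AFL Runner's own code). It assumes the preview has been saved with one afl-fuzz command per line; the sample commands, paths and instance names are constructed.

```python
import shlex
from collections import Counter

# Power schedules named in the distribution list above.
SCHEDULES = {"fast", "explore", "coe", "lin", "quad", "exploit", "rare"}
# afl-fuzz switches that take no value (subset; every other switch is read with one value).
NO_VALUE = {"-Z", "-D", "-Q", "-O", "-U", "-n", "-C"}

# Constructed sample, assuming one afl-fuzz command per line; paths and names are placeholders.
SAMPLE = """\
afl-fuzz -i corpus -o out -M main_0 -p fast -- ./target @@
afl-fuzz -i corpus -o out -S sec_1 -p explore -P explore -c ./target_cmplog -l 2 -- ./target @@
afl-fuzz -i corpus -o out -S sec_2 -p coe -Z -- ./target_cmpcov @@
afl-fuzz -i corpus -o out -S sec_3 -p lin -L 0 -- ./target @@
"""

def parse(line):
    """Return the afl-fuzz options of one command line as a dict."""
    argv = shlex.split(line)
    start = next(i for i, tok in enumerate(argv) if tok.endswith("afl-fuzz"))
    opts, it = {}, iter(argv[start + 1:])
    for tok in it:
        if tok == "--":                      # the token after this is the target binary
            opts["target"] = next(it, None)
            break
        opts[tok] = True if tok in NO_VALUE else next(it, None)
    return opts

def audit(text):
    """Check generated commands against the layout rules; return (summary, problems)."""
    runs = [parse(l) for l in text.splitlines() if "afl-fuzz" in l]
    problems = []
    mains = [r for r in runs if "-M" in r]
    if len(mains) != 1:
        problems.append(f"expected exactly one -M instance, found {len(mains)}")
    if any("-P" in r for r in mains):
        problems.append("main instance carries a -P mutation mode")
    names = Counter(r.get("-M") or r.get("-S") for r in runs)
    problems += [f"instance name missing or reused: {n}" for n, c in names.items() if n is None or c > 1]
    for r in runs:
        if "-p" in r and r["-p"] not in SCHEDULES:
            problems.append(f"unlisted power schedule: {r['-p']}")
        if "-l" in r and "-c" not in r:
            problems.append("-l (CMPLOG level) given without -c")
    summary = {"runners": len(runs), "cmplog": sum("-c" in r for r in runs),
               "schedules": dict(Counter(r.get("-p") for r in runs)),
               "targets": dict(Counter(r.get("target") for r in runs))}
    return summary, problems
```

The targets count in the summary shows how many runners were given a different binary than the rest, which is where a CMPCOV substitution would appear.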