
Agentic-AFL is an asynchronous, neuro-symbolic fuzzing orchestration framework that runs alongside AFL++ as an intelligent co-process. When AFL++ stalls on a cryptographic or arithmetic check — such as a CRC validation or protocol checksum — the agent extracts a Ghidra P-Code slice from the stall site, uses an LLM to translate it into a Z3 SMT script, solves the constraint, and injects the resulting payload back into AFL++ without ever pausing fuzzer execution.

Quickstart

Run your first Agentic-AFL campaign in minutes with a pre-compiled harness

How It Works

Understand the Extract → Translate → Solve → Inject pipeline

CLI Reference

Full flag reference for the agentic-afl fuzz and plot commands

Python API

Embed Agentic-AFL in your own tooling with the CampaignRunner API

What Agentic-AFL Does

Standard AFL++ is highly effective at discovering shallow bugs but stalls when a code path is gated by a mathematical invariant — a CRC-16 check, a protocol sequence number, an HMAC digest. Agentic-AFL detects these stalls and solves them automatically.

P-Code Extraction

Ghidra headless analysis extracts a taint-bounded backward P-Code slice from the binary at the stall address

Z3 Synthesis

An LLM translates the P-Code into a Z3Py SMT script. K-way voting and a ReAct self-repair loop maximize solve rate

Payload Injection

Solved payloads are written atomically to AFL++'s sync directory — zero impact on fuzzer throughput
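
The atomic hand-off matters because AFL++ instances import each other's work by periodically scanning the queue/ directories under the shared sync dir; a reader that opened a half-written file would import a truncated test case. The following is an added illustration of that write pattern, not Agentic-AFL's own code: the payload is staged in a temporary file in the same directory and then published with a single rename. The instance name "agent" and the id:NNNNNN,src:agent file naming are assumptions modelled on AFL++'s queue layout; the payload bytes are constructed.

```python
"""Atomic payload hand-off into an AFL++ sync directory (added illustration).

The staging file is created in the destination directory itself so that
os.replace() is a same-filesystem rename, which is atomic on POSIX: any
AFL++ instance scanning queue/ sees either no file or the complete file.
"""
import os
import tempfile
from pathlib import Path


def next_queue_id(queue_dir: Path) -> int:
    """Return one past the highest id:NNNNNN entry already in queue_dir."""
    ids = []
    for entry in queue_dir.iterdir():
        if entry.name.startswith("id:"):
            try:
                ids.append(int(entry.name[3:9]))
            except ValueError:
                continue  # not an AFL-style queue entry; ignore it
    return max(ids, default=-1) + 1


def inject_payload(sync_dir: Path, instance: str, payload: bytes) -> Path:
    """Publish `payload` as a new queue entry of `instance` and return its path.

    `instance` (e.g. "agent") is the name of the pseudo-fuzzer the solver
    publishes under; this name and the ",src:agent" suffix are assumptions.
    """
    queue_dir = sync_dir / instance / "queue"
    queue_dir.mkdir(parents=True, exist_ok=True)
    final = queue_dir / f"id:{next_queue_id(queue_dir):06d},src:agent"

    # Stage in queue_dir. The ".tmp-" name does not match the id: pattern
    # AFL++ parses when syncing, so the partial file is never imported.
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=queue_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())  # data on disk before the name becomes visible
        os.replace(tmp, final)  # atomic publish
    except BaseException:
        # Never leave a partial file behind on failure.
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def demo() -> dict:
    """Stand-alone run in a throwaway sync dir; returns what was published."""
    sync_dir = Path(tempfile.mkdtemp(prefix="afl-sync-"))
    published = [
        inject_payload(sync_dir, "agent", b"\x00\x00\x10\x21"),  # constructed payload
        inject_payload(sync_dir, "agent", b"\xff\xff\x00\x01"),  # constructed payload
    ]
    queue_dir = sync_dir / "agent" / "queue"
    return {
        "names": [p.name for p in published],
        "contents": [p.read_bytes() for p in published],
        "leftover_tmp": sorted(
            p.name for p in queue_dir.iterdir() if p.name.startswith(".tmp-")
        ),
    }


if __name__ == "__main__":
    print(demo())
```

Because the rename is the only step that makes the entry visible, the fuzzer never blocks on the agent and never has to be paused, which is the property the page describes as zero impact on throughput.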

Key Features

  • K-way voting — generates K Z3 scripts in parallel, picks the first SAT result; mitigates LLM syntax error rates
  • ReAct self-repair — feeds Z3 error messages back to the LLM for up to N iterative repair attempts
  • CARM retrieval — Jaccard similarity search over PostgreSQL retrieves past successful Z3 templates for similar stalls
  • Harvest mode — autonomously builds a CARM corpus by verifying solves with AFL++ edge-coverage deltas
  • Multi-architecture — ARM32, ARM64, x86, x86_64, MIPS32, PPC32
  • Rich TUI — live braille-dot coverage sparkline, pipeline stage tracker, and event log

Get Started

1. Install dependencies: install AFL++, Ghidra, Z3, and the Python package. Set your LLM API key in .env.
2. Compile your harness: build your target with afl-cc instrumentation so AFL++ can measure coverage.
3. Run the campaign: agentic-afl fuzz ./harness -i ./seeds --duration 1h --tui
4. Review results: campaign results are written to JSON in --log-dir. Use agentic-afl plot to visualize coverage over time.

Agentic-AFL requires AFL++ 4.x, Ghidra 11.x, Python 3.11+, and a PostgreSQL instance for the CARM spec store. See the Quickstart for full prerequisites.
