Symposium sur la sécurité des technologies de l'information et des communications (Symposium on the Security of Information and Communication Technologies)

A French-language conference on information security.
It will take place in Rennes from 4 to 6 June 2025.

afl-cov-fast: code coverage for AFL++ fuzzing campaigns
Jean-Romain Garnier


Date: 4 June 2025 at 16:15 (15 min).

afl-cov-fast is a tool that generates code-coverage reports from AFL++ test cases (the queue produced by a fuzzing campaign). It aims to efficiently produce a "zero coverage" report listing the functions and lines that no test case ever executed, both when source code is available and in binary-only mode via AFL++'s QEMU and Frida backends.

A typical use case is running an AFL++ campaign to find bugs. After the fuzzer has run for a while, one wants to know whether the code has been properly covered. If not, it is worth understanding why: are patches to the target required? Should a wider variety of samples be added to the corpus? Should the fuzzer's configuration be modified?
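To make the "zero coverage" report concrete, here is an added example (not afl-cov-fast's own code, which is not reproduced on this page). It takes one lcov tracefile per AFL++ queue entry, as `lcov --capture` emits after replaying each entry through a gcov-instrumented build, sums the hits over the whole queue, and then reports two things a practitioner wants after a campaign: functions that were never called at all, and unhit lines inside functions that did run (branches the corpus reaches but never takes). The tracefile contents, source paths and function names are constructed for the example.

```python
# Added example (not afl-cov-fast's own code): the "zero coverage" computation
# described in the abstract, run on constructed lcov tracefiles, one per AFL++
# queue entry.  Paths and function names are made up.
import bisect
from collections import defaultdict
from dataclasses import dataclass, field

QUEUE_TRACEFILES = {  # constructed sample data, keyed by AFL++ queue id
    "id:000000": """\
SF:/src/parser.c
FN:10,parse_header
FN:30,parse_body
FN:55,handle_error
FNDA:1,parse_header
FNDA:0,parse_body
FNDA:0,handle_error
DA:10,1
DA:30,0
DA:31,0
DA:55,0
end_of_record
""",
    "id:000001": """\
SF:/src/parser.c
FN:10,parse_header
FN:30,parse_body
FN:55,handle_error
FNDA:1,parse_header
FNDA:1,parse_body
FNDA:0,handle_error
DA:10,1
DA:30,1
DA:31,0
DA:55,0
end_of_record
SF:/src/util.c
FN:3,hexdump
FNDA:0,hexdump
DA:3,0
end_of_record
""",
}


@dataclass
class FileCov:
    fn: dict = field(default_factory=dict)                      # name -> [start_line, hits]
    da: dict = field(default_factory=lambda: defaultdict(int))  # line -> hits


def merge_tracefiles(texts):
    """Sum line and function hits over all tracefiles into {path: FileCov}."""
    merged = {}
    for text in texts:
        cur = None
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("SF:"):
                cur = merged.setdefault(line[3:], FileCov())
            elif line == "end_of_record":
                cur = None
            elif cur is None:
                continue                      # TN: and anything outside a record
            elif line.startswith("FN:"):      # FN:<start>,<name> or FN:<start>,<end>,<name>
                parts = line[3:].split(",")
                cur.fn.setdefault(parts[-1], [None, 0])[0] = int(parts[0])
            elif line.startswith("FNDA:"):    # FNDA:<hits>,<name>
                hits, name = line[5:].split(",", 1)
                cur.fn.setdefault(name, [None, 0])[1] += int(hits)
            elif line.startswith("DA:"):      # DA:<line>,<hits>[,<checksum>]
                lineno, hits = line[3:].split(",")[:2]
                cur.da[int(lineno)] += int(hits)
    return merged


def zero_coverage(merged):
    """(never_called, dead_lines): functions with zero hits, and unhit lines that
    sit inside a function that did run.  A line is attributed to the function with
    the greatest start line <= it (approximation: FN has no end line before lcov 2.0)."""
    never_called, dead_lines = [], []
    for path in sorted(merged):
        fc = merged[path]
        starts = sorted((s, n) for n, (s, _) in fc.fn.items() if s is not None)
        keys = [s for s, _ in starts]
        never_called += [(path, n, s) for s, n in starts if fc.fn[n][1] == 0]
        for lineno in sorted(l for l, h in fc.da.items() if h == 0):
            idx = bisect.bisect_right(keys, lineno) - 1
            owner = starts[idx][1] if idx >= 0 else None
            if owner is None or fc.fn[owner][1] > 0:
                dead_lines.append((path, lineno))
    return never_called, dead_lines


def campaign_report(tracefiles=QUEUE_TRACEFILES):
    """Zero-coverage report for a queue: (never_called, dead_lines, {path: (hit, total)})."""
    merged = merge_tracefiles(tracefiles.values())
    never_called, dead_lines = zero_coverage(merged)
    summary = {p: (sum(h > 0 for _, h in fc.fn.values()), len(fc.fn)) for p, fc in merged.items()}
    return never_called, dead_lines, summary


if __name__ == "__main__":
    never_called, dead_lines, summary = campaign_report()
    print("functions hit per file:", summary)
    print("never called:", never_called)
    print("unreached lines in called functions:", dead_lines)
```

On the constructed queue this reports `handle_error` and `hexdump` as never called, and line 31 of parser.c as reachable but never taken, which is the kind of finding that tells you whether to add samples, patch the target, or change the fuzzer configuration. Each tracefile is parsed independently of the others, so on a large queue the per-file parsing is the part to spread across a process pool; only the final summation needs to be serialised.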

There are existing projects to help with this endeavor:

However, they have various limitations:

  • Limited backend support (only when source code is available, or only binary targets via the QEMU backend),
  • Maintenance burden (some are based on a fork of QEMU that is usually not kept up to date),
  • Performance that does not always scale to large campaigns.

afl-cov-fast aims to offer a unified interface for source-code and binary-only fuzzing via the various backends implemented in AFL++. It also improves performance by reducing Python overhead and by using multi-processing. The authors have also upstreamed contributions to AFL++ and qemuafl, which reduces the maintenance effort.