Binary & Protocol Fuzzing
AFL++, libFuzzer, Honggfuzz, Boofuzz — finding bugs by feeding garbage in.
Fuzzing is the highest-leverage way to find memory-safety and logic bugs in code you don't want to read. Coverage-guided fuzzing (AFL family) revolutionised the field; differential / structure-aware fuzzers are now mainstream. For web / HTTP-shaped fuzzing see Web Fuzzing & Content Discovery. For SAST see Security Scanning.
Coverage-guided fuzzers (the core)
- ★ AFL++ — community fork that rolled together every AFL improvement (LLVM mode, QEMU-mode, frida-mode, persistent-mode, redqueen, lafintel). The 2024–26 default. Free.
- ★ libFuzzer — in-process fuzzer that ships with Clang / LLVM; trivial to integrate into a C/C++ codebase via
LLVMFuzzerTestOneInput. Pairs with sanitizers. Free. - ★ Honggfuzz (Google) — coverage-guided; software / hardware (Intel PT) feedback; multi-process; fast at process-spawn workloads. Free.
- AFL.rs / cargo-fuzz — Rust integration over libFuzzer / honggfuzz.
- go-fuzz / native Go fuzz (1.18+) —
go test -fuzz=; built into the Go toolchain. - jazzer — Java / JVM coverage-guided fuzzer; libFuzzer-compatible.
- Atheris — Python libFuzzer port (Google).
- fuzzilli — JavaScript-engine fuzzer (V8, JSC, SpiderMonkey).
- OSS-Fuzz (Google) — free continuous fuzzing for OSS projects; runs your harnesses against AFL++ / libFuzzer / honggfuzz / centipede.
Structure-aware / grammar-based
- Centipede (Google) — distributed coverage-guided; OSS-Fuzz uses it.
- Nautilus / Grimoire — grammar-aware mutators on top of AFL.
- libprotobuf-mutator — protobuf-aware mutations; pairs with libFuzzer.
- Domato (Google) — DOM / HTML grammar fuzzer.
- Peach Fuzzer Community — protocol fuzzer; legacy.
Network / protocol fuzzers
- Boofuzz — Python network protocol fuzzer; spike / sulley successor. Free.
- AFLNet — AFL extension for stateful network protocols.
- mutiny-fuzzer (Cisco Talos) — replay-and-mutate from .pcap.
- Frida-fuzzer — instrument any binary, fuzz with Frida hooks.
Web / API fuzzing (link section)
- See Web Fuzzing & Content Discovery — ffuf, feroxbuster, Gobuster, dirsearch, wfuzz.
- RESTler (Microsoft) — stateful REST API fuzzer.
- Schemathesis — property-based OpenAPI fuzzer; finds security issues incidentally. See OpenAPI Tooling.
Symbolic execution / hybrid
- angr — Python symbolic execution; pair with AFL via driller.
- KLEE — academic symbolic exec for LLVM bitcode.
- Manticore (Trail of Bits) — symbolic / concolic for x86, ARM, EVM.
- fuzzgen / SymCC / SymQEMU — concolic add-ons to coverage fuzzers.
Sanitizers (the multiplier)
- ★ AddressSanitizer (ASan) — heap / stack out-of-bounds; turn on for every fuzz harness.
- UndefinedBehaviorSanitizer (UBSan) — undefined behaviour.
- MemorySanitizer (MSan) — uninit reads.
- ThreadSanitizer (TSan) — data races.
- HWASan — ARM hardware-tagged ASan; cheaper.
- libcheck / Valgrind — older equivalents.
Corpus & seed handling
- AFL_TMIN / afl-tmin — minimise crashing inputs.
- afl-cmin — minimise corpus to coverage-equivalent set.
- fuzzbench (Google) — benchmark fuzzers against each other.
-x dictionaries/— token dictionaries for AFL/libFuzzer dramatically improve discovery.- Magic value strings — ship dicts for PNG / JPEG / PDF / HTML / SQL / your protocol.
Continuous fuzzing in CI
- ★ OSS-Fuzz (Google) — free, continuous, for OSS projects — open an issue if you maintain a C / C++ / Rust / Go / Java / Python library.
- ClusterFuzzLite — self-hosted; sit beside your CI for closed-source / private code.
- Mayhem (ForAllSecure) — paid commercial fuzzing platform.
- Code Intelligence CI Sense — paid; CI-native fuzzing.
Pick this if…
- C / C++ library, default modern fuzzer: AFL++ + libFuzzer harnesses + ASan.
- Continuous OSS fuzzing, free: OSS-Fuzz.
- Network protocol black-box: Boofuzz or AFLNet.
- Rust / Go: built-in fuzz support (
cargo-fuzz/go test -fuzz). - REST API: Schemathesis or RESTler.
- Closed source binary: AFL++ qemu-mode or frida-mode.
- Burn extra coverage: add Centipede + structure-aware mutators.