AFL_SKIP_BIN_CHECK

export AFL_SKIP_BIN_CHECK=1 is an environment variable setting that tells AFL++ to stop complaining that your target program doesn’t look like it was compiled with AFL.

By default, AFL++ checks your target binary for specific “instrumentation” markers before it starts. If it doesn’t find them, it assumes you made a mistake (like compiling with gcc instead of afl-cc) and refuses to run to save you from wasting time.

When should you use this?

You generally should not use this unless you know exactly why. However, here are the valid scenarios where it is required:

1. You are fuzzing a script (Python, Bash, etc.)
AFL++ is designed for compiled binaries (C/C++). If you are using a wrapper to fuzz a Python script, AFL checks the wrapper (e.g., /usr/bin/python), sees it wasn’t compiled with afl-cc, and errors out.

• Solution: Set AFL_SKIP_BIN_CHECK=1 so AFL++ ignores that the python binary isn’t instrumented, trusting that your wrapper handles the fuzzing logic.

2. You are using “Blackbox” Fuzzing (QEMU/Frida mode)
Sometimes when using QEMU mode (-Q) or Frida mode to fuzz a binary you don’t have source code for, AFL++ might still fail the initial check because the binary looks “weird” or stripped.

• Solution: Setting this bypasses the check so QEMU can handle the instrumentation dynamically.

3. You are using a custom wrapper
If you wrote a C program that calls another program, or a shell script that pipes input to a binary, AFL++ might not detect the instrumentation in the final target.

The Danger

If you set this variable when you are NOT in one of the above special scenarios, AFL++ will run, but it will not find any bugs.

• It will run the program blindly.
• It will not receive coverage feedback (it won’t know which inputs are “good”).
• It will effectively be a random number generator throwing garbage at your program, which is extremely inefficient.

Summary: Only use export AFL_SKIP_BIN_CHECK=1 if AFL++ refuses to run and you are sure you are using a special fuzzing mode (like scripts or binary-only) where standard instrumentation is not expected.

---

The specific “instrumentation” markers AFL++ checks

AFL++ checks for two types of markers: Static Symbols (variables in the binary) and Runtime Behavior (the forkserver handshake).

When you set AFL_SKIP_BIN_CHECK=1, you are telling AFL++ to ignore the absence of both.

1. Static Markers (Symbols)

AFL++ inspects your binary (roughly equivalent to running nm or readelf) to see if specific variables injected by the compiler exist. If they are missing, it assumes the binary was compiled with standard gcc instead of afl-cc.

The most critical symbols it looks for are:

• __afl_area_ptr: This is a pointer to the “Shared Memory” map where code coverage is stored. It is the single most important variable for AFL.
• __afl_prev_loc: A thread-local variable that stores the ID of the previous basic block executed (used to calculate edge coverage: A -> B).
• __afl_map_size: Stores the size of the coverage map (usually 64KB).

If you strip your binary (using strip), these symbols might be removed from the symbol table, causing AFL++ to think the binary is not instrumented, even if it actually is.

2. Runtime Markers (The Forkserver Handshake)

This is the functionality check. When afl-fuzz starts, it tries to “wake up” the instrumentation inside your target.

1. The Handshake: AFL++ sends a signal to your target program via a specific file descriptor (Control Pipe, usually FD 198).
2. The Response: It expects the target to pause immediately (before main typically starts) and send exactly 4 bytes back via another file descriptor (Status Pipe, usually FD 199).

If the program just runs normally and doesn’t send those 4 bytes back, AFL++ concludes: “This program doesn’t have the forkserver built-in,” and aborts.

Summary

When you use export AFL_SKIP_BIN_CHECK=1:

• It skips the symbol check: It won’t complain if __afl_area_ptr is missing.
• It skips the handshake requirement: It will run the program blindly (using execve every time instead of the forkserver), which is much slower and provides no coverage feedback unless you are using QEMU (-Q) or Frida mode.