Nyx is a full system emulation fuzzing mode that supports snapshotting and works with both source code instrumentation and binary-only targets. It's built on KVM and QEMU for high performance.
Overview
Nyx mode is recommended when the target cannot be fuzzed in persistent mode and would otherwise have to run in the default fork-server mode, where every execution forks the target. Nyx replaces that fork with a VM snapshot restore, giving full system emulation with efficient snapshotting.
Platform support: Linux only
Architectures: x86_64 (aarch64 support in development)
Kernel requirements:
- Source instrumentation: Linux kernel 5.11+
- Binary-only (Intel PT): special 5.10 kernel with KVM-Nyx
Building Nyx Mode
Install all packages from the main installation guide.
Preparing Targets
Source Instrumentation
You can use any afl-cc mode; LTO mode even supports the auto-dictionary. CMPLOG is not currently supported in Nyx mode.
Packaging the Target
Nyx requires targets to be specially packaged for full system emulation. For a source-instrumented target (built with afl-cc):

```bash
python3 nyx_mode/packer/packer/nyx_packer.py \
    /PATH/TO/TARGET \
    PACKAGE-DIRECTORY \
    afl \
    instrumentation \
    --fast_reload_mode \
    --purge
```

For a binary-only target traced with Intel PT (requires the KVM-Nyx kernel):

```bash
python3 nyx_mode/packer/packer/nyx_packer.py \
    /PATH/TO/TARGET \
    PACKAGE-DIRECTORY \
    afl \
    processor_trace \
    --fast_reload_mode \
    --purge
```

If the target reads its input from a file rather than from stdin, pass the input path with -file and the target's command line with -args, referencing the same path in both:

```bash
python3 nyx_mode/packer/packer/nyx_packer.py \
    /PATH/TO/TARGET \
    PACKAGE-DIRECTORY \
    afl \
    instrumentation \
    -file /path/to/input.file \
    -args "--file /path/to/input.file --other-args" \
    --fast_reload_mode \
    --purge
```
Fuzzing with Nyx Mode
Load KVM Modules
Before fuzzing, load the required kernel modules.
Standalone Fuzzing
For single-instance fuzzing, pass -X to afl-fuzz and give it the package directory as the target. If you get a forkserver error, ensure the KVM kernel modules are loaded (see above).
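The host check and the afl-fuzz command lines for standalone mode and for the parallel setup described under Parallel Fuzzing, as an added example that is not part of the AFL++ documentation or code base. The -X flag is the one this page documents; the -Y secondary flag, the rule that instance 0 (-M 0) is the main that creates the snapshot the secondaries attach to, the module names kvm/kvm_intel, the enable_vmware_backdoor=y parameter and the sysfs paths are assumptions taken from Nyx's host requirements rather than from this page.

```bash
#!/bin/sh
# Added example, not AFL++'s own code.  Helpers for a Nyx fuzzing session:
# a host readiness check (the usual cause of the forkserver error mentioned
# above) and the afl-fuzz command lines for standalone and parallel mode.
# Assumptions, not stated on this page: module names kvm/kvm_intel (kvm_amd
# on AMD), the enable_vmware_backdoor=y parameter, the sysfs paths checked
# below, and that in parallel mode instance 0 (-M 0 -X) creates the snapshot
# that the secondaries (-S n -Y) share.

# nyx_host_ready [ROOT]
# Succeeds when the kvm module is loaded with the VMware backdoor enabled and
# /dev/kvm exists.  ROOT prefixes every path so the check can be exercised
# against a fake tree; leave it empty on a real host.
nyx_host_ready() {
    root="${1:-}"
    param="$root/sys/module/kvm/parameters/enable_vmware_backdoor"
    if [ ! -d "$root/sys/module/kvm" ]; then
        echo "kvm module is not loaded" >&2; return 1
    fi
    if [ ! -e "$param" ] || [ "$(cat "$param")" != "Y" ]; then
        echo "kvm is loaded without enable_vmware_backdoor=y" >&2; return 1
    fi
    if [ ! -e "$root/dev/kvm" ]; then
        echo "$root/dev/kvm is missing" >&2; return 1
    fi
    return 0
}

# nyx_load_kvm: reload the modules with the parameter Nyx needs (run as root;
# the module names are an assumption, see above).
nyx_load_kvm() {
    modprobe -r kvm_intel && modprobe -r kvm &&
    modprobe kvm enable_vmware_backdoor=y && modprobe kvm_intel
}

# nyx_fuzz_cmd PACKAGE INDIR OUTDIR [INSTANCE]
# Prints the afl-fuzz invocation for a packaged target.  No INSTANCE:
# standalone mode (-X).  INSTANCE 0: the main of a parallel run (-M 0 -X).
# Any other INSTANCE: a secondary that shares the main's snapshot (-S n -Y).
nyx_fuzz_cmd() {
    pkg="$1"; indir="$2"; outdir="$3"; inst="${4:-}"
    if [ -z "$inst" ]; then
        echo "afl-fuzz -i $indir -o $outdir -X -- $pkg"
    elif [ "$inst" -eq 0 ]; then
        echo "afl-fuzz -i $indir -o $outdir -M 0 -X -- $pkg"
    else
        echo "afl-fuzz -i $indir -o $outdir -S $inst -Y -- $pkg"
    fi
}

# nyx_parallel_cmds PACKAGE INDIR OUTDIR COUNT
# One command per line for COUNT instances, the main first so that it has
# created the snapshot by the time the secondaries start.
nyx_parallel_cmds() {
    i=0
    while [ "$i" -lt "$4" ]; do
        nyx_fuzz_cmd "$1" "$2" "$3" "$i"
        i=$((i + 1))
    done
}
```

Typical use: `nyx_host_ready || nyx_load_kvm`, then `nyx_fuzz_cmd /tmp/nyx_libxml2 /tmp/in /tmp/out` for a single instance, or `nyx_parallel_cmds /tmp/nyx_libxml2 /tmp/in /tmp/out 4` and start each printed line in its own terminal, main first.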
Parallel Fuzzing
Nyx mode requires a special parallel fuzzing setup: the main instance and the secondaries are started with different Nyx flags, so the usual -M/-S invocation alone is not enough.
AFL++ Companion Tools
All AFL++ tools support Nyx mode with the -X flag.
afl-tmin
Minimize a crashing input.
afl-analyze
Analyze input structure.
afl-showmap
Display coverage for inputs.
afl-cmin
Minimize a corpus.
Performance Optimization
Reusing Snapshots
Every Nyx tool boots the guest and creates a fresh snapshot on startup, which is slow. Point AFL_NYX_REUSE_SNAPSHOT at a snapshot written by an earlier run to skip that bootstrap and start the tool much faster.
Fast Reload Mode
Enable fast snapshots by including --fast_reload_mode when packing (shown in the examples above).
To disable fast snapshots at runtime, set AFL_NYX_DISABLE_SNAPSHOT_MODE; crashes are still handled with a snapshot.
Nyx Share Directories
Nyx packages (share directories) contain:
- the target binary and its dependencies
- a bootstrap script: fuzz.sh (for KVM-Nyx) or fuzz_no_pt.sh (for a standard kernel)
- configuration files and setup scripts
Bootstrap Tools
The bootstrap scripts have access to special hypercall-based tools:
| Tool | Description |
|---|---|
| hcat | Copy a string to the host |
| hget | Request a file from the host's share directory |
| hget_bulk | Transfer large files (>100 MB) efficiently |
| habort | Send an abort signal to the host |
| hpush | Transfer a file to the host (saved in the dump/ folder) |
The hypercall interface behind these tools is defined in packer/nyx.h.
Crash Reports
Nyx can provide detailed crash information.
Automatic Crash Logs
For each saved crash, AFL++ writes a .log file containing:
- the faulting address
- the signal number
- the AddressSanitizer report (if the target was compiled with ASan)
Auxiliary Buffer Size
Crash reports are carried in the Nyx auxiliary buffer (4096 bytes by default):
- header: 1408 bytes reserved
- crash report: the remaining 2688 bytes by default
A long ASan report can exceed those 2688 bytes and be cut off; AFL_NYX_AUX_SIZE enlarges the buffer, in multiples of 4096 bytes, and the report area grows by the same amount.
Real-World Example: libxml2
This example is based on the libxml2 tutorial. Build xmllint with afl-clang-fast as a statically linked binary, then package it; the packed target reads its input from /tmp/input inside the guest, which is why that path appears in both -args and -file:

```bash
git clone https://gitlab.gnome.org/GNOME/libxml2
cd libxml2
./autogen.sh
./configure --enable-shared=no
make CC=afl-clang-fast CXX=afl-clang-fast++ LD=afl-clang-fast
```

```bash
cd ~/AFLplusplus/nyx_mode/packer/packer
python3 ./nyx_packer.py \
    ~/libxml2/xmllint \
    /tmp/nyx_libxml2 \
    afl \
    instrumentation \
    -args "/tmp/input" \
    -file "/tmp/input" \
    --fast_reload_mode \
    --purge
```
Expected Output
Custom Harnesses
For custom fuzzing harnesses or a direct hypercall implementation, build the guest-side hypercall tools and copy them into your own agent directory (the packer lives under nyx_mode/, as in the packaging commands above):

```bash
cd ~/AFLplusplus/nyx_mode/packer/packer/linux_x86_64-userspace/
sh compile_64.sh
cp bin64/h* /tmp/nyx_custom_agent/
```
Environment Variables
| Variable | Description |
|---|---|
| AFL_NYX_REUSE_SNAPSHOT | Path to an existing snapshot, for faster tool startup |
| AFL_NYX_DISABLE_SNAPSHOT_MODE | Disable fast snapshots (except for crashes) |
| AFL_NYX_AUX_SIZE | Size of the auxiliary buffer used for crash reports (must be a multiple of 4096) |
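The auxiliary-buffer arithmetic and the three variables above, as an added example that is not AFL++ code: it computes the smallest valid AFL_NYX_AUX_SIZE for a desired crash-report size from the 1408-byte header and the multiple-of-4096 rule stated on this page, checks a size the way the table requires, and emits the variables for a tool run. The snapshot path is whatever an earlier run produced (its location is not stated here, so it is passed in), and the assumption that AFL_NYX_DISABLE_SNAPSHOT_MODE only needs to be set, with 1 as the value, is mine.

```bash
#!/bin/sh
# Added example, not AFL++'s own code.  Derives the Nyx-related environment
# for a companion-tool or fuzzer run.  From this page: the aux buffer is
# 4096 bytes by default, AFL_NYX_AUX_SIZE must be a multiple of 4096, and
# the first 1408 bytes are header, so the crash-report area is size - 1408
# (2688 bytes at the default).

AUX_HEADER=1408
AUX_PAGE=4096

# nyx_aux_size_for REPORT_BYTES
# Smallest valid AFL_NYX_AUX_SIZE whose report area holds REPORT_BYTES.
nyx_aux_size_for() {
    want=$(( $1 + AUX_HEADER ))
    echo $(( (want + AUX_PAGE - 1) / AUX_PAGE * AUX_PAGE ))
}

# nyx_aux_report_capacity AUX_SIZE
# Bytes left for the crash report at a given buffer size; fails for a size
# that is not a multiple of 4096, which the table above says is required.
nyx_aux_report_capacity() {
    size="$1"
    if [ $(( size % AUX_PAGE )) -ne 0 ]; then
        echo "AFL_NYX_AUX_SIZE=$size is not a multiple of $AUX_PAGE" >&2
        return 1
    fi
    echo $(( size - AUX_HEADER ))
}

# nyx_env REPORT_BYTES [SNAPSHOT_DIR] [DISABLE_FAST]
# Prints KEY=VALUE lines, one per variable, for use as
#   env $(nyx_env 16384 /path/to/snapshot) afl-tmin -i crash -o min -X -- PKG
nyx_env() {
    echo "AFL_NYX_AUX_SIZE=$(nyx_aux_size_for "$1")"
    # Reuse a snapshot from an earlier run so the tool skips the slow guest
    # bootstrap.  The page does not state where afl-fuzz writes it, so the
    # caller supplies the path.
    [ -n "${2:-}" ] && echo "AFL_NYX_REUSE_SNAPSHOT=$2"
    # Assumption: AFL++ only checks that the variable is set; 1 is used here.
    [ -n "${3:-}" ] && echo "AFL_NYX_DISABLE_SNAPSHOT_MODE=1"
    return 0
}
```

Round-trip check worth remembering: `nyx_aux_report_capacity "$(nyx_aux_size_for N)"` is always at least N, and for N = 2688 the size comes out at the 4096 default, so the default buffer is exactly enough for a 2688-byte report and nothing more.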
Advantages Over Other Modes
- Full system emulation: Supports complex targets requiring OS interactions
- Efficient snapshotting: Fast state restoration between executions
- Source and binary: Works with both instrumented and binary-only targets
- Intel PT support: Binary-only fuzzing on modern Intel processors
- Low memory footprint: Especially in distributed mode
- Detailed crash reports: Comprehensive crash information including ASan output
Limitations
- Linux only: No Windows or macOS support
- x86_64 only: Currently limited to x86_64 (aarch64 coming)
- Kernel requirements: Needs modern kernel (5.11+) or special 5.10 kernel for Intel PT
- Slower startup: Bootstrapping overhead (mitigated by snapshot reuse)
- No CMPLOG: CMPLOG mode not yet supported
When to Use Nyx Mode
Nyx mode is ideal when:
- Target requires full system emulation
- Persistent mode is not feasible
- You need efficient snapshotting for fork-mode fuzzing
- You’re fuzzing complex applications with OS dependencies
- Binary-only fuzzing on Intel processors (with Intel PT)
- You want low memory usage in parallel fuzzing

