fuzzing american-fuzzy-lop

Modifying AFL to include a new variable for the Fuzzer to consider in seed selection


I am looking to understand how AFL implements its seed selection. To my understanding, afl-fuzz.c has a function called has_new_bits which returns values identifying whether the result of an input creates a new path or new edge, or whether it is not an interesting branch we are considering. So my question is this: given that I am able to insert some lines of code that allow me to add variables such as a counter, and other lines of code that increment it in a given branch, how do I modify AFL such that it is able to detect this?


Solution

  • In AFL++, you can affect the coverage bitmap directly using __afl_coverage_interesting. You can, for instance, compute the val parameter from the value of your counter (but remember that val is u8).

    Another way is to use FuzzFactory, a modified version of AFL that allows the user to define custom coverage metrics. In their paper the authors discuss one of the possible coverage metrics that FuzzFactory can use, namely validity. With validity, the fuzzer selects valid inputs with higher probability. You can hack around it and make a FuzzFactory version that focuses on inputs triggering unsafe code instead of valid inputs.
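The following is an added example of the first approach (feeding a per-branch counter into the coverage map through AFL++'s __afl_coverage_interesting); it is not code from the question, the answer or the AFL++ project. The "branch of interest" (non-printable input bytes), the call-site id 0x1001 and the weak fallback stub are assumptions made here so the file compiles and runs stand-alone; when the file is built with afl-clang-fast, the strong definition in AFL++'s compiler runtime replaces the stub and the reported val lands in the shared coverage bitmap at index id.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t  u8;
typedef uint32_t u32;

/* Weak fallback so the example links without AFL++'s runtime. Under
 * afl-clang-fast the runtime's strong __afl_coverage_interesting wins and
 * writes val into the coverage map; this stub only records the last call
 * so the behaviour can be checked outside the fuzzer. */
static u8  g_last_val = 0;
static u32 g_last_id  = 0;

__attribute__((weak)) void __afl_coverage_interesting(u8 val, u32 id) {
  g_last_val = val;
  g_last_id  = id;
}

u8  get_last_reported_val(void) { return g_last_val; }
u32 get_last_reported_id(void)  { return g_last_id; }

/* Assumed, fixed id for this call site. AFL++ requires the id to be unique
 * per call site so different counters do not overwrite each other. */
#define INTERESTING_ID 0x1001u

/* val is a u8: clamp the counter so large counts do not wrap to small ones. */
u8 saturate_u8(unsigned long n) { return n > 255 ? 255 : (u8)n; }

/* Constructed target: count how many bytes fall into the branch we care
 * about (here, non-printable bytes) and report the saturated count as
 * extra coverage. Returns the value handed to the fuzzer (0 = nothing
 * reported; AFL++ expects val > 0 when the call is made). */
u8 report_counter(const u8 *buf, size_t len) {
  unsigned long counter = 0;

  for (size_t i = 0; i < len; i++) {
    if (buf[i] < 0x20 || buf[i] > 0x7e) {  /* the instrumented branch */
      counter++;
    }
  }

  u8 val = saturate_u8(counter);
  if (val) __afl_coverage_interesting(val, INTERESTING_ID);
  return val;
}

int main(void) {
  /* Constructed sample input: two printable bytes, three non-printable. */
  const u8 sample[] = { 'a', 'b', 0x01, 0x02, 0x03 };
  u8 val = report_counter(sample, sizeof sample);
  printf("reported val=%u at id=0x%x\n", val, get_last_reported_id());
  return 0;
}
```

Keep in mind that afl-fuzz does not compare raw byte values: it classifies each map entry into hit-count buckets (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+) before has_new_bits runs, so a counter moving from 5 to 6 is not "new", while moving from 7 to 8 is. If finer resolution matters, spread the counter over several ids (e.g. one id per threshold) rather than relying on the single byte.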