author | van Hauser <vh@thc.org> | 2020-08-08 20:29:56 +0200 |
---|---|---|
committer | van Hauser <vh@thc.org> | 2020-08-08 20:29:56 +0200 |
commit | d8f5502d83ec530bcc1ad15b2d23b2660cd6ce58 (patch) | |
tree | ebf3ba5feaad460ede82932b205451839aa8a574 /qemu_taint/README.md | |
parent | ebc6f528683c47b92ab08b469fc0b235ecce1062 (diff) | |
download | afl++-d8f5502d83ec530bcc1ad15b2d23b2660cd6ce58.tar.gz |
initial integration
Diffstat (limited to 'qemu_taint/README.md')
-rw-r--r-- | qemu_taint/README.md | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/qemu_taint/README.md b/qemu_taint/README.md index e78e918d..c842da0e 100644 --- a/qemu_taint/README.md +++ b/qemu_taint/README.md @@ -1,9 +1,11 @@ # qemu_taint + First level taint implementation with qemu for linux user mode **THIS IS NOT WORKING YET** **WIP** ## What is this for + On new queue entries (newly discovered paths into the target) this tainter is run with the new input and the data gathered which bytes in the input file are actually touched. @@ -11,17 +13,21 @@ file are actually touched. Only touched bytes are then fuzzed by afl-fuzz ## How to build + ./build_qemu_taint.sh ## How to use + Add the -T flag to afl-fuzz ## Caveats + For some targets this is amazing and improves fuzzing a lot, but if a target copies all input bytes first (e.g. for creating a crc checksum or just to safely work with the data), then this is not helping at all. ## Future + Two fuzz modes for a queue entry which will be switched back and forth: 1. fuzz all touched bytes |
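Review bot: the first hunk (`@@ -1,9 +1,11 @@`) only inserts blank lines after the `# qemu_taint` and `## What is this for` headings, which the commit message "initial integration" does not describe; a message such as "qemu_taint: add blank lines after markdown headings" would match the change. While this paragraph is being touched, the unchanged context sentence "this tainter is run with the new input and the data gathered which bytes in the input file are actually touched" is hard to parse; suggest "this tainter is run on the new input and records which bytes of the input file are actually touched".

Review bot: the second hunk (`@@ -11,17 +13,21 @@`) adds spacing after `## How to build`, `## How to use`, `## Caveats` and `## Future` but leaves `./build_qemu_taint.sh` and `Add the -T flag to afl-fuzz` as bare prose lines; since the intent is markdown cleanup, put the build command in a fenced code block and write the flag as inline code (`afl-fuzz -T`) so both render as commands rather than sentences. The `## Caveats` paragraph says the tainter "is not helping at all" when a target copies all input bytes first; given "Only touched bytes are then fuzzed by afl-fuzz" just above, a short sentence that this degrades to fuzzing every byte (i.e. plain afl-fuzz behaviour) rather than breaking the run would tell the reader what to expect.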