-rw-r--r-- | nyx_mode/README.md | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/nyx_mode/README.md b/nyx_mode/README.md index 646cba5a..f975c764 100644 --- a/nyx_mode/README.md +++ b/nyx_mode/README.md @@ -38,7 +38,7 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh ./build_nyx_support.sh ``` -5. Optional, for binary-only fuzzing: setup the required 5.10 kernel, see +5. Optionally, for binary-only fuzzing: set up the required 5.10 kernel, see [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx). ## Preparing to fuzz a target with Nyx mode @@ -126,7 +126,7 @@ git clone https://gitlab.gnome.org/GNOME/libxml2 cd libxml2 ``` -Remember that currently only classic AFL instrumented is supported! +Remember that currently only classic AFL instrumentation is supported! ``` export AFL_LLVM_INSTRUMENT=AFL 
@@ -137,7 +137,7 @@ make CC=afl-clang-fast CXX=afl-clang-fast++ LD=afl-clang-fast #### Nyx share directories -Nyx expects that the target is provided in a certain format. More specifically, the target is passed as a so-called „share directory“ to a Nyx-frontend implementation. The share directory contains the target as wells as a folder containing all dependencies and other files that are copied over to the guest. But more importantly, this share directory also contains a bootstrap script (`fuzz.sh`if you are using `KVM-Nyx`otherwise `fuzz_no_pt.sh`) that is also executed right after launching the fuzzer. Both bootstrap scripts use several tools to communicate with the "outer world": +Nyx expects that the target is provided in a certain format. More specifically, the target is passed as a so-called „share directory“ to a Nyx-frontend implementation. The share directory contains the target as well as a folder containing all dependencies and other files that are copied over to the guest. But more importantly, this share directory also contains a bootstrap script (`fuzz.sh`if you are using `KVM-Nyx`otherwise `fuzz_no_pt.sh`) that is also executed right after launching the fuzzer. Both bootstrap scripts use several tools to communicate with the "outer world": - `hcat` - this tool copies a given string to the host - `hget` - this program requests a file from the host's share directory @@ -149,7 +149,7 @@ Those tools are all using hypercalls which are defined in `packer/nyx.h`. We wil ### Pack libxml2 into Nyx sharedir format -To turn a given linux target into the Nyx format, you can simply use `nyx_packer.py`. To do so, move to the following directory: +To turn a given linux target into the Nyx format, you can simply use `nyx_packer.py`. To do so, move to the following directory: ``` cd nyx_mode/packer/packer 
@@ -169,11 +169,11 @@ python3 ./nyx_packer.py \ --purge ``` -In this example, the packer will take `xmllint`, recursively get all dependencies and put both into the specified share directory (`/tmp/nyx_libxml2` in this case). Because we have selected the `afl` option, an `ld_preload`-based agent is also automatically built and put into the sharedir. Another option would be `spec`. Without going into too much detail here, the `spec`mode is only used by Nyx's [spec-fuzzer](https://github.com/nyx-fuzz/spec-fuzzer) implementation. Next, since our target is built with compile-time instrumentations, we must select the `instrumentation` option, othwise we could also use `processor-trace` option to enable Intel-PT fuzzing on targets without instrumentation. +In this example, the packer will take `xmllint`, recursively get all dependencies and put both into the specified share directory (`/tmp/nyx_libxml2` in this case). Because we have selected the `afl` option, an `ld_preload`-based agent is also automatically built and put into the sharedir. Another option would be `spec`. Without going into too much detail here, the `spec`mode is only used by Nyx's [spec-fuzzer](https://github.com/nyx-fuzz/spec-fuzzer) implementation. Next, since our target is built with compile-time instrumentations, we must select the `instrumentation` option, otherwise we could also use `processor-trace` option to enable Intel-PT fuzzing on targets without instrumentation. To specify that the input generated by the fuzzer is passed as a seperate file to the target, we need to set the `-file` option. Otherwise, the input will be passed over to the target via `stdin`. To specify any required `argv` options you can use the `-args`parameter. -In case you want to fuzz the target only with fast snapshots enabled, you can also set the ` --fast_reload_mode`option to improve performance. 
+In case you want to fuzz the target only with fast snapshots enabled, you can also set the `--fast_reload_mode` option to improve performance. Finally, we need to generate a Nyx configuration file. Simply run the following command and you're good to proceed: 
@@ -236,9 +236,9 @@ If you want to disable fast snapshots (except for crashes), you can simply set t ### Run AFL++Nyx with a custom agent -Most of the common use-cases for linux userland targets are already handled by our general purpose [agent](https://github.com/nyx-fuzz/packer/blob/main/packer/linux_x86_64-userspace/src/ld_preload_fuzz.c) implementation. But in case you want to build your own agent, or write a custom harness for a specific target or you just want implement all the hypercall and shared memory communication on your own, you can use our custom harness example as a starting point for that. You can find the code [here](custom_harness/) +Most of the common use-cases for linux userland targets are already handled by our general purpose [agent](https://github.com/nyx-fuzz/packer/blob/main/packer/linux_x86_64-userspace/src/ld_preload_fuzz.c) implementation. But in case you want to build your own agent, or write a custom harness for a specific target or you just want to implement all the hypercall and shared memory communication on your own, you can use our custom harness example as a starting point for that. You can find the code [here](custom_harness/) -This custom harness can be statically compiled with by gcc or clang. There is no need to use an AFL compiler, becaues this agent implements its own very basic coverage tracking by simply setting specific bytes in the "coverage" bitmap after specific branches have been covered. +This custom harness can be statically compiled with by gcc or clang. There is no need to use an AFL compiler, because this agent implements its own very basic coverage tracking by simply setting specific bytes in the "coverage" bitmap after specific branches have been covered. To prepare this target, we must first create a new folder that will later become the sharedir. 
@@ -259,7 +259,7 @@ cp fuzz.sh /tmp/nyx_custom_agent cp fuzz_no_pt.sh /tmp/nyx_custom_agent ``` -Copy all `htools` executable into the sharedir: +Copy all `htools` executables into the sharedir: ``` cd ~/AFLplusplus/packer/packer/linux_x86_64-userspace/ |
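Review bot: in the `@@ -137,7 +137,7 @@` hunk the + line still runs inline code into the following word: "(`fuzz.sh`if you are using `KVM-Nyx`otherwise `fuzz_no_pt.sh`)" needs a space after each closing backtick, e.g. "(`fuzz.sh` if you are using `KVM-Nyx`, otherwise `fuzz_no_pt.sh`)"; since this line is already being rewritten for "wells" → "well", fix both in the same change. The low-9 „share directory“ quotes on that line could also become straight quotes to match the "outer world" quotes later in the same sentence.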
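Review bot: the - and + lines of the `@@ -149,7 +149,7 @@` hunk read identically ("To turn a given linux target into the Nyx format, you can simply use `nyx_packer.py`. To do so, move to the following directory:"), so the change is invisible in the diff, presumably trailing whitespace or a non-ASCII space; a short mention in the commit message would spare the next reader from hunting for the difference.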
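Review bot: the `@@ -169,11 +169,11 @@` hunk fixes "othwise" but leaves several slips of the same kind in place: "seperate" in the unchanged context line ("passed as a seperate file to the target"), and the missing spaces in "the `spec`mode" and "the `-args`parameter", which is exactly what the `--fast_reload_mode` fix in this hunk corrects for one other occurrence. "built with compile-time instrumentations" → "built with compile-time instrumentation" and "could also use `processor-trace` option" → "could also use the `processor-trace` option" would fit in this change as well.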
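Review bot: in the `@@ -236,9 +236,9 @@` hunk "with by" survives on the second + line ("This custom harness can be statically compiled with by gcc or clang."); drop one of the two words, e.g. "statically compiled with gcc or clang". The first + line also ends without a full stop after "You can find the code [here](custom_harness/)".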