-rw-r--r--  qemu_taint/README.md  36
-rwxr-xr-x  qemu_taint/build.sh   6
-rwxr-xr-x  qemu_taint/clean.sh   3
3 files changed, 45 insertions, 0 deletions
diff --git a/qemu_taint/README.md b/qemu_taint/README.md
new file mode 100644
index 00000000..e78e918d
--- /dev/null
+++ b/qemu_taint/README.md
@@ -0,0 +1,36 @@
+# qemu_taint
+First level taint implementation with qemu for linux user mode
+
+**THIS IS NOT WORKING YET** **WIP**
+
+## What is this for
+On new queue entries (newly discovered paths into the target) this tainter
+is run with the new input and the data gathered which bytes in the input
+file are actually touched.
+
+Only touched bytes are then fuzzed by afl-fuzz
+
+## How to build
+./build_qemu_taint.sh
+
+## How to use
+Add the -T flag to afl-fuzz
+
+## Caveats
+For some targets this is amazing and improves fuzzing a lot, but if a target
+copies all input bytes first (e.g. for creating a crc checksum or just to
+safely work with the data), then this is not helping at all.
+
+## Future
+Two fuzz modes for a queue entry which will be switched back and forth:
+
+  1. fuzz all touched bytes
+  2. fuzz only bytes that are newly touched (compared to the one this queue
+     entry is based on)
+
+## TODO
+
+  * Direct trim: trim to highest touched byte, that is all we need to do
+  * add 5-25% dummy bytes to the queue entries? (maybe create a 2nd one?)
+  * Disable trim?
+
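Review bot: the "How to build" section tells the user to run `./build_qemu_taint.sh`, but the script this patch adds is `qemu_taint/build.sh`, and because that script ends with `cp -f ./afl-qemu-taint ../..` (a relative destination resolved from inside `qemu/`) it only produces a usable result when started from within `qemu_taint/`. Either rename the script to match the README or change the instruction to `cd qemu_taint && ./build.sh`, and say where the resulting `afl-qemu-taint` binary is placed so the user knows what afl-fuzz will look for. The `-T` flag described under "How to use" is not part of this patch; since the README already carries a WIP banner, a short note that the afl-fuzz side is still to come (or a pointer to the commit that adds it) would avoid users trying a flag that does not exist yet.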
diff --git a/qemu_taint/build.sh b/qemu_taint/build.sh
new file mode 100755
index 00000000..c3fbe198
--- /dev/null
+++ b/qemu_taint/build.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+test -d qemu ||  git clone https://github.com/vanhauser-thc/qemu_taint qemu || exit 1
+cd qemu || exit 1
+test -d .git || { git stash ; git pull ; }
+./build.sh
+cp -f ./afl-qemu-taint ../..
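Review bot: the update condition on line 4 is inverted: `test -d .git || { git stash ; git pull ; }` runs the stash/pull only when `qemu/.git` is absent, which never happens after a successful clone and is exactly the case in which `git pull` cannot work; on an existing checkout the script silently never updates. It should read `test -d .git && { git stash ; git pull ; }`, or simply `git pull` after the `cd`, since line 2 already guarantees a repository. Two further points: `./build.sh` and `cp -f` carry no `|| exit 1`, so a failed qemu build still exits 0 and the caller cannot tell that no `afl-qemu-taint` was produced, and the clone on line 2 tracks the moving default branch of an external GitHub repository with no pinned commit, so every run pulls whatever is upstream at that moment; consider checking out a fixed revision (or at least documenting that the build is unpinned) so the tainter binary is reproducible. `git stash` also silently shelves any local modifications in the qemu tree; if that is intended, a one-line warning in the script would help.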
diff --git a/qemu_taint/clean.sh b/qemu_taint/clean.sh
new file mode 100755
index 00000000..0046c6c0
--- /dev/null
+++ b/qemu_taint/clean.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+rm -f afl-qemu-taint
+test -d qemu && rm -f qemu
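Review bot: `rm -f qemu` on line 3 will not remove the cloned checkout: `rm -f` refuses directories, prints an error, and exits non-zero, so `clean.sh` leaves `qemu/` in place and reports failure. The guard `test -d qemu` shows the intent is to delete the directory, so this needs `rm -rf qemu`. Note that this also discards any local modifications in the checkout, which is consistent with the stash in `build.sh` but worth stating. Minor style point: this script uses `#!/bin/sh` while `build.sh` uses `#!/bin/bash`; picking one keeps the two scripts uniform.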