Diffstat (limited to 'README.md')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | README.md | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/README.md b/README.md index 79b495d3..2b9bc588 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,34 @@ +# qemu_taint variant. + +## HOWTO + +cd qemu_taint && ./build_qemu_taint.sh + +afl-fuzz -A ... + +## CAVEATS + + * segfaults ~10-15 minutes in ... + + * shmem persistent mode does not work + * custom mutators? dunno if they work or not + * MOpt works but totally ignores the taint information + * not tested with qemu_mode + * if all seed entries are fully touched it might not work + +## THE TAINT + +taint can be seen in out/taint/ + +the id:000 mirrors the out/queue entry, except the content it 0x00 for +untainted bytes and '!' for tainted bytes. +If a file has new tainted bytes compared to from which previous entry it +was created then there is a id:000[...].new file where the new bytes are +marked '!'. + +the mutation switches between fuzzing all tainted bytes in one cycle and +only new bytes in the other cycle. + # American Fuzzy Lop plus plus (afl++) <img align="right" src="https://raw.githubusercontent.com/andreafioraldi/AFLplusplus-website/master/static/logo_256x256.png" alt="AFL++ Logo"> |
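Review bot: The added block leaves its two most important specifics elided and sits awkwardly at the top of the project README. In the HOWTO, `afl-fuzz -A ...` never says what `-A` expects or which of the usual `-i`/`-o` options still apply, and under CAVEATS "segfaults ~10-15 minutes in ..." names neither the component that crashes nor the conditions, so a user cannot tell whether the crash is in the instrumented QEMU, in afl-fuzz, or in the target; either spell both out or link to a tracking issue. Structurally, `+# qemu_taint variant.` is a second H1 (with a trailing period) inserted above `# American Fuzzy Lop plus plus (afl++)`, so the variant notes now precede the project title; consider demoting it to a `##` section placed after the existing introduction, or moving it to `qemu_taint/README.md` next to `build_qemu_taint.sh`. In THE TAINT section, "except the content it 0x00 for untainted bytes" should read "except the content is 0x00", and "compared to from which previous entry it was created" reads more clearly as "compared to the entry it was created from". Since the diffstat shows 31 insertions and no deletions, nothing else in the README was touched, which is fine for a first draft but worth noting that the afl-fuzz usage elsewhere in the file does not yet mention `-A`.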
