about summary refs log tree commit diff
path: root/qemu_taint/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'qemu_taint/README.md')
-rw-r--r--qemu_taint/README.md36
1 files changed, 36 insertions, 0 deletions
diff --git a/qemu_taint/README.md b/qemu_taint/README.md
new file mode 100644
index 00000000..e78e918d
--- /dev/null
+++ b/qemu_taint/README.md
@@ -0,0 +1,36 @@
+# qemu_taint
+First level taint implementation with qemu for linux user mode
+
+**THIS IS NOT WORKING YET** **WIP**
+
+## What is this for
+On new queue entries (newly discovered paths into the target) this tainter
+is run with the new input and the data gathered which bytes in the input
+file are actually touched.
+
+Only touched bytes are then fuzzed by afl-fuzz
+
+## How to build
+./build_qemu_taint.sh
+
+## How to use
+Add the -T flag to afl-fuzz
+
+## Caveats
+For some targets this is amazing and improves fuzzing a lot, but if a target
+copies all input bytes first (e.g. for creating a crc checksum or just to
+safely work with the data), then this is not helping at all.
+
+## Future
+Two fuzz modes for a queue entry which will be switched back and forth:
+
+  1. fuzz all touched bytes
+  2. fuzz only bytes that are newly touched (compared to the one this queue
+     entry is based on)
+
+## TODO
+
+  * Direct trim: trim to highest touched byte, that is all we need to do
+  * add 5-25% dummy bytes to the queue entries? (maybe create a 2nd one?)
+  * Disable trim?
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-29 02:07:29 +0000