path: root/qemu_taint/README.md
Diffstat (limited to 'qemu_taint/README.md')
-rw-r--r--  qemu_taint/README.md  6
1 files changed, 6 insertions, 0 deletions
diff --git a/qemu_taint/README.md b/qemu_taint/README.md
index e78e918d..c842da0e 100644
--- a/qemu_taint/README.md
+++ b/qemu_taint/README.md
@@ -1,9 +1,11 @@
 # qemu_taint
+
 First level taint implementation with qemu for linux user mode
 
 **THIS IS NOT WORKING YET** **WIP**
 
 ## What is this for
+
 On new queue entries (newly discovered paths into the target) this tainter
 is run with the new input and the data gathered which bytes in the input
 file are actually touched.
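Review bot: the two `+` lines in this hunk are whitespace-only (a blank line after `# qemu_taint` and after `## What is this for`), so the commit should be described as a formatting change; while this section is being touched, the unchanged sentence "is run with the new input and the data gathered which bytes in the input file are actually touched" is hard to parse and would read better as "is run with the new input to record which bytes of the input file are actually touched".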
@@ -11,17 +13,21 @@ file are actually touched.
 Only touched bytes are then fuzzed by afl-fuzz
 
 ## How to build
+
 ./build_qemu_taint.sh
 
 ## How to use
+
 Add the -T flag to afl-fuzz
 
 ## Caveats
+
 For some targets this is amazing and improves fuzzing a lot, but if a target
 copies all input bytes first (e.g. for creating a crc checksum or just to
 safely work with the data), then this is not helping at all.
 
 ## Future
+
 Two fuzz modes for a queue entry which will be switched back and forth:
 
   1. fuzz all touched bytes
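Review bot: the commands under "How to build" and "How to use" in this hunk (`./build_qemu_taint.sh` and the `-T` flag) are still plain text; since the hunk already adds blank lines after those headings, put the build command in a fenced code block and the flag in backticks so they render as code. The "Caveats" paragraph would also benefit from saying why the mode stops helping: when the target copies all input bytes first, every byte is touched, so restricting fuzzing to touched bytes restricts nothing.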