Diffstat (limited to 'qemu_taint')
-rw-r--r--  qemu_taint/README.md            42
-rwxr-xr-x  qemu_taint/build_qemu_taint.sh   7
-rwxr-xr-x  qemu_taint/clean.sh              3
3 files changed, 52 insertions, 0 deletions
diff --git a/qemu_taint/README.md b/qemu_taint/README.md new file mode 100644 index 00000000..6a7d19af --- /dev/null +++ b/qemu_taint/README.md @@ -0,0 +1,42 @@ +# qemu_taint + +First level taint implementation with qemu for linux user mode + +**THIS IS NOT WORKING YET** **WIP** + +## What is this for + +On new queue entries (newly discovered paths into the target) this tainter +is run with the new input and the data gathered which bytes in the input +file are actually touched. + +Only touched bytes are then fuzzed by afl-fuzz + +## How to build + +./build_qemu_taint.sh + +## How to use + +Add the -A flag to afl-fuzz + +## Caveats + +For some targets this is amazing and improves fuzzing a lot, but if a target +copies all input bytes first (e.g. for creating a crc checksum or just to +safely work with the data), then this is not helping at all. + +## Future + +Two fuzz modes for a queue entry which will be switched back and forth: + + 1. fuzz all touched bytes + 2. fuzz only bytes that are newly touched (compared to the one this queue + entry is based on) + +## TODO + + * Direct trim: trim to highest touched byte, that is all we need to do + * add 5-25% dummy bytes to the queue entries? (maybe create a 2nd one?) + * Disable trim? + diff --git a/qemu_taint/build_qemu_taint.sh b/qemu_taint/build_qemu_taint.sh new file mode 100755 index 00000000..b54c3e04 --- /dev/null +++ b/qemu_taint/build_qemu_taint.sh @@ -0,0 +1,7 @@ +#!/bin/bash +test -d qemu || git clone https://github.com/vanhauser-thc/qemu_taint qemu || exit 1 +cd qemu || exit 1 +test -d .git && { git stash ; git pull ; } +cp -fv ../../include/config.h ../../include/types.h . || exit 1 +./build.sh || exit 1 +cp -fv ./afl-qemu-taint ../.. diff --git a/qemu_taint/clean.sh b/qemu_taint/clean.sh new file mode 100755 index 00000000..10c44cac --- /dev/null +++ b/qemu_taint/clean.sh @@ -0,0 +1,3 @@ +#!/bin/sh +rm -f afl-qemu-taint qemu/afl-qemu-taint ../afl-qemu-taint +test -d qemu && { cd qemu ; ./clean.sh ; } |
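Review bot: in the README hunk, the `## How to use` section (`Add the -A flag to afl-fuzz`) does not say what afl-fuzz does with the taint data or where the tainter writes it, so a reader cannot check whether the integration works; given the `**THIS IS NOT WORKING YET** **WIP**` banner, state under `## How to use` what `-A` currently does (or that it has no effect until the tainter produces output) and in which file and format the touched-byte map is written. The `## Caveats` paragraph (a target that copies all input bytes first) would also be clearer if it says this follows from the "first level taint" design: only the bytes the target reads directly are marked, not data derived from them, so after a full copy every byte looks touched.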
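Review bot: in the build_qemu_taint.sh hunk, `git clone https://github.com/vanhauser-thc/qemu_taint qemu` followed by `test -d .git && { git stash ; git pull ; }` builds whatever the remote's current head is, so the build is not reproducible and any later change to that repository is fetched and executed on the next run; pin a known commit (`git checkout <commit hash>` after the clone) and drop the unconditional `git pull`, or at least stop on a failed pull (`git pull || exit 1`) instead of continuing into `./build.sh` on a half-updated tree. The last line, `cp -fv ./afl-qemu-taint ../..`, has no `|| exit 1`, so a build that produced no binary still exits 0, and the `../../include/config.h` and `../..` paths assume the script is run from inside `qemu_taint/`; a `cd "$(dirname "$0")" || exit 1` at the top makes that explicit.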
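Review bot: in the clean.sh hunk, the last line `test -d qemu && { cd qemu ; ./clean.sh ; }` makes the script exit non-zero when there is nothing to clean (no `qemu/` checkout yet), because the failed `test` is the final status; end with `exit 0` or write it as `if test -d qemu; then ...; fi`. Inside the braces, `cd qemu ; ./clean.sh` should be `cd qemu && ./clean.sh`: if the `cd` fails, `./clean.sh` resolves to this same script in `qemu_taint/` and re-invokes itself. Like the build script, it also relies on being run from `qemu_taint/` for `qemu/` and `../afl-qemu-taint` to resolve.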