# qemu_taint
First-level taint implementation with QEMU for Linux user mode.

**THIS IS NOT WORKING YET** **WIP**
## What is this for
On new queue entries (newly discovered paths into the target), this tainter
is run with the new input, and the gathered data tells which bytes in the input
file are actually touched.
Only touched bytes are then fuzzed by afl-fuzz.
## How to build
```sh
./build_qemu_taint.sh
```
## How to use
Add the `-T` flag to afl-fuzz.
## Caveats
For some targets this is amazing and improves fuzzing a lot, but if a target
copies all input bytes first (e.g. to compute a CRC checksum or just to
work safely with the data), then this does not help at all.
## Future
Two fuzz modes for a queue entry, which will be switched back and forth:
1. fuzz all touched bytes
2. fuzz only bytes that are newly touched (compared to the queue entry this one is based on)
## TODO
* Direct trim: trim to the highest touched byte, that is all we need to do
* Add 5-25% dummy bytes to the queue entries? (maybe create a 2nd one?)
* Disable trim?
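A small Python model, added here and not code from qemu_taint or AFL++, of the touched-bytes idea described under "What is this for", the copy-everything caveat, the two planned fuzz modes and the direct-trim TODO. A recording wrapper stands in for QEMU taint tracking, and both target parsers (`header_parser`, `crc_parser`) are constructed for illustration.

```python
# Added model (not qemu_taint or AFL++ code): a recording wrapper stands in
# for QEMU taint tracking and records which input offsets the target reads.
import zlib
from typing import Callable, List, Optional, Set

class TaintedInput:
    """Input buffer that records every byte offset the target touches."""
    def __init__(self, data: bytes):
        self.data = data
        self.touched: Set[int] = set()

    def byte(self, i: int) -> int:
        self.touched.add(i)
        return self.data[i]

    def slice(self, start: int, end: int) -> bytes:
        end = min(end, len(self.data))
        self.touched.update(range(start, end))
        return self.data[start:end]

def header_parser(inp: TaintedInput) -> str:
    """Constructed target that only reads the bytes it actually needs."""
    if len(inp.data) < 4 or inp.slice(0, 2) != b"QT":
        return "bad-magic"
    flags, length = inp.byte(2), inp.byte(3)
    if flags & 1:  # payload is only read when the flag bit is set
        return "payload:" + inp.slice(4, 4 + length).hex()
    return "no-payload"

def crc_parser(inp: TaintedInput) -> str:
    """Constructed target matching the caveat: checksums the whole input first."""
    zlib.crc32(inp.slice(0, len(inp.data)))  # touches every byte
    return header_parser(inp)

def touched_bytes(target: Callable[[TaintedInput], str], data: bytes) -> Set[int]:
    """Run the target once on a new queue entry and collect touched offsets."""
    inp = TaintedInput(data)
    target(inp)
    return inp.touched

def fuzz_positions(touched: Set[int], parent: Optional[Set[int]] = None) -> List[int]:
    """Mode 1 (parent=None): all touched bytes. Mode 2: only newly touched ones."""
    return sorted(touched if parent is None else touched - parent)

def direct_trim(data: bytes, touched: Set[int]) -> bytes:
    """'Direct trim' from the TODO: keep the input up to the highest touched byte."""
    return data[: max(touched) + 1] if touched else b""
```

With the flag bit clear the parser touches only the four header bytes, so the trailing bytes are never fuzzed; the CRC variant touches all of them, which is exactly the caveat above.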