How to record each output during fuzzing?


shaw wu

Jul 19, 2023, 3:13:30 AM
to afl-users
Hi!

I would like to record the output corresponding to each input during fuzzing and, when it is not equal to a specific value (instead of on a crash), raise the fitness of the corresponding input. However, I have searched the current mainstream tools like AFL, AFL++, etc. and found that they seem to focus more on program crashes. If I want to implement such a feature without developing a new fuzzer from scratch, what should I do?

Thanks a lot!

Nikolay Shaplov

Jul 20, 2023, 4:03:21 PM
to afl-users, shaw wu
In the message of Wednesday, 19 July 2023, 10:13:30 MSK, user shaw wu wrote:
When I needed to know what the fuzzer passes to my program, I just opened a file
(e.g. named from the Unix timestamp) and wrote it to the file, right inside the
program. If I ever needed the output of the program, I would probably
somehow override the STDOUT file descriptor and save it to the file too.

But all this is for experiments, not for production.

Fuzzing should be extremely fast. Writing a file for each iteration would
gravely slow it down.

So I guess if you want it this way in production, you are probably moving in the
wrong direction.

--
Nikolay Shaplov aka Nataraj
Fuzzing Engineer at Postgres Professional
Matrix IM: @dhyan:nataraj.su

Richo Healey

Jul 21, 2023, 12:24:31 AM
to afl-...@googlegroups.com
Rather than doing all that IO, I would just hash your output and enter that into the coverage bitmap. Conceptually, though, what I'm describing ~is the algorithm of AFL, and I would naively expect it to be happening behind the scenes anyway, since presumably different output implies different branches. If you're able to produce different output with the same paths shown in the bitmap, I would start by screwing with the instrumentation.
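The approach Richo describes above (hash the output, feed the hash into the coverage map, so that every new output looks like new coverage and the input gets kept and scheduled by AFL), combined with the original question's condition (only care when the output differs from one expected value), as an added, self-contained C example that is not code from the thread or from AFL/AFL++. `target()`, `EXPECTED` and the inputs in `main()` are constructed for the example; `output_map` stands in for AFL's shared-memory bitmap. Under AFL++ the store into that array would be replaced by the `__AFL_COVERAGE_INTERESTING(val, id)` hook (assumption: check your version's instrumentation README for the exact contract of `val` and `id`).

```c
/* Added example, not code from the thread: a harness that hashes the target's
 * output into a coverage map so each distinct output shows up to the fuzzer as
 * a new map slot, and that skips recording when the output equals the one
 * value the question is not interested in. target(), EXPECTED and the inputs
 * in main() are constructed for the example. output_map stands in for AFL's
 * shared-memory bitmap; under AFL++ the store into it would be replaced by the
 * __AFL_COVERAGE_INTERESTING(val, id) hook (assumption: check your version's
 * instrumentation README for the exact contract of val and id). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536u        /* AFL's classic 64 KiB map */
#define EXPECTED 3548u         /* the "specific value": target("ok", 2) */

static uint8_t output_map[MAP_SIZE];

/* Stand-in for the program under test: a toy polynomial checksum. */
uint32_t target(const uint8_t *buf, size_t len) {
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) acc = acc * 31u + buf[i];
    return acc;
}

/* FNV-1a: cheap and in-process, which is the whole point versus a file write
 * per execution. */
uint32_t fnv1a(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Map an output value to a slot. In a real map these slots are shared with
 * instrumented edges, so collisions are possible exactly as with AFL's own
 * edge ids; reserve a region if your instrumentation lets you. */
uint32_t output_slot(uint32_t out) {
    return fnv1a(&out, sizeof out) % MAP_SIZE;
}

/* Clear the map between fuzzing sessions; returns the number of bytes reset. */
size_t reset_output_map(void) {
    memset(output_map, 0, sizeof output_map);
    return sizeof output_map;
}

/* Run one input. Returns 1 if the output has not been seen before (the fuzzer
 * would treat the input as interesting), 0 otherwise. Outputs equal to
 * EXPECTED are deliberately not recorded. */
int run_input(const uint8_t *buf, size_t len) {
    uint32_t out = target(buf, len);
    if (out == EXPECTED) return 0;
    uint32_t idx = output_slot(out);
    int is_new = output_map[idx] == 0;
    if (output_map[idx] < 255) output_map[idx]++;   /* saturating, like AFL's hit counters */
    return is_new;
}

int main(void) {
    /* Constructed inputs standing in for what the fuzzer would feed us. */
    const char *inputs[] = { "ok", "ab", "ab", "abc", "" };
    reset_output_map();
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t len = strlen(inputs[i]);
        int fresh = run_input((const uint8_t *)inputs[i], len);
        printf("input %-4s output %5u %s\n", inputs[i],
               (unsigned)target((const uint8_t *)inputs[i], len),
               fresh ? "NEW" : "seen/expected");
    }
    return 0;
}
```

The harness-side change is all that is needed: the fuzzer itself stays unmodified, because a first-time slot in the map is exactly what makes AFL save the input to its queue and mutate it further. The hash is computed in memory on every execution, which is why it does not carry the per-iteration file-write cost that the previous reply warns about.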
