Hi Ben,
If speed isn't a problem, I don't think there's any glaring reason to desocket if you already have a good way to get the fuzzed payload to the target server. These libraries give you a direct way to dynamically load into the web server binary, which makes it easy to intercept stdin and route it through a network connection to yourself, but it sounds like you've got this part figured out.
Your 'docker kill' solution sounds like a good way to enable/disable instrumentation collection. Another idea, if you're interested: Each of the 26 different HTTP servers first must read the bytes from the socket using some system call (read(), recv(), etc.). Could you write an LD_PRELOAD library that overrides this system call (using
dlsym()) and runs some extra code that, if the conditions are correct, calls __AFL_COVERAGE_ON()? You would also need to override some commonly-called system call
after parsing, to run __AFL_COVERAGE_OFF(). This makes the server itself the one responsible for enabling/disabling its instrumentation, at a time
it decides. This may be a little more accurate than delivering a process signal in terms of
when the instrumentation collection should begin.
As for live coverage extraction, I'm not familiar with any features that do this, but someone else may be. Modifying afl-showmap.c looks like a good way to do this, although you may want to instead modify afl-fuzz itself to collect this for you after each test case execution.
Thanks,
Connor