Fuzz: Round 2 #110
Comments
I feel like trying Angora, a fuzzer with very promising algorithms (also written in Rust!), and isn't our friend goblin a trusty good target?! Stay tuned! The insight of AFL/LibFuzzer is that a little smart (coverage guiding) combined with speed beats full smart, symbolic approaches like KLEE. Angora shows it can be combined with a little more smart (taint guiding). Two instrumented executables are produced for coverage and taint; run taint a little (it's slow!), run coverage a lot, but do not mutate randomly, use taint info! It all seems beautiful. Let's see how it works in practice.

Super excited to see what you uncover here :) The mach-o and PE backends could use some fuzz-love too :)

In the meanwhile I've done a pass with plain old AFL. I've targeted the elf parser since it contains a suspicious amount of unsafe code. I've also thrown in some FreeBSD binaries as seeds. Here's the generated corpus that can be used for subsequent fuzzing: min-elf-corpus.zip. The fuzzing harness targets ELF decoding specifically; this usually produces better results than all-in-one: https://github.com/Shnatsel/goblin/blob/master/fuzz-afl/src/main.rs


I want to fuzz goblin's parser again, this time with:
4 is new but it's also very important. My guess is mach-o and PE will have the most issues, as they haven't been fuzzed at all yet.
I would love for someone to help set this up, and even just file issues as the errors start emerging :)