Question about how set model consume the afl_input

[dingiso]

I have a little question about set model. How emulator choose input if the size of set consequences is not power of 2. For example, when encountering this situation.

Set = [0,1,2,3,4,5]
afl_input = b110.....

According to the paper, 3 bits will be extracted from the input of AFL. Which value will be chosen if this extracted value is 6 ? Considering Set[6] is out of bound. Thanks.

[Scepticz]

Hi dingiso,

The logic for applying the set model is implemented here: https://github.com/fuzzware-fuzzer/fuzzware-emulator/blob/20a3deb9227606f2efd88baa345bc3ad695d34a2/harness/fuzzware_harness/native/native_hooks.c#L564. The set model entry is chosen modulo the number of choices available: https://github.com/fuzzware-fuzzer/fuzzware-emulator/blob/20a3deb9227606f2efd88baa345bc3ad695d34a2/harness/fuzzware_harness/native/native_hooks.c#L579

The (byte-oriented) implementation takes a full byte and chooses the index using the byte value. This reduces the bias in index choice introduced by the modulo as well.

Best, Tobi

[dingiso]

Hi Scepticz, Thanks for your explanation. I understood the meaning of byte-oriented and

result_val = config->values[fuzzer_val % config->num_vals];

Best, Dingisoul