fuzzware-fuzzer / fuzzware

Fuzzware's main repository. Start here to install.
Apache License 2.0
302 stars 51 forks

Replace "target" with a checkpoint system #41

Open smnhff opened 6 months ago

smnhff commented 6 months ago

Currently, fuzzware supports the definition of a "target". A "target" is a point in the program that needs to be discovered once, and from then on, the fuzzing prefix to reach this point is prepended to all further fuzzing input in order to always pass that point in the program. This is very helpful to pass a boot process once and then continue fuzzing the actual application.

This approach hits its limits once this "target" is far enough into the program for the fuzzer to not reliably find that point in a given time. To improve upon this feature, fuzzware could implement a checkpoint system that, in its simplest form, iteratively performs the "target" approach from above: First, the analyst defines a list of targets. Fuzzware then performs the "target" step for each entry in the list, until the last entry is found. From there on, it performs its regular exploration.
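A toy model of the two mechanisms described in this issue, added here as an illustration; it is not Fuzzware's code and does not use its emulator. The firmware is a constructed three-stage boot sequence with made-up checkpoint addresses and magic bytes, the fuzzer is a deliberately naive random-suffix loop, and trimming a found input to the bytes consumed when the target was hit is an assumption about how a prefix would be minimized, not something the issue specifies. It shows why a single deep target is hard to find in one shot and how chaining the target step over a list of checkpoints makes each step cheap.

```python
"""Toy model of the 'target' mechanism and the proposed iterative checkpoint chain."""
import random
from typing import Dict, List, Optional

# Constructed toy firmware (not Fuzzware's emulator): a three-stage boot sequence.
# Stage k is passed when the k-th input byte equals MAGIC[k]; passing it reaches the
# hypothetical checkpoint address CHECKPOINTS[k]. Any other byte hangs the boot.
CHECKPOINTS: List[int] = [0x0800_1000, 0x0800_2000, 0x0800_3000]
MAGIC: List[int] = [0x55, 0xAA, 0x42]


def run_firmware(data: bytes) -> Dict[int, int]:
    """Emulate the toy firmware on `data`.

    Returns {checkpoint_address: bytes_consumed_when_reached}. A mismatch at a
    stage boundary aborts the boot, so later checkpoints cannot be reached by
    that input.
    """
    reached: Dict[int, int] = {}
    for stage, (addr, magic) in enumerate(zip(CHECKPOINTS, MAGIC)):
        if stage >= len(data) or data[stage] != magic:
            break
        reached[addr] = stage + 1
    return reached


def fuzz_for_target(target: int, prefix: bytes, rng: random.Random,
                    budget: int, suffix_len: int = 4) -> Optional[bytes]:
    """Naive 'target' step: keep `prefix` fixed, append random bytes, and stop at
    the first input that reaches `target`. Returns that input trimmed to the bytes
    consumed when the target was hit (assumed minimization into a new prefix),
    or None when the budget runs out."""
    for _ in range(budget):
        suffix = bytes(rng.randrange(256) for _ in range(suffix_len))
        candidate = prefix + suffix
        reached = run_firmware(candidate)
        if target in reached:
            return candidate[:reached[target]]
    return None


def fuzz_with_checkpoints(targets: List[int], rng: random.Random,
                          budget_per_target: int) -> Optional[bytes]:
    """Proposed checkpoint system: apply the target step once per list entry,
    each time prepending the prefix discovered for the previous entry.
    Returns the prefix reaching the last checkpoint, or None if any step fails."""
    prefix = b""
    for target in targets:
        found = fuzz_for_target(target, prefix, rng, budget_per_target)
        if found is None:
            return None
        prefix = found
    return prefix  # regular exploration would now run with this prefix prepended


def run_demo(seed: int = 1234, budget: int = 5000) -> Optional[bytes]:
    """Convenience wrapper: chain all toy checkpoints with a fixed seed."""
    return fuzz_with_checkpoints(CHECKPOINTS, random.Random(seed), budget)


if __name__ == "__main__":
    budget = 5000
    # Single target deep in the boot: all three bytes must be right in one
    # input (about 1 in 2^24 per try), so this usually fails within the budget.
    single = fuzz_for_target(CHECKPOINTS[-1], b"", random.Random(1234), budget)
    print("single target, budget", budget, "->", single)
    # Chained checkpoints: each step only needs one more byte right (1 in 2^8).
    print("checkpoint chain, budget", budget, "per step ->", run_demo(1234, budget))
```

Run it as a script to see the two strategies side by side; with the same per-run budget the chained search reliably ends with the full three-byte prefix, while the single-target search almost always returns None.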

Scepticz commented 4 months ago

Thank you for the pull request. As we discussed previously, I like the feature. Due to the number of changes I think we need some more testing. I am a bit strapped for time at the moment, so I would appreciate somebody helping to test this.

Tobi