cglosner
commented
6 months ago Would it be possible to hook into how simics currently tracks coverage?
Open novafacing opened 6 months ago
cglosner
commented
6 months ago Would it be possible to hook into how simics currently tracks coverage?
novafacing
commented
6 months ago Likely! Especially for UEFI, we can probably use the FW tracker to pull debuginfo.
cglosner
commented
6 months ago After some very hackyish testing for UEFI, it is possible to get the relocations from simics by utilizing the existing debug info. As long as the program compiled in debug mode then even the function relocations are extracted and the granularity of the coverage info can be somewhat controlled.
I do the mapping post running the fuzzer with a python script, but it should be possible to add it internally. I currently use the fuzzer though to capture the relocations and output the info.
Several requests have been submitted to support a coverage percentage. This essentially requires taking the binary/driver/FW under test (or its debuginfo) as a parameter and doing relocation tracking to translate binary PC to loaded address to determine coverage.