nikic / PHP-Fuzzer

Experimental fuzzer for PHP libraries
MIT License

Allow to use custom (user-supplied) mutators / Structure-Aware Fuzzing #18

Open n-peugnet opened 9 months ago

n-peugnet commented 9 months ago

Something similar to what libFuzzer allows to do: https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md (https://llvm.org/docs/LibFuzzer.html#user-supplied-mutators)

nikic commented 9 months ago

Any particular use case you have in mind for this?

n-peugnet commented 9 months ago

> Any particular use case you have in mind for this?

Exactly the one presented as the first example of the linked page: https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md#example-compression

> This is a very simple target, yet traditional universal fuzzers (including libFuzzer) have virtually no chance of discovering the crash. Why? Because their mutations will operate on the compressed data, causing virtually all generated inputs to be invalid for uncompress.

nikic commented 9 months ago

This seems pretty simple on the surface -- but I'm not sure what the best way to handle cross-overs is. Naively this would end up crossing over between the uncompressed input of one entry with the compressed input on another. libFuzzer allows you to separately customize it via LLVMCustomCrossOver, in which case the mutator distribution looks pretty skewed though (if I'm reading the code right, it will use 50% custom mutator and 50% custom crossover, while usually crossover has much smaller weight).

n-peugnet commented 9 months ago

I figured that for my use case, I could simply compress the input in the target.
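The workaround from the last comment, shown as an added example that is not code from this issue or from PHP-Fuzzer: a target file that wraps the fuzzer's raw bytes in a valid gzip container before calling the function under test, so mutations land on the uncompressed payload. `parseCompressedDocument` is an assumed stand-in for a library function that expects compressed input; the `setTarget` call and the `/** @var PhpFuzzer\Fuzzer $fuzzer */` header follow PHP-Fuzzer's target-file convention.

```php
<?php
// Added example, not from PHP-Fuzzer or this issue. It shows the workaround
// from the last comment: the target compresses the fuzzer's bytes itself, so
// mutations act on the uncompressed payload. parseCompressedDocument is an
// assumed stand-in for a library function under test.

/** @var PhpFuzzer\Fuzzer $fuzzer */
require __DIR__ . '/vendor/autoload.php';

// Hypothetical function under test: takes a gzip stream, inflates it and
// parses the result as JSON. Bugs in the parsing step are what we want to hit.
function parseCompressedDocument(string $compressed): array {
    // @ suppresses the "data error" warning gzdecode emits on bad input.
    $raw = @gzdecode($compressed);
    if ($raw === false) {
        throw new RuntimeException('invalid gzip stream');
    }
    $doc = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($doc)) {
        throw new JsonException('top-level value is not an object or array');
    }
    return $doc;
}

// Naive target: almost every mutated input fails the gzip check, so the
// parser itself is hardly ever exercised.
$naiveTarget = function (string $input) {
    try {
        parseCompressedDocument($input);
    } catch (RuntimeException | JsonException $e) {
        // Expected rejections; anything else (an Error or an unexpected
        // exception) propagates and is reported by the fuzzer as a crash.
    }
};

// Structure-aware target: wrap the raw bytes in a valid gzip container so the
// decompression step always succeeds and every input reaches the parser.
$structuredTarget = function (string $input) {
    try {
        parseCompressedDocument(gzencode($input));
    } catch (JsonException $e) {
        // Malformed JSON is an expected rejection, not a bug.
    }
};

// Use the structure-aware variant; $naiveTarget is kept only for comparison.
$fuzzer->setTarget($structuredTarget);
```

The same trick applies to any outer encoding the fuzzer cannot learn by byte mutation (checksums, length prefixes, framing): build the envelope in the target and let the fuzzer mutate only the inner payload.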