shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

Driller Interesting Branch #63

Closed bennoli closed 5 years ago

bennoli commented 5 years ago

Hey guys, I hope you can help me to fully understand this tool.

I'm using Driller now but I still cannot figure out, technically, how Driller chooses a certain path to run angr on. Is it just based on hit counts? Or do you have any way to select interesting branches? (Interesting means a branch which has an unexplored arm.)

rhelmot commented 5 years ago

It's based on AFL's metric of "interesting branches", and is invoked whenever AFL reports that it's stuck. Look at the shellphuzz script to see the top-level view of how driller is integrated into AFL.
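An added illustration of the AFL-side trigger described above, not code from the driller or shellphuzz projects: it parses AFL's `fuzzer_stats` file (real AFL key names) and decides whether the fuzzer looks stuck. The exact "stuck" criterion (no pending favored inputs after at least one full cycle) is an assumption standing in for whatever shellphuzz actually checks.

```python
# Added example, not shellphuzz/driller code. Reads AFL's fuzzer_stats and
# applies an assumed "stuck" rule to decide when symbolic exploration
# (driller) would be invoked on AFL's queue entries.
from typing import Dict

# Constructed sample of AFL's fuzzer_stats format: one "key : value" per line.
SAMPLE_STATS_STUCK = """\
start_time        : 1550000000
last_update       : 1550003600
cycles_done       : 3
execs_done        : 1234567
paths_total       : 57
pending_favs      : 0
pending_total     : 4
afl_banner        : target
"""

# Same layout, but AFL still has favored inputs left to fuzz.
SAMPLE_STATS_BUSY = SAMPLE_STATS_STUCK.replace(
    "pending_favs      : 0", "pending_favs      : 2")


def parse_fuzzer_stats(text: str) -> Dict[str, str]:
    """Parse AFL's fuzzer_stats text into a dict; values stay as strings."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        key, _, value = line.partition(":")
        stats[key.strip()] = value.strip()
    return stats


def is_stuck(stats: Dict[str, str], min_cycles: int = 1) -> bool:
    """Assumed rule: no favored inputs pending and >= min_cycles completed."""
    pending_favs = int(stats.get("pending_favs", "0"))
    cycles_done = int(stats.get("cycles_done", "0"))
    return pending_favs == 0 and cycles_done >= min_cycles


def should_drill(stats_text: str) -> bool:
    """True when the orchestrator would hand AFL's queue to the driller."""
    return is_stuck(parse_fuzzer_stats(stats_text))
```

In a real run the text would come from `<afl_sync_dir>/fuzzer-master/fuzzer_stats` and the decision would trigger a driller pass over the queue files.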

bennoli commented 5 years ago

Dear @rhelmot,

Thanks for your comments. Lastly, I just want to make sure: as I understand from your code in shellphuzz, the interesting branch and also the interesting input are decided by AFL. Am I right? Do you guys use the original AFL, or did you make some modifications to AFL for this part (to select the branch and the interesting input)? Thanks

rhelmot commented 5 years ago

Yes, it's all AFL, no modifications. Our mechanism for building AFL can be found in the shellphish-afl repository.