![]() Here's where Frida comes in: we observe program execution, looking for basic block terminators (jumps, branches, etc.) and dynamically insert machine instructions on these basic block edges. However, in our closed-box example, we do not have the ability to AOT instrument binaries because we do not have perfect control flow to operate off of. The more code you reach, the more bugs you are likely to hit. The goal of this stochastic process is to maximize basic block coverage. Usefulness is based on a number of factors, with the primary one being how many basic blocks a specific input reaches. This provides a feedback mechanism to a generative algorithm which decides whether a mutated input was useful or not. In traditional coverage-guided fuzzing scenarios, the target binary is instrumented ahead-of-time (AOT) using, for example, a compiler plugin which inserts function calls on basic block edges to report binary coverage. The main hangup with fuzzing binaries is the lack of instrumentation. Details on the Frida Stalker can be found here (note that these examples are in JavaScript whereas this uses the C API which has little documentation.) How does this work? See LibAFLĬoverage-guided binary fuzzing powered by Frida StalkerĪ good introduction to the concept of coverage-guided fuzzing can be found on the AFL repo.
0 Comments
Leave a Reply. |