Tangent-ish question, I've seen some work on AFL for Rust[1], how much of this understanding maps to Rust? Is the instrumentation path pretty uniform for LLVM based binaries?
Alex, an SDE from AWS S3, recently added LibFuzzer fuzzing to s2n: https://github.com/awslabs/s2n/pull/263 . The integration has been very simple, very impressive, and it has already found an issue we hadn't triggered with afl (a small memory leak in an error case). The minimization step is a big help in improving the branch coverage.
LibFuzzer runs in the same process as the code you want to test, right? Doesn't that mean you have to take special care to recover from errors? I mean, if it messes up the heap, for example, it would be possible but tricky to continue running. And continue is what you want, because then you save a process restart when exploring the parameter space (which makes it very fast).
I've been fuzzing a target pretty judiciously, and I have seen all of these effects. Glad to see somebody do a writeup. The dictionary is a huge boon, especially for text-based files.
Tangent-ish question, I've seen some work on AFL for Rust[1], how much of this understanding maps to Rust? Is the instrumentation path pretty uniform for LLVM based binaries?
[1] https://github.com/frewsxcv/afl.rs