deepstate
Create "output-driven" fuzzer
Make an "output driven" fuzzing mode for DeepState that's not just brute force, but a GA-like mutation-based fuzzer where the "instrumentation" is the DeepState logging output, with various abstractions you can use to decide when an input is interesting/new.
"Has different output bytes" is simple, and then things like abstracting numeric output to sign or nearest power of two or...
Ignore ordering of lines... there's really been little done with using program output as an interestingness function. I think one of Mark Harman's students did years ago for web testing? TSTL has some experimental modes in that direction, but they aren't very much explored, and "output" is pool values, not logging
Because DeepState re-implements things like printf, and also implements stream-based logging, it seems reasonable to ignore the actual formatted output and add hooks directly into the logging implementation. This way, we get to treat the output more uniformly as a data structure, or series of data structures, somewhat like the inputs.
Right, that's how I was thinking of it working...
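The thread above sketches an interestingness function computed over logged output rather than coverage: compare raw output lines, or abstract numeric output to its sign or nearest power of two, or ignore line ordering. The following Python is an added illustration of that idea and is not DeepState code nor anything the commenters wrote. It assumes the hooked logging is exposed as a list of (level, message) records; `target_program` is a constructed stand-in for a program under test, and the mutation operators are the usual byte-level ones, chosen only to keep the example self-contained.

```python
"""Output-driven fuzzing sketch (added example, not DeepState code).

Interestingness is decided from the program's log records, abstracted at a
chosen granularity, instead of from branch coverage. Inputs whose abstracted
output signature has not been seen before are kept in the corpus and mutated
further, GA-style.
"""
import math
import random
import re
from typing import FrozenSet, List, Tuple, Union

LogRecord = Tuple[str, str]  # (level, message), standing in for hooked logging records
Signature = Union[Tuple[str, ...], FrozenSet[str]]

NUM_RE = re.compile(r"-?\d+")


def target_program(data: bytes) -> List[LogRecord]:
    """Constructed stand-in for the program under test: logs values derived from the input."""
    total = sum(data)
    records = [("INFO", f"checksum={total}")]
    if len(data) > 4 and data[0] == data[3]:
        records.append(("WARN", f"collision offset=3 len={len(data)}"))
    records.append(("INFO", f"delta={total - 128 * len(data)}"))
    return records


def abstract_number(n: int, mode: str) -> str:
    """Map a logged integer to a coarser token: 'sign' or 'pow2' (nearest power of two in log scale)."""
    if mode == "sign":
        return "neg" if n < 0 else "zero" if n == 0 else "pos"
    if mode == "pow2":
        if n == 0:
            return "0"
        magnitude = 2 ** round(math.log2(abs(n)))
        return str(-magnitude if n < 0 else magnitude)
    raise ValueError(f"unknown abstraction mode {mode!r}")


def output_signature(records: List[LogRecord], number_abstraction: str = "exact",
                     ordered: bool = True) -> Signature:
    """Reduce log records to a hashable signature at the requested abstraction level."""
    lines = []
    for level, msg in records:
        if number_abstraction != "exact":
            msg = NUM_RE.sub(lambda m: abstract_number(int(m.group()), number_abstraction), msg)
        lines.append(f"{level}:{msg}")
    # Ordered: line sequence matters. Unordered: only the set of lines matters.
    return tuple(lines) if ordered else frozenset(lines)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, byte replace, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed_inputs: List[bytes], iterations: int, number_abstraction: str = "exact",
         ordered: bool = True, rng_seed: int = 0):
    """Mutation-based loop: keep an input iff its abstracted output signature is new."""
    rng = random.Random(rng_seed)
    corpus = list(seed_inputs)
    seen = {output_signature(target_program(i), number_abstraction, ordered) for i in corpus}
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        sig = output_signature(target_program(child), number_abstraction, ordered)
        if sig not in seen:
            seen.add(sig)
            corpus.append(child)
    return corpus, seen


if __name__ == "__main__":
    for mode in ("exact", "pow2", "sign"):
        corpus, seen = fuzz([b"abcd"], iterations=2000, number_abstraction=mode)
        print(f"{mode:>5}: {len(corpus)} interesting inputs, {len(seen)} distinct signatures")
```

The coarser the abstraction, the fewer inputs count as interesting: every input that is new under the sign abstraction is also new under exact comparison, but not the other way round, so the abstraction level is the knob that trades corpus growth against how much the fuzzer is steered by incidental numeric noise in the logs.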