Hi all, I am attempting to fuzz an arbitrary binary by means of taking random branches. This means that the fuzzer will frequently end up at exits or at instructions that access invalid memory. Now, I managed to automatically put breakpoints at any exit points and stop the fuzzer properly with an ExitKind::Ok, but I am out of ideas on how to prevent or catch invalid memory access. The issue is that I do not care about this memory access (as in, it is not an objective). I have attempted to change the objective to (for example) TimeoutFeedback or ConstFeedback(false), but the fuzzer still always completely exits on segfaults (or on exits that I have not put a breakpoint on). I have also attempted to hook the read calls, which does indeed get me the instruction in each block that is about to access memory and the addresses accessed each time; but it seems like the crash happens before my hook gets called. I suspect that this is happening because I am using an InProcess executor, but I am not sure about that. Is there any way of instrumenting memory accesses (and properly catching invalid ones) or to catch signals from Qemu? Or maybe there is a way to instruct LibAFL to mark these segfaults as uninteresting and to just start a new execution run? I am on the most current version of LibAFL (0.13.0)
Replies: 1 comment 2 replies
Are you using a LlmpRestartingEventManager or the simple version? The simple manager won't restart automatically on crash, which may be needed here. @rmalmain would know if there's also another way to reset the emulator