CS419 Computer Security class project: improve AFL's fuzzing performance relative to the stock AFL baseline.
Project Description (taken from professor's slides):
- Improve AFL by any means
- Seed selection using metrics other than coverage, etc.
- Test on LAVA-M and Google test suite
- Compare AFL with your improved version
Plain fuzzing is also relatively shallow: blind, random mutations make it very unlikely to reach certain code paths in the tested code, leaving some vulnerabilities firmly outside the reach of this technique.
There have been numerous attempts to solve this problem. One of the early approaches, pioneered by Tavis Ormandy, is corpus distillation. The method relies on coverage signals to select a subset of interesting seeds from a massive, high-quality corpus of candidate files, and then fuzzes them by traditional means. The approach works exceptionally well, but requires such a corpus to be readily available. [1]
Often, no such corpus is available when fuzz testing a binary, and ready-made test cases may be just as scarce. Using Radamsa (or any other program that can function as a mutation engine), a single well-chosen initial test case can be mutated repeatedly to create a corpus tailored specifically to the program to be fuzzed. A corpus produced this way carries no coverage signal of its own, so it is worth passing it through afl-cmin before fuzzing so that AFL starts from inputs that actually exercise distinct paths rather than from hundreds of near-duplicates. When combined with other techniques, such as using a custom dictionary (afl-fuzz -x), this can result in AFL discovering a greater number of unique crashes or bugs when fuzzing the target.
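The workflow above, as an added example that is not part of this project or of Radamsa/AFL: in practice you would run something like `radamsa -n 200 -o corpus/seed-%n sample` to expand one seed, `afl-cmin -i corpus -o corpus_min -- ./target @@` to distill it, and `afl-fuzz -i corpus_min -o findings -x dict.txt -- ./target @@` to fuzz with a dictionary. The block below stands in for Radamsa with a small self-contained mutation engine (bit flips, insertions, deletions, chunk repetition and boundary-value number rewrites, stacked at random the way Radamsa stacks its patterns), writes the resulting seeds into an AFL input directory, and emits a dictionary in AFL's `name="value"` format. The seed input and the function names are constructed for illustration; only byte-identical duplicates are dropped, since real distillation needs the coverage signal afl-cmin provides.

```python
"""Radamsa-style corpus generation for AFL (illustrative stand-in, not Radamsa)."""
import os
import random

# Constructed sample seed: one well-formed input for a hypothetical JSON consumer.
SEED_INPUT = b'{"user":"alice","id":42,"tags":["a","b"]}\n'

BOUNDARY_NUMBERS = [b"0", b"-1", b"255", b"65535", b"2147483647",
                    b"4294967295", b"-2147483648"]


def _flip_bit(data, rng):
    """Flip one random bit in one random byte."""
    i = rng.randrange(len(data))
    return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]


def _insert_bytes(data, rng):
    """Insert 1..8 random bytes at a random offset."""
    i = rng.randrange(len(data) + 1)
    chunk = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return data[:i] + chunk + data[i:]


def _delete_bytes(data, rng):
    """Delete 1..8 bytes at a random offset (never empties the input)."""
    if len(data) < 2:
        return data
    i = rng.randrange(len(data) - 1)
    j = min(len(data) - 1, i + rng.randint(1, 8))
    return data[:i] + data[j:]


def _repeat_chunk(data, rng):
    """Duplicate a short chunk 2..8 times in place; stresses length handling."""
    i = rng.randrange(len(data))
    j = min(len(data), i + rng.randint(1, 16))
    return data[:j] + data[i:j] * rng.randint(2, 8) + data[j:]


def _interesting_number(data, rng):
    """Replace one run of ASCII digits with an integer boundary value."""
    digits = [k for k, c in enumerate(data) if 48 <= c <= 57]
    if not digits:
        return data
    start = end = rng.choice(digits)
    while start > 0 and 48 <= data[start - 1] <= 57:
        start -= 1
    while end < len(data) and 48 <= data[end] <= 57:
        end += 1
    return data[:start] + rng.choice(BOUNDARY_NUMBERS) + data[end:]


MUTATORS = [_flip_bit, _insert_bytes, _delete_bytes, _repeat_chunk, _interesting_number]


def mutate(data, rng, max_rounds=3):
    """Apply 1..max_rounds randomly chosen mutations, stacked like radamsa patterns."""
    for _ in range(rng.randint(1, max_rounds)):
        data = rng.choice(MUTATORS)(data, rng)
    return data


def generate_corpus(seed, count, rng_seed=0, max_len=4096):
    """Expand a single seed into `count` distinct inputs (the seed itself is kept first).

    Deterministic for a given rng_seed so a run can be reproduced.  Inputs are
    capped at max_len so AFL does not spend its budget on oversized test cases.
    """
    rng = random.Random(rng_seed)
    corpus, seen, attempts = [seed], {seed}, 0
    while len(corpus) < count and attempts < count * 20:
        attempts += 1
        m = mutate(seed, rng)[:max_len]
        if m and m not in seen:
            seen.add(m)
            corpus.append(m)
    return corpus


def write_corpus(corpus, out_dir):
    """Write the corpus as one file per input, ready for `afl-fuzz -i out_dir`."""
    os.makedirs(out_dir, exist_ok=True)
    for n, data in enumerate(corpus):
        with open(os.path.join(out_dir, "seed-%04d" % n), "wb") as f:
            f.write(data)
    return len(corpus)


def afl_dictionary(tokens):
    """Render {name: bytes} as an AFL dictionary: name="value", with \\", \\\\ and \\xNN escapes."""
    lines = []
    for name, tok in tokens.items():
        esc = []
        for b in tok:
            if b == 34:
                esc.append('\\"')
            elif b == 92:
                esc.append("\\\\")
            elif 32 <= b < 127:
                esc.append(chr(b))
            else:
                esc.append("\\x%02x" % b)
        lines.append('%s="%s"' % (name, "".join(esc)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    n = write_corpus(generate_corpus(SEED_INPUT, 200), "corpus")
    with open("dict.txt", "w") as f:
        f.write(afl_dictionary({"kw_user": b'"user"', "kw_tags": b'"tags"', "nul": b"\x00"}))
    print("wrote %d seeds to corpus/ and dict.txt" % n)
```

The dictionary tokens are taken straight from the seed's structure (the field names the parser must match); that is where a custom dictionary earns its keep, since AFL's byte-level mutations rarely recreate a whole keyword by chance.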