
Option for continuous fuzzing #328

Closed
jeffythedragonslayer opened this issue Sep 10, 2019 · 3 comments

Comments

@jeffythedragonslayer

jeffythedragonslayer commented Sep 10, 2019

Would be nice if there was a cmd line switch to tell the fuzzer to run continuously instead of stopping after a max number of tests.

@SR4ven
Collaborator

SR4ven commented Sep 15, 2019

Boofuzz is a generation-based fuzzer, meaning that all data being sent is predefined.
So when the predefined data has been exhausted, you could only start repeating test cases to keep fuzzing.

Continuous fuzzing would require an algorithm performing mutations on the data. This would require a new primitive in boofuzz, or an additional option in the existing primitives to enable random mutations.

I'm not exactly sure if mutational fuzzing is what boofuzz aims for.
@jtpereyda what do you think about this?

@jtpereyda
Owner

Yes, a lot of data types could be mutated indefinitely.

Perhaps more useful would be combinatorial fuzzing -- using more than one mutation at a time. Running two mutations at a time would for a lot of protocols result in an indefinitely running fuzz test.

The best way to leverage that for quicker bugs is to add some kind of feedback mechanism, probably code coverage. Then the system could identify cases that cover more code, and use that mutation as the basis for another round of mutations.

For truly black box situations, another approach is to switch to a breadth-first approach when combining mutations. So instead of doing all 10k or so string mutations at once for the first string, then moving to the next, boofuzz would do a few mutations on each element and combine them with mutations on other elements.

See also #187

@SR4ven
Collaborator

SR4ven commented Jun 7, 2021

Combinatorial fuzzing was implemented in #499. Code coverage will come in #508.

@SR4ven SR4ven closed this as completed Jun 7, 2021