This is a first release, try it out and give me some feedback.
Replying to @taviso
6 mins to go from 240k of fuzzed output to 75 bytes is pretty solid. This was against domato or similar style grammar fuzzer output? Especially useful in those cases where diffs between samples are useless.
Replying to @richinseattle
Yes, that was grammar output (although I've been testing it with a bunch of other stuff as well), there are still some optimizations I want to write and have some ideas for more strategies. I'm really pleased with results so far.
Replying to @taviso
For mutational fuzz output I haven’t seen a tool that will index only modified bytes across a corpus of inputs and correlate them, which could be a lot more efficient than binary search. AFL is nice enough to keep provenance in the filename at least.
Replying to @richinseattle @taviso
Testing search strategies for diff input classes such as binary structures, hierarchical binary formats, loose text formats, strict text formats, etc would be useful for finding bugs too. Curious if you’ve thought much about patching out checksums or similar since flayer.
Replying to @richinseattle
An idea I'm excited about is automatically identifying offsets in binary formats, try decrementing and then testing if adjacent data can be moved closer. That seems like it will map onto my parallelization nicely too, but we'll see how it works when I'm done.
Replying to @taviso @richinseattle
Re checksums, I think the best solution I ever came up with was "sub-instruction profiling", where we split comparisons into smaller units than instructions; this way we can provide enough feedback to fuzzers to get through checksum comparisons.
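The "sub-instruction profiling" idea above, as an added example that is not code from the thread or from any participant's tool: a constructed toy format with a CRC32 field, and two feedback oracles for the same 32-bit compare. Reporting only pass/fail gives the search nothing to climb; splitting the compare into four byte compares lets a greedy byte-wise search get through the checksum in a few hundred executions instead of needing a 2^32 hit.

```python
import struct
import zlib

# Constructed toy format: 4-byte magic, little-endian u32 CRC32, payload.
HEADER = b"FUZZ"

def target(data: bytes) -> bool:
    """Toy parser: only proceeds past the header if the stored CRC matches."""
    if len(data) < 8 or data[:4] != HEADER:
        return False
    stored, = struct.unpack("<I", data[4:8])
    return stored == (zlib.crc32(data[8:]) & 0xFFFFFFFF)

def whole_compare_feedback(data: bytes) -> int:
    """What an uninstrumented u32 compare tells the fuzzer: one bit."""
    return 1 if target(data) else 0

def sub_instruction_feedback(data: bytes) -> int:
    """Emulates splitting the u32 compare into four u8 compares and
    reporting how many of them succeeded (0..4)."""
    if len(data) < 8 or data[:4] != HEADER:
        return 0
    expected = struct.pack("<I", zlib.crc32(data[8:]) & 0xFFFFFFFF)
    return sum(1 for a, b in zip(data[4:8], expected) if a == b)

def solve_checksum(data: bytes, feedback, budget: int = 4096):
    """Greedy search over the four checksum bytes driven only by `feedback`.
    Returns (best_input, executions, passed)."""
    best = bytearray(data)
    best_score = feedback(bytes(best))
    execs = 1
    for pos in range(4, 8):          # one checksum byte at a time
        for v in range(256):
            if execs >= budget:
                return bytes(best), execs, target(bytes(best))
            cand = bytearray(best)
            cand[pos] = v
            execs += 1
            score = feedback(bytes(cand))
            if score > best_score:   # keep the byte that advanced the compare
                best, best_score = cand, score
                break
    return bytes(best), execs, target(bytes(best))

if __name__ == "__main__":
    sample = HEADER + b"\x00\x00\x00\x00" + b"hello world"   # wrong CRC
    for fb in (whole_compare_feedback, sub_instruction_feedback):
        _, n, ok = solve_checksum(sample, fb)
        print(f"{fb.__name__}: passed={ok} after {n} executions")
```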
Replying to @taviso
Yeah. That works well enough when you can execute really fast, but you are wasting a lot of CPU to match a checksum that is blocking parsing of a probably useless mutation anyway. In this tool you have scope narrowed to only crashing inputs, but I'm generalizing to bug finding.
Replying to @richinseattle @taviso
It may be that a worker process should add recently fuzzed input to a queue to run under a debugger, try to detect if it is doing a 16-bit+ comparison in the last block and should be passed to a solver, etc. Right now the selection strategy for the hybrid systems isn't being optimized.
Replying to @richinseattle @taviso
I've seen this before and will review. Do you have anything else to act as documentation on your ideas or work in this space? Was DeepCover ever public? http://taviso.decsystem.org/making_software_dumber.pdf
I never released it, I kept meaning to decouple it from internal stuff so that I could but never got around to it! I should revisit that, I think it's still useful and could still be relevant to some problems.