Currently only one target is supported, but it should be possible to fuzz multiple targets (e.g. several bitcoinds) at the same time, just like we do in the functional tests.
If the current approach is kept, then the different targets somehow need to write to different ranges of the nyx agent's tracing map. Currently there is a single target that writes to the whole map:
fuzzamoto/src/nyx-agent.c, lines 57 to 67 in f7ca464:

```c
key_t key = ftok("/tmp", 'T'); // 'T' for trace
int shmid = shmget(key, agent_config.coverage_bitmap_size, IPC_CREAT | 0666);
if (shmid == -1) {
  habort("Error: Failed to create shared memory segment for trace buffer");
}

// Write trace buffer shmemid to __AFL_SHM_ID env variable
char shmid_str[16];
memset(shmid_str, 0, sizeof(shmid_str));
snprintf(shmid_str, sizeof(shmid_str), "%d", shmid);
setenv("__AFL_SHM_ID", shmid_str, 1);
```

Alternatively, full-system coverage with intel-pt could be explored.
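One way the agent could give each target its own segment and fold the results back into one combined map for Nyx, as an added sketch that is not fuzzamoto's code: the equal-slot layout, the function names and the use of IPC_PRIVATE instead of a shared ftok key are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Assumed layout: the combined tracing map is split into n equal slots, one
 * per target; slot `idx` is [*off, *off + *len). Returns -1 on a bad index. */
int target_range(size_t total, int n, int idx, size_t *off, size_t *len) {
    if (n <= 0 || idx < 0 || idx >= n) return -1;
    *len = total / (size_t)n;
    *off = *len * (size_t)idx;
    return 0;
}

/* One private segment per target (IPC_PRIVATE, so two targets can never end
 * up on the same key), attached in the agent so it can read the bits back.
 * Returns the number of segments created, or -1 on failure. */
int create_target_maps(int *shmids, unsigned char **maps, int n, size_t len) {
    for (int i = 0; i < n; i++) {
        shmids[i] = shmget(IPC_PRIVATE, len, IPC_CREAT | 0600);
        if (shmids[i] == -1) return -1;
        maps[i] = shmat(shmids[i], NULL, 0);
        if (maps[i] == (void *)-1) return -1;
        memset(maps[i], 0, len);
    }
    return n;
}

/* Before exec'ing target i, hand it only its own segment through
 * __AFL_SHM_ID, the same way the single-target agent does today. */
int export_shm_id(int shmid) {
    char buf[16];
    snprintf(buf, sizeof(buf), "%d", shmid);
    return setenv("__AFL_SHM_ID", buf, 1);
}

/* After a run, OR each target's private map into its own slot of the combined
 * map. Returns how many bytes of the combined map are non-zero afterwards. */
size_t fold_target_maps(unsigned char *combined, size_t total,
                        unsigned char **maps, int n) {
    size_t off, len, hits = 0;
    for (int i = 0; i < n; i++) {
        if (target_range(total, n, i, &off, &len) != 0) return 0;
        for (size_t b = 0; b < len; b++) combined[off + b] |= maps[i][b];
    }
    for (size_t b = 0; b < total; b++) hits += combined[b] != 0;
    return hits;
}
```

With the same instrumentation in every target, the slot offsets mean that identical edges in two bitcoinds land on distinct combined-map bytes rather than colliding.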