Option for continuous fuzzing #328
Comments
Boofuzz is a generation-based fuzzer, meaning that all data being sent is predefined. Continuous fuzzing would require an algorithm performing mutations on the data. This would require a new primitive in boofuzz, or an additional option in the existing primitives to enable random mutations. I'm not exactly sure if mutational fuzzing is what boofuzz aims for.
Yes, a lot of data types could be mutated indefinitely. Perhaps more useful would be combinatorial fuzzing -- using more than one mutation at a time. Running two mutations at a time would for a lot of protocols result in an indefinitely running fuzz test. The best way to leverage that for quicker bugs is to add some kind of feedback mechanism, probably code coverage. Then the system could identify cases that cover more code, and use that mutation as the basis for another round of mutations. For truly black box situations, another approach is to switch to a breadth-first approach when combining mutations. So instead of doing all 10k or so string mutations at once for the first string, then moving to the next, boofuzz would do a few mutations on each element and combine them with mutations on other elements. See also #187
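The breadth-first scheduling described in the comment above, as an added illustration that is not boofuzz code and does not use boofuzz's primitives: `SAMPLE_ELEMENTS` is a constructed three-element message with a handful of mutations each, `depth_first` models the exhaust-one-element-at-a-time order of a generation-based fuzzer, and `breadth_first` opens a small window of new mutations per element each round and combines them pairwise across elements. All function and element names are hypothetical.

```python
import itertools
from typing import Callable, Dict, Iterator, List, Optional

Elements = Dict[str, List[bytes]]
Case = Dict[str, bytes]

# Constructed sample: three fuzzable elements with a few mutations each.
# Index 0 of every list is the unmutated default value. A real string
# primitive would carry thousands of mutations, not three or four.
SAMPLE_ELEMENTS: Elements = {
    "verb":    [b"GET", b"A" * 64, b"%s%s%s", b""],
    "path":    [b"/", b"/" + b"A" * 64, b"/../../", b"/\x00"],
    "version": [b"HTTP/1.1", b"HTTP/9.9", b"X" * 32],
}


def depth_first(elements: Elements) -> Iterator[Case]:
    """Exhaust every mutation of the first element, then every mutation of the
    second, and so on. Only one element is ever mutated per test case, so
    two-element interactions are never exercised."""
    base = {name: muts[0] for name, muts in elements.items()}
    for name, muts in elements.items():
        for mutation in muts[1:]:
            yield {**base, name: mutation}


def breadth_first(elements: Elements, per_round: int = 2) -> Iterator[Case]:
    """Try a few mutations of every element, then combine them pairwise across
    elements, before moving on to the next few mutations.

    Round k opens a window of `per_round` new mutation indices per element.
    It emits each new single mutation, then every two-element combination in
    which at least one index is new this round. Because every pair contains
    a "new" index in exactly one round, no pair is emitted twice and every
    pair is eventually reached (complete pairwise coverage)."""
    names = list(elements)
    base = {name: elements[name][0] for name in names}
    longest = max(len(muts) for muts in elements.values())
    for start in range(1, longest, per_round):
        end = start + per_round

        def tried(name: str) -> range:
            # mutation indices of `name` tried up to and including this round
            return range(1, min(end, len(elements[name])))

        def is_new(index: int) -> bool:
            return start <= index < end

        # single-element cases opened this round
        for name in names:
            for i in tried(name):
                if is_new(i):
                    yield {**base, name: elements[name][i]}
        # two-element combinations involving at least one new mutation
        for a, b in itertools.combinations(names, 2):
            for ia in tried(a):
                for ib in tried(b):
                    if is_new(ia) or is_new(ib):
                        yield {**base, a: elements[a][ia], b: elements[b][ib]}


def mutated_count(case: Case, elements: Elements) -> int:
    """Number of elements in `case` that differ from their default value."""
    return sum(1 for name, value in case.items() if value != elements[name][0])


def first_index(cases: List[Case], pred: Callable[[Case], bool]) -> Optional[int]:
    """Position of the first test case satisfying `pred`, or None."""
    for i, case in enumerate(cases):
        if pred(case):
            return i
    return None


def schedule(strategy: Callable[[Elements], Iterator[Case]],
             elements: Elements = SAMPLE_ELEMENTS) -> List[Case]:
    """Materialise a strategy's test-case order for inspection."""
    return list(strategy(elements))


if __name__ == "__main__":
    for strategy in (depth_first, breadth_first):
        cases = schedule(strategy)
        two = first_index(cases, lambda c: mutated_count(c, SAMPLE_ELEMENTS) == 2)
        print(f"{strategy.__name__}: {len(cases)} cases, "
              f"first two-element case at index {two}")
```

On the sample, `depth_first` produces 8 single-element cases and never combines two elements, while `breadth_first` reaches its first two-element case after only 6 single cases and covers all 21 element pairs in 29 cases without duplicates. With real mutation counts the pairwise total grows quadratically, which is the "indefinitely running" effect the comment describes; the window size is the knob that decides how early cross-element interactions are tried.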
Would be nice if there was a cmd line switch to tell the fuzzer to run continuously instead of stopping after a max number of tests.