Incremental Fuzzing
Re-use fuzzing corpuses
Instead of starting your fuzzing campaigns from scratch you can re-use existing fuzzing corpi to hit the ground running.

Corpus

One way to think about a fuzzer is as an automatic test case generator. In fact, this is why many fuzzing and symbolic-execution approaches are referred to as "automatic test case generation techniques". While the fuzzer is running, it will find an increasing number of test cases that increase instruction, branch and path coverage. Over time, it will accumulate an impressive body of tests (also called a corpus), which is really useful.

Incremental Fuzzing

The accumulated corpus is instrumental in the fuzzing process itself, but also for continuous/incremental fuzzing campaigns. The main reason for this is that typically code doesn't change much between fuzzing campaigns. Bug fixes leave most of the code intact, and refactorings are usually confined to a small section of the codebase. Depending on the situation, more than 90% of the code might not change at all.
When that's the case, it doesn't make sense to start fuzzing from scratch, does it?

That's when you'll use incremental fuzzing. You provide an existing corpus to the fuzzer in addition to the fuzzing seed. The fuzzer will then first run through all of the provided test cases, evaluating which test cases are still useful and remembering them. Then fuzzing continues as it normally would, except that it gets a huge head start! It'll be as if you've already been fuzzing for hours!

How much you gain with incremental fuzzing depends on the size of the previous corpus and the amount of changes since that time.
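To make the replay step concrete, here is an added example (not the page's or the tool's own code) of a toy coverage-guided fuzzer that first replays a saved corpus, keeping only the inputs that still add coverage, and then continues mutating from that head start. The target, its hand-placed coverage probes, the seed and the old corpus are all constructed for this illustration.

```python
import random

def target(data: bytes, cov: set) -> None:
    # Toy parser; cov.add() calls stand in for compiler-inserted coverage probes.
    cov.add("entry")
    if len(data) >= 4 and data[:2] == b"FZ":
        cov.add("magic_ok")
        if data[2] == 0x01:
            cov.add("type1")
            if data[3] > 0x80:
                cov.add("big_len")
                raise ValueError("simulated bug on the deepest path")
def run(data: bytes):
    cov = set()  # returns (edges covered, crashed?)
    try:
        target(data, cov)
    except ValueError:
        return cov, True
    return cov, False

def replay_corpus(old_corpus):
    # The incremental step: re-run a saved corpus, keep only inputs that still add coverage.
    kept, total = [], set()
    for data in old_corpus:
        cov, _ = run(data)
        if cov - total:
            kept.append(data)
            total |= cov
    return kept, total

def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data or b"\x00")
    buf[rng.randrange(len(buf))] = rng.randrange(256)  # overwrite one byte
    return bytes(buf)

def fuzz(seed: bytes, old_corpus, iterations: int, rng_seed: int = 0):
    # Replay the old corpus first (the head start), then continue mutating as usual.
    rng = random.Random(rng_seed)
    corpus, total = replay_corpus([seed, *old_corpus])
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        cov, crashed = run(data)
        if crashed:
            return data, corpus
        if cov - total:
            corpus.append(data)
            total |= cov
    return None, corpus

# Constructed sample: a seed plus a corpus saved by an earlier campaign (third entry is redundant).
SEED = b"AAAA"
OLD_CORPUS = [b"FZ\x00\x00", b"FZ\x01\x10", b"FZ\x00\x07"]
```

Replaying the old corpus drops the redundant entry and leaves only the deepest branch uncovered, which is why the mutation phase reaches the crash far sooner than it would from the seed alone.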

Set it up

Setting up incremental fuzzing is a breeze!

CLI

You can re-use analysis data (the corpus) from previous campaigns by passing in their id:

fuzz -c .fuzz.yml run --corpus cmp_<your_id>

If you pass in a project id, then we'll use the corpus for the latest campaign in that project!

Configuration

You can also set up a configuration to use a campaign by default:

# .fuzz_token.yml
fuzz:
  corpus_target: cmp_<your_project_id>

Tip: configure your campaign to always re-use the corpus from the project that it belongs to!

Project ID vs Campaign ID

Sometimes you want to re-use a corpus for a specific campaign. That's when you provide that campaign's ID to select its corpus.
However, in most cases you'll likely want to re-use the corpus of the latest campaign in a project. That's why you can also provide project IDs to select corpuses from. When you provide a project ID instead of an individual campaign ID, fuzzing will re-use the corpus from the latest campaign in the project you specified.