🌊Incremental Fuzzing

Reusing fuzzing corpuses

Instead of starting your fuzzing campaigns from scratch you can reuse existing fuzzing corpuses to hit the ground running.

Corpus

One way to think about a fuzzer is an automatic test-case generator. In fact, this is why many fuzzing and symbolic-execution approaches are referred to as "automatic test-case generation techniques". While the fuzzer is running, it will find an increasing number of test-cases that increase instruction-, branch- and path coverage. Over time, it will accumulate these tests, and incremental fuzzing allows you to use them for subsequent campaigns. You provide an existing corpus to the fuzzer in addition to the seed state. The fuzzer will then first run through all of the provided test-cases and add them to the new corpus if they are still useful (for instance, by increasing coverage). Then fuzzing continues as it normally would. Except that it will get a huge head start! It'll be as if you've already been fuzzing for hours!

Incremental fuzzing

The accumulated corpus is instrumental in the fuzzing process itself, but also for continuous/incremental fuzzing campaigns. The main reason for this is that typically code doesn't change much between fuzzing campaigns. Bug fixes leave most of the code unchanged, and refactorings are usually confined to a small region of the codebase. Depending on the situation, more than 90% of the code might not change at all.

When that's the case, it doesn't make sense to start fuzzing from scratch; does it?

How much you gain with incremental fuzzing depends on the size of the previous corpus and the amount of changes since that time.

Setting it up

Setting up incremental fuzzing is a breeze!

You can reuse the corpus from previous campaigns by passing in their ID:

fuzz -c .fuzz.yml run --corpus cmp_<your_id>

If you pass in a project ID then we'll use the corpus for the latest campaign in that project!

You can also set up a configuration to use a campaign by default

# .fuzz_token.yml

fuzz:
    corpus_target: cmp_<your_project_id>

Tip: configure your campaign to always reuse the corpus from the project that it belongs to!

Project ID vs campaign ID

Sometimes you want to reuse a corpus of a specific campaign. That's when you provide its campaign ID to select the corpus.

However, in most cases, you'll likely want to reuse the corpus for the latest campaign in a project. That's why you can also provide a project ID to select its corpus. Fuzzing will reuse the corpus from the latest campaign in the project you specified instead of the corpus of a specific campaign.

PreviousStatistics NextFuzzing Lessons

Last updated 1 year ago