Binary Coverage the Wrong Way
[^1]: Some people would tell you there was a third option, which was "formally prove your program". They're lying to you.
[^2]: In reality it's a bit more complicated; most fuzzers now actually use N-gram coverage, where you combine the last N branches together to calculate the bitmap entry to set in order to expose more path-dependent information. Having some weird coverage metric is still, to a first approximation, recording "what code was hit" though, so the distinction doesn't matter that much - and if you have some way of recording branch history, you can probably also compute N-gram coverage instead.
[^3]: In fact, if you're using Windows 11, the "bare metal" Windows kernel you think you're running has actually been running as a virtualized guest this entire time. Isn't that kind of neat?
[^4]: Yes, that Varnish. The HTTP cache.
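Footnote 2 describes folding the last N branch locations into the bitmap index rather than just the last edge. The following is an added example, not code from the original post: a small Python model of an AFL-style edge bitmap beside an N-gram variant, run over two constructed branch traces that share the same final edge but reach it through different history. The block identifiers, the bitmap size, and the mixing function (XOR of progressively shifted history entries) are assumptions chosen for illustration, not any particular fuzzer's implementation.

```python
"""Edge coverage vs N-gram coverage over constructed branch traces.

Added example, not code from the original post. It models the AFL-style
edge bitmap (index = current block XOR previous block shifted right by one)
and the generalisation the footnote describes: hashing the last N branch
locations together so the index also depends on how the program arrived
at the current branch. Block identifiers, MAP_SIZE and the mixing function
are constructed assumptions for illustration.
"""
from __future__ import annotations

MAP_SIZE = 1 << 16  # assumed bitmap size, in the spirit of AFL-style instrumentation


def edge_index(prev_loc: int, cur_loc: int) -> int:
    """Edge coverage: combine the previous block with the current block.

    The previous location is shifted by one bit so that A->B and B->A land in
    different entries instead of XOR cancelling the symmetric edge.
    """
    return (cur_loc ^ (prev_loc >> 1)) % MAP_SIZE


def ngram_index(history: list[int], cur_loc: int, n: int) -> int:
    """N-gram coverage: fold the last n-1 locations into the current one.

    Each older location is shifted one more bit than the one after it, so the
    same set of blocks visited in a different order yields a different entry.
    With n == 2 this reduces to edge_index(); with n == 1 it is plain block
    coverage. The mixing function is an assumption made for this example.
    """
    recent = history[-(n - 1):] if n > 1 else []
    idx = cur_loc
    for depth, loc in enumerate(reversed(recent), start=1):
        idx ^= loc >> depth
    return idx % MAP_SIZE


def coverage(trace: list[int], n: int) -> set[int]:
    """Replay a recorded branch trace and return the bitmap entries it sets.

    Because the full trace is available, any n can be computed after the fact,
    which is the footnote's point about recorded branch history.
    """
    hit: set[int] = set()
    history: list[int] = []
    for loc in trace:
        hit.add(ngram_index(history, loc, n))
        history.append(loc)
    return hit


def new_entries(seen: set[int], trace: list[int], n: int) -> set[int]:
    """Entries a trace would set that an earlier corpus has not already set."""
    return coverage(trace, n) - seen


# Constructed basic-block identifiers (not from any real binary).
A, B, C, D, E = 0x0A1F, 0x2B3C, 0x3C4D, 0x4D5E, 0x5E6F
# Two constructed paths: both end with the edge D->E, reached via B or via C.
TRACE_VIA_B = [A, B, D, E]
TRACE_VIA_C = [A, C, D, E]


def compare_metrics() -> dict[str, int]:
    """How much of the second path looks new under each metric."""
    return {
        "edge": len(new_entries(coverage(TRACE_VIA_B, 2), TRACE_VIA_C, 2)),
        "3-gram": len(new_entries(coverage(TRACE_VIA_B, 3), TRACE_VIA_C, 3)),
    }


if __name__ == "__main__":
    # The shared edge D->E maps to one entry under edge coverage, so the
    # second path's final step adds nothing; the 3-gram entry for E differs.
    print("edge index for D->E on both paths:", hex(edge_index(D, E)))
    print("3-gram index for E via B:", hex(ngram_index([A, B, D], E, 3)))
    print("3-gram index for E via C:", hex(ngram_index([A, C, D], E, 3)))
    print("new entries contributed by the second path:", compare_metrics())
```

Under edge coverage the two paths differ only in the entries for A->C and C->D; the D->E entry is identical, so a fuzzer tracking edges cannot tell that E was reached by a new route. The 3-gram variant separates the two arrivals at E, at the cost of a larger and more collision-prone bitmap, which is the usual trade-off when choosing N.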