Hacker News

Binary Coverage the Wrong Way

Article footnotes

Some people would tell you there was a third option, which was "formally prove your program". They're lying to you.

In reality it's a bit more complicated: most fuzzers now use some form of N-gram coverage, where the last N branch targets are combined into the bitmap index that gets set, so that the map captures some path-dependent information rather than only which edges were executed (AFL's classic edge coverage is the N=2 case, and AFL++ lets you raise N). Any such coverage metric is still, to a first approximation, recording "what code was hit", so the distinction doesn't matter that much; and if you have some way of recording branch history, you can probably compute N-gram coverage from it instead.
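The point above, as an added example that is not code from the original post: a toy coverage map that records AFL's classic edge hash (cur ^ (prev >> 1)) next to an N-gram index that folds the last N basic-block IDs together, loosely modelled on AFL++'s ngram mode. The block IDs, the two execution traces and the map size are constructed for the demo. The two traces execute exactly the same set of edges in a different order, so edge coverage sees nothing new in the second trace while the 4-gram map does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the post's own code: AFL-style edge coverage beside an
 * N-gram variant. Block IDs, traces and map size below are constructed. */

#define MAP_SIZE (1u << 16)
#define NGRAM    4

typedef struct {
    uint16_t hist[NGRAM];        /* hist[0] = current block, hist[1] = previous, ... */
    uint8_t  edge_map[MAP_SIZE];
    uint8_t  ngram_map[MAP_SIZE];
} cov_t;

/* AFL's classic edge hash; the shift keeps A->B and B->A distinct. */
static uint16_t edge_index(uint16_t prev, uint16_t cur)
{
    return (uint16_t)(cur ^ (prev >> 1));
}

/* Fold the last n block IDs into one index; older entries are shifted further
 * (similar in spirit to AFL++'s ngram mode). With n == 2 this equals edge_index. */
static uint16_t ngram_index(const uint16_t *hist, int n)
{
    uint32_t idx = 0;
    for (int i = 0; i < n; i++)
        idx ^= (uint32_t)hist[i] >> i;
    return (uint16_t)(idx & (MAP_SIZE - 1));
}

/* Record one executed block. Bit 0 of the result: new edge; bit 1: new n-gram. */
static int cov_record(cov_t *c, uint16_t cur)
{
    memmove(&c->hist[1], &c->hist[0], (NGRAM - 1) * sizeof c->hist[0]);
    c->hist[0] = cur;

    int found = 0;
    uint16_t e = edge_index(c->hist[1], cur);
    if (!c->edge_map[e])  { c->edge_map[e]  = 1; found |= 1; }
    uint16_t g = ngram_index(c->hist, NGRAM);
    if (!c->ngram_map[g]) { c->ngram_map[g] = 1; found |= 2; }
    return found;
}

/* Replay one execution trace. History starts empty for each run, the way a
 * fuzzer resets prev_loc between test cases. Counts new edges and new n-grams. */
static void replay(cov_t *c, const uint16_t *path, size_t len,
                   int *new_edges, int *new_ngrams)
{
    memset(c->hist, 0, sizeof c->hist);
    *new_edges = *new_ngrams = 0;
    for (size_t i = 0; i < len; i++) {
        int r = cov_record(c, path[i]);
        if (r & 1) (*new_edges)++;
        if (r & 2) (*new_ngrams)++;
    }
}

/* Constructed block IDs: A = loop head, B and C = two loop bodies, D = exit. */
enum { BLK_A = 0x1A2B, BLK_B = 0x3C4D, BLK_C = 0x5E6F, BLK_D = 0x7081 };

/* Two traces covering the same edge set {A->B, B->A, A->C, C->A, A->D} in different order. */
static const uint16_t path_bc[] = { BLK_A, BLK_B, BLK_A, BLK_C, BLK_A, BLK_D };
static const uint16_t path_cb[] = { BLK_A, BLK_C, BLK_A, BLK_B, BLK_A, BLK_D };

/* How many new map entries does the second trace add after the first has run?
 * use_ngram == 0 reports the edge map, anything else the n-gram map. */
static int new_entries_from_second_trace(int use_ngram)
{
    static cov_t c;   /* two 64 KiB maps; static keeps them off the stack */
    memset(&c, 0, sizeof c);
    int e, g;
    replay(&c, path_bc, sizeof path_bc / sizeof path_bc[0], &e, &g);
    replay(&c, path_cb, sizeof path_cb / sizeof path_cb[0], &e, &g);
    return use_ngram ? g : e;
}

/* Sanity check: the 2-gram index is exactly AFL's edge index. */
static int ngram2_matches_edge(void)
{
    uint16_t h[NGRAM] = { BLK_B, BLK_A, 0, 0 };
    return ngram_index(h, 2) == edge_index(BLK_A, BLK_B);
}

int main(void)
{
    printf("edge coverage:   second trace adds %d new entries\n", new_entries_from_second_trace(0));
    printf("%d-gram coverage: second trace adds %d new entries\n", NGRAM, new_entries_from_second_trace(1));
    return 0;
}
```

With these IDs the second trace adds nothing to the edge map but five entries to the 4-gram map: the fuzzer would keep the second input as "interesting" only under the N-gram metric, which is the path-dependent information the footnote is talking about. Raising N also raises the collision rate in a fixed-size map, which is why real fuzzers keep N small.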

In fact, if you're using Windows 11 with Virtualization-Based Security enabled (the default on supported hardware), the "bare metal" Windows kernel you think you're running has actually been running as a guest under the Hyper-V hypervisor this entire time. Isn't that kind of neat?

Yes, that Varnish. The HTTP cache.

