Replace "target" with a checkpoint system #41

Open
@smnhff-work


Currently, fuzzware supports the definition of a "target". A "target" is a point in the program that needs to be discovered once, and from then on, the fuzzing prefix to reach this point is prepended to all further fuzzing input in order to always pass that point in the program. This is very helpful to pass a boot process once and then continue fuzzing the actual application.

This approach hits its limits once this "target" is far enough into the program for the fuzzer to not reliably find that point in a given time. To improve upon this feature, fuzzware could implement a checkpoint system that, in its simplest form, iteratively performs the "target" approach from above:
First, the analyst defines a list of targets. Fuzzware then performs the "target" step for each entry in the list, until the last entry is found. From there on, it performs its regular exploration.
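As an added illustration (not fuzzware's own code), a toy Python model of the iterative target approach proposed above: the constructed "firmware" passes checkpoint i only if input byte i has a fixed value, a random-mutation stage searches from a fixed prefix, and the input that reaches each target becomes the prefix for the next one. Trimming the found input to the shortest prefix that still reaches the target is my assumption, not something the issue specifies.

```python
import random

# Constructed toy "firmware": checkpoint i is passed only if input byte i
# equals MAGIC[i]; the run reports how many checkpoints were reached.
MAGIC = b"\x7f\x13\xa5\x42"

def run_target(inp: bytes) -> int:
    for i, expected in enumerate(MAGIC):
        if i >= len(inp) or inp[i] != expected:
            return i
    return len(MAGIC)

def minimize_prefix(inp: bytes, target: int) -> bytes:
    # Assumed step: drop trailing bytes while the target is still reached, so the
    # prefix carries no unverified random bytes that later stages could never change.
    while len(inp) > 1 and run_target(inp[:-1]) >= target:
        inp = inp[:-1]
    return inp

def search_target(prefix: bytes, target: int, budget: int, rng: random.Random):
    # One "target" step: keep the prefix fixed, append a short random suffix,
    # and stop as soon as the program reaches the requested checkpoint.
    for _ in range(budget):
        suffix = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 4)))
        candidate = prefix + suffix
        if run_target(candidate) >= target:
            return minimize_prefix(candidate, target)
    return None

def checkpoint_fuzz(targets, budget_per_target: int, seed: int = 0):
    # Iterate the target step over the analyst-defined list; each found input
    # becomes the prefix for the next search. Returns None if any stage fails.
    rng = random.Random(seed)
    prefix = b""
    for target in targets:
        prefix = search_target(prefix, target, budget_per_target, rng)
        if prefix is None:
            return None
    return prefix

if __name__ == "__main__":
    # Same total budget: a single deep target is practically unreachable,
    # while four chained checkpoints are found in a few hundred runs each.
    print("single target :", checkpoint_fuzz([4], 20000))
    print("checkpoints   :", checkpoint_fuzz([1, 2, 3, 4], 5000))
```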
