13 lines (10 loc) · 640 Bytes

exploitation.md

File metadata and controls

13 lines (10 loc) · 640 Bytes

Exploitation

Like BuzzFuzz, Angora uses taint tracking to find which input bytes flow into the "attack points" we define. You can add your own attack points in llvm_mode/rules/exploitation_list.txt and then recompile the program under test.

```
# the 2nd (counting from 0) argument of function memset is an attack point
fun:memset=i2
# the 0th operand of the LLVM IR instruction inttoptr is an attack point
ins:inttoptr=i0
```
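As an added illustration (not Angora's own code), the script below models what an entry in the exploitation list means: it parses rules written as `fun:<function>=i<N>` or `ins:<llvm opcode>=i<N>`, then runs a toy byte-level taint model over a constructed input to report which input byte offsets reach each attack point's argument. The `Tainted`, `read_input`, `AttackPointMonitor` and `run_sample` names are made up for this example, and the taint model is a hand-rolled stand-in for the DFSan-based tracking Angora performs in its instrumented binaries.

```python
import re
from dataclasses import dataclass

# Rule syntax as used on this page: fun:<function>=i<N> or ins:<llvm opcode>=i<N>
RULE_RE = re.compile(r"^(fun|ins):([A-Za-z_][\w.]*)=i(\d+)$")


def parse_exploitation_list(text):
    """Parse an exploitation list into {(kind, name): argument_index}.

    '#' starts a comment and blank lines are skipped. Any other line that
    does not match the rule syntax raises, so a typo in the list is caught
    before a (long) recompile of the target.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        kind, name, idx = m.groups()
        rules[(kind, name)] = int(idx)
    return rules


@dataclass(frozen=True)
class Tainted:
    """A runtime value plus the set of input byte offsets it was derived from."""
    value: int
    offsets: frozenset = frozenset()


def read_input(data, off, width):
    """Little-endian read from the fuzz input; the result is tainted by exactly
    the bytes consumed (a hypothetical stand-in for DFSan's byte-level labels)."""
    v = int.from_bytes(data[off:off + width], "little")
    return Tainted(v, frozenset(range(off, off + width)))


def add(a, b):
    """Arithmetic propagates taint as the union of both operands' labels."""
    return Tainted(a.value + b.value, a.offsets | b.offsets)


class AttackPointMonitor:
    """Checks each call or instruction against the rules and records hits."""

    def __init__(self, rules):
        self.rules = rules
        self.hits = []  # (name, argument index, sorted input offsets)

    def check(self, kind, name, *args):
        idx = self.rules.get((kind, name))
        if idx is not None and idx < len(args) and args[idx].offsets:
            self.hits.append((name, idx, sorted(args[idx].offsets)))


# Constructed list mirroring the two rules shown on the page.
SAMPLE_LIST = """
# the 2nd (counting from 0) argument of memset is an attack point
fun:memset=i2
# the 0th operand of the LLVM IR instruction inttoptr is an attack point
ins:inttoptr=i0
"""


def run_sample(data):
    """Toy 'program under test': header = u16 length, u16 padding, u32 address."""
    mon = AttackPointMonitor(parse_exploitation_list(SAMPLE_LIST))
    length = read_input(data, 0, 2)  # tainted by input bytes 0-1
    addr = read_input(data, 4, 4)    # tainted by input bytes 4-7
    buf = Tainted(0x1000)            # untainted constant
    mon.check("fun", "memset", buf, Tainted(0), length)       # input-controlled length
    mon.check("fun", "memset", buf, Tainted(0), Tainted(64))  # constant length: no hit
    mon.check("ins", "inttoptr", add(addr, Tainted(16)))      # pointer derived from input
    return mon.hits


if __name__ == "__main__":
    sample = bytes.fromhex("4000 0000 00200000")  # constructed 8-byte input
    for name, idx, offs in run_sample(sample):
        print(f"{name} arg {idx} depends on input bytes {offs}")
```

Running it reports that `memset` argument 2 depends on input bytes 0 and 1 and that the `inttoptr` operand depends on bytes 4 through 7; the constant-length `memset` call produces no hit. Those offset sets are exactly what a fuzzer uses to decide which bytes to mutate when targeting an attack point.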

Reference

  • Vijay Ganesh, Tim Leek, and Martin Rinard. “Taint-based directed whitebox fuzzing”. In: Proceedings of the 31st International Conference on Software Engineering. 2009, pp. 474–484.