As BuzzFuzz, Angora supports finding which input bytes were processed by "attack point" we defined by taint tracking. You can add your custom "attack point" in llvm_mode/rules/exploitation_list.txt
, and then recompile the tested program.
# the 2th(start from 0) argument of function memeset is an attack point
fun:memset:i2
# the 0th argument of instruction (LLVM IR) inttoptr is an attack point
ins:inttoptr=i0
- Vijay Ganesh, Tim Leek, and Martin Rinard. “Taintbased directed whitebox fuzzing”. In: Proceedings of the 31st International Conference on Software Engineering. 2009, pp. 474–484.