DDFuzz was evaluated against the following five targets, which its authors thought would be amenable to data-flow-based fuzzing:
The links above are to the commit hashes used in the paper.
We instrument the targets with AFL++'s LTO instrumentation and with CmpLog instrumentation.
When fuzzing we disable the auto-dictionary with AFL_NO_AUTODICT=1.
We use Angora per their instructions.
We use DDFuzz per their instructions.
We instrument with the following datAFLow configurations (the label reads as def sensitivity / use capture):
- "datAFLow (A/A)"
    FUZZALLOC_DEF_SENSITIVITY=array
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=use
    FUZZALLOC_INST=afl
- "datAFLow (A/O)"
    FUZZALLOC_DEF_SENSITIVITY=array
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=offset
    FUZZALLOC_INST=afl
- "datAFLow (A/V)"
    FUZZALLOC_DEF_SENSITIVITY=array
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=value
    FUZZALLOC_INST=afl
- "datAFLow (A+S/A)"
    FUZZALLOC_DEF_SENSITIVITY=array:struct
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=use
    FUZZALLOC_INST=afl
- "datAFLow (A+S/O)"
    FUZZALLOC_DEF_SENSITIVITY=array:struct
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=offset
    FUZZALLOC_INST=afl
- "datAFLow (A+S/V)"
    FUZZALLOC_DEF_SENSITIVITY=array:struct
    FUZZALLOC_USE_SENSITIVITY=read:write
    FUZZALLOC_USE_CAPTURE=value
    FUZZALLOC_INST=afl
We also use the custom memory allocation functions defined in ddfuzz/mem-funcs, specified using the FUZZALLOC_DEF_MEM_FUNCS environment variable. Finally, initial starting seeds are provided under the seeds directory.
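The following driver script is an added example, not part of the datAFLow or DDFuzz repositories: it derives the FUZZALLOC_* environment from a configuration label such as "A+S/O" (the naming scheme used in the list above) and then runs a build and an AFL++ campaign with the auto-dictionary disabled, the mem-funcs list and the seeds directory. The build command (`./build-target.sh`), the instrumented binary name (`<target>-fuzz`), the seeds layout (`seeds/<target>`) and the target taking its input as a file argument are all assumptions.

```shell
#!/bin/sh
# Added example: derive a datAFLow configuration from its label and run one
# campaign with it. Build script, binary name and seed layout are assumed.
set -eu

# Map "A/A", "A/O", "A/V", "A+S/A", "A+S/O", "A+S/V" to FUZZALLOC_* assignments.
# Left of the slash: A = array, A+S = array:struct (def sensitivity).
# Right of the slash: A = use (access), O = offset, V = value (use capture).
dataflow_env() {
  defs=${1%/*}
  cap=${1#*/}
  case "$defs" in
    A)   def_sens=array ;;
    A+S) def_sens=array:struct ;;
    *)   echo "unknown def sensitivity: $defs" >&2; return 1 ;;
  esac
  case "$cap" in
    A) use_cap=use ;;
    O) use_cap=offset ;;
    V) use_cap=value ;;
    *) echo "unknown use capture: $cap" >&2; return 1 ;;
  esac
  printf 'FUZZALLOC_DEF_SENSITIVITY=%s FUZZALLOC_USE_SENSITIVITY=read:write FUZZALLOC_USE_CAPTURE=%s FUZZALLOC_INST=afl' \
    "$def_sens" "$use_cap"
}

# Build one target under one configuration, then fuzz it.
# $1 = configuration label, $2 = target name, $3 = AFL++ output directory.
run_campaign() {
  cfg=$1; target=$2; out=$3
  fuzzalloc_env=$(dataflow_env "$cfg")
  # The mem-funcs list lives in ddfuzz/mem-funcs (path assumed relative to $PWD);
  # the build step is a placeholder for however the target is normally built.
  # shellcheck disable=SC2086  # word-splitting of the assignments is intended
  env $fuzzalloc_env FUZZALLOC_DEF_MEM_FUNCS="$PWD/ddfuzz/mem-funcs" \
    ./build-target.sh "$target"
  # Disable the auto-dictionary as in the evaluation; seeds come from seeds/<target>.
  AFL_NO_AUTODICT=1 afl-fuzz -i "seeds/$target" -o "$out" -- "./$target-fuzz" @@
}
```

Invoke it as `run_campaign 'A+S/O' <target> out-AS-O` once the placeholders match your build; `dataflow_env` alone is handy for checking which assignments a label expands to.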