1. Idea

Consider a sample program that reports whether its command line argument is even or odd.

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <number>\n", argv[0]);
        return 1;
    }
    /* atoi(argv[1]) % 2 is -1 for a negative odd number, so test != 0 rather than == 1 */
    ((atoi(argv[1]) % 2) != 0) ? printf("Odd") : printf("Even");
    return 0;
}

Coverage-guided fuzzing requires the fuzzer to know which execution path the target took in response to a given input. One way to achieve this is to modify the source code so that it reports the flow as it runs, somewhat like this:

#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the callback the fuzzer would hook; here it only logs the event */
static void notifyFuzzer(const char *event)
{
    fprintf(stderr, "[trace] %s\n", event);
}

int main(int argc, char *argv[])
{
    notifyFuzzer("main starting");
    if (argc < 2) {
        fprintf(stderr, "usage: %s <number>\n", argv[0]);
        return 1;
    }
    if ((atoi(argv[1]) % 2) != 0) {
        notifyFuzzer("if branch taken");
        printf("Odd");
    } else {
        notifyFuzzer("else branch taken");
        printf("Even");
    }
    return 0;
}

The question remains: how do you instrument a huge code base in a way that is language agnostic and collision resistant, so that two distinct program locations never report the same trace identifier?
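The string-logging notifyFuzzer above shows the idea but not what a fuzzer actually does with the trace. The following is an added example (not code from the original post): notifyFuzzer records each block-to-block edge in a shared bitmap using the prev_loc/cur_loc hashing scheme used by AFL, and the fuzzer side compares a run's bitmap against everything seen so far to decide whether an input found new coverage. The block IDs 0x4f21, 0x1a3c and 0x9b07 are hand-picked constants standing in for the random IDs an instrumentation pass would assign at build time; resetCoverage and runInput are hypothetical names for the fuzzer-side bookkeeping.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not from the original post.  Block IDs below are hand-picked
 * stand-ins for the compile-time random IDs an instrumentation pass would emit.
 */

#define MAP_SIZE (1u << 16)

static uint8_t  trace_bits[MAP_SIZE];   /* edge hit counts for the current run */
static uint8_t  virgin_bits[MAP_SIZE];  /* edges seen by any earlier run */
static uint16_t prev_loc;               /* previous block ID, shifted */

/* One instrumentation point; the pass would emit this at every basic block. */
static void notifyFuzzer(uint16_t cur_loc)
{
    trace_bits[(cur_loc ^ prev_loc) % MAP_SIZE]++;
    /* Shift so that the edges A->B and B->A hash to different map entries. */
    prev_loc = cur_loc >> 1;
}

/* The even/odd target from the post, with hypothetical block IDs. */
static const char *classify(const char *arg)
{
    notifyFuzzer(0x4f21);               /* entry block */
    if ((atoi(arg) % 2) != 0) {
        notifyFuzzer(0x1a3c);           /* "Odd" block */
        return "Odd";
    } else {
        notifyFuzzer(0x9b07);           /* "Even" block */
        return "Even";
    }
}

/* Fuzzer side: forget all coverage, as at the start of a campaign. */
static void resetCoverage(void)
{
    memset(virgin_bits, 0, sizeof virgin_bits);
}

/*
 * Fuzzer side: run one input and return the number of edges it hit that no
 * earlier input had.  A non-zero result is what makes a coverage-guided
 * fuzzer keep the input in its queue.  label (may be NULL) receives the
 * target's answer for display.
 */
static int runInput(const char *arg, const char **label)
{
    memset(trace_bits, 0, sizeof trace_bits);
    prev_loc = 0;
    const char *result = classify(arg);
    if (label)
        *label = result;

    int new_edges = 0;
    for (size_t i = 0; i < MAP_SIZE; i++) {
        if (trace_bits[i] && !virgin_bits[i]) {
            virgin_bits[i] = 1;
            new_edges++;
        }
    }
    return new_edges;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <number> [<number> ...]\n", argv[0]);
        return 1;
    }
    resetCoverage();
    for (int i = 1; i < argc; i++) {
        const char *label = NULL;
        int fresh = runInput(argv[i], &label);
        printf("%-8s %-5s %d new edge(s)\n", argv[i], label, fresh);
    }
    return 0;
}
```

Running it as `./a.out 3 5 4 6` reports 2 new edges for "3" (entry and the Odd block), none for "5", 1 for "4" (the Even block) and none for "6": the fuzzer learns that only "3" and "4" are worth keeping, without any hand-written trace strings. The XOR of a random per-block ID with the shifted previous ID is what gives the scheme its collision resistance: identifiers come from the instrumentation pass, not from the programmer, and the map index depends on the edge rather than on the block alone.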

HINT: compiler (source language -> assembly), assembler (assembly -> object code), linker (object code -> executable/library). The later the stage, the less it knows or cares about the source language.