
Fuzzing targets that trigger and handle signals like SIGILL as part of normal operations #473

Closed
fniksic opened this issue Oct 5, 2022 · 1 comment


fniksic commented Oct 5, 2022

Honggfuzz emphasizes its approach to signal monitoring as one of the key features:

Uses low-level interfaces to monitor processes (e.g. ptrace under Linux and NetBSD). As opposed to other fuzzers, it will discover and report hijacked/ignored signals from crashes (intercepted and potentially hidden by a fuzzed program).

But what of targets that trigger (and handle) signals like SIGILL as part of their normal operations? Admittedly, this is somewhat unusual, but such targets exist. Is there an option to override honggfuzz's default behavior, or is honggfuzz not suitable for fuzzing such targets?

robertswiecki (Collaborator) commented

I guess you're talking about e.g. ffmpeg/mplayer, which tries to figure out if certain instructions are supported on a given CPU?

There's no flag to ignore e.g. SIGKILL, but you can edit out the https://github.com/google/honggfuzz/blob/master/linux/trace.c#L367 line, and SIGILL will then be ignored when analyzing signals.

We can maybe add a flag to that, if it'd really help you, but otherwise this seems like a bit of a niche problem? I guess, up to you.
