Feature Request: afl-cmin

[floyd-fuh]

The input corpus is the most important success factor of a properly configured fuzzer. Therefore, corpus has to be distilled, a minimized corpus can provide good code coverage while not including unnecessary files not resulting in new code paths being taken.

afl-cmin is very useful in this regard. I had situations where I ran afl-cmin for several days, but then the fuzzer found issues within a day.

Would it be possible to provide afl-cmin for jqf? And maybe also afl-tmin?

Probably missing timeout specification in #26 is a blocker for this one...

[rohanpadhye]

This should be fairly easy to implement, as it only requires supporting the afl-showmap style single-run execution.

[rohanpadhye]

Pushed scripts bin/jqf-afl-showmap and bin/jqf-afl-cmin, that are wrappers similar to jqf-afl-fuzz. Run without arguments to see usage.

The cmin script is going to be a bit slow, since it launches a new JVM for each test case in the directory. This is because internally afl-cmin does not use AFL's fork-server (which we piggy-back on to get good performance). In theory it is possible to re-implement the corpus minimization in Java, but I do not currently have time to implement that.

I am a bit reluctant to support afl-tmin as-is, because it will only be useful when the input to the fuzz method is of type InputStream or byte[], which I do not anticipate being the main use case for JQF. For other input types (such as HashMap or XMLDocument), the tmin algorithm will not work because deleting bytes in the input does not correspond to reducing the size of input data-structures.

[floyd-fuh]

Wow, that was quick, thanks!

I just tried jqf-afl-showmap with the tika example, it times out for me with the default -t value, but works with higher values.

I think it's fine if afl-cmin is rather slow and afl-tmin is not implemented for now, thanks for implementing!