I have a program that processes packets of a certain size but requires a large number of them for any meaningful output.
I currently fuzz my program with AFL by receiving a packet from AFL and running it through the system the necessary amount of times.
This is not ideal, since I reuse the same deformed packet multiple times, so I switched to using AFL's persistent mode, in which it sends me data through a pipe continuously.
The problem is that, AFAICT, this mode assumes that each input is run in isolation, and I want to create a crash that is dependent on a series of inputs.
What is the correct way to fuzz my program?
You should handle the data received from AFL as a sequence of packets. This is the AFL persistent mode example (comments are stripped):
A modified example for your case would be:
AFL works badly with big input sizes - trying to modify all bits takes an enormous amount of time. When FIXED_PACKET_SIZE*NUM_PACKETS_TO_RECEIVE is big, you should try not to use fuzzed data for packet parts that are unlikely to result in errors. Another problem can arise when AFL modifies your test data size - it can do so for some input mutations. Your read call should handle these cases.
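An added example of such a harness (my own code, not the answer's or AFL's): one AFL test case is read from stdin inside the persistent loop, cut into whole FIXED_PACKET_SIZE packets, and fed in order to a stateful processor that is reset at the start of every iteration. It assumes a 16-byte packet size, a placeholder process_packet(), and a fallback __AFL_LOOP macro so the file also builds without afl-clang-fast; the short-read and size-change cases the answer mentions are handled explicitly.

```c
#include <string.h>
#include <unistd.h>

#define FIXED_PACKET_SIZE 16          /* assumption: the program's packet size */
#define NUM_PACKETS_TO_RECEIVE 64     /* assumption: packets needed per run */
#define MAX_INPUT (FIXED_PACKET_SIZE * NUM_PACKETS_TO_RECEIVE)

#ifndef __AFL_LOOP
/* Fallback when not compiled with afl-clang-fast: run the loop body once. */
static int afl_loop_fallback;
#define __AFL_LOOP(n) (afl_loop_fallback++ == 0)
#endif

typedef struct { unsigned seen; unsigned checksum; } state_t;

static void reset_state(state_t *st) { memset(st, 0, sizeof *st); }

/* Placeholder for the real packet handler; it accumulates state across packets. */
static void process_packet(state_t *st, const unsigned char *pkt) {
    st->seen++;
    for (int i = 0; i < FIXED_PACKET_SIZE; i++)
        st->checksum = st->checksum * 31u + pkt[i];
}

/* Split one test case into whole packets and feed them in order.
 * AFL may shrink or grow the input, so len need not be a multiple of
 * FIXED_PACKET_SIZE; a trailing partial packet is dropped and at most
 * NUM_PACKETS_TO_RECEIVE packets are delivered. Returns the count fed. */
size_t feed_sequence(state_t *st, const unsigned char *buf, size_t len) {
    size_t n = len / FIXED_PACKET_SIZE;
    if (n > NUM_PACKETS_TO_RECEIVE) n = NUM_PACKETS_TO_RECEIVE;
    reset_state(st);   /* every AFL iteration starts from a clean state */
    for (size_t i = 0; i < n; i++) process_packet(st, buf + i * FIXED_PACKET_SIZE);
    return n;
}

/* Constructed sample input: 3 full packets plus 5 stray trailing bytes. */
static const unsigned char sample_input[FIXED_PACKET_SIZE * 3 + 5] = { 1, 2, 3 };

int main(void) {
    static unsigned char buf[MAX_INPUT];
    state_t st;
    while (__AFL_LOOP(1000)) {
        /* read() may return fewer bytes than asked for; loop until EOF or full. */
        size_t len = 0; ssize_t r;
        while (len < sizeof buf && (r = read(0, buf + len, sizeof buf - len)) > 0)
            len += (size_t)r;
        feed_sequence(&st, buf, len);
    }
    return 0;
}
```

Build with afl-clang-fast and run under afl-fuzz with seed files of NUM_PACKETS_TO_RECEIVE concatenated valid packets, so that mutations start from a sequence the program accepts.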