First level taint implementation with qemu for linux user mode
THIS IS NOT WORKING YET (WIP)
On new queue entries (newly discovered paths into the target), this tainter is run with the new input to record which bytes of the input file are actually touched by the target.
Only the touched bytes are then fuzzed by afl-fuzz.
./build_qemu_taint.sh
Add the -A flag to afl-fuzz.
For some targets this is amazing and improves fuzzing a lot, but if a target first copies or reads all input bytes (e.g. to compute a CRC checksum, or just to work safely with the data), then every byte counts as touched and this does not help at all.
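The following is an added toy model of the idea described above, not the QEMU-based implementation this page is about: a wrapper records which input offsets a target reads, mutation is then restricted to those offsets, and a target that checksums the whole buffer first shows why the technique stops helping. The two target functions, the magic value and the sample input are constructed for illustration.

```python
import random
import zlib

# Constructed sample input: 4-byte magic, 1 length byte, 59 bytes of padding.
SAMPLE = b"TANT" + bytes([3]) + b"\x00" * 59

class TaintedInput:
    """Wraps the input bytes and records every offset the target reads."""
    def __init__(self, data: bytes):
        self.data = data
        self.touched = set()

    def read(self, off: int, n: int = 1) -> bytes:
        # Reading offset i marks byte i as touched (clamped to the buffer end)
        self.touched.update(range(off, min(off + n, len(self.data))))
        return self.data[off:off + n]

def target_header_only(inp: TaintedInput) -> bool:
    """Toy target: checks a 4-byte magic, then reads one length byte.
    Touches at most 5 of the input bytes."""
    if inp.read(0, 4) != b"TANT":
        return False
    return inp.read(4)[0] < 16

def target_checksum_first(inp: TaintedInput) -> bool:
    """Toy target that CRCs the whole buffer before parsing, the case the
    text warns about: every byte is touched, so nothing is excluded."""
    body = inp.read(0, len(inp.data))
    if zlib.crc32(body) == 0xDEADBEEF:  # arbitrary constructed check
        return False
    return target_header_only(inp)

def touched_offsets(target, data: bytes) -> set:
    """Run the target once on data and return the set of touched offsets."""
    inp = TaintedInput(data)
    target(inp)
    return inp.touched

def mutate_touched(data: bytes, touched: set, rng: random.Random) -> bytes:
    """Flip one bit in a randomly chosen byte, restricted to touched offsets."""
    buf = bytearray(data)
    off = rng.choice(sorted(touched))
    buf[off] ^= 1 << rng.randrange(8)
    return bytes(buf)

if __name__ == "__main__":
    print("header-only target touches:", sorted(touched_offsets(target_header_only, SAMPLE)))
    print("checksum-first target touches:", len(touched_offsets(target_checksum_first, SAMPLE)), "bytes")
```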
Two fuzz modes for a queue entry which will be switched back and forth: