fgsect/JMPscare
JMPscare

Toolkit for multi-execution jump coverage introspection: Analyze your fuzzing results by inspecting which conditional jumps you are missing.

This repository includes the following components:

  • Collection
  • Analysis
    • tool to analyze multiple execution traces in order to find conditional jumps which are always/never taken
    • works on any simple execution trace (file with one address per line)
    • supports ARM32, x86_64 and MIPS32
    • Potential New Coverage Analysis (ARM-only for now): Evaluate the number of new basic blocks behind a uni-directional jump, reachable in N branches
  • Plugins
    • Binary Ninja plugin to visualize analysis results
      • concise overview of roadblock jumps
      • instruction highlighting
      • easy navigation and auto-patching (invert branch conditions for forced execution)
    • Ghidra plugin (work in progress)
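The core analysis idea from the list above, as an added illustration that is not JMPscare's own code: several execution traces in the "one address per line" format are compared, and every conditional jump whose branch was resolved the same way in all of them is reported as a roadblock. The traces and the table of conditional jump sites (address, taken target, fall-through address) are constructed for the example; the real tool derives that table from disassembly.

```python
from collections import defaultdict

# Constructed sample traces, one executed address per line, in the simple
# trace format described above. The addresses are made up for this example.
TRACES = {
    "input_a.trace": "0x1000\n0x1004\n0x1010\n0x1014\n0x1020\n",
    "input_b.trace": "0x1000\n0x1004\n0x1008\n0x1010\n0x1014\n0x1020\n",
    "input_c.trace": "0x1000\n0x1004\n0x1010\n0x1014\n0x1020\n",
}

# Conditional jump sites: address -> (taken target, fall-through address).
# Hand-built here; a real tool would recover these from the disassembler.
COND_JUMPS = {
    0x1004: (0x1010, 0x1008),  # both directions occur in the traces
    0x1014: (0x1020, 0x1018),  # branch is taken in every trace
    0x1030: (0x1040, 0x1034),  # never reached by any trace
}


def parse_trace(text):
    """Parse 'one address per line' text into ints, skipping blank lines."""
    return [int(line, 16) for line in text.splitlines() if line.strip()]


def observe_directions(traces, cond_jumps):
    """Map each conditional jump to the set of directions seen in all traces."""
    seen = defaultdict(set)
    for text in traces.values():
        addrs = parse_trace(text)
        # The address following a jump site tells us which way it went.
        for cur, nxt in zip(addrs, addrs[1:]):
            if cur in cond_jumps:
                taken, fallthrough = cond_jumps[cur]
                if nxt == taken:
                    seen[cur].add("taken")
                elif nxt == fallthrough:
                    seen[cur].add("not_taken")
    return seen


def find_roadblocks(traces, cond_jumps):
    """Return {jump_addr: verdict} for jumps resolved in only one direction.
    Jumps never executed at all are left out: they are unreached, not roadblocks."""
    seen = observe_directions(traces, cond_jumps)
    verdicts = {}
    for addr in cond_jumps:
        dirs = seen.get(addr, set())
        if dirs == {"taken"}:
            verdicts[addr] = "always_taken"
        elif dirs == {"not_taken"}:
            verdicts[addr] = "never_taken"
    return verdicts
```

Running `find_roadblocks(TRACES, COND_JUMPS)` on the sample data flags only 0x1014 as always taken; its fall-through block 0x1018 is the code the fuzzer has not reached.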

For further information, please refer to the READMEs within each directory.

[Screenshot: JMPscare Binary Ninja plugin]

For in-depth details, refer to the preprint of our paper "JMPscare: Introspection for Binary-Only Fuzzing", presented at BAR 2021.