googleprojectzero/Jackalope

Question: Would Jackalope be able to track code coverage for a child process spawned by the target?

dms1lva opened this issue · 2 comments

Would Jackalope be able to track code coverage for a child process spawned by the target?

Not in its current form, as it was designed with a single target process in mind.

Implementing support for the coverage of child processes would depend on the OS. Currently, on Linux/macOS after the fork(), both the parent and the child process start interacting with TinyInst, which only tracks state for a single process. Eventually, the state of the parent and the child process goes out of sync in some unexpected way and it causes crashes. Though a fork is something we can detect, at least on Linux. See https://github.com/googleprojectzero/TinyInst/blob/master/Linux/debugger.cpp#L1798.
I'm not sure what the situation on Windows is; possibly the child simply won't get instrumented and the parent will continue to work normally, but I'm not sure.

As usual, my recommendation is to try to find a way to fuzz the code you're interested in directly (by building a custom harness) rather than dealing with multiple processes etc. :)
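The kind of single-process harness the reply recommends, as an added example (not code from Jackalope, TinyInst or this thread): the code under test is linked into the harness and called in-process, so TinyInst only ever has one process to track. `parse_record` is a constructed stand-in for whatever library entry point you actually want coverage of; the `fuzz` symbol is what `-target_method fuzz -nargs 1` would hook.

```c
// Added example: minimal in-process Jackalope-style harness.
// Instead of letting the target spawn a child, link the code under test
// and call it directly from one exported function.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Hypothetical stand-in for the real parser you want coverage of.
// Accepts a 4-byte magic "REC\x01" followed by an optional count byte.
int parse_record(const uint8_t *buf, size_t len) {
    if (len < 4 || memcmp(buf, "REC\x01", 4) != 0) return -1;
    return len > 4 ? buf[4] : 0;
}

// Entry point TinyInst calls repeatedly in persistent mode. Kept
// non-static and non-inlined so the symbol is available to hook, e.g.:
//   fuzzer -in in -out out -instrument_module harness -target_module harness \
//          -target_method fuzz -nargs 1 -persist -loop -- ./harness @@
__attribute__((noinline))
int fuzz(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;                 // unreadable input: nothing to test
    uint8_t buf[4096];                 // fixed buffer keeps the harness simple
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_record(buf, n);       // exercise the code in this process
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input-file>\n", argv[0]);
        return 1;
    }
    return fuzz(argv[1]) < 0 ? 1 : 0;  // one run per input when not persistent
}
```

Without `-persist -loop`, Jackalope restarts the harness for every input; with them, `fuzz` is re-entered in the same process, which is where avoiding extra processes pays off.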

Thank you!