- Idea
  - Patch the first byte of every basic block of the target with a one-byte trap, so that a VM exit is triggered when the guest executes it
  - When such a VM exit occurs, remove the patch (write the original byte back) so that future executions of that block do not cause a VM exit
  - VM exit due to the patch == execution of a new basic block == interesting input (new coverage)
- Implemented in a variety of fuzzers, e.g., mesos, ImageIO, Hyntrospect, what the fuzz, KF/x
- Some other coverage ideas are explained in the Putting the Hype in Hypervisor talk
  - Intel Processor Trace
  - Branch single stepping
  - Interrupt/timer based sampling
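A simulation of the one-shot breakpoint scheme above, added here as an example (not code from any of the fuzzers named). The byte array `guest`, the `patch_t` table and the functions `install_patches`, `on_vmexit` and `run_trace` are assumed names; a fetched address sequence stands in for guest execution, and the VM exit is modelled as the call to `on_vmexit`.

```c
#include <stdint.h>
#include <string.h>

#define INT3 0xCC        /* one-byte trap; executing it causes a VM exit */
#define GUEST_SIZE 64
#define MAX_BLOCKS 8
/* Constructed stand-in for guest code memory, and one record per patched
   basic block start: its address and the byte the INT3 replaced. */
static uint8_t guest[GUEST_SIZE];
typedef struct { uint32_t addr; uint8_t orig; int active; } patch_t;
static patch_t patches[MAX_BLOCKS];
static int n_patches;

void reset_guest(void) {
    memset(guest, 0x90, GUEST_SIZE);   /* constructed sample code: all NOPs */
    n_patches = 0;
}

/* Write INT3 over the first byte of every basic block, remembering the original. */
void install_patches(const uint32_t *blocks, int n) {
    n_patches = n < MAX_BLOCKS ? n : MAX_BLOCKS;
    for (int i = 0; i < n_patches; i++) {
        patches[i].addr = blocks[i];
        patches[i].orig = guest[blocks[i]];
        patches[i].active = 1;
        guest[blocks[i]] = INT3;
    }
}

/* VM-exit handler for a trap at `addr`. If it is one of our patches, restore the
   original byte (this block never exits again) and report a new block (1);
   a trap that is not ours reports 0. */
int on_vmexit(uint32_t addr) {
    for (int i = 0; i < n_patches; i++) {
        if (patches[i].active && patches[i].addr == addr) {
            guest[addr] = patches[i].orig;
            patches[i].active = 0;
            return 1;
        }
    }
    return 0;
}

/* Simulate one guest run as the sequence of addresses it fetches. Returns the
   number of new basic blocks reached; non-zero marks the input as interesting. */
int run_trace(const uint32_t *trace, int len) {
    int new_blocks = 0;
    for (int i = 0; i < len; i++)
        if (guest[trace[i]] == INT3 && on_vmexit(trace[i]))
            new_blocks++;
    return new_blocks;
}
```

Running the same trace twice shows why the scheme is cheap: the second run takes no VM exits at all, since every block it touches has already had its patch removed.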