logo
After creating your project, you’re ready to begin the fuzzing run. Follow the steps below to start and monitor the fuzzing process.

1. Create run

  1. Return to the Home Screen Once your project is created, navigate back to the home screen where your project is now listed.
Image without caption
  1. Select Your Project Click on the project you wish to fuzz. This will open the project details page.
  1. Set Number Of Instances Navigate to Settings on the left pane and adjust number of instances (cores) for parallelized fuzzing.
Image without caption
Max instance count is internally capped at half the total cores on your host machine.
Each instance (core) requires ~5GB RAM
💡
Parallelized fuzzing is “intelligent” in that knowledge is shared across instances to maximize overall effectiveness. Individual instances avoid duplicating work that has been performed by other instances.
  1. Initiate the Fuzzing Run
      2. On the project page, click the Start Run button:
Image without caption
  1. Run Initialization
      2. Within a few moments, your fuzzing run will appear in the project’s run list:
Image without caption

2. Monitor the Fuzzing Process

  1. Access the Live Fuzzing View Select the newly created run to open a live view of the fuzzing session:
Image without caption
  1. Status Indicator At the top of the live view, the status may display either Fuzzing or Booting.
The status at the top may either say Fuzzing or Booting at first depending on whether you provided a Fuzz Start Location when you created the project.
💡
The "booting state" is essentially the same as the "fuzzing state" except that while in "boot" mode the fuzzer stops the moment the target "boot address" is reached, takes a snapshot then resumes fuzzing from there. Defects will still be found and reported even during "boot”.
  1. Block Coverage Visualization Observe the block coverage plot to monitor how much of the firmware’s code is being exercised by the fuzzer. Block coverage is highly correlated with overall code coverage and gives you a visual indication of progress:
Image without caption

3. Detailed Metrics

Below the block coverage plot, two tables provide additional insights:
Function Coverage
This table displays how much compute time is being spent on each function within your firmware. It tracks the number of calls and blocks executed, which helps you ensure the fuzzer is efficiently targeting critical areas. You can adjust fuzzing behavior using the Binary Patching control (see the Settings section for more details).
Image without caption
Exit Stats
This table shows the distribution of exit reasons for each fuzzing execution. Since Metalware runs your firmware many times per second, various execution paths terminate for different reasons. The exit stats provide insight into the effectiveness of the fuzzing process.
Image without caption
Configure Project
Defect Reports
Powered by Notaku
metalware.com
Share
Content
Start Fuzzing
1. Create run
2. Monitor the Fuzzing Process
3. Detailed Metrics