After creating your project, you’re ready to begin the fuzzing run. Follow the steps below to start and monitor the fuzzing process.

1. Create run

  1. Return to the Home Screen. Once your project is created, navigate back to the home screen, where your project is now listed.
  1. Select Your Project. Click on the project you wish to fuzz. This will open the project details page.
  1. Initiate the Fuzzing Run
    1. On the project page, click the Start Run button:
  1. Run Initialization
    1. Within a few moments, your fuzzing run will appear in the project’s run list:

2. Monitor the Fuzzing Process

  1. Access the Live Fuzzing View. Select the newly created run to open a live view of the fuzzing session:
  1. Status Indicator. At the top of the live view, the status may say either Fuzzing or Booting at first, depending on whether you provided a Fuzz Start Location when you created the project.
     💡 The "booting" state is essentially the same as the "fuzzing" state, except that while in "boot" mode the fuzzer stops the moment the target "boot address" is reached, takes a snapshot, then resumes fuzzing from there. Defects will still be found and reported even during "boot".
  1. Block Coverage Visualization. Observe the block coverage plot to monitor how much of the firmware’s code is being exercised by the fuzzer. Block coverage is highly correlated with overall code coverage and gives you a visual indication of progress.

3. Detailed Metrics

Below the block coverage plot, two tables provide additional insights:
Function Coverage
This table displays how much compute time is being spent on each function within your firmware. It tracks the number of calls and blocks executed, which helps you ensure the fuzzer is efficiently targeting critical areas. You can adjust fuzzing behavior using the Binary Patching control (see the Settings section for more details).
Exit Stats
This table shows the distribution of exit reasons for each fuzzing execution. Since Metalware runs your firmware many times per second, various execution paths terminate for different reasons. The exit stats provide insight into the effectiveness of the fuzzing process.