FFW uses Honggfuzz to observe the target: Honggfuzz detects crashes and measures code coverage in the target process. FFW and Honggfuzz communicate over a local unix socket.
Overall the following communication protocol is implemented:
Honggfuzz starts the target server. When the target is ready, Honggfuzz sends the "Fuzz" command to FFW.
FFW then opens a TCP connection to the target, sends its (fuzzed) input, and closes the connection.
When finished, FFW sends "Okay" to Honggfuzz, indicating that Honggfuzz should now perform its code coverage analysis. The special case is a hang. A target crash or exit is usually already detected by Honggfuzz itself, so FFW defines a hang as being unable to open a TCP connection to the target. This happens when the target can no longer accept new TCP connections or has gone into an endless loop. In case of a hang, FFW sends "bad!" to Honggfuzz, which then restarts the target. Commits which implement this:
After the coverage analysis, Honggfuzz reports back to FFW. If the target crashed, it sends "Cras" (I limit myself to 4 character commands...) to FFW, which then stores the sent fuzzed data in the out/ directory. If the sent data reached new code, Honggfuzz sends "New!" to FFW, and FFW adds the sent data to the input corpus in the in/ directory.
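The exchange described above, as an added example that is not FFW's or Honggfuzz's own code: one FFW iteration over the control socket (Fuzz, deliver input over TCP, Okay or bad!, then Cras or New!), driven against a scripted stand-in for Honggfuzz and a throwaway TCP listener that stands in for the target. The function names, the in-memory lists replacing the in/ and out/ directories, the sample inputs, and the handling of a reply that is neither "Cras" nor "New!" (treated as "nothing") are assumptions for this example; the page does not say what Honggfuzz sends in that case.

```python
import socket
import threading

# The four-byte commands exchanged over the FFW <-> Honggfuzz unix socket,
# as described above.
CMD_FUZZ = b"Fuzz"   # Honggfuzz -> FFW: target is up, send one fuzzed input
CMD_OKAY = b"Okay"   # FFW -> Honggfuzz: input delivered, run coverage analysis
CMD_BAD = b"bad!"    # FFW -> Honggfuzz: target hung (no TCP connect), restart it
CMD_CRAS = b"Cras"   # Honggfuzz -> FFW: target crashed, keep the input in out/
CMD_NEW = b"New!"    # Honggfuzz -> FFW: new coverage, add the input to in/


def recv_cmd(sock):
    """Read exactly one 4-byte command; returns b'' if the peer closed."""
    buf = b""
    while len(buf) < 4:
        chunk = sock.recv(4 - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def tcp_send(addr, data, timeout=2.0):
    """Deliver one fuzzed input: open a TCP connection, send, close.
    Returns False when no connection can be opened, i.e. a hang in FFW terms."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.sendall(data)
    except OSError:
        return False
    return True


def ffw_iteration(ctrl, target_addr, data, corpus_in, crashes_out):
    """One FFW fuzzing iteration over the Honggfuzz control socket `ctrl`.
    Returns the verdict; corpus_in / crashes_out stand in for in/ and out/."""
    if recv_cmd(ctrl) != CMD_FUZZ:
        return "protocol-error"
    if not tcp_send(target_addr, data):
        ctrl.sendall(CMD_BAD)              # hang: Honggfuzz restarts the target
        return "hang"
    ctrl.sendall(CMD_OKAY)                 # let Honggfuzz do coverage analysis
    verdict = recv_cmd(ctrl)
    if verdict == CMD_CRAS:
        crashes_out.append(data)           # FFW writes this to out/
        return "crash"
    if verdict == CMD_NEW:
        corpus_in.append(data)             # FFW writes this to in/
        return "new-coverage"
    return "nothing"                       # assumption: any other reply


def fake_honggfuzz(ctrl, replies):
    """Scripted stand-in for Honggfuzz (constructed for this example). It
    announces a ready target with Fuzz and, after Okay, reports the next
    scripted verdict; after bad! it would restart the target instead."""
    for reply in replies:
        ctrl.sendall(CMD_FUZZ)
        if recv_cmd(ctrl) == CMD_OKAY:
            ctrl.sendall(reply)
    ctrl.close()


def accept_and_drain(listener, count):
    """Throwaway target: accept `count` connections, read until EOF, close."""
    for _ in range(count):
        try:
            conn, _ = listener.accept()
        except OSError:
            return                         # listener closed early
        with conn:
            while conn.recv(4096):
                pass


def run_session():
    """Three iterations: new coverage, crash, then a hang because the target
    stopped accepting connections. Inputs are constructed sample data."""
    script = [(b"GET / HTTP/1.0\r\n\r\n", CMD_NEW),
              (b"A" * 4096, CMD_CRAS),
              (b"B" * 16, None)]           # target gone: no verdict expected
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(4)
    target_addr = listener.getsockname()
    acceptor = threading.Thread(target=accept_and_drain, args=(listener, 2))
    acceptor.start()
    ffw_end, hf_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    hf = threading.Thread(target=fake_honggfuzz,
                          args=(hf_end, [r for _, r in script]))
    hf.start()
    corpus_in, crashes_out, verdicts = [], [], []
    for data, reply in script:
        if reply is None:
            acceptor.join()                # both real connections are done ...
            listener.close()               # ... then the target "hangs"
        verdicts.append(ffw_iteration(ffw_end, target_addr, data,
                                      corpus_in, crashes_out))
    hf.join()
    ffw_end.close()
    return verdicts, corpus_in, crashes_out


if __name__ == "__main__":
    print(run_session())
```

Note that the hang detection relies purely on the connect failing: once the listener is closed, the third connect is refused, FFW answers "bad!" instead of "Okay", and the scripted Honggfuzz never sends a verdict for that input.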
Note that FFW selects an input at random from the corpus in the in/ directory. All fuzzing threads are also notified via a filesystem event (inotify) when one fuzzing process has identified a new corpus input, so every thread picks up the new file.