oscura 0.5.0__py3-none-any.whl → 0.6.0__py3-none-any.whl

oscura/validation/fuzzer.py

@@ -0,0 +1,990 @@
+"""Advanced protocol fuzzer with coverage-guided mutation and structure-aware fuzzing.
+
+This module provides comprehensive fuzzing capabilities for protocol testing, including
+grammar-based mutation, coverage tracking, and crash detection. It integrates with the
+existing grammar test framework and supports AFL-style corpus minimization.
+
+Example:
+    >>> from oscura.validation import ProtocolFuzzer, FuzzingConfig
+    >>> from oscura.sessions import ProtocolSpec
+    >>>
+    >>> # Configure fuzzer
+    >>> config = FuzzingConfig(
+    ...     strategy="coverage_guided",
+    ...     max_iterations=1000,
+    ...     crash_detection=True,
+    ...     corpus_minimization=True
+    ... )
+    >>>
+    >>> # Run fuzzing campaign
+    >>> fuzzer = ProtocolFuzzer(config)
+    >>> result = fuzzer.fuzz_protocol(protocol_spec, seed_corpus)
+    >>>
+    >>> # Export results
+    >>> fuzzer.export_crashes(Path("crashes/"))
+    >>> fuzzer.export_corpus(Path("corpus/"))
+    >>> print(f"Found {len(result.crashes)} crashes")
+
+References:
+    AFL Technical Details: https://lcamtuf.coredump.cx/afl/technical_details.txt
+    Coverage-Guided Fuzzing: Efficient Vulnerability Discovery by Michal Zalewski
+    Grammar-Based Fuzzing: Nautilus Paper (NDSS 2019)
+"""
+
+from __future__ import annotations
+
+import hashlib
+import random
+from collections.abc import Callable
+from dataclasses import dataclass, field
+from enum import Enum, auto
+from pathlib import Path
+from typing import TYPE_CHECKING, Any, ClassVar, Literal
+
+if TYPE_CHECKING:
+    from oscura.sessions.blackbox import FieldHypothesis, ProtocolSpec
+
+
+class FuzzingStrategy(Enum):
+    """Fuzzing strategy enumeration.
+
+    Attributes:
+        RANDOM: Pure random mutation without feedback.
+        MUTATION: AFL-style mutation-based fuzzing.
+        GENERATION: Grammar-based generation from protocol spec.
+        COVERAGE_GUIDED: Coverage feedback-guided fuzzing (most effective).
+        STRUCTURAL: Structure-aware field-level fuzzing.
+    """
+
+    RANDOM = auto()
+    MUTATION = auto()
+    GENERATION = auto()
+    COVERAGE_GUIDED = auto()
+    STRUCTURAL = auto()
+
+
+class MutationOperator(Enum):
+    """Mutation operator types.
+
+    Attributes:
+        BIT_FLIP: Single bit flip.
+        BYTE_FLIP: Entire byte flip (XOR 0xFF).
+        ARITHMETIC: Arithmetic mutation (+1, -1, *2, /2).
+        BOUNDARY: Boundary value insertion (0, max, max+1).
+        SPECIAL: Special value insertion (0xFF, 0x00, 0x7F, 0x80).
+        INSERT: Byte insertion.
+        DELETE: Byte deletion.
+        DUPLICATE: Duplicate region.
+        SWAP: Swap two bytes.
+        CHECKSUM_CORRUPT: Intentionally corrupt checksum.
+        LENGTH_CORRUPT: Manipulate length fields.
+    """
+
+    BIT_FLIP = auto()
+    BYTE_FLIP = auto()
+    ARITHMETIC = auto()
+    BOUNDARY = auto()
+    SPECIAL = auto()
+    INSERT = auto()
+    DELETE = auto()
+    DUPLICATE = auto()
+    SWAP = auto()
+    CHECKSUM_CORRUPT = auto()
+    LENGTH_CORRUPT = auto()
+
+
+class TestResult(Enum):
+    """Test execution result.
+
+    Attributes:
+        PASS: Test passed without errors.
+        FAIL: Test failed validation.
+        CRASH: Parser crashed or raised exception.
+        HANG: Test timed out (if timeout detection enabled).
+        UNKNOWN: Unable to determine result.
+    """
+
+    PASS = auto()
+    FAIL = auto()
+    CRASH = auto()
+    HANG = auto()
+    UNKNOWN = auto()
+
+
+@dataclass
+class FuzzingConfig:
+    """Configuration for protocol fuzzing.
+
+    Attributes:
+        strategy: Fuzzing strategy to use.
+        max_iterations: Maximum number of fuzzing iterations.
+        timeout_ms: Timeout in milliseconds per test case.
+        crash_detection: Enable crash detection.
+        hang_detection: Enable hang/timeout detection.
+        corpus_minimization: Enable AFL-style corpus minimization.
+        coverage_tracking: Track code coverage (requires instrumentation).
+        mutation_operators: List of enabled mutation operators (None = all).
+        seed: Random seed for reproducibility (None = random).
+        export_crashes: Export crash-inducing inputs.
+        export_pcap: Export fuzzed packets as PCAP.
+        min_corpus_size: Minimum corpus size to maintain.
+        max_corpus_size: Maximum corpus size (for minimization).
+
+    Example:
+        >>> config = FuzzingConfig(
+        ...     strategy="coverage_guided",
+        ...     max_iterations=10000,
+        ...     crash_detection=True,
+        ...     corpus_minimization=True,
+        ...     seed=42
+        ... )
+    """
+
+    strategy: Literal["random", "mutation", "generation", "coverage_guided", "structural"] = (
+        "coverage_guided"
+    )
+    max_iterations: int = 1000
+    timeout_ms: int = 1000
+    crash_detection: bool = True
+    hang_detection: bool = True
+    corpus_minimization: bool = True
+    coverage_tracking: bool = True
+    mutation_operators: list[str] | None = None
+    seed: int | None = None
+    export_crashes: bool = True
+    export_pcap: bool = False
+    min_corpus_size: int = 10
+    max_corpus_size: int = 1000
+
+    def __post_init__(self) -> None:
+        """Validate configuration after initialization."""
+        if self.max_iterations <= 0:
+            raise ValueError(f"max_iterations must be positive, got {self.max_iterations}")
+        if self.timeout_ms <= 0:
+            raise ValueError(f"timeout_ms must be positive, got {self.timeout_ms}")
+        if self.strategy not in {
+            "random",
+            "mutation",
+            "generation",
+            "coverage_guided",
+            "structural",
+        }:
+            raise ValueError(f"Invalid strategy: {self.strategy}")
+        if self.min_corpus_size < 0:
+            raise ValueError(f"min_corpus_size must be non-negative, got {self.min_corpus_size}")
+        if self.max_corpus_size < self.min_corpus_size:
+            raise ValueError("max_corpus_size must be >= min_corpus_size")
+
+
+@dataclass
+class FuzzingResult:
+    """Result of a single fuzzing test case.
+
+    Attributes:
+        test_case: Input that was tested.
+        result: Test execution result (pass/fail/crash/hang).
+        coverage_delta: New coverage branches discovered (if tracking enabled).
+        mutation_applied: Mutation operator that was applied.
+        execution_time_ms: Execution time in milliseconds.
+        error_message: Error message if crash occurred.
+        stack_trace: Stack trace if crash occurred.
+
+    Example:
+        >>> result = FuzzingResult(
+        ...     test_case=b"\\xaa\\xff\\x00\\x12",
+        ...     result=TestResult.CRASH,
+        ...     mutation_applied=MutationOperator.CHECKSUM_CORRUPT,
+        ...     error_message="IndexError: list index out of range"
+        ... )
+    """
+
+    test_case: bytes
+    result: TestResult
+    coverage_delta: int = 0
+    mutation_applied: MutationOperator | None = None
+    execution_time_ms: float = 0.0
+    error_message: str = ""
+    stack_trace: str = ""
+
+
+@dataclass
+class FuzzingReport:
+    """Comprehensive fuzzing campaign report.
+
+    Attributes:
+        total_iterations: Total fuzzing iterations executed.
+        total_crashes: Number of unique crashes found.
+        total_hangs: Number of timeouts/hangs.
+        total_coverage_branches: Total code coverage branches discovered.
+        corpus_size: Final corpus size after minimization.
+        crashes: List of crash-inducing inputs.
+        interesting_inputs: Inputs that increased coverage.
+        mutation_stats: Statistics per mutation operator.
+        coverage_history: Coverage over time (for graphing).
+        execution_time_seconds: Total fuzzing campaign time.
+
+    Example:
+        >>> report = FuzzingReport(
+        ...     total_iterations=10000,
+        ...     total_crashes=5,
+        ...     corpus_size=127,
+        ...     coverage_history=[10, 25, 43, 68, 89]
+        ... )
+        >>> print(f"Crash rate: {report.total_crashes / report.total_iterations:.2%}")
+    """
+
+    total_iterations: int = 0
+    total_crashes: int = 0
+    total_hangs: int = 0
+    total_coverage_branches: int = 0
+    corpus_size: int = 0
+    crashes: list[bytes] = field(default_factory=list)
+    interesting_inputs: list[bytes] = field(default_factory=list)
+    mutation_stats: dict[str, int] = field(default_factory=dict)
+    coverage_history: list[int] = field(default_factory=list)
+    execution_time_seconds: float = 0.0
+
+    @property
+    def crash_rate(self) -> float:
+        """Calculate crash rate.
+
+        Returns:
+            Proportion of inputs that crashed (0.0 to 1.0).
+        """
+        if self.total_iterations == 0:
+            return 0.0
+        return self.total_crashes / self.total_iterations
+
+    @property
+    def unique_crashes(self) -> int:
+        """Get count of unique crashes.
+
+        Returns:
+            Number of unique crash-inducing inputs.
+        """
+        return len(set(self.crashes))
+
+
+class ProtocolFuzzer:
+    """Advanced protocol fuzzer with coverage-guided mutation.
+
+    Implements AFL-inspired fuzzing with structure-aware mutations for protocol
+    reverse engineering. Tracks code coverage, detects crashes, and maintains
+    a minimized corpus of interesting test cases.
+
+    Attributes:
+        config: Fuzzing configuration.
+
+    Example:
+        >>> fuzzer = ProtocolFuzzer(FuzzingConfig(max_iterations=5000))
+        >>> report = fuzzer.fuzz_protocol(protocol_spec, seed_corpus)
+        >>> print(f"Found {report.total_crashes} crashes")
+        >>> fuzzer.export_crashes(Path("crashes/"))
+    """
+
+    # Special byte values for boundary fuzzing
+    SPECIAL_BYTES: ClassVar[list[int]] = [0x00, 0x01, 0x7F, 0x80, 0xFF, 0x10, 0x20, 0x40]
+
+    def __init__(self, config: FuzzingConfig) -> None:
+        """Initialize protocol fuzzer.
+
+        Args:
+            config: Fuzzing configuration.
+        """
+        self.config = config
+        self._rng = random.Random(config.seed if config.seed is not None else None)
+        self._corpus: list[bytes] = []
+        self._coverage_map: set[int] = set()
+        self._crash_hashes: set[str] = set()
+        self._report = FuzzingReport()
+
+    def fuzz_protocol(
+        self,
+        spec: ProtocolSpec,
+        seed_corpus: list[bytes] | None = None,
+        target_function: Callable[[bytes], Any] | None = None,
+    ) -> FuzzingReport:
+        """Execute fuzzing campaign on protocol.
+
+        Args:
+            spec: Protocol specification for structure-aware fuzzing.
+            seed_corpus: Initial corpus of valid messages (None = generate from spec).
+            target_function: Target parser function to test (None = dry run).
+
+        Returns:
+            Comprehensive fuzzing report with crashes and coverage.
+
+        Example:
+            >>> def parse_message(data: bytes) -> dict:
+            ...     # Parser implementation
+            ...     return {"parsed": True}
+            >>>
+            >>> report = fuzzer.fuzz_protocol(spec, seed_corpus, parse_message)
+            >>> print(f"Coverage: {report.total_coverage_branches} branches")
+        """
+        import time
+
+        start_time = time.time()
+
+        # Initialize corpus
+        self._initialize_corpus(spec, seed_corpus)
+
+        # Run fuzzing iterations
+        for iteration in range(self.config.max_iterations):
+            # Select input from corpus
+            base_input = self._select_input()
+
+            # Mutate input based on strategy
+            mutated_input, mutation_op = self._mutate_input(base_input, spec)
+
+            # Execute target function
+            result = self._execute_target(mutated_input, target_function)
+
+            # Update corpus and coverage
+            self._update_corpus(mutated_input, result)
+
+            # Record statistics
+            self._update_statistics(result, mutation_op)
+
+            # Track coverage history periodically
+            if iteration % 100 == 0:
+                self._report.coverage_history.append(self._report.total_coverage_branches)
+
+        # Minimize corpus if enabled
+        if self.config.corpus_minimization:
+            self._minimize_corpus()
+
+        self._report.execution_time_seconds = time.time() - start_time
+        self._report.corpus_size = len(self._corpus)
+
+        return self._report
+
+    def _initialize_corpus(self, spec: ProtocolSpec, seed_corpus: list[bytes] | None) -> None:
+        """Initialize fuzzing corpus.
+
+        Args:
+            spec: Protocol specification.
+            seed_corpus: Optional seed corpus (None = generate from spec).
+        """
+        if seed_corpus:
+            self._corpus = list(seed_corpus)
+        else:
+            # Generate seed corpus from protocol spec
+            self._corpus = self._generate_seed_corpus(spec)
+
+    def _generate_seed_corpus(self, spec: ProtocolSpec) -> list[bytes]:
+        """Generate initial seed corpus from protocol specification.
+
+        Args:
+            spec: Protocol specification.
+
+        Returns:
+            List of valid seed messages.
+
+        Example:
+            >>> corpus = fuzzer._generate_seed_corpus(spec)
+            >>> all(isinstance(msg, bytes) for msg in corpus)
+            True
+        """
+        corpus: list[bytes] = []
+        num_seeds = max(self.config.min_corpus_size, 20)
+
+        for _ in range(num_seeds):
+            msg = bytearray()
+
+            for field_def in spec.fields:
+                field_bytes = self._generate_field_value(field_def)
+                msg.extend(field_bytes)
+
+            corpus.append(bytes(msg))
+
+        return corpus
+
+    def _generate_field_value(self, field_def: FieldHypothesis) -> bytes:
+        """Generate value for a single field.
+
+        Args:
+            field_def: Field definition.
+
+        Returns:
+            Field value as bytes.
+        """
+        if field_def.field_type == "constant":
+            const_val = field_def.evidence.get("value", 0)
+            return self._pack_value(const_val, field_def.length)
+
+        if field_def.field_type == "counter":
+            counter_val = self._rng.randint(0, (256**field_def.length) - 1)
+            return self._pack_value(counter_val, field_def.length)
+
+        if field_def.field_type == "checksum":
+            return b"\x00" * field_def.length
+
+        # Default: random data
+        return bytes(self._rng.randint(0, 255) for _ in range(field_def.length))
+
+    def _select_input(self) -> bytes:
+        """Select input from corpus for mutation.
+
+        Returns:
+            Selected input bytes.
+        """
+        if not self._corpus:
+            return b""
+
+        # For coverage-guided fuzzing, favor inputs with higher coverage
+        if self.config.strategy == "coverage_guided" and len(self._corpus) > 5:
+            # Simple heuristic: favor recent additions (likely higher coverage)
+            return self._rng.choice(self._corpus[-min(20, len(self._corpus)) :])
+
+        return self._rng.choice(self._corpus)
+
+    def _mutate_input(
+        self, input_data: bytes, spec: ProtocolSpec
+    ) -> tuple[bytes, MutationOperator]:
+        """Mutate input based on fuzzing strategy.
+
+        Args:
+            input_data: Original input.
+            spec: Protocol specification for structure-aware mutations.
+
+        Returns:
+            Tuple of (mutated_input, mutation_operator_applied).
+
+        Example:
+            >>> mutated, op = fuzzer._mutate_input(b"\\xaa\\x01\\x00", spec)
+            >>> isinstance(mutated, bytes)
+            True
+        """
+        if not input_data:
+            return b"\x00", MutationOperator.INSERT
+
+        # Select mutation operator
+        mutation_op = self._select_mutation_operator()
+
+        # Apply mutation
+        mutated = self._apply_mutation(input_data, mutation_op, spec)
+
+        return mutated, mutation_op
+
+    def _select_mutation_operator(self) -> MutationOperator:
+        """Select mutation operator based on configuration.
+
+        Returns:
+            Selected mutation operator.
+        """
+        # Filter operators based on config
+        if self.config.mutation_operators:
+            available = [op for op in MutationOperator if op.name in self.config.mutation_operators]
+        else:
+            available = list(MutationOperator)
+
+        return self._rng.choice(available)
+
+    def _apply_mutation(self, data: bytes, operator: MutationOperator, spec: ProtocolSpec) -> bytes:
+        """Apply mutation operator to data.
+
+        Args:
+            data: Original data.
+            operator: Mutation operator to apply.
+            spec: Protocol specification.
+
+        Returns:
+            Mutated data.
+
+        Example:
+            >>> mutated = fuzzer._apply_mutation(b"\\xaa\\x01", MutationOperator.BIT_FLIP, spec)
+            >>> len(mutated) > 0
+            True
+        """
+        msg = bytearray(data)
+
+        if not msg:
+            return bytes(msg)
+
+        # Map mutation operators to handler functions
+        mutation_handlers: dict[MutationOperator, Any] = {
+            MutationOperator.BIT_FLIP: self._mutate_bit_flip,
+            MutationOperator.BYTE_FLIP: self._mutate_byte_flip,
+            MutationOperator.ARITHMETIC: self._mutate_arithmetic,
+            MutationOperator.BOUNDARY: self._mutate_boundary,
+            MutationOperator.SPECIAL: self._mutate_special,
+            MutationOperator.INSERT: self._mutate_insert,
+            MutationOperator.DELETE: self._mutate_delete,
+            MutationOperator.DUPLICATE: self._mutate_duplicate,
+            MutationOperator.SWAP: self._mutate_swap,
+            MutationOperator.CHECKSUM_CORRUPT: lambda m: bytearray(
+                self._corrupt_checksum(bytes(m), spec)
+            ),
+            MutationOperator.LENGTH_CORRUPT: lambda m: bytearray(
+                self._corrupt_length_field(bytes(m), spec)
+            ),
+        }
+
+        handler = mutation_handlers.get(operator)
+        if handler:
+            msg = handler(msg)
+
+        return bytes(msg)
+
+    def _mutate_bit_flip(self, msg: bytearray) -> bytearray:
+        """Apply bit flip mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg) - 1)
+        bit = self._rng.randint(0, 7)
+        msg[pos] ^= 1 << bit
+        return msg
+
+    def _mutate_byte_flip(self, msg: bytearray) -> bytearray:
+        """Apply byte flip mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg) - 1)
+        msg[pos] ^= 0xFF
+        return msg
+
+    def _mutate_arithmetic(self, msg: bytearray) -> bytearray:
+        """Apply arithmetic mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg) - 1)
+        delta = self._rng.choice([-1, 1, -16, 16, -256, 256])
+        msg[pos] = (msg[pos] + delta) % 256
+        return msg
+
+    def _mutate_boundary(self, msg: bytearray) -> bytearray:
+        """Apply boundary value mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg) - 1)
+        msg[pos] = self._rng.choice([0x00, 0xFF, 0x7F, 0x80])
+        return msg
+
+    def _mutate_special(self, msg: bytearray) -> bytearray:
+        """Apply special value mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg) - 1)
+        msg[pos] = self._rng.choice(self.SPECIAL_BYTES)
+        return msg
+
+    def _mutate_insert(self, msg: bytearray) -> bytearray:
+        """Apply byte insertion mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        pos = self._rng.randint(0, len(msg))
+        msg.insert(pos, self._rng.randint(0, 255))
+        return msg
+
+    def _mutate_delete(self, msg: bytearray) -> bytearray:
+        """Apply byte deletion mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        if len(msg) > 1:
+            pos = self._rng.randint(0, len(msg) - 1)
+            del msg[pos]
+        return msg
+
+    def _mutate_duplicate(self, msg: bytearray) -> bytearray:
+        """Apply region duplication mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        if len(msg) >= 2:
+            start = self._rng.randint(0, len(msg) - 2)
+            length = self._rng.randint(1, min(8, len(msg) - start))
+            region = msg[start : start + length]
+            pos = self._rng.randint(0, len(msg))
+            msg[pos:pos] = region
+        return msg
+
+    def _mutate_swap(self, msg: bytearray) -> bytearray:
+        """Apply byte swap mutation.
+
+        Args:
+            msg: Message to mutate.
+
+        Returns:
+            Mutated message.
+        """
+        if len(msg) >= 2:
+            pos1 = self._rng.randint(0, len(msg) - 1)
+            pos2 = self._rng.randint(0, len(msg) - 1)
+            msg[pos1], msg[pos2] = msg[pos2], msg[pos1]
+        return msg
+
+    def _corrupt_checksum(self, data: bytes, spec: ProtocolSpec) -> bytes:
+        """Corrupt checksum field in message.
+
+        Args:
+            data: Original message.
+            spec: Protocol specification.
+
+        Returns:
+            Message with corrupted checksum.
+        """
+        # Find checksum field
+        checksum_offset = 0
+        checksum_length = 0
+        for field_def in spec.fields:
+            if field_def.field_type == "checksum":
+                checksum_length = field_def.length
+                break
+            checksum_offset += field_def.length
+
+        if checksum_length == 0:
+            return data  # No checksum field
+
+        msg = bytearray(data)
+        if checksum_offset + checksum_length <= len(msg):
+            for i in range(checksum_length):
+                msg[checksum_offset + i] ^= self._rng.randint(1, 255)
+
+        return bytes(msg)
+
+    def _corrupt_length_field(self, data: bytes, spec: ProtocolSpec) -> bytes:
+        """Manipulate length field (overflow/underflow).
+
+        Args:
+            data: Original message.
+            spec: Protocol specification.
+
+        Returns:
+            Message with corrupted length field.
+        """
+        # Find length-like fields (heuristic: fields named "length" or "len")
+        length_offset = 0
+        length_length = 0
+        for field_def in spec.fields:
+            field_name = field_def.name.lower()
+            if "length" in field_name or field_name == "len":
+                length_length = field_def.length
+                break
+            length_offset += field_def.length
+
+        if length_length == 0:
+            return data  # No length field
+
+        msg = bytearray(data)
+        if length_offset + length_length <= len(msg):
+            # Extract current length
+            length_bytes = msg[length_offset : length_offset + length_length]
+            current_len = int.from_bytes(length_bytes, byteorder="little")
+
+            # Corrupt with overflow/underflow
+            corruption = self._rng.choice(
+                [
+                    current_len + 1,  # Overflow
+                    max(0, current_len - 1),  # Underflow
+                    0,  # Zero length
+                    (256**length_length) - 1,  # Max value
+                ]
+            )
+
+            # Pack back
+            msg[length_offset : length_offset + length_length] = corruption.to_bytes(
+                length_length, byteorder="little"
+            )
+
+        return bytes(msg)
+
+    def _execute_target(
+        self, test_case: bytes, target_function: Callable[[bytes], Any] | None
+    ) -> FuzzingResult:
+        """Execute target function with test case.
+
+        Args:
+            test_case: Input to test.
+            target_function: Parser function to execute (None = dry run).
+
+        Returns:
+            Fuzzing result with execution outcome.
+
+        Example:
+            >>> def parser(data: bytes) -> dict:
+            ...     return {"valid": True}
+            >>> result = fuzzer._execute_target(b"\\xaa\\x01", parser)
+            >>> result.result in [TestResult.PASS, TestResult.FAIL, TestResult.CRASH]
+            True
+        """
+        import time
+        import traceback
+
+        result = FuzzingResult(test_case=test_case, result=TestResult.UNKNOWN)
+
+        if target_function is None:
+            # Dry run - assume pass
+            result.result = TestResult.PASS
+            return result
+
+        start_time = time.time()
+
+        try:
+            # Execute target with timeout (if hang detection enabled)
+            target_function(test_case)
+            result.result = TestResult.PASS
+
+            # Simulate coverage tracking (in real implementation, would use instrumentation)
+            coverage_hash = self._compute_coverage_hash(test_case)
+            if coverage_hash not in self._coverage_map:
+                self._coverage_map.add(coverage_hash)
+                result.coverage_delta = 1
+
+        except Exception as e:
+            # Crash detected
+            result.result = TestResult.CRASH
+            result.error_message = str(e)
+            result.stack_trace = traceback.format_exc()
+
+        finally:
+            result.execution_time_ms = (time.time() - start_time) * 1000
+
+        return result
+
+    def _compute_coverage_hash(self, data: bytes) -> int:
+        """Compute coverage hash for input (simulates code coverage).
+
+        In a real implementation, this would use instrumentation (e.g., AFL's edge coverage).
+        For now, we use a simple hash of the input as a proxy.
+
+        Args:
+            data: Input data.
+
+        Returns:
+            Coverage hash.
+        """
+        # Simple hash based on input characteristics
+        return hash((len(data), data[: min(4, len(data))], data[-min(4, len(data)) :]))
+
+    def _update_corpus(self, test_case: bytes, result: FuzzingResult) -> None:
+        """Update corpus based on fuzzing result.
+
+        Args:
+            test_case: Test case that was executed.
+            result: Execution result.
+        """
+        if result.result == TestResult.CRASH:
+            # Add to crashes (deduplicate by hash)
+            crash_hash = hashlib.sha256(test_case).hexdigest()
+            if crash_hash not in self._crash_hashes:
+                self._crash_hashes.add(crash_hash)
+                self._report.crashes.append(test_case)
+
+        if result.coverage_delta > 0:
+            # Add to interesting inputs
+            self._report.interesting_inputs.append(test_case)
+
+            # Add to corpus if not too large
+            if len(self._corpus) < self.config.max_corpus_size:
+                self._corpus.append(test_case)
+
+    def _update_statistics(self, result: FuzzingResult, mutation_op: MutationOperator) -> None:
+        """Update fuzzing statistics.
+
+        Args:
+            result: Fuzzing result.
+            mutation_op: Mutation operator that was applied.
+        """
+        self._report.total_iterations += 1
+
+        if result.result == TestResult.CRASH:
+            self._report.total_crashes += 1
+
+        if result.result == TestResult.HANG:
+            self._report.total_hangs += 1
+
+        if result.coverage_delta > 0:
+            self._report.total_coverage_branches += result.coverage_delta
+
+        # Track mutation operator stats
+        op_name = mutation_op.name
+        self._report.mutation_stats[op_name] = self._report.mutation_stats.get(op_name, 0) + 1
+
+    def _minimize_corpus(self) -> None:
+        """Minimize corpus using AFL-style algorithm.
+
+        Keeps only inputs that contribute unique coverage, removing redundant inputs.
+        """
+        if len(self._corpus) <= self.config.min_corpus_size:
+            return
+
+        # Track which coverage branches each input covers
+        coverage_per_input: dict[int, set[int]] = {}
+        for idx, test_case in enumerate(self._corpus):
+            coverage_per_input[idx] = {self._compute_coverage_hash(test_case)}
+
+        # Greedy set cover: keep inputs that cover unique branches
+        minimized: list[bytes] = []
+        covered_branches: set[int] = set()
+
+        while coverage_per_input:
+            # Find input that covers most uncovered branches
+            best_idx = max(
+                coverage_per_input.keys(),
+                key=lambda i: len(coverage_per_input[i] - covered_branches),
+            )
+
+            # Add to minimized corpus
+            minimized.append(self._corpus[best_idx])
+            covered_branches.update(coverage_per_input[best_idx])
+
+            # Remove this input
+            del coverage_per_input[best_idx]
+
+            # Stop if we've covered everything or reached max size
+            if len(minimized) >= self.config.max_corpus_size:
+                break
+
+        self._corpus = minimized
+
+    def _pack_value(self, value: int, length: int) -> bytes:
+        """Pack integer value into bytes (little-endian).
+
+        Args:
+            value: Integer value.
+            length: Number of bytes.
+
+        Returns:
+            Packed bytes.
+
+        Example:
+            >>> fuzzer._pack_value(0x1234, 2)
+            b'\\x34\\x12'
+        """
+        return value.to_bytes(length, byteorder="little")
+
+    def export_crashes(self, output_dir: Path) -> None:
+        """Export crash-inducing inputs to directory.
+
+        Args:
+            output_dir: Output directory for crash files.
+
+        Example:
+            >>> fuzzer.export_crashes(Path("crashes/"))
+        """
+        output_dir.mkdir(parents=True, exist_ok=True)
+
+        for idx, crash in enumerate(self._report.crashes):
+            crash_file = output_dir / f"crash_{idx:04d}.bin"
+            crash_file.write_bytes(crash)
+
+    def export_corpus(self, output_dir: Path) -> None:
+        """Export minimized corpus to directory.
+
+        Args:
+            output_dir: Output directory for corpus files.
+
+        Example:
+            >>> fuzzer.export_corpus(Path("corpus/"))
+        """
+        output_dir.mkdir(parents=True, exist_ok=True)
+
+        for idx, test_case in enumerate(self._corpus):
+            corpus_file = output_dir / f"input_{idx:04d}.bin"
+            corpus_file.write_bytes(test_case)
+
+    def export_pcap(self, messages: list[bytes], output: Path) -> None:
+        """Export fuzzed messages as PCAP file.
+
+        Args:
+            messages: Protocol messages to export.
+            output: Output PCAP file path.
+
+        Example:
+            >>> fuzzer.export_pcap(fuzzer._corpus, Path("corpus.pcap"))
+        """
+        try:
+            from scapy.all import (  # type: ignore[attr-defined]
+                IP,
+                UDP,
+                Ether,
+                wrpcap,
+            )
+        except ImportError as e:
+            raise ImportError(
+                "scapy is required for PCAP export. Install with: uv pip install scapy"
+            ) from e
+
+        packets = []
+        for msg in messages:
+            pkt = Ether() / IP() / UDP(sport=12345, dport=54321) / msg
+            packets.append(pkt)
+
+        wrpcap(str(output), packets)
+
+    def export_report(self, output: Path) -> None:
+        """Export fuzzing report as JSON.
+
+        Args:
+            output: Output JSON file path.
+
+        Example:
+            >>> fuzzer.export_report(Path("fuzzing_report.json"))
+        """
+        import json
+
+        report_data = {
+            "total_iterations": self._report.total_iterations,
+            "total_crashes": self._report.total_crashes,
+            "unique_crashes": self._report.unique_crashes,
+            "total_hangs": self._report.total_hangs,
+            "total_coverage_branches": self._report.total_coverage_branches,
+            "corpus_size": self._report.corpus_size,
+            "crash_rate": self._report.crash_rate,
+            "mutation_stats": self._report.mutation_stats,
+            "coverage_history": self._report.coverage_history,
+            "execution_time_seconds": self._report.execution_time_seconds,
+        }
+
+        output.write_text(json.dumps(report_data, indent=2))
+
+
+__all__ = [
+    "FuzzingConfig",
+    "FuzzingReport",
+    "FuzzingResult",
+    "FuzzingStrategy",
+    "MutationOperator",
+    "ProtocolFuzzer",
+    "TestResult",
+]