Plan for Lecture on the Markov chain paper

Questions for discussion:

1. Is the Markov chain model a good one for representing how fuzzing of a program progresses.
You can think, e.g., how it would apply to the program

void  crashme2 (char s) {
  if (s == 'b')
    abort();
}

if the mutation operator only does bit-flips.
(In general, the example is intended to illustrate the case where it is not enough with
a single mutation to change the path, but instead a sequence is needed).

2. Is it generally true that we should not assign more energy to high-density regions.
You can think about this for, e.g., the program:

void  crashme3 (char* s) {
  if (s[0] == 'b')
    be_happy();
  if (s[1] == 'a')
    be_happy();
  if (s[2] == 'd')
    be_happy();
  if (16bit_complex_checksum(s) == 29,756)
    abort();
}

3. The paper suggests an improvement over AFL's strategies for selecting which seeds to fuzz, and how to fuzz them.
Can you in fact think of an even better strategy, that would work faster on the Running example in Section 3.2?
(this is not completely super-difficult)

4. In general, what do the evaluations actually say about the selection of strategy in grey-box fuzzing?