
* Make -k use random kernel addresses (from System.map ?)

* --oneshot
  ./scrashme --oneshot sys_futex -1,0x40000000,1,2,3,4

* --info sys_open
   i386:   5
   x86-64: 239
   ppc64:  5

* Colorise some output
  - The wandering value in --rotate
  - Highlight odd looking return values

* Add number of args per syscall to tables
  - Only print random values for regs that matter
  - Zero non-used regs. Allow an override ?

* --check-clobber
  Set regs that should be preserved across syscalls to a known value, and check
  on return whether any of them got clobbered.

* In struct checking, with some smarts, we could check the struct we passed
  afterwards to ensure nothing scribbled outside of bounds.
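One way to do the bounds check described in this item, written here as an added example (it is not scrashme code): place the struct between two guard bands filled with a known byte pattern, hand only the middle to the call, and verify both bands afterwards. `run_guarded`, `call_overrun` and `call_underrun` are constructed for the demonstration; `uname(2)` stands in for the syscall under test, and the misbehaving callees simulate a kernel writing outside the struct (no real syscall is claimed to do so).

```c
/* Guard-band check around a struct passed to a syscall (added example). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

#define GUARD_BYTES 64
#define GUARD_FILL  0xA5

/* Result bits returned by run_guarded(). */
#define CLOBBER_BEFORE 1   /* bytes below the struct were written     */
#define CLOBBER_AFTER  2   /* bytes past the end of the struct were written */

/* Lay out GUARD | struct | GUARD, fill both guards with GUARD_FILL, zero the
 * struct, call `call` with a pointer to the struct, then re-check the guards.
 * Returns a CLOBBER_* mask (0 means nothing outside the struct was touched),
 * or -1 if allocation failed. The callee's own return value goes to *call_ret
 * when call_ret is non-NULL. */
static int run_guarded(size_t size, int (*call)(void *arg), int *call_ret)
{
    unsigned char *buf = malloc(GUARD_BYTES + size + GUARD_BYTES);
    if (!buf)
        return -1;
    unsigned char *lo  = buf;
    unsigned char *arg = buf + GUARD_BYTES;
    unsigned char *hi  = arg + size;

    memset(lo, GUARD_FILL, GUARD_BYTES);
    memset(arg, 0, size);
    memset(hi, GUARD_FILL, GUARD_BYTES);

    int r = call(arg);
    if (call_ret)
        *call_ret = r;

    int mask = 0;
    for (size_t i = 0; i < GUARD_BYTES; i++) {
        if (lo[i] != GUARD_FILL)
            mask |= CLOBBER_BEFORE;
        if (hi[i] != GUARD_FILL)
            mask |= CLOBBER_AFTER;
    }
    free(buf);
    return mask;
}

/* Well-behaved callee: uname(2) fills exactly sizeof(struct utsname). */
static int call_uname(void *arg)
{
    return uname((struct utsname *)arg);
}

/* Constructed misbehaving callee: writes one byte past the struct. */
static int call_overrun(void *arg)
{
    memset(arg, 'x', sizeof(struct utsname) + 1);
    return 0;
}

/* Constructed misbehaving callee: writes one byte before the struct. */
static int call_underrun(void *arg)
{
    ((unsigned char *)arg)[-1] = 'x';
    return 0;
}

int main(void)
{
    int ret, mask;

    mask = run_guarded(sizeof(struct utsname), call_uname, &ret);
    printf("uname:    ret=%d guard mask=%d\n", ret, mask);
    mask = run_guarded(sizeof(struct utsname), call_overrun, &ret);
    printf("overrun:  ret=%d guard mask=%d\n", ret, mask);
    mask = run_guarded(sizeof(struct utsname), call_underrun, &ret);
    printf("underrun: ret=%d guard mask=%d\n", ret, mask);
    return 0;
}
```

The guard size only needs to exceed the largest overrun you expect to catch; a fuzzer would typically pick it at random too, and report the mask along with the syscall number and arguments that produced it.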

* --logfile

* --nrsyscalls (set NR_SYSCALLS)
  Hmm, maybe --kver=2.6.9 to set it to the number of syscalls in that kernel revision?

* flush() & fsync() before making the call

* Save time by not calling pointless syscalls.
  - skip pause(), and any other functions that take no inputs from userspace.
  - optionally skip syscalls we know check for CAP_SYS_ADMIN early

* Reduce amount of output from -C
  The values passed aren't very interesting. (maybe add a --debug?)

* add a switch to use 32bit syscall entry point on x86-64
  This will require us to use assembly instead of syscall() again.

* Pass "interesting" 32 bit patterns.
	80000000
	80000001
	8fffffff

* Pass "interesting" 64 bit patterns.
	0000000100000000
	00000001ffffffff
	0000000800000000 (non canonical RIP?)
	8000000000000000
	80000000ffffffff
	ffffffff00000000
	ffffffff7fffffff
	ffffffffffffffff
	fffffff7ffffffff (non canonical RIP?)

* For -i make 'len' parameters try 'interesting' values rather than just random ones
  (ULONG_MAX, INT_MAX, etc., in the hope of triggering overflows).
  Possibly introduce yet another option, as random lens are also useful.

* Because each call is made from a forked child process, things like mmap/mprotect etc.
  have no effect on later calls.
  - Maybe add a --no-children to prevent forking?
  - Or possibly a new syscall flag 'DONTFORK' for mm related syscalls ?
  - Or possibly a --vm mode to only call VM related calls.

* Xen dom0 hypercalls ?

* Other arch support. S390? Fully native PPC64? (PPC64 currently requires 32-bit glibc-kernheaders.)

