To report security bugs, see ‘SECURITY’ in the top source directory.

Fuzzing libnbd using the American Fuzzy Lop (AFL) fuzzer
========================================================

You can fuzz libnbd with AFL or AFL++ (https://aflplus.plus/) using
the wrapper in this directory.

You will need to recompile libnbd with AFL instrumentation:

  ./configure CC=/usr/bin/afl-gcc CXX=/usr/bin/afl-g++ \
      --disable-shared \
      --disable-golang --disable-ocaml --disable-python --disable-rust
  make clean
  make

To use clang instead (recommended with AFL++), build with
afl-clang-lto and AddressSanitizer enabled:

  export AFL_USE_ASAN=1
  ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \
      --disable-shared \
      --disable-golang --disable-ocaml --disable-python --disable-rust
  make clean
  make

An ASAN build catches memory errors that would not otherwise crash,
but it is slower and uses much more memory.  AFL++ imposes no memory
limit by default; with the original AFL, pass -m none to afl-fuzz
when the target was built with AFL_USE_ASAN.

The fuzzing/testcase_dir directory contains some initial testcases
that AFL can use.

Run multiple copies of afl-fuzz, all sharing one output ("sync")
directory.  Usually you should run one main instance (-M, called the
master in older AFL releases) and as many secondary instances (-S,
formerly slaves) as you have spare cores.

Main:

  mkdir -p fuzzing/sync_dir
  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
      ./fuzzing/libnbd-fuzz-wrapper @@

Secondaries:

  # replace fuzzNN with fuzz02, fuzz03, etc.
  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
      ./fuzzing/libnbd-fuzz-wrapper @@

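
The main/secondary launch sequence above as a small launcher script.
This is an added example, not code shipped with libnbd or AFL: it
assumes it is run from the top-level libnbd source directory after the
AFL-instrumented build has completed, that afl-fuzz and afl-whatsup are
on $PATH, and it defines two variables of its own, AFL_DRY_RUN (print
the commands instead of starting them) and AFL_EXTRA_OPTS (options
inserted verbatim after "afl-fuzz", e.g. "-m none" for an ASAN build
under the original AFL).

```shell
#!/bin/sh
# Added example, not part of libnbd: start one main afl-fuzz instance (-M)
# and N-1 secondary instances (-S) against the AFL-instrumented build,
# all sharing one sync directory.  Assumptions: run from the top-level
# libnbd source directory; afl-fuzz and afl-whatsup on $PATH.  AFL_DRY_RUN
# and AFL_EXTRA_OPTS are this script's own variables, not AFL's.
set -eu

INPUT_DIR=${INPUT_DIR:-fuzzing/testcase_dir}
SYNC_DIR=${SYNC_DIR:-fuzzing/sync_dir}
TARGET=${TARGET:-./fuzzing/libnbd-fuzz-wrapper}

# Run a command, or just print it when AFL_DRY_RUN=1.
run_or_echo() {
    if [ "${AFL_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Instance name for slot $1: fuzz01, fuzz02, ...
instance_name() {
    printf 'fuzz%02d' "$1"
}

# The afl-fuzz command line for slot $1.  Slot 1 is the main instance (-M),
# which also runs the deterministic stages; all others are secondaries (-S).
afl_cmd() {
    name=$(instance_name "$1")
    if [ "$1" -eq 1 ]; then mode=-M; else mode=-S; fi
    echo "afl-fuzz${AFL_EXTRA_OPTS:+ $AFL_EXTRA_OPTS} -i $INPUT_DIR -o $SYNC_DIR $mode $name $TARGET @@"
}

# Start $1 instances (default: one per CPU), each in the background with
# its terminal output captured in $SYNC_DIR/<name>.log.  AFL_NO_UI=1 makes
# afl-fuzz print periodic status lines instead of redrawing a tty screen.
start_fuzzers() {
    count=${1:-$(nproc 2>/dev/null || echo 1)}
    if [ "${AFL_DRY_RUN:-0}" != 1 ]; then
        [ -x "$TARGET" ] || { echo "$TARGET is missing; build it first" >&2; return 1; }
        mkdir -p "$SYNC_DIR"
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        cmd=$(afl_cmd "$i")
        if [ "${AFL_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            # shellcheck disable=SC2086  # word-splitting $cmd is intended
            AFL_NO_UI=1 nohup $cmd >"$SYNC_DIR/$(instance_name "$i").log" 2>&1 &
        fi
        i=$((i + 1))
    done
}

case "${1:-}" in
    start)  start_fuzzers "${2:-}" ;;
    status) run_or_echo afl-whatsup "$SYNC_DIR" ;;
    *)      : ;;   # no arguments: only define the functions
esac
```

Run "sh start-afl.sh start 8" to launch one main and seven secondary
instances, and "sh start-afl.sh status" to print afl-whatsup's summary
of the sync directory; AFL_EXTRA_OPTS='-m none' is where the memory
limit override for an ASAN build under the original AFL belongs.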
Test Coverage
-------------

To find out if the fuzzing is covering all of the code, I used afl-cov
(https://github.com/mrash/afl-cov), which needs lcov installed.
Usage is rather complex, so consult the README of that project, but
in brief:

(1) Create a second copy of the libnbd source, and compile it with
profiling:

  ./configure CFLAGS="-O2 -g -pg -fprofile-arcs -ftest-coverage" \
      --disable-shared \
      --disable-golang --disable-ocaml --disable-python --disable-rust
  make clean
  make

(2) Assuming ../libnbd-afl is the libnbd source compiled with AFL, and
the current directory is libnbd compiled with profiling, then run the
command below.  You can run this even while afl-fuzz is running.

  afl-cov -d ../libnbd-afl/fuzzing/sync_dir \
      --code-dir . \
      --coverage-cmd "fuzzing/libnbd-fuzz-wrapper AFL_FILE"

This will create an HTML test coverage report in
../libnbd-afl/fuzzing/sync_dir/cov/web/

Fuzzing libnbd using honggfuzz
==============================

Recompile libnbd with honggfuzz instrumentation:

  ./configure \
      CC=/path/to/hfuzz-clang CXX=/path/to/hfuzz-clang++ \
      --disable-shared \
      --disable-golang --disable-ocaml --disable-python --disable-rust
  make clean
  make

Run honggfuzz using the test cases:

  honggfuzz -i fuzzing/testcase_dir -z -- \
      ./fuzzing/libnbd-fuzz-wrapper ___FILE___

(Note the 3 underscore characters on each side of FILE; honggfuzz
replaces that token with the path of the current input file.)

Fuzzing libnbd using Clang + libFuzzer
======================================

Recompile libnbd with libFuzzer enabled and build the libFuzzer test
binary:

  ./configure \
      CC=clang \
      CFLAGS="-g -O1" \
      --enable-libfuzzer \
      --disable-shared \
      --disable-golang --disable-ocaml --disable-python --disable-rust
  make clean
  make CFLAGS="-g -O1 -fsanitize=fuzzer,address" -C lib
  make CFLAGS="-g -O1 -fsanitize=fuzzer,address" \
      -C fuzzing libnbd-libfuzzer-test

(The awkward additional CFLAGS on the make command line are necessary
because ./configure attempts to test that the compiler works, but this
test fails when -fsanitize=fuzzer is used as that option adds an extra
main() definition.)

The ",address" part enables Clang's AddressSanitizer and can be
omitted for faster fuzzing, at the cost of missing memory errors that
do not crash the process outright.

You can then run the fuzzer program directly on the input corpus:

  ./fuzzing/libnbd-libfuzzer-test fuzzing/testcase_dir

New test inputs are written to fuzzing/testcase_dir (named by the
hash of their contents) and will be used on subsequent runs.  If this
is undesirable then delete fuzzing/testcase_dir/[0-f]* before the run.

There are various extra command line options supported by libFuzzer.
For more details see:

  https://llvm.org/docs/LibFuzzer.html
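
An alternative to deleting the new inputs from fuzzing/testcase_dir is
to fuzz from a private working corpus, which is what the script below
does.  It is an added example, not part of libnbd or LLVM: it assumes
the libnbd-libfuzzer-test binary built above exists and that it runs
from the top-level libnbd source directory.  It relies on three
documented libFuzzer behaviours (new inputs go into the first corpus
directory given, -merge=1 folds later directories into the first, and
a file argument runs just that input) and defines one variable of its
own, LIBFUZZER_DRY_RUN, which prints the fuzzer command lines instead
of executing them.

```shell
#!/bin/sh
# Added example, not part of libnbd: drive the libFuzzer binary built above
# from a private working corpus so fuzzing/testcase_dir stays untouched,
# then shrink that corpus and re-run any saved crash artifacts.  Assumes
# ./fuzzing/libnbd-libfuzzer-test exists and that the current directory is
# the top-level libnbd source tree.  LIBFUZZER_DRY_RUN is this script's own
# variable: set it to 1 to print the fuzzer command lines instead.
set -eu

FUZZER=${FUZZER:-./fuzzing/libnbd-libfuzzer-test}
SEED_DIR=${SEED_DIR:-fuzzing/testcase_dir}
WORK_DIR=${WORK_DIR:-fuzzing/corpus_work}
ARTIFACTS=${ARTIFACTS:-fuzzing/artifacts}

run_or_echo() {
    if [ "${LIBFUZZER_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Copy the seeds into WORK_DIR and print how many files it now holds.
# libFuzzer writes every newly discovered input into the FIRST corpus
# directory on its command line, so WORK_DIR is always passed first.
prepare_corpus() {
    mkdir -p "$WORK_DIR" "$ARTIFACTS"
    for f in "$SEED_DIR"/*; do
        if [ -f "$f" ]; then cp "$f" "$WORK_DIR"/; fi
    done
    ls "$WORK_DIR" | wc -l | tr -d ' '
}

# Fuzz for $1 seconds (default 600).  Crashes, timeouts and leaks are
# saved as $ARTIFACTS/crash-*, timeout-* and leak-* (hash-named files).
fuzz() {
    run_or_echo "$FUZZER" -max_total_time="${1:-600}" \
        -artifact_prefix="$ARTIFACTS/" "$WORK_DIR" "$SEED_DIR"
}

# Write a coverage-minimal subset of WORK_DIR into $WORK_DIR.min:
# -merge=1 reads the later directories and copies into the first one
# only those inputs that add coverage.
minimize_corpus() {
    mkdir -p "$WORK_DIR.min"
    run_or_echo "$FUZZER" -merge=1 "$WORK_DIR.min" "$WORK_DIR"
}

# Re-run each saved artifact on its own (a libFuzzer binary given a file
# rather than a directory executes just that input) and print
# "<exit status> <file>" per artifact; non-zero ones still reproduce and
# are the ones to load into a debugger.
reproduce() {
    for f in "$ARTIFACTS"/crash-* "$ARTIFACTS"/timeout-* "$ARTIFACTS"/leak-*; do
        [ -e "$f" ] || continue
        if "$FUZZER" "$f" >/dev/null 2>&1; then st=0; else st=$?; fi
        echo "$st $f"
    done
}

case "${1:-}" in
    prepare)   prepare_corpus ;;
    fuzz)      fuzz "${2:-}" ;;
    minimize)  minimize_corpus ;;
    reproduce) reproduce ;;
    *)         : ;;   # no arguments: only define the functions
esac
```

A typical session is "sh fuzz-libfuzzer.sh prepare", then
"sh fuzz-libfuzzer.sh fuzz 3600", then "sh fuzz-libfuzzer.sh reproduce"
to confirm which artifacts still fail, and "sh fuzz-libfuzzer.sh
minimize" before checking a grown corpus back in as new seeds.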