# Persistent fuzzing #

Honggfuzz is capable of fuzzing APIs, that is, testing new data within the same process. This speeds up the process of fuzzing APIs greatly.

# Requirements for hardware-based counter-based fuzzing #
* GNU/Linux or POSIX interface (e.g. FreeBSD, Windows/CygWin)

# HowTo #

One can prepare a binary in the two following ways:

## ASAN-style ##

Two functions must be prepared:

```int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)```

and (optional)

```int LLVMFuzzerInitialize(int *argc, char ***argv)```

Example (test.c):
```c
#include <stddef.h>
#include <stdint.h>

/* TestAPI() stands for the API under test; supply your own definition. */
void TestAPI(uint8_t *buf, size_t len);

/* Called by honggfuzz once per input; buf/len hold the current test case. */
int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
    TestAPI(buf, len);
    return 0;
}
```

Compilation:
```
$ hfuzz_cc/hfuzz_clang test.c -o test
```

Execution:
```
$ honggfuzz -P -- ./test
```

## HF_ITER style ##

A complete program needs to be prepared, using the ```HF_ITER``` symbol to obtain new inputs.

Example (test.c):
```c
#include <inttypes.h>
#include <stddef.h>

/* Provided by libfuzz.a: blocks until honggfuzz delivers the next input. */
extern void HF_ITER(uint8_t** buf, size_t* len);

/* TestAPI() stands for the API under test; supply your own definition. */
void TestAPI(uint8_t *buf, size_t len);

int main(void) {
    for (;;) {
        size_t len;
        uint8_t *buf;

        /* Fetch the next test case from the fuzzer. */
        HF_ITER(&buf, &len);

        TestAPI(buf, len);
    }
}
```

Compilation:
```
$ hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libfuzz/libfuzz.a
```

Execution:
```
$ honggfuzz -P -- ./test
```

# Feedback-driven modes #

Persistent fuzzing can easily be used together with feedback-driven fuzzing. To achieve that, compile the binary with compile-time instrumentation, or use hardware-based instrumentation (BTS, Intel PT). More can be found in this [document](FeedbackDrivenFuzzing.md).

Example (compile-time):
```
$ honggfuzz -P -z -- ./test
```

Example (hardware-based):
```
$ honggfuzz -P --linux_perf_bts_edge -- ./test
$ honggfuzz -P --linux_perf_ipt_block -- ./test
```
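As an added example (not honggfuzz's own code), here is a complete ASAN-style harness of the kind described above, targeting a hypothetical TLV parser `parse_tlv()`; the parser and its record format are assumptions for illustration. It shows the two things that matter when one process is reused across many inputs: the target must not depend on state left by the previous iteration, and the harness must free everything it allocates, since a leak compounds over thousands of iterations.

```c
/* Added example, not part of honggfuzz: persistent-mode harness for a
 * hypothetical type/length/value parser. Build with hfuzz_clang and run
 * with `honggfuzz -P -- ./harness`. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API under test: counts well-formed TLV records (1-byte type,
 * 1-byte length, then value) and returns -1 at the first malformed one.
 * It keeps no global state, so every iteration starts from the same point. */
int parse_tlv(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int records = 0;
    while (off < len) {
        if (len - off < 2) return -1;          /* need type + length bytes */
        size_t vlen = buf[off + 1];
        if (vlen > len - off - 2) return -1;   /* length runs past the buffer */
        off += 2 + vlen;
        records++;
    }
    return records;
}

/* Entry point honggfuzz calls once per input. The input is copied into a
 * heap buffer of exactly len bytes so that, under ASAN, any read past the
 * end of the input is reported as an overflow rather than silently hitting
 * the fuzzer's own (larger) buffer. The copy is freed before returning so
 * nothing accumulates across iterations. */
int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
    uint8_t *copy = malloc(len ? len : 1);
    if (copy == NULL) return 0;
    memcpy(copy, buf, len);
    parse_tlv(copy, len);
    free(copy);
    return 0;   /* 0 as in the example above: the input was processed */
}
```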