1 ======================================================= 2 libFuzzer a library for coverage-guided fuzz testing. 3 ======================================================= 4 .. contents:: 5 :local: 6 :depth: 1 7 8 Introduction 9 ============ 10 11 LibFuzzer is a library for in-process, coverage-guided, evolutionary fuzzing 12 of other libraries. 13 14 LibFuzzer is similar in concept to American Fuzzy Lop (AFL_), but it performs 15 all of its fuzzing inside a single process. This in-process fuzzing can be more 16 restrictive and fragile, but is potentially much faster as there is no overhead 17 for process start-up. 18 19 The fuzzer is linked with the library under test, and feeds fuzzed inputs to the 20 library via a specific fuzzing entrypoint (aka "target function"); the fuzzer 21 then tracks which areas of the code are reached, and generates mutations on the 22 corpus of input data in order to maximize the code coverage. The code coverage 23 information for libFuzzer is provided by LLVM's SanitizerCoverage_ 24 instrumentation. 25 26 Contact: libfuzzer(#)googlegroups.com 27 28 Versions 29 ======== 30 31 LibFuzzer is under active development so a current (or at least very recent) 32 version of Clang is the only supported variant. 33 34 (If `building Clang from trunk`_ is too time-consuming or difficult, then 35 the Clang binaries that the Chromium developers build are likely to be 36 fairly recent: 37 38 .. code-block:: console 39 40 mkdir TMP_CLANG 41 cd TMP_CLANG 42 git clone https://chromium.googlesource.com/chromium/src/tools/clang 43 cd .. 44 TMP_CLANG/clang/scripts/update.py 45 46 This installs the Clang binary as 47 ``./third_party/llvm-build/Release+Asserts/bin/clang``) 48 49 The libFuzzer code resides in the LLVM repository, and requires a recent Clang 50 compiler to build (and is used to `fuzz various parts of LLVM itself`_). 51 However the fuzzer itself does not (and should not) depend on any part of LLVM 52 infrastructure and can be used for other projects without requiring the rest 53 of LLVM. 54 55 56 57 Getting Started 58 =============== 59 60 .. contents:: 61 :local: 62 :depth: 1 63 64 Building 65 -------- 66 67 The first step for using libFuzzer on a library is to implement a fuzzing 68 target function that accepts a sequence of bytes, like this: 69 70 .. code-block:: c++ 71 72 // fuzz_target.cc 73 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 74 DoSomethingInterestingWithMyAPI(Data, Size); 75 return 0; // Non-zero return values are reserved for future use. 76 } 77 78 Next, build the libFuzzer library as a static archive, without any sanitizer 79 options. Note that the libFuzzer library contains the ``main()`` function: 80 81 .. code-block:: console 82 83 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer 84 # Alternative: get libFuzzer from a dedicated git mirror: 85 # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer 86 clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer 87 ar ruv libFuzzer.a Fuzzer*.o 88 89 Then build the fuzzing target function and the library under test using 90 the SanitizerCoverage_ option, which instruments the code so that the fuzzer 91 can retrieve code coverage information (to guide the fuzzing). Linking with 92 the libFuzzer code then gives an fuzzer executable. 93 94 You should also enable one or more of the *sanitizers*, which help to expose 95 latent bugs by making incorrect behavior generate errors at runtime: 96 97 - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`. 98 - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explicitly 99 listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefined` 100 or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined`. 101 You may combine ASAN and UBSAN in one build. 102 - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory 103 contents that have not been initialized to a specific value. Use `-fsanitize=memory`. 104 MSAN can not be combined with other sanirizers and should be used as a seprate build. 105 106 Finally, link with ``libFuzzer.a``:: 107 108 clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer 109 110 Corpus 111 ------ 112 113 Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the 114 code under test. This corpus should ideally be seeded with a varied collection 115 of valid and invalid inputs for the code under test; for example, for a graphics 116 library the initial corpus might hold a variety of different small PNG/JPG/GIF 117 files. The fuzzer generates random mutations based around the sample inputs in 118 the current corpus. If a mutation triggers execution of a previously-uncovered 119 path in the code under test, then that mutation is saved to the corpus for 120 future variations. 121 122 LibFuzzer will work without any initial seeds, but will be less 123 efficient if the library under test accepts complex, 124 structured inputs. 125 126 The corpus can also act as a sanity/regression check, to confirm that the 127 fuzzing entrypoint still works and that all of the sample inputs run through 128 the code under test without problems. 129 130 If you have a large corpus (either generated by fuzzing or acquired by other means) 131 you may want to minimize it while still preserving the full coverage. One way to do that 132 is to use the `-merge=1` flag: 133 134 .. code-block:: console 135 136 mkdir NEW_CORPUS_DIR # Store minimized corpus here. 137 ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR 138 139 You may use the same flag to add more interesting items to an existing corpus. 140 Only the inputs that trigger new coverage will be added to the first corpus. 141 142 .. code-block:: console 143 144 ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR 145 146 147 Running 148 ------- 149 150 To run the fuzzer, first create a Corpus_ directory that holds the 151 initial "seed" sample inputs: 152 153 .. code-block:: console 154 155 mkdir CORPUS_DIR 156 cp /some/input/samples/* CORPUS_DIR 157 158 Then run the fuzzer on the corpus directory: 159 160 .. code-block:: console 161 162 ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ... 163 164 As the fuzzer discovers new interesting test cases (i.e. test cases that 165 trigger coverage of new paths through the code under test), those test cases 166 will be added to the corpus directory. 167 168 By default, the fuzzing process will continue indefinitely at least until 169 a bug is found. Any crashes or sanitizer failures will be reported as usual, 170 stopping the fuzzing process, and the particular input that triggered the bug 171 will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``, 172 or ``timeout-<sha1>``). 173 174 175 Parallel Fuzzing 176 ---------------- 177 178 Each libFuzzer process is single-threaded, unless the library under test starts 179 its own threads. However, it is possible to run multiple libFuzzer processes in 180 parallel with a shared corpus directory; this has the advantage that any new 181 inputs found by one fuzzer process will be available to the other fuzzer 182 processes (unless you disable this with the ``-reload=0`` option). 183 184 This is primarily controlled by the ``-jobs=N`` option, which indicates that 185 that `N` fuzzing jobs should be run to completion (i.e. until a bug is found or 186 time/iteration limits are reached). These jobs will be run across a set of 187 worker processes, by default using half of the available CPU cores; the count of 188 worker processes can be overridden by the ``-workers=N`` option. For example, 189 running with ``-jobs=30`` on a 12-core machine would run 6 workers by default, 190 with each worker averaging 5 bugs by completion of the entire process. 191 192 193 Options 194 ======= 195 196 To run the fuzzer, pass zero or more corpus directories as command line 197 arguments. The fuzzer will read test inputs from each of these corpus 198 directories, and any new test inputs that are generated will be written 199 back to the first corpus directory: 200 201 .. code-block:: console 202 203 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ] 204 205 If a list of files (rather than directories) are passed to the fuzzer program, 206 then it will re-run those files as test inputs but will not perform any fuzzing. 207 In this mode the fuzzer binary can be used as a regression test (e.g. on a 208 continuous integration system) to check the target function and saved inputs 209 still work. 210 211 The most important command line options are: 212 213 ``-help`` 214 Print help message. 215 ``-seed`` 216 Random seed. If 0 (the default), the seed is generated. 217 ``-runs`` 218 Number of individual test runs, -1 (the default) to run indefinitely. 219 ``-max_len`` 220 Maximum length of a test input. If 0 (the default), libFuzzer tries to guess 221 a good value based on the corpus (and reports it). 222 ``-timeout`` 223 Timeout in seconds, default 1200. If an input takes longer than this timeout, 224 the process is treated as a failure case. 225 ``-rss_limit_mb`` 226 Memory usage limit in Mb, default 2048. Use 0 to disable the limit. 227 If an input requires more than this amount of RSS memory to execute, 228 the process is treated as a failure case. 229 The limit is checked in a separate thread every second. 230 If running w/o ASAN/MSAN, you may use 'ulimit -v' instead. 231 ``-timeout_exitcode`` 232 Exit code (default 77) to emit when terminating due to timeout, when 233 ``-abort_on_timeout`` is not set. 234 ``-max_total_time`` 235 If positive, indicates the maximum total time in seconds to run the fuzzer. 236 If 0 (the default), run indefinitely. 237 ``-merge`` 238 If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories 239 that trigger new code coverage will be merged into the first corpus 240 directory. Defaults to 0. This flag can be used to minimize a corpus. 241 ``-reload`` 242 If set to 1 (the default), the corpus directory is re-read periodically to 243 check for new inputs; this allows detection of new inputs that were discovered 244 by other fuzzing processes. 245 ``-jobs`` 246 Number of fuzzing jobs to run to completion. Default value is 0, which runs a 247 single fuzzing process until completion. If the value is >= 1, then this 248 number of jobs performing fuzzing are run, in a collection of parallel 249 separate worker processes; each such worker process has its 250 ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``. 251 ``-workers`` 252 Number of simultaneous worker processes to run the fuzzing jobs to completion 253 in. If 0 (the default), ``min(jobs, NumberOfCpuCores()/2)`` is used. 254 ``-dict`` 255 Provide a dictionary of input keywords; see Dictionaries_. 256 ``-use_counters`` 257 Use `coverage counters`_ to generate approximate counts of how often code 258 blocks are hit; defaults to 1. 259 ``-use_traces`` 260 Use instruction traces (experimental, defaults to 0); see `Data-flow-guided fuzzing`_. 261 ``-only_ascii`` 262 If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0. 263 ``-artifact_prefix`` 264 Provide a prefix to use when saving fuzzing artifacts (crash, timeout, or 265 slow inputs) as ``$(artifact_prefix)file``. Defaults to empty. 266 ``-exact_artifact_path`` 267 Ignored if empty (the default). If non-empty, write the single artifact on 268 failure (crash, timeout) as ``$(exact_artifact_path)``. This overrides 269 ``-artifact_prefix`` and will not use checksum in the file name. Do not use 270 the same path for several parallel processes. 271 ``-print_final_stats`` 272 If 1, print statistics at exit. Defaults to 0. 273 ``-detect-leaks`` 274 If 1 (default) and if LeakSanitizer is enabled 275 try to detect memory leaks during fuzzing (i.e. not only at shut down). 276 ``-close_fd_mask`` 277 Indicate output streams to close at startup. Be careful, this will 278 remove diagnostic output from target code (e.g. messages on assert failure). 279 280 - 0 (default): close neither ``stdout`` nor ``stderr`` 281 - 1 : close ``stdout`` 282 - 2 : close ``stderr`` 283 - 3 : close both ``stdout`` and ``stderr``. 284 285 For the full list of flags run the fuzzer binary with ``-help=1``. 286 287 Output 288 ====== 289 290 During operation the fuzzer prints information to ``stderr``, for example:: 291 292 INFO: Seed: 3338750330 293 Loaded 1024/1211 files from corpus/ 294 INFO: -max_len is not provided, using 64 295 #0 READ units: 1211 exec/s: 0 296 #1211 INITED cov: 2575 bits: 8855 indir: 5 units: 830 exec/s: 1211 297 #1422 NEW cov: 2580 bits: 8860 indir: 5 units: 831 exec/s: 1422 L: 21 MS: 1 ShuffleBytes- 298 #1688 NEW cov: 2581 bits: 8865 indir: 5 units: 832 exec/s: 1688 L: 19 MS: 2 EraseByte-CrossOver- 299 #1734 NEW cov: 2583 bits: 8879 indir: 5 units: 833 exec/s: 1734 L: 27 MS: 3 ChangeBit-EraseByte-ShuffleBytes- 300 ... 301 302 The early parts of the output include information about the fuzzer options and 303 configuration, including the current random seed (in the ``Seed:`` line; this 304 can be overridden with the ``-seed=N`` flag). 305 306 Further output lines have the form of an event code and statistics. The 307 possible event codes are: 308 309 ``READ`` 310 The fuzzer has read in all of the provided input samples from the corpus 311 directories. 312 ``INITED`` 313 The fuzzer has completed initialization, which includes running each of 314 the initial input samples through the code under test. 315 ``NEW`` 316 The fuzzer has created a test input that covers new areas of the code 317 under test. This input will be saved to the primary corpus directory. 318 ``pulse`` 319 The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure 320 the user that the fuzzer is still working). 321 ``DONE`` 322 The fuzzer has completed operation because it has reached the specified 323 iteration limit (``-runs``) or time limit (``-max_total_time``). 324 ``MIN<n>`` 325 The fuzzer is minimizing the combination of input corpus directories into 326 a single unified corpus (due to the ``-merge`` command line option). 327 ``RELOAD`` 328 The fuzzer is performing a periodic reload of inputs from the corpus 329 directory; this allows it to discover any inputs discovered by other 330 fuzzer processes (see `Parallel Fuzzing`_). 331 332 Each output line also reports the following statistics (when non-zero): 333 334 ``cov:`` 335 Total number of code blocks or edges covered by the executing the current 336 corpus. 337 ``bits:`` 338 Rough measure of the number of code blocks or edges covered, and how often; 339 only valid if the fuzzer is run with ``-use_counters=1``. 340 ``indir:`` 341 Number of distinct function `caller-callee pairs`_ executed with the 342 current corpus; only valid if the code under test was built with 343 ``-fsanitize-coverage=indirect-calls``. 344 ``units:`` 345 Number of entries in the current input corpus. 346 ``exec/s:`` 347 Number of fuzzer iterations per second. 348 349 For ``NEW`` events, the output line also includes information about the mutation 350 operation that produced the new input: 351 352 ``L:`` 353 Size of the new input in bytes. 354 ``MS: <n> <operations>`` 355 Count and list of the mutation operations used to generate the input. 356 357 358 Examples 359 ======== 360 .. contents:: 361 :local: 362 :depth: 1 363 364 Toy example 365 ----------- 366 367 A simple function that does something interesting if it receives the input 368 "HI!":: 369 370 cat << EOF > test_fuzzer.cc 371 #include <stdint.h> 372 #include <stddef.h> 373 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 374 if (size > 0 && data[0] == 'H') 375 if (size > 1 && data[1] == 'I') 376 if (size > 2 && data[2] == '!') 377 __builtin_trap(); 378 return 0; 379 } 380 EOF 381 # Build test_fuzzer.cc with asan and link against libFuzzer.a 382 clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc libFuzzer.a 383 # Run the fuzzer with no corpus. 384 ./a.out 385 386 You should get an error pretty quickly:: 387 388 #0 READ units: 1 exec/s: 0 389 #1 INITED cov: 3 units: 1 exec/s: 0 390 #2 NEW cov: 5 units: 2 exec/s: 0 L: 64 MS: 0 391 #19237 NEW cov: 9 units: 3 exec/s: 0 L: 64 MS: 0 392 #20595 NEW cov: 10 units: 4 exec/s: 0 L: 1 MS: 4 ChangeASCIIInt-ShuffleBytes-ChangeByte-CrossOver- 393 #34574 NEW cov: 13 units: 5 exec/s: 0 L: 2 MS: 3 ShuffleBytes-CrossOver-ChangeBit- 394 #34807 NEW cov: 15 units: 6 exec/s: 0 L: 3 MS: 1 CrossOver- 395 ==31511== ERROR: libFuzzer: deadly signal 396 ... 397 artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed 398 399 400 PCRE2 401 ----- 402 403 Here we show how to use libFuzzer on something real, yet simple: pcre2_:: 404 405 COV_FLAGS=" -fsanitize-coverage=edge,indirect-calls,8bit-counters" 406 # Get PCRE2 407 wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre2-10.20.tar.gz 408 tar xf pcre2-10.20.tar.gz 409 # Build PCRE2 with AddressSanitizer and coverage; requires autotools. 410 (cd pcre2-10.20; ./autogen.sh; CC="clang -fsanitize=address $COV_FLAGS" ./configure --prefix=`pwd`/../inst && make -j && make install) 411 # Build the fuzzing target function that does something interesting with PCRE2. 412 cat << EOF > pcre_fuzzer.cc 413 #include <string.h> 414 #include <stdint.h> 415 #include "pcre2posix.h" 416 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 417 if (size < 1) return 0; 418 char *str = new char[size+1]; 419 memcpy(str, data, size); 420 str[size] = 0; 421 regex_t preg; 422 if (0 == regcomp(&preg, str, 0)) { 423 regexec(&preg, str, 0, 0, 0); 424 regfree(&preg); 425 } 426 delete [] str; 427 return 0; 428 } 429 EOF 430 clang++ -g -fsanitize=address $COV_FLAGS -c -std=c++11 -I inst/include/ pcre_fuzzer.cc 431 # Link. 432 clang++ -g -fsanitize=address -Wl,--whole-archive inst/lib/*.a -Wl,-no-whole-archive libFuzzer.a pcre_fuzzer.o -o pcre_fuzzer 433 434 This will give you a binary of the fuzzer, called ``pcre_fuzzer``. 435 Now, create a directory that will hold the test corpus: 436 437 .. code-block:: console 438 439 mkdir -p CORPUS 440 441 For simple input languages like regular expressions this is all you need. 442 For more complicated/structured inputs, the fuzzer works much more efficiently 443 if you can populate the corpus directory with a variety of valid and invalid 444 inputs for the code under test. 445 Now run the fuzzer with the corpus directory as the only parameter: 446 447 .. code-block:: console 448 449 ./pcre_fuzzer ./CORPUS 450 451 Initially, you will see Output_ like this:: 452 453 INFO: Seed: 2938818941 454 INFO: -max_len is not provided, using 64 455 INFO: A corpus is not provided, starting from an empty corpus 456 #0 READ units: 1 exec/s: 0 457 #1 INITED cov: 3 bits: 3 units: 1 exec/s: 0 458 #2 NEW cov: 176 bits: 176 indir: 3 units: 2 exec/s: 0 L: 64 MS: 0 459 #8 NEW cov: 176 bits: 179 indir: 3 units: 3 exec/s: 0 L: 63 MS: 2 ChangeByte-EraseByte- 460 ... 461 #14004 NEW cov: 1500 bits: 4536 indir: 5 units: 406 exec/s: 0 L: 54 MS: 3 ChangeBit-ChangeBit-CrossOver- 462 463 Now, interrupt the fuzzer and run it again the same way. You will see:: 464 465 INFO: Seed: 3398349082 466 INFO: -max_len is not provided, using 64 467 #0 READ units: 405 exec/s: 0 468 #405 INITED cov: 1499 bits: 4535 indir: 5 units: 286 exec/s: 0 469 #587 NEW cov: 1499 bits: 4540 indir: 5 units: 287 exec/s: 0 L: 52 MS: 2 InsertByte-EraseByte- 470 #667 NEW cov: 1501 bits: 4542 indir: 5 units: 288 exec/s: 0 L: 39 MS: 2 ChangeBit-InsertByte- 471 #672 NEW cov: 1501 bits: 4543 indir: 5 units: 289 exec/s: 0 L: 15 MS: 2 ChangeASCIIInt-ChangeBit- 472 #739 NEW cov: 1501 bits: 4544 indir: 5 units: 290 exec/s: 0 L: 64 MS: 4 ShuffleBytes-ChangeASCIIInt-InsertByte-ChangeBit- 473 ... 474 475 On the second execution the fuzzer has a non-empty input corpus (405 items). As 476 the first step, the fuzzer minimized this corpus (the ``INITED`` line) to 477 produce 286 interesting items, omitting inputs that do not hit any additional 478 code. 479 480 (Aside: although the fuzzer only saves new inputs that hit additional code, this 481 does not mean that the corpus as a whole is kept minimized. For example, if 482 an input hitting A-B-C then an input that hits A-B-C-D are generated, 483 they will both be saved, even though the latter subsumes the former.) 484 485 486 You may run ``N`` independent fuzzer jobs in parallel on ``M`` CPUs: 487 488 .. code-block:: console 489 490 N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M 491 492 By default (``-reload=1``) the fuzzer processes will periodically scan the corpus directory 493 and reload any new tests. This way the test inputs found by one process will be picked up 494 by all others. 495 496 If ``-workers=$M`` is not supplied, ``min($N,NumberOfCpuCore/2)`` will be used. 497 498 Heartbleed 499 ---------- 500 Remember Heartbleed_? 501 As it was recently `shown <https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html>`_, 502 fuzzing with AddressSanitizer_ can find Heartbleed. Indeed, here are the step-by-step instructions 503 to find Heartbleed with libFuzzer:: 504 505 wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz 506 tar xf openssl-1.0.1f.tar.gz 507 COV_FLAGS="-fsanitize-coverage=edge,indirect-calls" # -fsanitize-coverage=8bit-counters 508 (cd openssl-1.0.1f/ && ./config && 509 make -j 32 CC="clang -g -fsanitize=address $COV_FLAGS") 510 # Get and build libFuzzer 511 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer 512 clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer 513 # Get examples of key/pem files. 514 git clone https://github.com/hannob/selftls 515 cp selftls/server* . -v 516 cat << EOF > handshake-fuzz.cc 517 #include <openssl/ssl.h> 518 #include <openssl/err.h> 519 #include <assert.h> 520 #include <stdint.h> 521 #include <stddef.h> 522 523 SSL_CTX *sctx; 524 int Init() { 525 SSL_library_init(); 526 SSL_load_error_strings(); 527 ERR_load_BIO_strings(); 528 OpenSSL_add_all_algorithms(); 529 assert (sctx = SSL_CTX_new(TLSv1_method())); 530 assert (SSL_CTX_use_certificate_file(sctx, "server.pem", SSL_FILETYPE_PEM)); 531 assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM)); 532 return 0; 533 } 534 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 535 static int unused = Init(); 536 SSL *server = SSL_new(sctx); 537 BIO *sinbio = BIO_new(BIO_s_mem()); 538 BIO *soutbio = BIO_new(BIO_s_mem()); 539 SSL_set_bio(server, sinbio, soutbio); 540 SSL_set_accept_state(server); 541 BIO_write(sinbio, Data, Size); 542 SSL_do_handshake(server); 543 SSL_free(server); 544 return 0; 545 } 546 EOF 547 # Build the fuzzer. 548 clang++ -g handshake-fuzz.cc -fsanitize=address \ 549 openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o 550 # Run 20 independent fuzzer jobs. 551 ./a.out -jobs=20 -workers=20 552 553 Voila:: 554 555 #1048576 pulse cov 3424 bits 0 units 9 exec/s 24385 556 ================================================================= 557 ==17488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004748 at pc 0x00000048c979 bp 0x7fffe3e864f0 sp 0x7fffe3e85ca8 558 READ of size 60731 at 0x629000004748 thread T0 559 #0 0x48c978 in __asan_memcpy 560 #1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3 561 #2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4 562 563 Note: a `similar fuzzer <https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md>`_ 564 is now a part of the BoringSSL_ source tree. 565 566 Advanced features 567 ================= 568 .. contents:: 569 :local: 570 :depth: 1 571 572 Dictionaries 573 ------------ 574 LibFuzzer supports user-supplied dictionaries with input language keywords 575 or other interesting byte sequences (e.g. multi-byte magic values). 576 Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary 577 may significantly improve the search speed. 578 The dictionary syntax is similar to that used by AFL_ for its ``-x`` option:: 579 580 # Lines starting with '#' and empty lines are ignored. 581 582 # Adds "blah" (w/o quotes) to the dictionary. 583 kw1="blah" 584 # Use \\ for backslash and \" for quotes. 585 kw2="\"ac\\dc\"" 586 # Use \xAB for hex values 587 kw3="\xF7\xF8" 588 # the name of the keyword followed by '=' may be omitted: 589 "foo\x0Abar" 590 591 Data-flow-guided fuzzing 592 ------------------------ 593 594 *EXPERIMENTAL*. 595 With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` (see SanitizerCoverageTraceDataFlow_) 596 and extra run-time flag ``-use_traces=1`` the fuzzer will try to apply *data-flow-guided fuzzing*. 597 That is, the fuzzer will record the inputs to comparison instructions, switch statements, 598 and several libc functions (``memcmp``, ``strcmp``, ``strncmp``, etc). 599 It will later use those recorded inputs during mutations. 600 601 This mode can be combined with DataFlowSanitizer_ to achieve better sensitivity. 602 603 Fuzzer-friendly build mode 604 --------------------------- 605 Sometimes the code under test is not fuzzing-friendly. Examples: 606 607 - The target code uses a PRNG seeded e.g. by system time and 608 thus two consequent invocations may potentially execute different code paths 609 even if the end result will be the same. This will cause a fuzzer to treat 610 two similar inputs as significantly different and it will blow up the test corpus. 611 E.g. libxml uses ``rand()`` inside its hash table. 612 - The target code uses checksums to protect from invalid inputs. 613 E.g. png checks CRC for every chunk. 614 615 In many cases it makes sense to build a special fuzzing-friendly build 616 with certain fuzzing-unfriendly features disabled. We propose to use a common build macro 617 for all such cases for consistency: ``FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION``. 618 619 .. code-block:: c++ 620 621 void MyInitPRNG() { 622 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 623 // In fuzzing mode the behavior of the code should be deterministic. 624 srand(0); 625 #else 626 srand(time(0)); 627 #endif 628 } 629 630 631 632 AFL compatibility 633 ----------------- 634 LibFuzzer can be used together with AFL_ on the same test corpus. 635 Both fuzzers expect the test corpus to reside in a directory, one file per input. 636 You can run both fuzzers on the same corpus, one after another: 637 638 .. code-block:: console 639 640 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@ 641 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir 642 643 Periodically restart both fuzzers so that they can use each other's findings. 644 Currently, there is no simple way to run both fuzzing engines in parallel while sharing the same corpus dir. 645 646 You may also use AFL on your target function ``LLVMFuzzerTestOneInput``: 647 see an example `here <https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/afl/afl_driver.cpp>`__. 648 649 How good is my fuzzer? 650 ---------------------- 651 652 Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death, 653 you will want to know whether the function or the corpus can be improved further. 654 One easy to use metric is, of course, code coverage. 655 You can get the coverage for your corpus like this: 656 657 .. code-block:: console 658 659 ASAN_OPTIONS=coverage=1:html_cov_report=1 ./fuzzer CORPUS_DIR -runs=0 660 661 This will run all tests in the CORPUS_DIR but will not perform any fuzzing. 662 At the end of the process it will dump a single html file with coverage information. 663 See SanitizerCoverage_ for details. 664 665 You may also use other ways to visualize coverage, 666 e.g. using `Clang coverage <http://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_, 667 but those will require 668 you to rebuild the code with different compiler flags. 669 670 User-supplied mutators 671 ---------------------- 672 673 LibFuzzer allows to use custom (user-supplied) mutators, 674 see FuzzerInterface.h_ 675 676 Startup initialization 677 ---------------------- 678 If the library being tested needs to be initialized, there are several options. 679 680 The simplest way is to have a statically initialized global object inside 681 `LLVMFuzzerTestOneInput` (or in global scope if that works for you): 682 683 .. code-block:: c++ 684 685 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 686 static bool Initialized = DoInitialization(); 687 ... 688 689 Alternatively, you may define an optional init function and it will receive 690 the program arguments that you can read and modify. Do this **only** if you 691 realy need to access ``argv``/``argc``. 692 693 .. code-block:: c++ 694 695 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { 696 ReadAndMaybeModify(argc, argv); 697 return 0; 698 } 699 700 701 Leaks 702 ----- 703 704 Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect 705 memory leaks at the process shutdown. 706 For in-process fuzzing this is inconvenient 707 since the fuzzer needs to report a leak with a reproducer as soon as the leaky 708 mutation is found. However, running full leak detection after every mutation 709 is expensive. 710 711 By default (``-detect_leaks=1``) libFuzzer will count the number of 712 ``malloc`` and ``free`` calls when executing every mutation. 713 If the numbers don't match (which by itself doesn't mean there is a leak) 714 libFuzzer will invoke the more expensive LeakSanitizer_ 715 pass and if the actual leak is found, it will be reported with the reproducer 716 and the process will exit. 717 718 If your target has massive leaks and the leak detection is disabled 719 you will eventually run out of RAM (see the ``-rss_limit_mb`` flag). 720 721 722 Developing libFuzzer 723 ==================== 724 725 Building libFuzzer as a part of LLVM project and running its test requires 726 fresh clang as the host compiler and special CMake configuration: 727 728 .. code-block:: console 729 730 cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=YES -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON /path/to/llvm 731 ninja check-fuzzer 732 733 734 Fuzzing components of LLVM 735 ========================== 736 .. contents:: 737 :local: 738 :depth: 1 739 740 To build any of the LLVM fuzz targets use the build instructions above. 741 742 clang-format-fuzzer 743 ------------------- 744 The inputs are random pieces of C++-like text. 745 746 .. code-block:: console 747 748 ninja clang-format-fuzzer 749 mkdir CORPUS_DIR 750 ./bin/clang-format-fuzzer CORPUS_DIR 751 752 Optionally build other kinds of binaries (ASan+Debug, MSan, UBSan, etc). 753 754 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23052 755 756 clang-fuzzer 757 ------------ 758 759 The behavior is very similar to ``clang-format-fuzzer``. 760 761 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23057 762 763 llvm-as-fuzzer 764 -------------- 765 766 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=24639 767 768 llvm-mc-fuzzer 769 -------------- 770 771 This tool fuzzes the MC layer. Currently it is only able to fuzz the 772 disassembler but it is hoped that assembly, and round-trip verification will be 773 added in future. 774 775 When run in dissassembly mode, the inputs are opcodes to be disassembled. The 776 fuzzer will consume as many instructions as possible and will stop when it 777 finds an invalid instruction or runs out of data. 778 779 Please note that the command line interface differs slightly from that of other 780 fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have 781 a single dash, while other arguments control the operation mode and target in a 782 similar manner to ``llvm-mc`` and should have two dashes. For example: 783 784 .. code-block:: console 785 786 llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10 787 788 Buildbot 789 -------- 790 791 A buildbot continuously runs the above fuzzers for LLVM components, with results 792 shown at http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer . 793 794 FAQ 795 ========================= 796 797 Q. Why doesn't libFuzzer use any of the LLVM support? 798 ----------------------------------------------------- 799 800 There are two reasons. 801 802 First, we want this library to be used outside of the LLVM without users having to 803 build the rest of LLVM. This may sound unconvincing for many LLVM folks, 804 but in practice the need for building the whole LLVM frightens many potential 805 users -- and we want more users to use this code. 806 807 Second, there is a subtle technical reason not to rely on the rest of LLVM, or 808 any other large body of code (maybe not even STL). When coverage instrumentation 809 is enabled, it will also instrument the LLVM support code which will blow up the 810 coverage set of the process (since the fuzzer is in-process). In other words, by 811 using more external dependencies we will slow down the fuzzer while the main 812 reason for it to exist is extreme speed. 813 814 Q. What about Windows then? The fuzzer contains code that does not build on Windows. 815 ------------------------------------------------------------------------------------ 816 817 Volunteers are welcome. 818 819 Q. When this Fuzzer is not a good solution for a problem? 820 --------------------------------------------------------- 821 822 * If the test inputs are validated by the target library and the validator 823 asserts/crashes on invalid inputs, in-process fuzzing is not applicable. 824 * Bugs in the target library may accumulate without being detected. E.g. a memory 825 corruption that goes undetected at first and then leads to a crash while 826 testing another input. This is why it is highly recommended to run this 827 in-process fuzzer with all sanitizers to detect most bugs on the spot. 828 * It is harder to protect the in-process fuzzer from excessive memory 829 consumption and infinite loops in the target library (still possible). 830 * The target library should not have significant global state that is not 831 reset between the runs. 832 * Many interesting target libraries are not designed in a way that supports 833 the in-process fuzzer interface (e.g. require a file path instead of a 834 byte array). 835 * If a single test run takes a considerable fraction of a second (or 836 more) the speed benefit from the in-process fuzzer is negligible. 837 * If the target library runs persistent threads (that outlive 838 execution of one test) the fuzzing results will be unreliable. 839 840 Q. So, what exactly this Fuzzer is good for? 841 -------------------------------------------- 842 843 This Fuzzer might be a good choice for testing libraries that have relatively 844 small inputs, each input takes < 10ms to run, and the library code is not expected 845 to crash on invalid inputs. 846 Examples: regular expression matchers, text or binary format parsers, compression, 847 network, crypto. 848 849 Trophies 850 ======== 851 * GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc 852 853 * MUSL LIBC: `[1] <http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://www.openwall.com/lists/oss-security/2015/03/30/3>`__ 854 855 * `pugixml <https://github.com/zeux/pugixml/issues/39>`_ 856 857 * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup; 858 also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_ 859 860 * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_ 861 862 * `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_ 863 864 * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_ 865 866 * `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_ 867 868 * `Python <http://bugs.python.org/issue25388>`_ 869 870 * OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_ `[4] <https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64>`_ `[5] <https://github.com/openssl/openssl/pull/931/commits/dd5ac557f052cc2b7f718ac44a8cb7ac6f77dca8>`_ `[6] <https://github.com/openssl/openssl/pull/931/commits/19b5b9194071d1d84e38ac9a952e715afbc85a81>`_ 871 872 * `Libxml2 873 <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE-2015-7942) 874 875 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_ 876 877 * Capstone: `[1] <https://github.com/aquynh/capstone/issues/600>`__ `[2] <https://github.com/aquynh/capstone/commit/6b88d1d51eadf7175a8f8a11b690684443b11359>`__ 878 879 * file:`[1] <http://bugs.gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com/view.php?id=553>`__ `[4] <http://bugs.gw.com/view.php?id=554>`__ 880 881 * Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__ 882 883 * gRPC: `[1] <https://github.com/grpc/grpc/pull/6071/commits/df04c1f7f6aec6e95722ec0b023a6b29b6ea871c>`__ `[2] <https://github.com/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com/grpc/grpc/pull/6071/commits/9cac2a12d9e181d130841092e9d40fa3309d7aa7>`__ `[4] <https://github.com/grpc/grpc/pull/6012/commits/82a91c91d01ce9b999c8821ed13515883468e203>`__ `[5] <https://github.com/grpc/grpc/pull/6202/commits/2e3e0039b30edaf89fb93bfb2c1d0909098519fa>`__ `[6] <https://github.com/grpc/grpc/pull/6106/files>`__ 884 885 * WOFF2: `[1] <https://github.com/google/woff2/commit/a15a8ab>`__ 886 887 * LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422. 888 889 .. _pcre2: http://www.pcre.org/ 890 .. _AFL: http://lcamtuf.coredump.cx/afl/ 891 .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html 892 .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow 893 .. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html 894 .. _AddressSanitizer: http://clang.llvm.org/docs/AddressSanitizer.html 895 .. _LeakSanitizer: http://clang.llvm.org/docs/LeakSanitizer.html 896 .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed 897 .. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h 898 .. _3.7.0: http://llvm.org/releases/3.7.0/docs/LibFuzzer.html 899 .. _building Clang from trunk: http://clang.llvm.org/get_started.html 900 .. _MemorySanitizer: http://clang.llvm.org/docs/MemorySanitizer.html 901 .. _UndefinedBehaviorSanitizer: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html 902 .. _`coverage counters`: http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters 903 .. _`caller-callee pairs`: http://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage 904 .. _BoringSSL: https://boringssl.googlesource.com/boringssl/ 905 .. _`fuzz various parts of LLVM itself`: `Fuzzing components of LLVM`_ 906