
Persistent fuzzing

Honggfuzz can fuzz APIs in persistent mode, that is, feed each new input to the target within the same process instead of starting a fresh process per input. This speeds up fuzzing of APIs greatly, because the cost of process start-up is paid once rather than once per input.

Requirements

  • GNU/Linux or another POSIX-like environment (e.g. FreeBSD, Windows/Cygwin)

HowTo

A binary can be prepared in either of the two following ways:

LLVMFuzzerTestOneInput style (libFuzzer-compatible)

Two functions are involved. The first is required:

int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)

and the second is optional, called once before the first input:

int LLVMFuzzerInitialize(int *argc, char ***argv)

Example (test.c):

#include <stddef.h>
#include <stdint.h>

/* TestAPI() is the function under test, provided by the code being fuzzed. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
	TestAPI(buf, len);
	return 0;
}

Compilation:

$ hfuzz_cc/hfuzz_clang test.c -o test

Execution:

$ honggfuzz -P -- ./test
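A complete harness in this style, added here as an example (it is not honggfuzz's own code). The record parser it fuzzes is a constructed stand-in for TestAPI(), and build_record(), the STANDALONE macro and the copy of each input into an exactly-sized heap buffer are choices made for this example, not anything honggfuzz requires. The heap copy matters in persistent mode: the fuzzer hands the harness a pointer into its own, larger input buffer, so a read past len would otherwise land on stale bytes from a previous input and go unnoticed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed target for this example (not part of honggfuzz): a tiny
 * record format with a fixed 4-byte header.
 *   byte 0      version, must be 1
 *   byte 1      record type
 *   bytes 2-3   payload length, big-endian
 *   bytes 4..   payload, exactly the declared length */
#define HDR_LEN     4
#define MAX_PAYLOAD 512

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT,        /* fewer bytes than the header or length promises */
    PARSE_BAD_VERSION,
    PARSE_BAD_LEN       /* declared length exceeds MAX_PAYLOAD */
};

struct record {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* The function under test: every access is checked against buflen. */
enum parse_status parse_record(const uint8_t *buf, size_t buflen,
                               struct record *out) {
    if (buflen < HDR_LEN) return PARSE_SHORT;
    if (buf[0] != 1) return PARSE_BAD_VERSION;
    uint16_t len = (uint16_t)(((unsigned)buf[2] << 8) | buf[3]);
    if (len > MAX_PAYLOAD) return PARSE_BAD_LEN;
    if (buflen < HDR_LEN + (size_t)len) return PARSE_SHORT;
    out->type = buf[1];
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    return PARSE_OK;
}

/* Builds a well-formed record (used by the stand-alone main() below).
 * Returns the total length written, or 0 if it does not fit in out. */
size_t build_record(uint8_t *out, size_t outlen, uint8_t type,
                    const uint8_t *payload, uint16_t plen) {
    if (outlen < HDR_LEN + (size_t)plen) return 0;
    out[0] = 1;
    out[1] = type;
    out[2] = (uint8_t)(plen >> 8);
    out[3] = (uint8_t)(plen & 0xff);
    memcpy(out + HDR_LEN, payload, plen);
    return HDR_LEN + plen;
}

/* Optional: honggfuzz calls this once, before the first input, for setup
 * that must not be repeated on every iteration. */
static int initialized = 0;
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    (void)argc;
    (void)argv;
    initialized = 1;
    return 0;
}

/* Called once per input, in the same process. The input is copied into a
 * heap buffer of exactly len bytes: the fuzzer's own input buffer is larger
 * than the current input, so a read past len would otherwise hit stale
 * bytes and pass unnoticed; with -fsanitize=address it is reported here. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    uint8_t *copy = malloc(len ? len : 1);
    if (copy == NULL) return 0;
    memcpy(copy, buf, len);

    struct record rec;
    (void)parse_record(copy, len, &rec);

    free(copy);
    return 0;
}

/* Under hfuzz_clang, honggfuzz's library supplies the main() that drives
 * LLVMFuzzerTestOneInput(). This main() is only for a plain build
 * (cc -DSTANDALONE ...) that runs two constructed inputs. */
#ifdef STANDALONE
int main(void) {
    uint8_t buf[64];
    const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef };
    size_t n = build_record(buf, sizeof buf, 7, payload, sizeof payload);

    LLVMFuzzerInitialize(NULL, NULL);
    printf("full record:      rc=%d\n", LLVMFuzzerTestOneInput(buf, n));
    printf("truncated record: rc=%d\n", LLVMFuzzerTestOneInput(buf, n - 1));
    return 0;
}
#endif
```

For fuzzing, build it with `hfuzz_cc/hfuzz_clang -fsanitize=address harness.c -o harness` and run `honggfuzz -P -- ./harness`; leave out STANDALONE so the harness does not define its own main(). Start the corpus with one valid record so the fuzzer gets past the version check quickly.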

HF_ITER style

A complete program, including its own main(), must be prepared; it calls the HF_ITER() function provided by honggfuzz's library to obtain each new input

Example (test.c):

#include <inttypes.h>
#include <stddef.h>

/* Provided by honggfuzz's library: hands the next input to the program. */
extern void HF_ITER(uint8_t** buf, size_t* len);

/* TestAPI() is the function under test, provided by the code being fuzzed. */
int main(void) {
	for (;;) {
		size_t len;
		uint8_t *buf;

		HF_ITER(&buf, &len);

		TestAPI(buf, len);
	}
}

Compilation:

$ hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libfuzz/libfuzz.a

Execution:

$ honggfuzz -P -- ./test

Feedback-driven modes

Persistent fuzzing can be combined with feedback-driven fuzzing. To do so, compile the binary with compile-time instrumentation, or use hardware-based instrumentation (Intel BTS or Intel PT). See the feedback-driven fuzzing documentation for details.

Example (compile-time)

$ honggfuzz -P -z -- ./test

Example (hardware-based)

$ honggfuzz -P --linux_perf_bts_edge -- ./test
$ honggfuzz -P --linux_perf_ipt_block -- ./test