Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
61 lines (42 sloc) 1.77 KB
Fuzzing libnbd using the American Fuzzy Lop (afl) fuzzer
--------------------------------------------------------
We can fuzz libnbd using the wrapper in this directory.
You will need to recompile libnbd with afl instrumentation:
./configure CC=/usr/bin/afl-gcc CXX=/usr/bin/afl-g++ \
--disable-shared --disable-ocaml --disable-python
make clean
make
The fuzzing/testcase_dir directory contains some initial testcases
that afl can use.
Run multiple copies of afl-fuzz. Usually you should run 1 master (-M)
and as many slaves (-S) as you can.
Master:
mkdir -p fuzzing/sync_dir
afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
./fuzzing/libnbd-fuzz-wrapper @@
Slaves:
# replace fuzzNN with fuzz02, fuzz03, etc.
afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
./fuzzing/libnbd-fuzz-wrapper @@
Test Coverage
-------------
To find out if the fuzzing is covering all of the code, I used afl-cov
(https://github.com/mrash/afl-cov). Usage is rather complex, so
consult the README of that project, but in brief:
(1) Create a second copy of the libnbd source, and compile it with
profiling:
./configure CFLAGS="-O2 -g -pg -fprofile-arcs -ftest-coverage" \
--disable-shared --disable-ocaml --disable-python
make clean
make
(2) Assuming ../libnbd-afl is the libnbd source compiled with afl, and
the current directory is libnbd compiled with profiling, then run the
command below. You can run this even while afl-fuzz is running.
afl-cov -d ../libnbd-afl/fuzzing/sync_dir \
--code-dir . \
--coverage-cmd "fuzzing/libnbd-fuzz-wrapper AFL_FILE"
This will create an HTML test coverage report in
../libnbd-afl/fuzzing/sync_dir/cov/web/
Notes
-----
To report security bugs, see ‘SECURITY’ in the top source directory.
You can’t perform that action at this time.