Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
71 lines (50 sloc) 2.37 KB
Fuzzing nbdkit using the American Fuzzy Lop (afl) fuzzer
--------------------------------------------------------
We can fuzz nbdkit using the -s (read from stdin) option, and feeding
in a file of "network" input. The stdout from nbdkit (ie. data that
would normally be sent back to the client) is ignored.
You will need to recompile nbdkit with afl instrumentation:
./configure CC=/usr/bin/afl-gcc CXX=/usr/bin/afl-g++
make clean
make
The fuzzing/testcase_dir directory contains some initial testcases
that afl can use.
Run multiple copies of afl-fuzz. Usually you should run 1 master (-M)
and as many slaves (-S) as you can.
Master:
mkdir -p fuzzing/sync_dir
afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
./server/nbdkit -s ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
Slaves:
# replace fuzzNN with fuzz02, fuzz03, etc.
afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
./server/nbdkit -s ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
Test Coverage
-------------
To find out if the fuzzing is covering all of the code, I used afl-cov
(https://github.com/mrash/afl-cov). Usage is rather complex, so
consult the README of that project, but in brief:
(1) Create a second copy of the nbdkit source, and compile it with
profiling:
./configure CFLAGS="-O2 -g -pg -fprofile-arcs -ftest-coverage"
make clean
make
(2) Assuming ../nbdkit-afl is the nbdkit source compiled with afl, and
the current directory is nbdkit compiled with profiling, then run the
command below. You can run this even while afl-fuzz is running.
afl-cov -d ../nbdkit-afl/fuzzing/sync_dir \
--code-dir . \
--coverage-cmd "cat AFL_FILE | ./server/nbdkit -s ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M"
This will create an HTML test coverage report in
../nbdkit-afl/fuzzing/sync_dir/cov/web/
Notes
-----
To report security bugs, see ‘SECURITY’ in the top source directory.
We only have testcases for the newstyle fixed protocol so far, but if
people report that they are exposing the oldstyle protocol to the
internet / untrusted clients then we could extend the testing for
that.
We have only fuzzed the memory plugin, which is convenient because it
stores everything in memory and throws it away when nbdkit exits.
Since plugins can have bugs as well as the core server, it may be
productive to test other plugins and filters.
You can’t perform that action at this time.