Deserialization

[landaire]

Overview

Deserialization would be desired so we can take real "over-the-wire" data sent to a target server, application, or library, and deserialize it back into a Rust structure as defined in the fuzzer. This would help with reproducibility and using real corpuses to get started with fuzzing.

Blockers

lain does not use a 1:1 mapping between Rust objects and target objects. The expectation is that the user defines a struct with a layout that's similar to how the object looks while serialized. This includes the user defining things like the padding as part of the data structure. Bitfields are an exception where the Rust struct would appear larger than the target structure since these are defined as a whole-sized type (e.g. if you have two bitfields with 4 bits each, it'd be defined as two u8 fields).

Given the nature of fuzzing these data structures as well, it's not reliable to decode from a C type to Rust types for things like dynamic-sized arrays, strings, or things that rely on run-length encoding. For example, given the following struct:

struct Foo {
    len: u8,
    items: DynamicArray<Bar>,
}

How would we know the true length of items given that len will most of the time not exactly match the true length of items? Or null-terminated strings with null bytes embedded before the actual end of the string?

Possible solutions

The only realistic solution is to always assume well-formed data. Fuzzer-generated data will produce errors and cannot be deserialized. All fields will be considered trusted and well-formed. Users should not rely on decoding C structs for corpuses and instead should convert to a Rust-native serializing solution such as bincode.