[thirdparty/openssl.git] / fuzz / README.md

# I Can Haz Fuzz?

LibFuzzer
=========

Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

    $ sudo apt-get install git
    $ mkdir git-work
    $ git clone https://chromium.googlesource.com/chromium/src/tools/clang
    $ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

    $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

    $ cd
    $ sudo apt-get install subversion
    $ mkdir svn-work
    $ cd svn-work
    $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
    $ cd Fuzzer
    $ clang++ -c -g -O2 -std=c++11 *.cpp
    $ ar r libFuzzer.a *.o
    $ ranlib libFuzzer.a

Configure for fuzzing:

    $ CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-include=../../svn-work/Fuzzer \
            --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
            -DPEDANTIC enable-asan enable-ubsan no-shared \
            -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
            -fsanitize-coverage=edge,indirect-calls,8bit-counters \
            enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
            enable-weak-ssl-ciphers enable-rc5 enable-md2 \
            enable-ssl3 enable-ssl3-method enable-nextprotoneg
    $ sudo apt-get install make
    $ LDCMD=clang++ make -j
    $ fuzz/helper.py $FUZZER

Where $FUZZER is one of the executables in `fuzz/`.

If you get a crash, you should find a corresponding input file in
`fuzz/corpora/$FUZZER-crash/`. You can reproduce the crash with

    $ fuzz/$FUZZER <crashfile>

AFL
===

Configure for fuzzing:

    $ sudo apt-get install afl-clang
    $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
        enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
        enable-ssl3 enable-ssl3-method enable-nextprotoneg \
        enable-ec_nistp_64_gcc_128
    $ make

The following options can also be enabled: enable-asan, enable-ubsan, enable-msan

Run one of the fuzzers:

    $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in `fuzz/`.
Commit	Line	Data
c38bb727 BL	1	# I Can Haz Fuzz?
c38bb727 BL	2
f59d0131 KR	3	LibFuzzer
	4	=========
	5
fe2582a2	6	Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).
c38bb727 BL	7
	8	Starting from a vanilla+OpenSSH server Ubuntu install.
	9
	10	Use Chrome's handy recent build of clang. Older versions may also work.
	11
	12	$ sudo apt-get install git
	13	$ mkdir git-work
	14	$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
	15	$ clang/scripts/update.py
	16
	17	You may want to git pull and re-run the update from time to time.
	18
	19	Update your path:
	20
	21	$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH
	22
	23	Get and build libFuzzer (there is a git mirror at
	24	https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):
	25
	26	$ cd
	27	$ sudo apt-get install subversion
	28	$ mkdir svn-work
	29	$ cd svn-work
	30	$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
	31	$ cd Fuzzer
	32	$ clang++ -c -g -O2 -std=c++11 *.cpp
	33	$ ar r libFuzzer.a *.o
	34	$ ranlib libFuzzer.a
	35
	36	Configure for fuzzing:
	37
f59d0131 KR	38	$ CC=clang ./config enable-fuzz-libfuzzer \
	39	--with-fuzzer-include=../../svn-work/Fuzzer \
	40	--with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
3a9b9b2d	41	-DPEDANTIC enable-asan enable-ubsan no-shared \
0282aeb6	42	-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
e104d01d KR	43	-fsanitize-coverage=edge,indirect-calls,8bit-counters \
	44	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
	45	enable-weak-ssl-ciphers enable-rc5 enable-md2 \
	46	enable-ssl3 enable-ssl3-method enable-nextprotoneg
c38bb727 BL	47	$ sudo apt-get install make
c38bb727 BL	48	$ LDCMD=clang++ make -j
31b15b9b	49	$ fuzz/helper.py $FUZZER
c38bb727	50
31b15b9b	51	Where $FUZZER is one of the executables in `fuzz/`.
c38bb727 BL	52
c38bb727 BL	53	If you get a crash, you should find a corresponding input file in
31b15b9b	54	`fuzz/corpora/$FUZZER-crash/`. You can reproduce the crash with
c38bb727	55
31b15b9b	56	$ fuzz/$FUZZER <crashfile>
f59d0131 KR	57
	58	AFL
	59	===
	60
	61	Configure for fuzzing:
	62
	63	$ sudo apt-get install afl-clang
e104d01d KR	64	$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
	65	enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
	66	enable-ssl3 enable-ssl3-method enable-nextprotoneg \
	67	enable-ec_nistp_64_gcc_128
f59d0131 KR	68	$ make
f59d0131 KR	69
e104d01d KR	70	The following options can also be enabled: enable-asan, enable-ubsan, enable-msan
e104d01d KR	71
f59d0131 KR	72	Run one of the fuzzers:
f59d0131 KR	73
31b15b9b	74	$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER
f59d0131	75
31b15b9b	76	Where $FUZZER is one of the executables in `fuzz/`.