]>
Commit | Line | Data |
---|---|---|
c38bb727 BL |
1 | # I Can Haz Fuzz? |
2 | ||
f59d0131 KR |
3 | LibFuzzer |
4 | ========= | |
5 | ||
fe2582a2 | 6 | Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html). |
c38bb727 BL |
7 | |
8 | Starting from a vanilla+OpenSSH server Ubuntu install. | |
9 | ||
10 | Use Chrome's handy recent build of clang. Older versions may also work. | |
11 | ||
12 | $ sudo apt-get install git | |
13 | $ mkdir git-work | |
14 | $ git clone https://chromium.googlesource.com/chromium/src/tools/clang | |
15 | $ clang/scripts/update.py | |
16 | ||
17 | You may want to git pull and re-run the update from time to time. | |
18 | ||
19 | Update your path: | |
20 | ||
21 | $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH | |
22 | ||
23 | Get and build libFuzzer (there is a git mirror at | |
24 | https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): | |
25 | ||
26 | $ cd | |
27 | $ sudo apt-get install subversion | |
28 | $ mkdir svn-work | |
29 | $ cd svn-work | |
30 | $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer | |
31 | $ cd Fuzzer | |
32 | $ clang++ -c -g -O2 -std=c++11 *.cpp | |
33 | $ ar r libFuzzer.a *.o | |
34 | $ ranlib libFuzzer.a | |
35 | ||
36 | Configure for fuzzing: | |
37 | ||
f59d0131 KR |
38 | $ CC=clang ./config enable-fuzz-libfuzzer \ |
39 | --with-fuzzer-include=../../svn-work/Fuzzer \ | |
40 | --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \ | |
3a9b9b2d | 41 | -DPEDANTIC enable-asan enable-ubsan no-shared \ |
0282aeb6 | 42 | -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \ |
644fb113 | 43 | -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp \ |
e104d01d KR |
44 | enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \ |
45 | enable-weak-ssl-ciphers enable-rc5 enable-md2 \ | |
f8d4b3be KR |
46 | enable-ssl3 enable-ssl3-method enable-nextprotoneg \ |
47 | --debug | |
c38bb727 BL |
48 | $ sudo apt-get install make |
49 | $ LDCMD=clang++ make -j | |
31b15b9b | 50 | $ fuzz/helper.py $FUZZER |
c38bb727 | 51 | |
31b15b9b | 52 | Where $FUZZER is one of the executables in `fuzz/`. |
c38bb727 BL |
53 | |
54 | If you get a crash, you should find a corresponding input file in | |
f8d4b3be | 55 | `fuzz/corpora/$FUZZER-crash/`. |
f59d0131 KR |
56 | |
57 | AFL | |
58 | === | |
59 | ||
60 | Configure for fuzzing: | |
61 | ||
62 | $ sudo apt-get install afl-clang | |
e104d01d KR |
63 | $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \ |
64 | enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \ | |
65 | enable-ssl3 enable-ssl3-method enable-nextprotoneg \ | |
f8d4b3be KR |
66 | enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \ |
67 | --debug | |
f59d0131 KR |
68 | $ make |
69 | ||
e104d01d KR |
70 | The following options can also be enabled: enable-asan, enable-ubsan, enable-msan |
71 | ||
f59d0131 KR |
72 | Run one of the fuzzers: |
73 | ||
31b15b9b | 74 | $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER |
f59d0131 | 75 | |
31b15b9b | 76 | Where $FUZZER is one of the executables in `fuzz/`. |
f8d4b3be KR |
77 | |
78 | Reproducing issues | |
79 | ================== | |
80 | ||
81 | If a fuzzer generates a reproducible error, you can reproduce the problem using | |
82 | the fuzz/*-test binaries and the file generated by the fuzzer. They binaries | |
83 | don't need to be build for fuzzing, there is no need to set CC or the call | |
84 | config with enable-fuzz-* or -fsanitize-coverage, but some of the other options | |
85 | above might be needed. For instance the enable-asan or enable-ubsan option might | |
86 | be useful to show you when the problem happens. For the client and server fuzzer | |
87 | it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to | |
88 | reproduce the generated random numbers. | |
89 | ||
90 | To reproduce the crash you can run: | |
91 | ||
92 | $ fuzz/$FUZZER-test $file | |
93 | ||
94 | Random numbers | |
95 | ============== | |
96 | ||
97 | The client and server fuzzer normally generate random numbers as part of the TLS | |
98 | connection setup. This results in the coverage of the fuzzing corpus changing | |
99 | depending on the random numbers. This also has an effect for coverage of the | |
100 | rest of the test suite and you see the coverage change for each commit even when | |
101 | no code has been modified. | |
102 | ||
103 | Since we want to maximize the coverage of the fuzzing corpus, the client and | |
104 | server fuzzer will use predictable numbers instead of the random numbers. This | |
105 | is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define. | |
106 | ||
107 | The coverage depends on the way the numbers are generated. We don't disable any | |
108 | check of hashes, but the corpus has the correct hash in it for the random | |
109 | numbers that were generated. For instance the client fuzzer will always generate | |
110 | the same client hello with the same random number in it, and so the server, as | |
111 | emulated by the file, can be generated for that client hello. | |
112 | ||
113 | Coverage changes | |
114 | ================ | |
115 | ||
116 | Since the corpus depends on the default behaviour of the client and the server, | |
117 | changes in what they send by default will have an impact on the coverage. The | |
118 | corpus will need to be updated in that case. | |
119 |