[thirdparty/openssl.git] / fuzz / README.md

# I Can Haz Fuzz?

LibFuzzer
=========

Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

    $ sudo apt-get install git
    $ mkdir git-work
    $ git clone https://chromium.googlesource.com/chromium/src/tools/clang
    $ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

    $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

    $ cd
    $ sudo apt-get install subversion
    $ mkdir svn-work
    $ cd svn-work
    $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
    $ cd Fuzzer
    $ clang++ -c -g -O2 -std=c++11 *.cpp
    $ ar r libFuzzer.a *.o
    $ ranlib libFuzzer.a

Configure for fuzzing:

    $ CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-include=../../svn-work/Fuzzer \
            --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
            -DPEDANTIC enable-asan enable-ubsan no-shared \
            -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
            -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp \
            enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
            enable-weak-ssl-ciphers enable-rc5 enable-md2 \
            enable-ssl3 enable-ssl3-method enable-nextprotoneg \
            --debug
    $ sudo apt-get install make
    $ LDCMD=clang++ make -j
    $ fuzz/helper.py $FUZZER

Where $FUZZER is one of the executables in `fuzz/`.

If you get a crash, you should find a corresponding input file in
`fuzz/corpora/$FUZZER-crash/`.

AFL
===

Configure for fuzzing:

    $ sudo apt-get install afl-clang
    $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
        enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
        enable-ssl3 enable-ssl3-method enable-nextprotoneg \
        enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
        --debug
    $ make

The following options can also be enabled: enable-asan, enable-ubsan, enable-msan

Run one of the fuzzers:

    $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in `fuzz/`.

Reproducing issues
==================

If a fuzzer generates a reproducible error, you can reproduce the problem using
the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
don't need to be build for fuzzing, there is no need to set CC or the call
config with enable-fuzz-* or -fsanitize-coverage, but some of the other options
above might be needed. For instance the enable-asan or enable-ubsan option might
be useful to show you when the problem happens. For the client and server fuzzer
it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to
reproduce the generated random numbers.

To reproduce the crash you can run:

    $ fuzz/$FUZZER-test $file

Random numbers
==============

The client and server fuzzer normally generate random numbers as part of the TLS
connection setup. This results in the coverage of the fuzzing corpus changing
depending on the random numbers. This also has an effect for coverage of the
rest of the test suite and you see the coverage change for each commit even when
no code has been modified.

Since we want to maximize the coverage of the fuzzing corpus, the client and
server fuzzer will use predictable numbers instead of the random numbers. This
is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define.

The coverage depends on the way the numbers are generated. We don't disable any
check of hashes, but the corpus has the correct hash in it for the random
numbers that were generated. For instance the client fuzzer will always generate
the same client hello with the same random number in it, and so the server, as
emulated by the file, can be generated for that client hello.

Coverage changes
================

Since the corpus depends on the default behaviour of the client and the server,
changes in what they send by default will have an impact on the coverage. The
corpus will need to be updated in that case.
Commit	Line	Data
c38bb727 BL	1	# I Can Haz Fuzz?
c38bb727 BL	2
f59d0131 KR	3	LibFuzzer
	4	=========
	5
fe2582a2	6	Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).
c38bb727 BL	7
	8	Starting from a vanilla+OpenSSH server Ubuntu install.
	9
	10	Use Chrome's handy recent build of clang. Older versions may also work.
	11
	12	$ sudo apt-get install git
	13	$ mkdir git-work
	14	$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
	15	$ clang/scripts/update.py
	16
	17	You may want to git pull and re-run the update from time to time.
	18
	19	Update your path:
	20
	21	$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH
	22
	23	Get and build libFuzzer (there is a git mirror at
	24	https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):
	25
	26	$ cd
	27	$ sudo apt-get install subversion
	28	$ mkdir svn-work
	29	$ cd svn-work
	30	$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
	31	$ cd Fuzzer
	32	$ clang++ -c -g -O2 -std=c++11 *.cpp
	33	$ ar r libFuzzer.a *.o
	34	$ ranlib libFuzzer.a
	35
	36	Configure for fuzzing:
	37
f59d0131 KR	38	$ CC=clang ./config enable-fuzz-libfuzzer \
	39	--with-fuzzer-include=../../svn-work/Fuzzer \
	40	--with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
3a9b9b2d	41	-DPEDANTIC enable-asan enable-ubsan no-shared \
0282aeb6	42	-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
644fb113	43	-fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp \
e104d01d KR	44	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
e104d01d KR	45	enable-weak-ssl-ciphers enable-rc5 enable-md2 \
f8d4b3be KR	46	enable-ssl3 enable-ssl3-method enable-nextprotoneg \
f8d4b3be KR	47	--debug
c38bb727 BL	48	$ sudo apt-get install make
c38bb727 BL	49	$ LDCMD=clang++ make -j
31b15b9b	50	$ fuzz/helper.py $FUZZER
c38bb727	51
31b15b9b	52	Where $FUZZER is one of the executables in `fuzz/`.
c38bb727 BL	53
c38bb727 BL	54	If you get a crash, you should find a corresponding input file in
f8d4b3be	55	`fuzz/corpora/$FUZZER-crash/`.
f59d0131 KR	56
	57	AFL
	58	===
	59
	60	Configure for fuzzing:
	61
	62	$ sudo apt-get install afl-clang
e104d01d KR	63	$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
	64	enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
	65	enable-ssl3 enable-ssl3-method enable-nextprotoneg \
f8d4b3be KR	66	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
f8d4b3be KR	67	--debug
f59d0131 KR	68	$ make
f59d0131 KR	69
e104d01d KR	70	The following options can also be enabled: enable-asan, enable-ubsan, enable-msan
e104d01d KR	71
f59d0131 KR	72	Run one of the fuzzers:
f59d0131 KR	73
31b15b9b	74	$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER
f59d0131	75
31b15b9b	76	Where $FUZZER is one of the executables in `fuzz/`.
f8d4b3be KR	77
	78	Reproducing issues
	79	==================
	80
	81	If a fuzzer generates a reproducible error, you can reproduce the problem using
	82	the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
	83	don't need to be build for fuzzing, there is no need to set CC or the call
	84	config with enable-fuzz-* or -fsanitize-coverage, but some of the other options
	85	above might be needed. For instance the enable-asan or enable-ubsan option might
	86	be useful to show you when the problem happens. For the client and server fuzzer
	87	it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to
	88	reproduce the generated random numbers.
	89
	90	To reproduce the crash you can run:
	91
	92	$ fuzz/$FUZZER-test $file
	93
	94	Random numbers
	95	==============
	96
	97	The client and server fuzzer normally generate random numbers as part of the TLS
	98	connection setup. This results in the coverage of the fuzzing corpus changing
	99	depending on the random numbers. This also has an effect for coverage of the
	100	rest of the test suite and you see the coverage change for each commit even when
	101	no code has been modified.
	102
	103	Since we want to maximize the coverage of the fuzzing corpus, the client and
	104	server fuzzer will use predictable numbers instead of the random numbers. This
	105	is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define.
	106
	107	The coverage depends on the way the numbers are generated. We don't disable any
	108	check of hashes, but the corpus has the correct hash in it for the random
	109	numbers that were generated. For instance the client fuzzer will always generate
	110	the same client hello with the same random number in it, and so the server, as
	111	emulated by the file, can be generated for that client hello.
	112
	113	Coverage changes
	114	================
	115
	116	Since the corpus depends on the default behaviour of the client and the server,
	117	changes in what they send by default will have an impact on the coverage. The
	118	corpus will need to be updated in that case.
	119