Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13115100
fuzzing.md
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
3 KB
Subscribers
None
fuzzing.md
View Options
Fuzz
-
testing
Bitcoin
ABC
==========================
A
special
test
harness
in
`
src
/
test
/
fuzz
/
`
is
provided
for
each
fuzz
target
to
provide
an
easy
entry
point
for
fuzzers
and
the
like
.
In
this
document
we
'
ll
describe
how
to
use
it
with
AFL
and
libFuzzer
.
##
Preparing
fuzzing
AFL
needs
an
input
directory
with
examples
,
and
an
output
directory
where
it
will
place
examples
that
it
found
.
These
can
be
anywhere
in
the
file
system
,
we
'
ll
define
environment
variables
to
make
it
easy
to
reference
them
.
libFuzzer
will
use
the
input
directory
as
output
directory
.
Extract
the
example
seeds
(
or
other
starting
inputs
)
into
the
inputs
directory
before
starting
fuzzing
.
```
git
clone
https
:
//github.com/Bitcoin-ABC/qa-assets
export
DIR_FUZZ_IN
=$
PWD
/
qa
-
assets
/
fuzz_seed_corpus
```
Only
for
AFL
:
```
mkdir
outputs
export
AFLOUT
=$
PWD
/
outputs
```
##
AFL
###
Building
AFL
It
is
recommended
to
always
use
the
latest
version
of
afl
:
```
wget
http
:
//lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar
-
zxvf
afl
-
latest
.
tgz
cd
afl
-<
version
>
make
export
AFLPATH
=$
PWD
```
###
Instrumentation
To
build
Bitcoin
ABC
using
AFL
instrumentation
(
this
assumes
that
the
`
AFLPATH
`
was
set
as
above
):
```
mkdir
-
p
buildFuzzer
cd
buildFuzzer
cmake
-
GNinja
..
-
DCCACHE
=
OFF
-
DCMAKE_C_COMPILER
=
afl
-
gcc
-
DCMAKE_CXX_COMPILER
=
afl
-
g
++
export
AFL_HARDEN
=
1
ninja
bitcoin
-
fuzzers
```
We
disable
ccache
because
we
don
'
t
want
to
pollute
the
ccache
with
instrumented
objects
,
and
similarly
don
'
t
want
to
use
non
-
instrumented
cached
objects
linked
in
.
The
fuzzing
can
be
sped
up
significantly
(~
200
x
)
by
using
`
afl
-
clang
-
fast
`
and
`
afl
-
clang
-
fast
++
`
in
place
of
`
afl
-
gcc
`
and
`
afl
-
g
++
`
when
compiling
.
When
compiling
using
`
afl
-
clang
-
fast
`
/
`
afl
-
clang
-
fast
++
`
the
resulting
binary
will
be
instrumented
in
such
a
way
that
the
AFL
features
"persistent
mode"
and
"deferred forkserver"
can
be
used
.
See
https
:
//github.com/mcarpenter/afl/tree/master/llvm_mode for details.
###
Fuzzing
To
start
the
actual
fuzzing
use
:
```
export
FUZZ_TARGET
=
fuzz_target_foo
#
Pick
a
fuzz_target
mkdir
${
AFLOUT
}/${
FUZZ_TARGET
}
$
AFLPATH
/
afl
-
fuzz
-
i
${
DIR_FUZZ_IN
}/${
FUZZ_TARGET
}
-
o
${
AFLOUT
}/${
FUZZ_TARGET
}
-
m52
--
src
/
test
/
fuzz
/${
FUZZ_TARGET
}
```
You
may
have
to
change
a
few
kernel
parameters
to
test
optimally
-
`
afl
-
fuzz
`
will
print
an
error
and
suggestion
if
so
.
##
libFuzzer
A
recent
version
of
`
clang
`
,
the
address
/
undefined
sanitizers
(
ASan
/
UBSan
)
and
libFuzzer
is
needed
(
all
found
in
the
`
compiler
-
rt
`
runtime
libraries
package
).
To
build
all
fuzz
targets
with
libFuzzer
,
run
```
mkdir
-
p
buildFuzzer
cd
buildFuzzer
cmake
-
GNinja
..
\
-
DCCACHE
=
OFF
\
-
DCMAKE_C_COMPILER
=
clang
\
-
DCMAKE_CXX_COMPILER
=
clang
++
\
-
DENABLE_SANITIZERS
=
"fuzzer;address;undefined"
ninja
bitcoin
-
fuzzers
```
The
fuzzer
needs
some
inputs
to
work
on
,
but
the
inputs
or
seeds
can
be
used
interchangeably
between
libFuzzer
and
AFL
.
See
https
:
//llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer
instrumented
executable
.
Alternatively
run
the
script
in
`
./
test
/
fuzz
/
test_runner
.
py
`
and
provide
it
with
the
`
${
DIR_FUZZ_IN
}
`
created
earlier
.
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Sun, Mar 2, 09:46 (1 d, 36 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5187242
Default Alt Text
fuzzing.md (3 KB)
Attached To
rABC Bitcoin ABC
Event Timeline
Log In to Comment