doc/fuzzing.md
export AFL_HARDEN=1 | export AFL_HARDEN=1 | ||||
cd src/ | cd src/ | ||||
make test/test_bitcoin_fuzzy | make test/test_bitcoin_fuzzy | ||||
``` | ``` | ||||
We disable ccache because we don't want to pollute the ccache with instrumented | We disable ccache because we don't want to pollute the ccache with instrumented | ||||
objects, and similarly don't want to use non-instrumented cached objects linked | objects, and similarly don't want to use non-instrumented cached objects linked | ||||
in. | in. | ||||
The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and | |||||
`afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When | |||||
compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting | |||||
`test_bitcoin_fuzzy` binary will be instrumented in such a way that the AFL | |||||
features "persistent mode" and "deferred forkserver" can be used. See | |||||
https://github.com/mcarpenter/afl/tree/master/llvm_mode for details. | |||||
Preparing fuzzing | Preparing fuzzing | ||||
------------------ | ------------------ | ||||
AFL needs an input directory with examples, and an output directory where it | AFL needs an input directory with examples, and an output directory where it | ||||
will place examples that it found. These can be anywhere in the file system, | will place examples that it found. These can be anywhere in the file system, | ||||
we'll define environment variables to make it easy to reference them. | we'll define environment variables to make it easy to reference them. | ||||
``` | ``` | ||||
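Review bot: the `afl-clang-fast` paragraph this changeset touches says the resulting `test_bitcoin_fuzzy` binary "will be instrumented in such a way that" persistent mode and deferred forkserver can be used, but in AFL's llvm_mode those two features also require the harness source to opt in (the `__AFL_LOOP()` and `__AFL_INIT()` macros described in the linked llvm_mode README), so the text should state whether `test_bitcoin_fuzzy` already contains those calls or whether the reader has to add them. The "~200x" figure should cite the measurement it came from or be softened, since the gain depends on how costly one iteration is relative to fork overhead. It would also help to show the concrete substitution (which build variables to point at `afl-clang-fast`/`afl-clang-fast++`) instead of only "in place of `afl-gcc` and `afl-g++`", and to note that the link goes to a GitHub mirror of AFL rather than the upstream repository, or link upstream directly.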
To start the actual fuzzing use: | To start the actual fuzzing use: | ||||
``` | ``` | ||||
$AFLPATH/afl-fuzz -i ${AFLIN} -o ${AFLOUT} -m52 -- test/test_bitcoin_fuzzy | $AFLPATH/afl-fuzz -i ${AFLIN} -o ${AFLOUT} -m52 -- test/test_bitcoin_fuzzy | ||||
``` | ``` | ||||
You may have to change a few kernel parameters to test optimally - `afl-fuzz` | You may have to change a few kernel parameters to test optimally - `afl-fuzz` | ||||
will print an error and suggestion if so. | will print an error and suggestion if so. | ||||