OLD | NEW |
1 # Efficient Fuzzer | 1 # Efficient Fuzzer |
2 | 2 |
3 This document describes ways to determine your fuzzer efficiency and ways | 3 This document describes ways to determine your fuzzer efficiency and ways |
4 to improve it. | 4 to improve it. |
5 | 5 |
6 ## Overview | 6 ## Overview |
7 | 7 |
8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting
* | 8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting
* |
9 if it results in new coverage. The set of all interesting inputs is called | 9 if it results in new coverage. The set of all interesting inputs is called |
10 *corpus*. | 10 *corpus*. |
(...skipping 71 matching lines...)
82 should contain hundreds (if not thousands) of items. | 82 should contain hundreds (if not thousands) of items. |
83 | 83 |
84 Too small corpus size indicates some code barrier that | 84 Too small corpus size indicates some code barrier that |
85 libFuzzer is having problems penetrating. Common cases include: checksums, | 85 libFuzzer is having problems penetrating. Common cases include: checksums, |
86 magic numbers etc. The easiest way to diagnose this problem is to generate a | 86 magic numbers etc. The easiest way to diagnose this problem is to generate a |
87 [coverage report](#Coverage). To fix the issue you can: | 87 [coverage report](#Coverage). To fix the issue you can: |
88 | 88 |
89 * change the code (e.g. disable crc checks while fuzzing) | 89 * change the code (e.g. disable crc checks while fuzzing) |
90 * prepare [corpus seed](#Corpus-Seed) | 90 * prepare [corpus seed](#Corpus-Seed) |
91 * prepare [fuzzer dictionary](#Fuzzer-Dictionary) | 91 * prepare [fuzzer dictionary](#Fuzzer-Dictionary) |
| 92 * specify [custom options](#Custom-Options) |
92 | 93 |
93 ## Coverage | 94 ## Coverage |
94 | 95 |
95 You can easily generate source-level coverage report for a given corpus: | 96 You can easily generate source-level coverage report for a given corpus: |
96 | 97 |
97 ``` | 98 ``` |
98 ASAN_OPTIONS=html_cov_report=1:sancov_path=./third_party/llvm-build/Release+Asse
rts/bin/sancov \ | 99 ASAN_OPTIONS=html_cov_report=1:sancov_path=./third_party/llvm-build/Release+Asse
rts/bin/sancov \ |
99 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus | 100 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus |
100 ``` | 101 ``` |
101 | 102 |
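Review bot: the new bullet at line 92 offers custom options as a remedy for the code barrier described just above it (checksums, magic numbers), but nothing in this change says which option actually helps with that; the `#Custom-Options` section it links to only lists `max_len=2048` and `use_traces=1` without explaining what either does. Either name the relevant option in the bullet itself, e.g. `* specify [custom options](#Custom-Options) (see the list below for which one applies)`, or describe in the new section what each listed option is for, so a reader whose corpus is stuck knows which setting to try.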
(...skipping 58 matching lines...)
160 fuzzer_test("my_protocol_fuzzer") { | 161 fuzzer_test("my_protocol_fuzzer") { |
161 ... | 162 ... |
162 dict = "protocol.dict" | 163 dict = "protocol.dict" |
163 } | 164 } |
164 ``` | 165 ``` |
165 | 166 |
166 Make sure to submit dictionary file to git. The dictionary will be used | 167 Make sure to submit dictionary file to git. The dictionary will be used |
167 automatically by ClusterFuzz once it picks up new fuzzer version (once a day). | 168 automatically by ClusterFuzz once it picks up new fuzzer version (once a day). |
168 | 169 |
169 | 170 |
| 171 ### Custom Options |
| 172 |
| 173 It is possible to specify [libFuzzer parameters](http://llvm.org/docs/LibFuzzer.
html#usage) |
| 174 for any fuzzer being run at ClusterFuzz. Custom options will overwrite default |
| 175 values provided by ClusterFuzz. |
| 176 |
| 177 Just list all parameters in `libfuzzer_options` variable of build target: |
| 178 |
| 179 ``` |
| 180 fuzzer_test("my_protocol_fuzzer") { |
| 181 ... |
| 182 libfuzzer_options = [ |
| 183 "max_len=2048", |
| 184 "use_traces=1", |
| 185 ] |
| 186 } |
| 187 ``` |
| 188 |
| 189 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio
nary). |
| 190 Other options may be passed through `libfuzzer_options` property. |
| 191 |
| 192 |
170 [ClusterFuzz status]: ./clusterfuzz.md#Status-Links | 193 [ClusterFuzz status]: ./clusterfuzz.md#Status-Links |
171 [upload corpus to ClusterFuzz]: ./clusterfuzz.md#Upload-Corpus | 194 [upload corpus to ClusterFuzz]: ./clusterfuzz.md#Upload-Corpus |
172 [AFL]: http://lcamtuf.coredump.cx/afl/ | 195 [AFL]: http://lcamtuf.coredump.cx/afl/ |
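Review bot: the example at lines 182-185 lists options without the leading `-` that the fuzzer binary itself expects (the command on line 100 passes `-runs=0` with a dash), and the text never says whether the build rule adds the dash or whether `libfuzzer_options` also takes effect when the fuzzer is run locally rather than on ClusterFuzz; one sentence covering both would remove the ambiguity. Two smaller points: line 174 should read "override" rather than "overwrite", and lines 189-190 could be folded into one sentence that points at the `dict` attribute shown on line 163 (`dict = "protocol.dict"`) as the only option not passed through `libfuzzer_options`.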