1 ========================================================
2 LibFuzzer -- a library for coverage-guided fuzz testing.
3 ========================================================
11 This library is intended primarily for in-process coverage-guided fuzz testing
12 (fuzzing) of other libraries. The typical workflow looks like this:
14 * Build the Fuzzer library as a static archive (or just a set of .o files).
15 Note that the Fuzzer contains the main() function.
16 Preferably do *not* use sanitizers while building the Fuzzer.
17 * Build the library you are going to test with
18 `-fsanitize-coverage={bb,edge}[,indirect-calls,8bit-counters]`
19 and one of the sanitizers. We recommend to build the library in several
20 different modes (e.g. asan, msan, lsan, ubsan, etc) and even using different
21 optimizations options (e.g. -O0, -O1, -O2) to diversify testing.
22 * Build a test driver using the same options as the library.
23 The test driver is a C/C++ file containing interesting calls to the library
24 inside a single function ``extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);``.
25 Currently, the only expected return value is 0, others are reserved for future.
26 * Link the Fuzzer, the library and the driver together into an executable
27 using the same sanitizer options as for the library.
28 * Collect the initial corpus of inputs for the
29 fuzzer (a directory with test inputs, one file per input).
30 The better your inputs are the faster you will find something interesting.
31 Also try to keep your inputs small, otherwise the Fuzzer will run too slow.
32 By default, the Fuzzer limits the size of every input to 64 bytes
33 (use ``-max_len=N`` to override).
34 * Run the fuzzer with the test corpus. As new interesting test cases are
35 discovered they will be added to the corpus. If a bug is discovered by
36 the sanitizer (asan, etc) it will be reported as usual and the reproducer
37 will be written to disk.
38 Each Fuzzer process is single-threaded (unless the library starts its own
39 threads). You can run the Fuzzer on the same corpus in multiple processes
43 The Fuzzer is similar in concept to AFL_,
44 but uses in-process Fuzzing, which is more fragile, more restrictive, but
45 potentially much faster as it has no overhead for process start-up.
46 It uses LLVM's SanitizerCoverage_ instrumentation to get in-process
49 The code resides in the LLVM repository, requires the fresh Clang compiler to build
50 and is used to fuzz various parts of LLVM,
51 but the Fuzzer itself does not (and should not) depend on any
52 part of LLVM and can be used for other projects w/o requiring the rest of LLVM.
56 To run fuzzing pass 0 or more directories::
58 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
60 To run individual tests without fuzzing pass 1 or more files::
62 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...]
64 The most important flags are::
66 seed 0 Random seed. If 0, seed is generated.
67 runs -1 Number of individual test runs (-1 for infinite runs).
68 max_len 64 Maximum length of the test input.
69 cross_over 1 If 1, cross over inputs.
70 mutate_depth 5 Apply this number of consecutive mutations to each input.
71 timeout 1200 Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
72 abort_on_timeout 0 If positive, call abort on timeout.
73 timeout_exitcode 77 Unless abort_on_timeout is set, use this exitcode on timeout.
74 max_total_time 0 If positive, indicates the maximal total time in seconds to run the fuzzer.
76 merge 0 If 1, the 2-nd, 3-rd, etc corpora will be merged into the 1-st corpus. Only interesting units will be taken.
77 jobs 0 Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
78 workers 0 Number of simultaneous worker processes to run the jobs. If zero, "min(jobs,NumberOfCpuCores()/2)" is used.
79 sync_command 0 Execute an external command "<sync_command> <test_corpus>" to synchronize the test corpus.
80 sync_timeout 600 Minimum timeout between syncs.
81 use_traces 0 Experimental: use instruction traces
82 only_ascii 0 If 1, generate only ASCII (isprint+isspace) inputs.
83 artifact_prefix "" Write fuzzing artifacts (crash, timeout, or slow inputs) as $(artifact_prefix)file
84 exact_artifact_path "" Write the single artifact on failure (crash, timeout) as $(exact_artifact_path). This overrides -artifact_prefix and will not use checksum in the file name. Do not use the same path for several parallel processes.
85 print_final_stats 0 If 1, print statistics at exit.
87 For the full list of flags run the fuzzer binary with ``-help=1``.
95 A simple function that does something interesting if it receives the input "HI!"::
97 cat << EOF >> test_fuzzer.cc
100 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
101 if (size > 0 && data[0] == 'H')
102 if (size > 1 && data[1] == 'I')
103 if (size > 2 && data[2] == '!')
108 # Get lib/Fuzzer. Assuming that you already have fresh clang in PATH.
109 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
110 # Build lib/Fuzzer files.
111 clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
112 # Build test_fuzzer.cc with asan and link against lib/Fuzzer.
113 clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc Fuzzer*.o
114 # Run the fuzzer with no corpus.
117 You should get ``Illegal instruction (core dumped)`` pretty quickly.
122 Here we show how to use lib/Fuzzer on something real, yet simple: pcre2_::
124 COV_FLAGS=" -fsanitize-coverage=edge,indirect-calls,8bit-counters"
126 svn co svn://vcs.exim.org/pcre2/code/trunk pcre
127 # Get lib/Fuzzer. Assuming that you already have fresh clang in PATH.
128 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
129 # Build PCRE2 with AddressSanitizer and coverage.
130 (cd pcre; ./autogen.sh; CC="clang -fsanitize=address $COV_FLAGS" ./configure --prefix=`pwd`/../inst && make -j && make install)
131 # Build lib/Fuzzer files.
132 clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
133 # Build the actual function that does something interesting with PCRE2.
134 cat << EOF > pcre_fuzzer.cc
137 #include "pcre2posix.h"
138 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
139 if (size < 1) return 0;
140 char *str = new char[size+1];
141 memcpy(str, data, size);
144 if (0 == regcomp(&preg, str, 0)) {
145 regexec(&preg, str, 0, 0, 0);
152 clang++ -g -fsanitize=address $COV_FLAGS -c -std=c++11 -I inst/include/ pcre_fuzzer.cc
154 clang++ -g -fsanitize=address -Wl,--whole-archive inst/lib/*.a -Wl,-no-whole-archive Fuzzer*.o pcre_fuzzer.o -o pcre_fuzzer
156 This will give you a binary of the fuzzer, called ``pcre_fuzzer``.
157 Now, create a directory that will hold the test corpus::
161 For simple input languages like regular expressions this is all you need.
162 For more complicated inputs populate the directory with some input samples.
163 Now run the fuzzer with the corpus dir as the only parameter::
165 ./pcre_fuzzer ./CORPUS
167 You will see output like this::
170 #0 READ cov 0 bits 0 units 1 exec/s 0
171 #1 pulse cov 3 bits 0 units 1 exec/s 0
172 #1 INITED cov 3 bits 0 units 1 exec/s 0
173 #2 pulse cov 208 bits 0 units 1 exec/s 0
174 #2 NEW cov 208 bits 0 units 2 exec/s 0 L: 64
175 #3 NEW cov 217 bits 0 units 3 exec/s 0 L: 63
176 #4 pulse cov 217 bits 0 units 3 exec/s 0
178 * The ``Seed:`` line shows you the current random seed (you can change it with ``-seed=N`` flag).
179 * The ``READ`` line shows you how many input files were read (since you passed an empty dir there were inputs, but one dummy input was synthesised).
180 * The ``INITED`` line shows you that how many inputs will be fuzzed.
181 * The ``NEW`` lines appear with the fuzzer finds a new interesting input, which is saved to the CORPUS dir. If multiple corpus dirs are given, the first one is used.
182 * The ``pulse`` lines appear periodically to show the current status.
184 Now, interrupt the fuzzer and run it again the same way. You will see::
187 #0 READ cov 0 bits 0 units 564 exec/s 0
188 #1 pulse cov 502 bits 0 units 564 exec/s 0
190 #512 pulse cov 2933 bits 0 units 564 exec/s 512
191 #564 INITED cov 2991 bits 0 units 344 exec/s 564
192 #1024 pulse cov 2991 bits 0 units 344 exec/s 1024
193 #1455 NEW cov 2995 bits 0 units 345 exec/s 1455 L: 49
195 This time you were running the fuzzer with a non-empty input corpus (564 items).
196 As the first step, the fuzzer minimized the set to produce 344 interesting items (the ``INITED`` line)
198 It is quite convenient to store test corpuses in git.
199 As an example, here is a git repository with test inputs for the above PCRE2 fuzzer::
201 git clone https://github.com/kcc/fuzzing-with-sanitizers.git
202 ./pcre_fuzzer ./fuzzing-with-sanitizers/pcre2/C1/
204 You may run ``N`` independent fuzzer jobs in parallel on ``M`` CPUs::
206 N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M
208 By default (``-reload=1``) the fuzzer processes will periodically scan the CORPUS directory
209 and reload any new tests. This way the test inputs found by one process will be picked up
212 If ``-workers=$M`` is not supplied, ``min($N,NumberOfCpuCore/2)`` will be used.
216 Remember Heartbleed_?
217 As it was recently `shown <https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html>`_,
218 fuzzing with AddressSanitizer can find Heartbleed. Indeed, here are the step-by-step instructions
219 to find Heartbleed with LibFuzzer::
221 wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz
222 tar xf openssl-1.0.1f.tar.gz
223 COV_FLAGS="-fsanitize-coverage=edge,indirect-calls" # -fsanitize-coverage=8bit-counters
224 (cd openssl-1.0.1f/ && ./config &&
225 make -j 32 CC="clang -g -fsanitize=address $COV_FLAGS")
226 # Get and build LibFuzzer
227 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
228 clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
229 # Get examples of key/pem files.
230 git clone https://github.com/hannob/selftls
231 cp selftls/server* . -v
232 cat << EOF > handshake-fuzz.cc
233 #include <openssl/ssl.h>
234 #include <openssl/err.h>
242 SSL_load_error_strings();
243 ERR_load_BIO_strings();
244 OpenSSL_add_all_algorithms();
245 assert (sctx = SSL_CTX_new(TLSv1_method()));
246 assert (SSL_CTX_use_certificate_file(sctx, "server.pem", SSL_FILETYPE_PEM));
247 assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM));
250 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
251 static int unused = Init();
252 SSL *server = SSL_new(sctx);
253 BIO *sinbio = BIO_new(BIO_s_mem());
254 BIO *soutbio = BIO_new(BIO_s_mem());
255 SSL_set_bio(server, sinbio, soutbio);
256 SSL_set_accept_state(server);
257 BIO_write(sinbio, Data, Size);
258 SSL_do_handshake(server);
264 clang++ -g handshake-fuzz.cc -fsanitize=address \
265 openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o
266 # Run 20 independent fuzzer jobs.
267 ./a.out -jobs=20 -workers=20
271 #1048576 pulse cov 3424 bits 0 units 9 exec/s 24385
272 =================================================================
273 ==17488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004748 at pc 0x00000048c979 bp 0x7fffe3e864f0 sp 0x7fffe3e85ca8
274 READ of size 60731 at 0x629000004748 thread T0
275 #0 0x48c978 in __asan_memcpy
276 #1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3
277 #2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4
279 Note: a `similar fuzzer <https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md>`_
280 is now a part of the boringssl source tree.
288 LibFuzzer supports user-supplied dictionaries with input language keywords
289 or other interesting byte sequences (e.g. multi-byte magic values).
290 Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary
291 may significantly improve the search speed.
292 The dictionary syntax is similar to that used by AFL_ for its ``-x`` option::
294 # Lines starting with '#' and empty lines are ignored.
296 # Adds "blah" (w/o quotes) to the dictionary.
298 # Use \\ for backslash and \" for quotes.
300 # Use \xAB for hex values
302 # the name of the keyword followed by '=' may be omitted:
305 Data-flow-guided fuzzing
306 ------------------------
309 With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` (see SanitizerCoverageTraceDataFlow_)
310 and extra run-time flag ``-use_traces=1`` the fuzzer will try to apply *data-flow-guided fuzzing*.
311 That is, the fuzzer will record the inputs to comparison instructions, switch statements,
312 and several libc functions (``memcmp``, ``strcmp``, ``strncmp``, etc).
313 It will later use those recorded inputs during mutations.
315 This mode can be combined with DataFlowSanitizer_ to achieve better sensitivity.
319 LibFuzzer can be used in parallel with AFL_ on the same test corpus.
320 Both fuzzers expect the test corpus to reside in a directory, one file per input.
321 You can run both fuzzers on the same corpus in parallel::
323 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program -r @@
324 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir
326 Periodically restart both fuzzers so that they can use each other's findings.
328 How good is my fuzzer?
329 ----------------------
331 Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death,
332 you will want to know whether the function or the corpus can be improved further.
333 One easy to use metric is, of course, code coverage.
334 You can get the coverage for your corpus like this::
336 ASAN_OPTIONS=coverage_pcs=1 ./fuzzer CORPUS_DIR -runs=0
338 This will run all the tests in the CORPUS_DIR but will not generate any new tests
339 and dump covered PCs to disk before exiting.
340 Then you can subtract the set of covered PCs from the set of all instrumented PCs in the binary,
341 see SanitizerCoverage_ for details.
343 User-supplied mutators
344 ----------------------
346 LibFuzzer allows to use custom (user-supplied) mutators,
347 see FuzzerInterface.h_
349 Startup initialization
350 ----------------------
351 If the library being tested needs to be initialized, there are several options.
353 The simplest way is to have a statically initialized global object::
355 static bool Initialized = DoInitialization();
357 Alternatively, you may define an optional init function and it will receive
358 the program arguments that you can read and modify::
360 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
361 ReadAndMaybeModify(argc, argv);
365 Finally, you may use your own ``main()`` and call ``FuzzerDriver``
366 from there, see FuzzerInterface.h_.
368 Try to avoid initialization inside the target function itself as
369 it will skew the coverage data. Don't do this::
371 extern "C" int LLVMFuzzerTestOneInput(...) {
372 static bool initialized = false;
378 Fuzzing components of LLVM
379 ==========================
383 The inputs are random pieces of C++-like text.
385 Build (make sure to use fresh clang as the host compiler)::
387 cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=YES -DCMAKE_BUILD_TYPE=Release /path/to/llvm
388 ninja clang-format-fuzzer
390 ./bin/clang-format-fuzzer CORPUS_DIR
392 Optionally build other kinds of binaries (asan+Debug, msan, ubsan, etc).
394 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23052
399 The behavior is very similar to ``clang-format-fuzzer``.
401 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23057
406 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=24639
411 This tool fuzzes the MC layer. Currently it is only able to fuzz the
412 disassembler but it is hoped that assembly, and round-trip verification will be
415 When run in dissassembly mode, the inputs are opcodes to be disassembled. The
416 fuzzer will consume as many instructions as possible and will stop when it
417 finds an invalid instruction or runs out of data.
419 Please note that the command line interface differs slightly from that of other
420 fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
421 a single dash, while other arguments control the operation mode and target in a
422 similar manner to ``llvm-mc`` and should have two dashes. For example::
424 llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
429 We have a buildbot that runs the above fuzzers for LLVM components
430 24/7/365 at http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer .
432 Pre-fuzzed test inputs in git
433 -----------------------------
435 The buildbot occumulates large test corpuses over time.
436 The corpuses are stored in git on github and can be used like this::
438 git clone https://github.com/kcc/fuzzing-with-sanitizers.git
439 bin/clang-format-fuzzer fuzzing-with-sanitizers/llvm/clang-format/C1
440 bin/clang-fuzzer fuzzing-with-sanitizers/llvm/clang/C1/
441 bin/llvm-as-fuzzer fuzzing-with-sanitizers/llvm/llvm-as/C1 -only_ascii=1
445 =========================
447 Q. Why Fuzzer does not use any of the LLVM support?
448 ---------------------------------------------------
450 There are two reasons.
452 First, we want this library to be used outside of the LLVM w/o users having to
453 build the rest of LLVM. This may sound unconvincing for many LLVM folks,
454 but in practice the need for building the whole LLVM frightens many potential
455 users -- and we want more users to use this code.
457 Second, there is a subtle technical reason not to rely on the rest of LLVM, or
458 any other large body of code (maybe not even STL). When coverage instrumentation
459 is enabled, it will also instrument the LLVM support code which will blow up the
460 coverage set of the process (since the fuzzer is in-process). In other words, by
461 using more external dependencies we will slow down the fuzzer while the main
462 reason for it to exist is extreme speed.
464 Q. What about Windows then? The Fuzzer contains code that does not build on Windows.
465 ------------------------------------------------------------------------------------
467 The sanitizer coverage support does not work on Windows either as of 01/2015.
468 Once it's there, we'll need to re-implement OS-specific parts (I/O, signals).
470 Q. When this Fuzzer is not a good solution for a problem?
471 ---------------------------------------------------------
473 * If the test inputs are validated by the target library and the validator
474 asserts/crashes on invalid inputs, the in-process fuzzer is not applicable
475 (we could use fork() w/o exec, but it comes with extra overhead).
476 * Bugs in the target library may accumulate w/o being detected. E.g. a memory
477 corruption that goes undetected at first and then leads to a crash while
478 testing another input. This is why it is highly recommended to run this
479 in-process fuzzer with all sanitizers to detect most bugs on the spot.
480 * It is harder to protect the in-process fuzzer from excessive memory
481 consumption and infinite loops in the target library (still possible).
482 * The target library should not have significant global state that is not
483 reset between the runs.
484 * Many interesting target libs are not designed in a way that supports
485 the in-process fuzzer interface (e.g. require a file path instead of a
487 * If a single test run takes a considerable fraction of a second (or
488 more) the speed benefit from the in-process fuzzer is negligible.
489 * If the target library runs persistent threads (that outlive
490 execution of one test) the fuzzing results will be unreliable.
492 Q. So, what exactly this Fuzzer is good for?
493 --------------------------------------------
495 This Fuzzer might be a good choice for testing libraries that have relatively
496 small inputs, each input takes < 1ms to run, and the library code is not expected
497 to crash on invalid inputs.
498 Examples: regular expression matchers, text or binary format parsers.
502 * GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc
506 * http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c
507 * http://www.openwall.com/lists/oss-security/2015/03/30/3
509 * `pugixml <https://github.com/zeux/pugixml/issues/39>`_
511 * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;
512 also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_
514 * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_
516 * `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_
518 * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_
520 * `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_
522 * `Python <http://bugs.python.org/issue25388>`_
524 * OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_
527 <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_
529 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
531 * LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.
533 .. _pcre2: http://www.pcre.org/
535 .. _AFL: http://lcamtuf.coredump.cx/afl/
537 .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html
538 .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow
539 .. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html
541 .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
543 .. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h