libpsl/fuzz
Xavier Claessens 13bf8e102e Meson: Fix link of fuzzer tests
libicu is an internal dependency of libpsl, so if an executable
uses libicu directly, linking on libpsl is not enough, it must also
link on libicu.

Closes: #115
2018-12-08 08:12:17 -05:00
| File | Last commit | Date |
| --- | --- | --- |
| libpsl_fuzzer.in | Update internal IDNA corpora from OSS-Fuzz | 2017-07-14 15:53:31 +02:00 |
| libpsl_icu_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_icu_load_dafsa_fuzzer.in | Update fuzzer corpora | 2017-07-19 15:01:40 +02:00 |
| libpsl_icu_load_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_icu_load_fuzzer.repro | Fix oss-fuzz issue #2600 (buffer overflow in libicu code) | 2017-07-13 15:40:58 +02:00 |
| libpsl_idn2_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_idn2_fuzzer.repro | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_idn2_load_dafsa_fuzzer.in | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_idn2_load_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_idn_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_idn_load_dafsa_fuzzer.in | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_idn_load_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| libpsl_load_dafsa_fuzzer.in | Update fuzzer corpora and scripts | 2017-06-30 19:55:55 +02:00 |
| libpsl_load_fuzzer.in | Update corpora from oss-fuzz | 2017-09-15 17:49:19 +02:00 |
| Makefile.am | Remove unconditional setting of GCC-specific flag | 2018-01-16 15:56:24 +01:00 |
| README.md | Remove C++ settings from fuzz/README.md | 2017-07-02 21:11:43 +02:00 |
| coverage.sh | Add fuzzing architecture | 2017-06-09 16:27:37 +02:00 |
| fuzzer.h | fuzz: Skip the tests if fmemopen() is not found | 2018-04-20 14:46:02 +02:00 |
| get_all_corpora | Improve fuzz/get_all_corpora | 2017-07-27 11:29:29 +02:00 |
| get_ossfuzz_corpora | Update fuzzer corpora and scripts | 2017-06-30 19:55:55 +02:00 |
| libpsl_fuzzer.c | fuzz: Skip the tests if fmemopen() is not found | 2018-04-20 14:46:02 +02:00 |
| libpsl_icu_load_fuzzer.dict | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_idn2_load_fuzzer.dict | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_idn_load_fuzzer.dict | Fuzz all types of builds (idn2, idn, icu, none) | 2017-07-12 15:37:35 +02:00 |
| libpsl_load_dafsa_fuzzer.c | fuzz: Skip the tests if fmemopen() is not found | 2018-04-20 14:46:02 +02:00 |
| libpsl_load_fuzzer.c | fuzz: Skip the tests if fmemopen() is not found | 2018-04-20 14:46:02 +02:00 |
| libpsl_load_fuzzer.dict | New fuzz/libpsl_load_fuzzer.c plus corpus directory | 2017-06-14 09:49:07 +02:00 |
| main.c | fuzz: Skip the tests if fmemopen() is not found | 2018-04-20 14:46:02 +02:00 |
| meson.build | Meson: Fix link of fuzzer tests | 2018-12-08 08:12:17 -05:00 |
| run-afl.sh | Update copyrights | 2018-02-22 10:04:00 +01:00 |
| run-clang.sh | Update copyrights | 2018-02-22 10:04:00 +01:00 |
| view-coverage.sh | Add fuzzing architecture | 2017-06-09 16:27:37 +02:00 |

README.md

# Fuzzers

These are fuzzers designed for use with libFuzzer or AFL. They are also run on Google's OSS-Fuzz (https://github.com/google/oss-fuzz/), which is where the corpora and crash reproducers below come from.

The convention used here is that the seed corpus for each fuzzer is read from the $NAME.in directory, where $NAME is the fuzzer's name (libpsl_fuzzer.in for libpsl_fuzzer, and so on).

Crash reproducers from OSS-Fuzz are put into the $NAME.repro directory; they are replayed as regression tests by 'make check' or 'make check-valgrind' in the top directory, so a fixed bug stays fixed.

The ./configure invocations below build against libidn2. To test the libicu build, replace 'libidn2' with 'libicu'; to test the libidn build, replace 'libidn2' with 'libidn'.

## Running a fuzzer using clang

Use the following commands in the top directory:

```sh
export CC=clang-5.0
export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp"
./configure --enable-static --disable-gtk-doc --enable-runtime=libidn2 --enable-builtin=libidn2
make clean
make -j$(nproc)
cd fuzz

# build and run libpsl_fuzzer
./run-clang.sh libpsl_fuzzer
```

The `-fsanitize-coverage=trace-pc-guard,trace-cmp` flag is the instrumentation libFuzzer consumed in the clang 5 era; current clang releases provide the same instrumentation through `-fsanitize=fuzzer-no-link`. `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` lets the code disable checksums or randomness that would otherwise stop the fuzzer from reaching deeper code, and must never be set in a production build.
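The conventions above (a `$NAME.in` seed corpus, an optional `$NAME.dict` dictionary as listed for the load fuzzers, and a `$NAME.repro` directory of reproducers) map directly onto libFuzzer's own command line. The script below is an added example, not the project's run-clang.sh: it assumes the fuzzer `$NAME` has already been built as a libFuzzer binary in the current directory, replays the reproducers as a pre-flight regression check, and then fuzzes for a bounded time using libFuzzer's `-dict=`, `-max_total_time=` and `-print_final_stats=` options. The `MAX_TOTAL_TIME` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the project's run-clang.sh. Wires the $NAME.in,
# $NAME.dict and $NAME.repro conventions to libFuzzer's command line.
# Assumes ./$NAME is an already-built libFuzzer binary.

# Print the libFuzzer arguments for a fuzzer: its dictionary, if one exists,
# followed by its seed corpus directory. libFuzzer treats a directory
# argument as the corpus to read seeds from and to write new inputs into.
fuzzer_args() {
    name=$1
    args=""
    [ -f "$name.dict" ] && args="-dict=$name.dict"
    [ -d "$name.in" ] && args="${args:+$args }$name.in"
    printf '%s\n' "$args"
}

# Replay every file in $NAME.repro through the fuzzer before fuzzing. A
# libFuzzer binary given file paths instead of a directory runs each file
# once and exits, so a non-zero exit status means a known crash is back.
# Returns 0 if all reproducers pass, 1 if any of them fails.
replay_repro() {
    fuzzer=$1
    name=$2
    failed=0
    [ -d "$name.repro" ] || return 0
    for f in "$name.repro"/*; do
        [ -f "$f" ] || continue
        if "$fuzzer" "$f" >/dev/null 2>&1; then
            echo "ok   $f"
        else
            echo "FAIL $f"
            failed=1
        fi
    done
    return $failed
}

# Regression check first, then a time-bounded fuzzing run with dict + corpus.
fuzz_target() {
    name=$1
    replay_repro "./$name" "$name" || { echo "regression in $name.repro"; return 1; }
    # Word-splitting of the printed argument list is intended here.
    "./$name" -max_total_time="${MAX_TOTAL_TIME:-60}" -print_final_stats=1 $(fuzzer_args "$name")
}

if [ -n "${1:-}" ]; then
    fuzz_target "$1"
fi
```

Run it as `./fuzz-one.sh libpsl_load_fuzzer` from the fuzz directory after a sanitizer build; a reproducer that crashes again stops the run before any fuzzing time is spent, which is the same guarantee `make check` gives but without the full build.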

## Running a fuzzer using AFL

Use the following commands in the top directory:

```sh
CC=afl-clang-fast ./configure --disable-gtk-doc --enable-runtime=libidn2 --enable-builtin=libidn2
make -j$(nproc) clean all
cd fuzz
./run-afl.sh libpsl_fuzzer
```

## Fuzz code coverage using the corpus directories *.in/

Code coverage reports currently work best with gcc, lcov and genhtml.

In the top directory:

```sh
CC=gcc CFLAGS="-O0 -g" ./configure --disable-gtk-doc --enable-runtime=libidn2 --enable-builtin=libidn2
make fuzz-coverage
xdg-open lcov/index.html
```

Each fuzzer target has its own set of functions to cover; e.g. libpsl_fuzzer covers psl_is_public_suffix.

To improve the corpora for better coverage, cd into fuzz and use e.g. ./view-coverage.sh libpsl_fuzzer.

## Enhancing the testsuite for issues found

Each reproducer file should be dropped into the appropriate *.repro/ directory, so that 'make check' replays it and the crash cannot silently return.
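What a reproducer directory is good for becomes clear once you see how a libFuzzer target is driven outside libFuzzer. The program below is an added example, not the project's main.c or any of its fuzzer sources, and it makes no claim about how those files are implemented: it pairs an `LLVMFuzzerTestOneInput` entry point (with the same `fmemopen()` trick a FILE*-based loader needs, which is why the targets here are skipped when `fmemopen()` is missing) with a driver that replays every file in a `$NAME.repro`-style directory. The parser under test is a stand-in that counts rules in Public Suffix List text; it is not `psl_load_fp()`. The function names, the `rule_counts` struct and the three sample inputs are this example's own.

```c
#define _GNU_SOURCE 1 /* prototypes for fmemopen(), mkdtemp(), strdup() */
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

struct rule_counts { int rules, exceptions, wildcards; };

/* Stand-in for the parser under test (NOT psl_load_fp): counts plain,
 * "!exception" and "*.wildcard" rules in PSL-style text read from a FILE*.
 * Blank lines and "//" comments are skipped, as in the Public Suffix List. */
struct rule_counts stand_in_count_rules(FILE *fp)
{
    struct rule_counts c = {0, 0, 0};
    char line[256];
    while (fgets(line, sizeof line, fp)) {
        size_t len = strcspn(line, "\r\n"); /* drop the line terminator */
        line[len] = '\0';
        if (len == 0 || strncmp(line, "//", 2) == 0) continue;
        if (line[0] == '!') c.exceptions++;
        else if (strncmp(line, "*.", 2) == 0) c.wildcards++;
        c.rules++;
    }
    return c;
}

/* libFuzzer entry point. fmemopen() turns the raw bytes into the FILE* a
 * FILE*-based loader needs, which is why the project's targets are skipped
 * when fmemopen() is missing. Always return 0: findings surface as sanitizer
 * reports, not as return values. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size == 0) return 0; /* fmemopen() rejects size 0 on older glibc */
    FILE *fp = fmemopen((void *)data, size, "r");
    if (!fp) return 0;
    (void)stand_in_count_rules(fp);
    fclose(fp);
    return 0;
}

/* Replay every regular file in dir through the target, the way a $NAME.repro
 * directory is replayed under `make check`. Each input is copied into a heap
 * buffer of exactly its size so ASan catches a read past the end, just as it
 * would under libFuzzer. Returns files replayed, or -1 if dir cannot be opened. */
int replay_corpus_dir(const char *dir)
{
    DIR *d = dir ? opendir(dir) : NULL;
    if (!d) return -1;
    int replayed = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[1024];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue; /* skips ".", ".." and subdirectories */
        FILE *fp = fopen(path, "rb");
        if (!fp) continue;
        size_t size = (size_t)st.st_size;
        uint8_t *buf = malloc(size ? size : 1);
        if (buf) {
            LLVMFuzzerTestOneInput(buf, fread(buf, 1, size, fp)); /* a crash = regression */
            free(buf);
            replayed++;
        }
        fclose(fp);
    }
    closedir(d);
    return replayed;
}

/* Write a constructed three-file corpus into a fresh temp directory and return
 * its path (caller frees), or NULL on failure. The samples are made up for
 * this example; they are not taken from the project's corpora. */
char *write_constructed_corpus(void)
{
    static const char *samples[] = {
        "// comment\ncom\n*.ck\n!www.ck\n", /* 3 rules: 1 wildcard, 1 exception */
        "\r\n\r\nuk\nco.uk\n",              /* CRLF blank lines, then 2 rules */
        "",                                 /* empty file: the size-0 edge case */
    };
    char tmpl[] = "/tmp/repro.XXXXXX";
    if (!mkdtemp(tmpl)) return NULL;
    for (int i = 0; i < 3; i++) {
        char path[64];
        snprintf(path, sizeof path, "%s/case-%d", tmpl, i);
        FILE *fp = fopen(path, "wb");
        if (!fp) return NULL;
        fputs(samples[i], fp);
        fclose(fp);
    }
    return strdup(tmpl);
}

/* Stand-alone driver: replay the directory given on the command line, or the
 * constructed corpus. Drop this main() when linking with -fsanitize=fuzzer. */
int main(int argc, char **argv)
{
    char *tmp = argc > 1 ? NULL : write_constructed_corpus();
    int n = replay_corpus_dir(argc > 1 ? argv[1] : tmp);
    printf("%d inputs replayed\n", n);
    free(tmp);
    return n < 0;
}
```

Build it with `clang -g -fsanitize=address` and point it at a `.repro` directory to get the regression check on its own; build it with `-fsanitize=fuzzer` (and `main()` removed) and libFuzzer supplies the driver and mutates from the `.in` directory instead. The exact-size heap buffer matters: a stack array padded to a round size would hide the one-byte overread that ASan reports when the data is allocated to its real length.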

## Clang CFI instrumentation

```sh
CC=clang-5.0 CFLAGS="-B/usr/bin/gold -O0 -fsanitize=cfi -flto -fvisibility=default -fno-sanitize-trap=all" ./configure
make clean
make
make check
```

`-fsanitize=cfi` needs `-flto`, and the gold linker selected with `-B/usr/bin/gold` is what performs the link-time step; `-fno-sanitize-trap=all` makes a CFI violation print a diagnostic instead of trapping, so a failing 'make check' shows which indirect call or cast was rejected.