openssl/fuzz
Ben Laurie 75a112295d Linkify libfuzzer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 11:24:51 +01:00
..
asn1.c
asn1parse.c
bignum.c
bndiv.c
build.info
cms.c
conf.c
fuzzer.h
helper.py
README.md Linkify libfuzzer. 2016-06-03 11:24:51 +01:00
server.c

I Can Haz Fuzz?

Or, how to fuzz OpenSSL with libfuzzer.

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

$ sudo apt-get install git
$ mkdir git-work
$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
$ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

$ cd
$ sudo apt-get install subversion
$ mkdir svn-work
$ cd svn-work
$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
$ cd Fuzzer
$ clang++ -c -g -O2 -std=c++11 *.cpp
$ ar r libFuzzer.a *.o
$ ranlib libFuzzer.a

Configure for fuzzing:

$ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py <fuzzer> <arguments>

Where <fuzzer> is one of the executables in fuzz/. Most fuzzers do not need any command line arguments, but, for example, asn1 needs the name of a data type.

If you get a crash, you should find a corresponding input file in fuzz/corpora/<fuzzer>-crash/. You can reproduce the crash with

$ fuzz/<fuzzer> <crashfile>