
png-afl: document usage and minor tweaks #133

Merged
merged 1 commit into from
May 5, 2019

Conversation

martinlindhe
Member

fixes #132

@martinlindhe martinlindhe merged commit edcf8b0 into image-rs:master May 5, 2019
@martinlindhe martinlindhe deleted the afl branch May 5, 2019 18:27
@martinlindhe
Member Author

@HeroicKatora thank you for your help!

@Shnatsel
Contributor

Shnatsel commented May 6, 2019

You probably also want the -d flag in that AFL command.

The default mode for AFL is "deterministic mode" which does a number of deterministic transformations of the input such as cycling every byte in the input through all values from 0 to 255, setting 4-byte chunks to interesting values, etc. When running on CI you'd probably want the "havoc" mode that just transforms the inputs randomly and doesn't run the exhaustive-ish deterministic search, which is what the -d flag activates.

The ideal setup is actually non-deterministic and deterministic modes running in parallel; run these commands in several terminal tabs / tmux shells / screen sessions:

cargo afl fuzz -M master -m 200 -i fuzzing_seeds -o out target/debug/png-afl
cargo afl fuzz -S slave1 -m 200 -i fuzzing_seeds -o out target/debug/png-afl
cargo afl fuzz -S slave2 -m 200 -i fuzzing_seeds -o out target/debug/png-afl

and so on for however many cores you have.

@Shnatsel
Contributor

Shnatsel commented May 6, 2019

Oh yeah, fuzzing in release mode also works fine and is obviously faster. You'll be missing out on the extra checks from debug mode though.

Also you might want to enable Address Sanitizer to look for memory safety issues, see https://github.com/japaric/rust-san for more info. However, this is only relevant if your code or one of your dependencies uses unsafe code, and last time I checked image-png had no unsafe in it.

@birktj
Member

birktj commented May 6, 2019

According to https://doc.rust-lang.org/std/macro.debug_assert.html it should be possible to enable debug_assert! on release builds with -C debug-assertions. I would guess that is a good idea for fuzzing, so that it is both quite fast and you have the extra checks.

@Shnatsel
Contributor

Shnatsel commented May 6, 2019

There is also a toggle for checked arithmetic; not sure if -C debug-assertions also toggles that or not. These tricks are getting quite generic, I think you should upstream this into the Rust AFL guide: https://github.com/rust-fuzz/book
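The parallel master/secondary setup from the earlier comment and the release-build-with-checks idea from the last two comments, combined into one launcher script. This is an added example, not code from the PR or the image-png project; it assumes the `fuzzing_seeds` directory and `png-afl` binary names used in the thread, a release-profile target path, and the instance names `master`/`secondaryN` (my naming, the thread uses `slave1`).

```shell
#!/bin/sh
# Added example (not part of the PR): launcher for the parallel AFL setup.
set -eu

SEEDS="fuzzing_seeds"                 # seed corpus dir from the thread
OUT="out"                             # shared -o dir; all instances sync through it
MEM_MB=200                            # -m value from the thread
TARGET="target/release/png-afl"       # assumed release-profile path of the harness

# Build step: release mode for speed, with debug_assert! and checked
# arithmetic switched back on via rustc flags so the fuzzer still sees them.
# (overflow-checks follows debug-assertions by default; set both explicitly.)
build_cmd() {
    printf '%s\n' "RUSTFLAGS='-C debug-assertions -C overflow-checks' cargo afl build --release"
}

# Command line for instance $1 of a parallel run. Instance 0 is the master
# (-M), which runs the deterministic stages; the others are secondaries (-S)
# that share -o and exchange interesting inputs with the master.
afl_instance_cmd() {
    idx=$1
    if [ "$idx" -eq 0 ]; then role="-M master"; else role="-S secondary$idx"; fi
    printf '%s\n' "cargo afl fuzz $role -m $MEM_MB -i $SEEDS -o $OUT $TARGET"
}

# Single-instance command for CI: -d skips the deterministic stages and goes
# straight to havoc, the better use of a short time budget.
afl_ci_cmd() {
    printf '%s\n' "cargo afl fuzz -d -m $MEM_MB -i $SEEDS -o $OUT $TARGET"
}

# One instance per core. With DRY_RUN=1 the commands are printed rather than
# executed, so the setup can be checked before anything is started.
launch_all() {
    cores=$1
    [ "$cores" -ge 1 ] || { echo "need at least one core" >&2; return 1; }
    i=0
    while [ "$i" -lt "$cores" ]; do
        cmd=$(afl_instance_cmd "$i")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            # AFL_NO_UI=1 keeps afl-fuzz from demanding a terminal for its status screen
            AFL_NO_UI=1 sh -c "$cmd" &
        fi
        i=$((i + 1))
    done
}
```

Run `DRY_RUN=1 launch_all "$(nproc)"` to see exactly what will be started; crashes from every instance land under `out/<name>/crashes`.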

@HeroicKatora
Member

@Shnatsel
Contributor

Shnatsel commented May 6, 2019

Oh, that's quite surprising behavior! That should definitely be documented.

Successfully merging this pull request may close these issues.

png-afl fuzzer is broken