Re: [Xen-devel] [PATCH 4/4] tools/fuzz: add README.afl
On Tue, Jan 24, 2017 at 7:27 PM, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: > On 20/01/17 12:11, Wei Liu wrote: >> And rename README to README.oss-fuzz. >> >> Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx> >> --- >> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> >> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> >> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> >> Cc: Jan Beulich <jbeulich@xxxxxxxx> >> --- >> tools/fuzz/README.afl | 27 +++++++++++++++++++++++++++ >> tools/fuzz/{README => README.oss-fuzz} | 0 >> 2 files changed, 27 insertions(+) >> create mode 100644 tools/fuzz/README.afl >> rename tools/fuzz/{README => README.oss-fuzz} (100%) >> >> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl >> new file mode 100644 >> index 0000000..7214b61 >> --- /dev/null >> +++ b/tools/fuzz/README.afl 
>> @@ -0,0 +1,27 @@ >> +# OVERVIEW >> + >> +Some fuzzing targets have American Fuzzy Lop (AFL) support. >> + >> +See also http://lcamtuf.coredump.cx/afl/ >> + >> +# HOW IT WORKS >> + >> +AFL provides a customised toolchain to build an executable, which in >> +turn is launched by the fuzzer. >> + >> +# HOW TO USE IT >> + >> +Use the x86 instruction emulator fuzzer as an example. >> + >> +1. download and compile AFL in $AFLPATH. >> + >> +2. run the following commands to build: >> + $ cd tools/fuzz/x86_instruction_emulator >> + $ make distclean >> + $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer >> + >> +3. run the fuzzer with AFL: >> + $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \ >> + ./afl-x86-insn-emulator-fuzzer @@ >> + >> +Please see AFL documentation for more information.
>
> Having just debugged this README (I totally haven't forgotten how to
> use AFL, despite all the recent work on it ;p), it is missing the
> initial test case.
>
> I previously used a ret instruction as the seed testcase.
>
> $ mkdir testcase_dir
> $ echo -n -e '\xc3' > testcase_dir/ret.bin
>
> after which AFL is happy to start running.

In my own version I had a special option to pass to the binary to generate a set of test cases. Wei, do you have any opinions on this?

One of the things I found was that there were certain "corners" of the code that for some reason AFL had trouble reaching (i.e., after two days of running there were lines that still didn't have any coverage). One of the advantages of generating test cases is that if some of these are identified, we may be able to get a more even coverage more quickly.

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
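Review bot: step 3 under "HOW TO USE IT" passes `-i testcase_dir`, but nothing in the README creates that directory or puts a seed input in it, and afl-fuzz will not start with a missing or empty input directory; add a step before step 3 that creates it and writes at least one valid instruction as a seed, for example `$ mkdir testcase_dir` and `$ echo -n -e '\xc3' > testcase_dir/ret.bin` as the reply suggests. A short note that `-m none` lifts AFL's memory limit for the target would also help readers understand why that flag is in the command.

A seed-corpus generator along the lines George describes, as an added example that is not from this thread or the Xen tree: it writes short x86 encodings spread across the opcode map so AFL starts from more than a single ret. It assumes, as Andrew's seed does, that each fuzzer input file is raw instruction bytes; the file names, prefix list and padding are constructed here.

```python
# Added example: build an AFL seed corpus of short x86 instruction encodings
# for the x86 instruction emulator fuzzer.  Assumes each input file is raw
# instruction bytes (as the '\xc3' ret seed in the thread is); the names,
# prefix list and operand padding below are constructed for this example.
import os

# Legacy prefixes plus REX.W (64-bit mode only); constructed, not exhaustive.
PREFIXES = [b"\x66", b"\xf3", b"\xf2", b"\x48"]


def seed_corpus():
    """Return {filename: bytes} covering every one-byte opcode, every
    two-byte 0F opcode, and a few prefixed forms of one ModRM opcode."""
    seeds = {}
    # Two self-contained instructions as hand-picked seeds.
    seeds["ret.bin"] = b"\xc3"   # ret
    seeds["nop.bin"] = b"\x90"   # nop
    # Every one-byte opcode followed by a register-form ModRM byte and a
    # 32-bit immediate, so opcodes needing operands are still decodable.
    for op in range(256):
        seeds[f"op_{op:02x}.bin"] = bytes([op, 0xC0]) + b"\x00" * 4
    # Two-byte opcodes (0F xx) with the same ModRM/immediate padding.
    for op in range(256):
        seeds[f"op_0f{op:02x}.bin"] = bytes([0x0F, op, 0xC0]) + b"\x00" * 4
    # Prefixed forms of "add r/m32, r32" (01 /r) to seed prefix decoding.
    for pfx in PREFIXES:
        seeds[f"add_pfx_{pfx.hex()}.bin"] = pfx + b"\x01\xc0"
    return seeds


def write_corpus(outdir):
    """Write the corpus into outdir (created if needed); return file count."""
    seeds = seed_corpus()
    os.makedirs(outdir, exist_ok=True)
    for name, data in seeds.items():
        with open(os.path.join(outdir, name), "wb") as f:
            f.write(data)
    return len(seeds)


if __name__ == "__main__":
    import sys
    # Default output directory matches the README's "-i testcase_dir".
    target = sys.argv[1] if len(sys.argv) > 1 else "testcase_dir"
    print(f"wrote {write_corpus(target)} seed files to {target}")
```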