
Re: [Xen-devel] [PATCH 4/4] tools/fuzz: add README.afl



On Tue, Jan 24, 2017 at 7:27 PM, Andrew Cooper
<andrew.cooper3@xxxxxxxxxx> wrote:
> On 20/01/17 12:11, Wei Liu wrote:
>> And rename README to README.oss-fuzz.
>>
>> Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
>> ---
>> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
>> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
>> Cc: Jan Beulich <jbeulich@xxxxxxxx>
>> ---
>>  tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
>>  tools/fuzz/{README => README.oss-fuzz} |  0
>>  2 files changed, 27 insertions(+)
>>  create mode 100644 tools/fuzz/README.afl
>>  rename tools/fuzz/{README => README.oss-fuzz} (100%)
>>
>> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
>> new file mode 100644
>> index 0000000..7214b61
>> --- /dev/null
>> +++ b/tools/fuzz/README.afl
>> @@ -0,0 +1,27 @@
>> +# OVERVIEW
>> +
>> +Some fuzzing targets have American Fuzzy Lop (AFL) support.
>> +
>> +See also http://lcamtuf.coredump.cx/afl/
>> +
>> +# HOW IT WORKS
>> +
>> +AFL provides a customised toolchain to build an executable, which in
>> +turn is launched by the fuzzer.
>> +
>> +# HOW TO USE IT
>> +
>> +Use the x86 instruction emulator fuzzer as an example.
>> +
>> +1. download and compile AFL in $AFLPATH.
>> +
>> +2. run the following commands to build:
>> +   $ cd tools/fuzz/x86_instruction_emulator
>> +   $ make distclean
>> +   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
>> +
>> +3. run the fuzzer with AFL:
>> +   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
>> +     ./afl-x86-insn-emulator-fuzzer @@
>> +
>> +Please see AFL documentation for more information.
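Review bot: step 3 passes `-i testcase_dir`, but no step in the README creates or populates that directory, and afl-fuzz will not start with an empty input set; add a step between 2 and 3 that builds a minimal seed corpus, e.g. `$ mkdir testcase_dir` followed by `$ echo -n -e '\xc3' > testcase_dir/ret.bin` (a single `ret`), as the reply below describes. Minor: the trailing `# produces afl-x86-insn-emulator-fuzzer` on the `make` line reads as part of the command when copied; put it on its own line above the command.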
>
> Having just debugged this README (I totally haven't forgotten how to
> use AFL, despite all the recent work on it ;p), it is missing the
> initial test case.
>
> I previously used a ret instruction as the seed testcase.
>
> $ mkdir testcase_dir
> $ echo -n -e '\xc3' > testcase_dir/ret.bin
>
> after which AFL is happy to start running.

In my own version I had a special option to pass to the binary to
generate a set of test cases.  Wei, do you have any opinions on this?

One of the things I found was that there were certain "corners" of the
code that for some reason AFL had trouble reaching (i.e., after two
days of running there were lines that still didn't have any coverage).
One of the advantages of generating test cases is that if some of
these are identified, we may be able to get a more even coverage more
quickly.

 -George
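The missing step the thread discusses, as an added example that is not part of the patch or of the Xen tree: a POSIX sh helper that builds a small seed corpus for the x86 instruction emulator AFL target and checks that the input directory is non-empty before afl-fuzz is started. The seed contents (a few single-instruction encodings) are my own choice, not anything the README specifies.

```shell
#!/bin/sh
# Added example (not from the patch): populate the -i directory for
# tools/fuzz/x86_instruction_emulator so afl-fuzz has something to start from.
set -eu

# Write one raw-byte seed per file. Octal escapes keep printf portable:
#   \303      = 0xc3    ret
#   \220 \303 = 0x90 c3 nop; ret
#   \314      = 0xcc    int3
#   \017 \005 = 0x0f 05 syscall
make_seed_corpus() {
    dir="$1"
    mkdir -p "$dir"
    printf '\303'     > "$dir/ret.bin"
    printf '\220\303' > "$dir/nop_ret.bin"
    printf '\314'     > "$dir/int3.bin"
    printf '\017\005' > "$dir/syscall.bin"
}

# Count non-empty seed files; afl-fuzz rejects an input set with none.
seed_count() {
    n=0
    for f in "$1"/*; do
        [ -s "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Fail early with a clear message instead of letting afl-fuzz abort later.
check_seed_corpus() {
    if [ "$(seed_count "$1")" -eq 0 ]; then
        echo "no seed inputs in $1; create at least one before running afl-fuzz" >&2
        return 1
    fi
}

# Usage: seed_corpus.sh testcase_dir   (then run the afl-fuzz line from the README)
if [ -n "${1:-}" ]; then
    make_seed_corpus "$1"
    check_seed_corpus "$1"
    echo "$(seed_count "$1") seed(s) written to $1"
fi
```

After this, the README's step 3 (`$AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- ./afl-x86-insn-emulator-fuzzer @@`) can be run as written.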

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel