Re: [Xen-devel] [PATCH 4/4] tools/fuzz: add README.afl
On Wed, Jan 25, 2017 at 09:51:38AM +0000, George Dunlap wrote:
> On Tue, Jan 24, 2017 at 7:27 PM, Andrew Cooper
> <andrew.cooper3@xxxxxxxxxx> wrote:
> > On 20/01/17 12:11, Wei Liu wrote:
> >> And rename README to README.oss-fuzz.
> >>
> >> Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> >> ---
> >> Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> >> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
> >> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
> >> Cc: Jan Beulich <jbeulich@xxxxxxxx>
> >> ---
> >> tools/fuzz/README.afl | 27 +++++++++++++++++++++++++++
> >> tools/fuzz/{README => README.oss-fuzz} | 0
> >> 2 files changed, 27 insertions(+)
> >> create mode 100644 tools/fuzz/README.afl
> >> rename tools/fuzz/{README => README.oss-fuzz} (100%)
> >>
> >> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
> >> new file mode 100644
> >> index 0000000..7214b61
> >> --- /dev/null
> >> +++ b/tools/fuzz/README.afl
> >> @@ -0,0 +1,27 @@
> >> +# OVERVIEW
> >> +
> >> +Some fuzzing targets have American Fuzzy Lop (AFL) support.
> >> +
> >> +See also http://lcamtuf.coredump.cx/afl/
> >> +
> >> +# HOW IT WORKS
> >> +
> >> +AFL provides a customised toolchain to build an executable, which in
> >> +turn is launched by the fuzzer.
> >> +
> >> +# HOW TO USE IT
> >> +
> >> +Use the x86 instruction emulator fuzzer as an example.
> >> +
> >> +1. download and compile AFL in $AFLPATH.
> >> +
> >> +2. run the following commands to build:
> >> + $ cd tools/fuzz/x86_instruction_emulator
> >> + $ make distclean
> >> + $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
> >> +
> >> +3. run the fuzzer with AFL:
> >> + $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir --
> >> \
> >> + ./afl-x86-insn-emulator-fuzzer @@
> >> +
> >> +Please see AFL documentation for more information.
> >
> > Having just debugged this README (I totally haven't forgotten how to
> > use AFL, despite all the recent work on it ;p), it is missing the
> > initial test case.
> >
> > I previously used a ret instruction as the seed testcase.
> >
> > $ mkdir testcase_dir
> > $ echo -n -e '\xc3' > testcase_dir/ret.bin
> >
> > after which AFL is happy to start running.
>
> In my own version I had a special option to pass to the binary to
> generate a set of test cases. Wei, do you have any opinions on this?
>
> One of the things I found was that there were certain "corners" of the
> code that for some reason AFL had trouble reaching (i.e., after two
> days of running there were lines that still didn't have any coverage).
> One of the advantages of generating test cases is that if some of
> these are identified, we may be able to get a more even coverage more
> quickly.

I haven't read that version in detail, but I agree with you that having the ability to generate tailored test cases is a good idea.

Wei.
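Review bot: step 3 of the README passes `-i testcase_dir`, but nothing in the file creates that directory or puts a seed in it, and afl-fuzz aborts when the input directory is missing or empty; add a step between 2 and 3 that creates the directory and writes at least one minimal valid input (a single `ret` byte is enough), and state what format the harness expects each input file to be in so readers can add their own seeds. A one-line note on why `-m none` (no memory limit) and `-t 1000` are used would also help, since both override the afl-fuzz defaults.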
> -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
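A seed-corpus generator in the spirit of what George describes, as an added example that is not part of the patch or the Xen tree. It assumes the AFL harness reads each input file as a raw instruction byte stream (as Andrew's single-byte ret seed does) and that the output directory is the one later passed to `afl-fuzz -i`; the function names, file names and the list of encodings are my own construction.

```shell
#!/bin/sh
# Added example (not from the patch): generate a small AFL seed corpus for the
# x86 instruction emulator fuzzer.  Assumptions: the harness consumes each file
# as raw instruction bytes, as Andrew's '\xc3' seed does, and the directory is
# the one later handed to afl-fuzz with -i.
set -eu

# Write one seed file.  Bytes are given as printf octal escapes so this runs in
# plain POSIX sh (echo -n -e is not portable).
write_seed() {
    dir=$1; name=$2; bytes=$3
    # shellcheck disable=SC2059  # the escape string is intentionally the format
    printf "$bytes" > "$dir/$name.bin"
}

# Populate $1 with short, well-formed encodings that each start the decoder
# down a different path (one-byte opcode, two-byte 0F opcode, ModRM, imm32,
# REP and LOCK prefixes).  Hand-picked seeds like these give AFL a foothold in
# the "corners" that random mutation of a lone ret reaches only slowly.
make_seed_corpus() {
    dir=$1
    mkdir -p "$dir"
    write_seed "$dir" ret      '\303'                 # c3          ret
    write_seed "$dir" nop      '\220'                 # 90          nop
    write_seed "$dir" cpuid    '\017\242'             # 0f a2       cpuid
    write_seed "$dir" xor_eax  '\061\300'             # 31 c0       xor eax,eax
    write_seed "$dir" mov_eax  '\270\001\001\001\001' # b8 01010101 mov eax,0x01010101
    write_seed "$dir" pause    '\363\220'             # f3 90       pause (rep nop)
    write_seed "$dir" lock_inc '\360\377\003'         # f0 ff 03    lock inc dword [ebx]
}

# Number of seed files in $1, for a sanity check before launching afl-fuzz.
seed_count() {
    find "$1" -name '*.bin' | wc -l | tr -d ' '
}

# Usage: ./make_seeds.sh testcase_dir   (then pass testcase_dir to afl-fuzz -i)
if [ "$#" -gt 0 ]; then
    make_seed_corpus "$1"
    echo "wrote $(seed_count "$1") seeds to $1"
fi
```

Each seed is kept to a single instruction so that AFL's minimisation and splicing stages have small, distinct units to work from; adding an encoding for a decoder region that still shows no coverage after a run is the cheap way to steer the fuzzer there.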