American fuzzy lop (AFL) is a popular, effective, and modern fuzz testing tool. afl.rs
allows one to run AFL on code written in the Rust programming language.
afl-rs
can be found here and some documentation is in the Rust Fuzz Book.
$ cargo install --force afl
Before running afl, you first need to compile the targets.
$ cd afl-fuzz
$ cargo afl build
Simple fuzzer calling wasmer_runtime::compile.
- src: src/compile.rs.
- cmd: cargo afl fuzz -i in -o out target/debug/compile
Fuzzer using the wasmer_runtime::compile_with API with:
- backend: llvm
- src: src/compile_with_llvm.rs.
- cmd: cargo afl fuzz -i in -o out target/debug/compile_with_llvm
Simple fuzzer calling wasmer_runtime_core::validate_and_report_errors_with_features with:
- simd: false
- threads: false
- src: src/validate.rs.
- cmd: cargo afl fuzz -i in -o out target/debug/validate
Simple fuzzer calling wasmer_runtime_core::validate_and_report_errors_with_features with:
- simd: true
- threads: true
- src: src/validate_all_feat.rs.
- cmd: cargo afl fuzz -i in -o out target/debug/validate_all_feat
Simple fuzzer calling the wasmer_runtime::instantiate API with:
- imports: None
- src: src/simple_instantiate.rs.
- cmd: cargo afl fuzz -i in -o out target/debug/simple_instantiate
Fuzzer calling the wasmer_runtime::compile_with API twice, with the llvm and singlepass backends respectively.
The results of both compilations are then compared to detect differences between the backends.
- backend: llvm
- backend: SinglePassCompiler
- src: src/diff_compile_backend.rs
- cmd: cargo afl fuzz -i in -o out target/debug/diff_compile_backend
TODO FIX: This fuzzer is broken because of a runtime issue with libdiffuzz:
This fuzzer calls wasmer_runtime::compile twice. It does "differential fuzzing", i.e. it calls wasmer_runtime::compile
twice on the same input and compares the results.
result1 != result2 is a sign of non-determinism, such as use of uninitialized memory.
- src: src/diff_compile.rs.
- cmd: AFL_PRELOAD=path/to/libdiffuzz.so cargo afl fuzz -i in -o out target/debug/diff_compile
You need to execute the following commands to get afl running properly.
echo core >/proc/sys/kernel/core_pattern
# sudo su -c "echo core >/proc/sys/kernel/core_pattern"
cd /sys/devices/system/cpu
echo performance | tee cpu*/cpufreq/scaling_governor
# sudo su -c "cd /sys/devices/system/cpu; echo performance | tee cpu*/cpufreq/scaling_governor"
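As an added check that is not part of this repository, the following POSIX sh function verifies that both settings above are actually in effect before a fuzzer is launched. The two paths are parameters (assumed: /proc/sys/kernel/core_pattern and /sys/devices/system/cpu on a real run) so it can also be pointed at test copies.

```shell
#!/bin/sh
# afl_preflight CORE_PATTERN_FILE CPU_SYSFS_DIR
# Returns 0 when the system is ready for `cargo afl fuzz`, 1 otherwise,
# printing one line per problem found.
afl_preflight() {
  core_file=$1
  cpu_dir=$2
  rc=0

  # AFL refuses to start when core_pattern hands crashes to an external
  # program (value starting with '|'): the helper delays crash detection.
  if [ ! -r "$core_file" ]; then
    echo "cannot read $core_file"
    rc=1
  else
    pattern=$(cat "$core_file")
    case "$pattern" in
      \|*) echo "core_pattern pipes crashes to a program ($pattern); set it to 'core'"; rc=1 ;;
    esac
  fi

  # Frequency scaling makes execution timing (and the -t timeout) unreliable,
  # so every core should be on the 'performance' governor.
  for gov in "$cpu_dir"/cpu*/cpufreq/scaling_governor; do
    [ -r "$gov" ] || continue
    g=$(cat "$gov")
    if [ "$g" != "performance" ]; then
      echo "$gov is '$g', expected 'performance'"
      rc=1
    fi
  done
  return $rc
}
```

Run it as `afl_preflight /proc/sys/kernel/core_pattern /sys/devices/system/cpu` before starting a fuzzing session; a non-zero exit means one of the two commands above still needs to be applied.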
Help: cargo afl fuzz help
Interesting options:
Required parameters:
-i dir - input directory with test cases
-o dir - output directory for fuzzer findings
Execution control settings:
-t msec - timeout for each run (auto-scaled, 50-1000 ms)
-m megs - memory limit for child process (50 MB default / none for no limit)
Fuzzing behavior settings:
-d - quick & dirty mode (skips deterministic steps)
-x dir - optional fuzzer dictionary (see README)
Other stuff:
-M / -S id - distributed mode (see parallel_fuzzing.txt)
-C - crash exploration mode (the peruvian rabbit thing)
If you get this issue during compilation:
= note: /usr/bin/ld: __sancov_guards
[...]
/usr/bin/ld: final link failed: bad value
collect2: error: ld returned 1 exit status
Try running cargo afl build with the following RUSTFLAGS value:
$ RUSTFLAGS='-C codegen-units=1' cargo afl build
Check out corpus_minimization.md.
Command: cargo afl fuzz -t 100+ -m none -i in -o out target/debug/simple_instantiate