<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="generator" content="hevea 2.32">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">
<link rel="stylesheet" type="text/css" href="manual.css">
<title>Chapter 23  Fuzzing with afl-fuzz</title>
</head>
<body>
<a href="spacetime.html"><img src="previous_motif.svg" alt="Previous"></a>
<a href="index.html"><img src="contents_motif.svg" alt="Up"></a>
<a href="plugins.html"><img src="next_motif.svg" alt="Next"></a>
<hr>
<h1 class="chapter" id="sec542">Chapter 23  Fuzzing with afl-fuzz</h1>
<ul>
<li><a href="afl-fuzz.html#sec543">23.1  Overview</a>
</li><li><a href="afl-fuzz.html#sec544">23.2  Generating instrumentation</a>
</li><li><a href="afl-fuzz.html#sec546">23.3  Example</a>
</li></ul>
<h2 class="section" id="sec543">23.1  Overview</h2>
<p>American fuzzy lop (“afl-fuzz”) is a <em>fuzzer</em>, a tool for
testing software by providing randomly-generated inputs, searching for
those inputs which cause the program to crash.</p><p>Unlike most fuzzers, afl-fuzz observes the internal behaviour of the
program being tested, and adjusts the test cases it generates to
trigger unexplored execution paths. As a result, test cases generated
by afl-fuzz cover more of the possible behaviours of the tested
program than other fuzzers.</p><p>This requires that programs to be tested are instrumented to
communicate with afl-fuzz. The native-code compiler “ocamlopt” can
generate such instrumentation, allowing afl-fuzz to be used against
programs written in OCaml.</p><p>For more information on afl-fuzz, see the website at
<a href="http://lcamtuf.coredump.cx/afl/">http://lcamtuf.coredump.cx/afl/</a>.
</p>
<h2 class="section" id="sec544">23.2  Generating instrumentation</h2>
<p>The instrumentation that afl-fuzz requires is not generated by
default, and must be explicitly enabled, by passing the <span class="c003">-afl-instrument</span> option to <span class="c003">ocamlopt</span>.</p><p>To fuzz a large system without modifying build tools, OCaml’s <span class="c003">configure</span> script also accepts the <span class="c003">afl-instrument</span> option. If
OCaml is configured with <span class="c003">afl-instrument</span>, then all programs
compiled by <span class="c003">ocamlopt</span> will be instrumented.</p>
<h3 class="subsection" id="sec545">23.2.1  Advanced options</h3>
<p>In rare cases, it is useful to control the amount of instrumentation
generated. By passing the <span class="c003">-afl-inst-ratio N</span> argument to <span class="c003">ocamlopt</span> with <span class="c003">N</span> less than 100, instrumentation can be
generated for only N% of branches. (See the afl-fuzz documentation on
the parameter <span class="c003">AFL_INST_RATIO</span> for the precise effect of this).</p>
<h2 class="section" id="sec546">23.3  Example</h2>
<p>As an example, we fuzz-test the following program, <span class="c003">readline.ml</span>:</p><pre>let _ =
let s = read_line () in
match Array.to_list (Array.init (String.length s) (String.get s)) with
['s'; 'e'; 'c'; 'r'; 'e'; 't'; ' '; 'c'; 'o'; 'd'; 'e'] -> failwith "uh oh"
| _ -> ()
</pre><p>
There is a single input (the string “secret code”) which causes this
program to crash, but finding it by blind random search is infeasible.</p><p>Instead, we compile with afl-fuzz instrumentation enabled:
</p><pre>ocamlopt -afl-instrument readline.ml -o readline
</pre><p>Next, we run the program under afl-fuzz:
</p><pre>mkdir input
echo asdf > input/testcase
mkdir output
afl-fuzz -i input -o output ./readline
</pre><p>By inspecting instrumentation output, the fuzzer finds the crashing input quickly.
</p>
<hr>
<a href="spacetime.html"><img src="previous_motif.svg" alt="Previous"></a>
<a href="index.html"><img src="contents_motif.svg" alt="Up"></a>
<a href="plugins.html"><img src="next_motif.svg" alt="Next"></a>
</body>
</html>
distrib
>
Mageia
>
7
>
armv7hl
>
media
>
core-release
>
by-pkgid
>
fb18813323b88f9a6e869238ab603257
>
files
>
3
