Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

using fuzz introspector with other fuzzers (AFL-Like) #1331

Open
alexsetsove opened this issue Dec 5, 2023 · 3 comments
Open

using fuzz introspector with other fuzzers (AFL-Like) #1331

alexsetsove opened this issue Dec 5, 2023 · 3 comments

Comments

@alexsetsove
Copy link

I read the LocalBuild documentation page and understand that libFuzzer is the default fuzzer used. However, I could not find any documentation showing how to use fuzz introspector with other fuzzers like AFL, Honggfuzz, or custom fuzzers.

I would appreciate a link to a manual or source code that will help me understand how to use this project.

@DavidKorczynski
Copy link
Contributor

In essence Fuzz Introspector is independent of libFuzzer as such -- it relies on identifying the entrypoint LLVMFuzzerTestOneInput and then also the ability to read coverage data from llvm-cov.

Could you give some specifics about your usecase and in particular (1) your harness and (2) hw you collect code coverage? Then I might be able to come up with something that generates the introspector report.

@alexsetsove
Copy link
Author

I appreciate your response so much.

Obviously, there are some harnesses that are libfuzzer-compatible for OSS-fuzz, but my challenge is in this specific case. Like this, I want to fuzz PHP without any specific harness:


 afl-fuzz -i serialized_data -o basic_fuzz -m none -- ./sapi/cli/php -r 'unserialize(file_get_contents("php://stdin"));'

This link could be a good starting point to learn how to merge and generate reports. Do I have the right direction?

https://github.com/google/oss-fuzz/blob/2de46953155fb8be2fa672c0428325f49370cb5e/infra/base-images/base-runner/coverage#L521-L554

The questions are, how do I compile the fuzzer? Is it necessary to have LLVMFuzzerTestOneInput function?

Thank you in advance for your response.

@DavidKorczynski
Copy link
Contributor

The questions are, how do I compile the fuzzer? Is it necessary to have LLVMFuzzerTestOneInput function?

For now yes, however, it may be possible to simply switch this as the only entrypoint to something more flexible. I'm happy to support the process if you're interested in implementing this.

The key would be to make it possible to compile the php binary using LLVM LTO and then enable the LLVM frontend from here https://github.com/ossf/fuzz-introspector/tree/main/frontends/llvm to run on the linked module. This frontend essentially outputs a call tree for the "fuzzer" which I assume in this case would be from the main function in sapi/cli/php?

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants