drop-in replacement for libfuzzer

Lander Brandt

Last update: Nov 2, 2022

Related tags

Command-line fazi

Overview

Fazi

A reimplementation of libfuzzer in Rust with some improvements

Supported Features

Anything else that's missing from libFuzzer's featureset will likely not be supported. Feel free to file an issue if you'd like to voice support for something.

Usage

Step 1: Build fazi (requires Rust nightly):

$ cargo build --release

Note: Fazi can also be built without the main entrypoint by providing the --no-default-features flag

Step 2: Build your harness:

$ FAZI_DIR="../path-to-fazi" clang ./main.c -fsanitize=fuzzer-no-link -fsanitize=address -lfazi -L$FAZI_DIR/target/release/

Step 3: Run the harness:

$ ./a.out

You can list command-line options with the --help flag:

fazi

USAGE:
    a.out [OPTIONS] [SUBCOMMAND]

OPTIONS:
        --corpus-dir <CORPUS_DIR>
            Location at which inputs that cause new coverage will be saved [default: ./corpus]

        --crashes-dir <CRASHES_DIR>
            Location at which crashing inputs will be saved [default: ./crashes]

    -h, --help
            Print help information

        --len-control <LEN_CONTROL>
            Length control is used in an algorithm for deciding how quickly the input size grows. A
            larger value will result in faster growth while a smaller value will result in slow
            growth [default: 100]

        --max-input-len <MAX_INPUT_LEN>
            The maximum size (in bytes) that an input can extend to [default: 65000]

        --max-iters <MAX_ITERS>
            Maximum number of fuzzing iterations before the fuzzer should exit

        --max-mutation-depth <MAX_MUTATION_DEPTH>
            The maximum number of times to mutate a single input before moving on to another
            [default: 15]

        --seed <SEED>
            RNG seed

SUBCOMMANDS:
    help     Print this message or the help of the given subcommand(s)
    repro    Reproduce some crash

Running the Example Rust Harness

The example pure Rust harness can be found at the /examples/simple_harness.rs.

To build/run it, clone the repo and run the following commands:

cargo rustc --no-default-features --features=hook_builtins --example simple_harness -- \
    -Znew-llvm-pass-manager=no \
    -C passes=sancov \
    -C llvm-args=-sanitizer-coverage-level=3 \
    -C llvm-args=-sanitizer-coverage-inline-8bit-counters \
    -C llvm-args=-sanitizer-coverage-trace-compares \
    -C llvm-args=-sanitizer-coverage-pc-table \
    -Z sanitizer=address

./target/debug/examples/simple_harness

Why

While libfuzzer can be used as a library, engaging with it from some environments may be difficult to setup. Fazi provides similar functionality to libfuzzer, but gives greater flexibility into how you can use it. For instance, a native application which requires its own main entry point may be setup like:

/// compiled with -fsanitize=fuzer-no-link

extern "C" int LLVMFuzzerRunDriver(int *argc, char ***argv,
                  int (*UserCb)(const uint8_t *Data, size_t Size));

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    // fuzz
}

int main(int *argc, char ***argv) {
    // Do my own thing
    LLVMFuzzerRunDriver(argc, argv, LLVMFuzzerTestOneInput);
}

This model is difficult when integrating into an application with a lot of state or its own runtime environment, such as the JVM. Instead of providing a callback, Fazi lets you just ask it for data and tell it when the testcase is done:

extern "C" void fazi_start_iteration(char** data, size_t* size);
extern "C" void fazi_end_iteration(bool need_more_data);
extern "C" void fazi_initialize();
extern "C" void fazi_set_corpus_dir(const char*);
extern "C" void fazi_set_crashes_dir(const char*);

int main() {
    // Setup fazi globals
    fazi_initialize();

    while (true) {
        const char* data = nullptr;
        size_t len = 0;
        fazi_start_iteration(&data, &len);

        bool need_more_data = some_api(data, len);

        fazi_end_iteration(need_more_data);
    }
}

xcp is a (partial) clone of the Unix cp command. It is not intended as a full replacement

xcp is a (partial) clone of the Unix cp command. It is not intended as a full replacement, but as a companion utility with some more user-friendly feedback and some optimisations that make sense under certain tasks (see below).

310 Jan 5, 2023

Xcode Neovim Replacement-ish.

An XCode replacement-ish development environment that aims to be your reliable XCode alternative to develop exciting new [apple] software products 🚀

272 Dec 30, 2022

A more convenient `#[target_feature]` replacement

A more convenient #[target_feature] replacement To get good performance out of SIMD everything on the SIMD codepath must be inlined. With how SIMD is

3 Apr 10, 2023

Simpler and more powerful replacement for `find`

FindFile (FF) An simple, ergonomic, and powerful replacement for find. Note: this repo is under active development The syntax is (mostly) figured out,

4 Jun 20, 2023

A modern, maintained replacement for ls

eza eza is a modern, maintained replacement for ls, built on exa. README Sections: Options — Installation — Development eza is a modern, maintained re

13 Aug 7, 2023

Patch binary file using IDA signatures and defined replacement bytes in YAML.

fabricbin Patch binary file using IDA signatures and defined replacement bytes in YAML. Install: cargo install --git https://github.com/makindotcc/fab

3 Oct 24, 2023

Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

294 Dec 23, 2022

Rustyread is a drop in replacement of badread simulate.

Rustyread is a drop in replacement of badread simulate. Rustyread is very heavily inspired by badread, it reuses the same error and quality model file. But Rustyreads is multi-threaded and benefits from other optimizations.

20 Oct 1, 2022

age-encrypted secrets for NixOS; drop-in replacement for agenix

ragenix ragenix provides age-encrypted secrets for NixOS systems which live in the Nix store and are decrypted on system activation. Using ragenix to

91 Jan 8, 2023

🐱‍👤 Drop-in HTTP replacement module for Garry's Mod

🐱‍👤 gmsv_reqwest This module is a drop-in replacement for Garry's Mod's HTTP function, inspired by gmsv_chttp created by timschumi. The module uses

38 Dec 12, 2022

A drop-in replacement for `dapp` and `seth` in Rust

dapptools.rs Rust port of DappTools dapp example Usage Run Solidity tests Any contract that contains a function starting with test is being tested. Th

5k Jan 1, 2023

A (mostly) drop-in replacement for Rust's Result that provides backtrace support

Errant A (mostly) drop-in replacement for Rust's Result that provides backtrace support. Please note that Errant is still very early in development an

17 Dec 26, 2022

messloc is a drop in replacement for malloc that can transparently recover from memory fragmentation without any changes to application code.

messloc is a drop in replacement for malloc that can transparently recover from memory fragmentation without any changes to application code. Goals Al

11 Dec 10, 2022

Modern Drop-in Replacement for Nginx AutoIndex / FancyIndex!

MeowIndex A cute, feature-rich file listing module to replace nginx's autoindex / fancyindex. Features List files Show file icons Clickable, length-sa

4 Feb 25, 2023

A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities.

utiles utiles = utils + tiles A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities. Installation pip install u

5 Jun 20, 2023

A lightweight, no-fuss, drop-in replacement for Rudderstack

Welcome to Stilgar! Stilgar is a lightweight, no-fuss, drop-in replacement for Rudderstack. Key features: Seamlessly compatible with all Rudderstack c

4 Jul 21, 2023

Drop-in replacement for the Actix Web HTTP Logger middleware

actix-contrib-logger Logger middleware for the Actix Web framework. Actually it's a copy & paste from the official Logger middleware (original source

5 Aug 28, 2023

Drop-in Access Control via NFT Ownership

niftygate - Signature-Based Authenticating Proxy What is it? niftygate is a proxy for HTTP services, that validates signatures, providing an AuthN lay

70 Jan 3, 2023

Drop-in proxy for Discord gateway connections and sessions allowing for zero downtime deploys

gateway-proxy This is a very hacky project, so it might stop working if Discord changes their API core. This is unlikely, but keep that in mind while

39 Nov 26, 2022

Comments

Improve the pure Rust APIs
There are a fair number of assumptions currently about the global state that don't play well if we wanted to support a dumb fuzzing mode with no instrumentation. Some TODO items:

[x] Figure out how to approach multiple Fazi instances to avoid mismatching global state from local state.

[ ] Remove certain instrumentation-only mutations if instrumentation is not enabled (e.g. SanCov-enabled comparisons).

[x] Provide a pure Rust sample of using Fazi with and without instrumentation.
opened by landaire 2