drop-in replacement for libfuzzer

Related tags

Command-line fazi
Overview

crates.io docs.rs

Fazi

fazi

A reimplementation of libfuzzer in Rust with some improvements

Supported Features

  • libFuzzer's mutations
  • SanCov feedback
  • Building without a main() entry point
  • Crash replaying
  • Recoverage
  • Custom user initialization
  • Scaling/forking support
  • Timeout detection
  • Custom dictionaries
  • Custom user-defined mutations

Anything else that's missing from libFuzzer's featureset will likely not be supported. Feel free to file an issue if you'd like to voice support for something.

Usage

Step 1: Build fazi (requires Rust nightly):

$ cargo build --release

Note: Fazi can also be built without the main entrypoint by providing the --no-default-features flag

Step 2: Build your harness:

$ FAZI_DIR="../path-to-fazi" clang ./main.c -fsanitize=fuzzer-no-link -fsanitize=address -lfazi -L$FAZI_DIR/target/release/

Step 3: Run the harness:

$ ./a.out

fazi_running

You can list command-line options with the --help flag:

fazi

USAGE:
    a.out [OPTIONS] [SUBCOMMAND]

OPTIONS:
        --corpus-dir <CORPUS_DIR>
            Location at which inputs that cause new coverage will be saved [default: ./corpus]

        --crashes-dir <CRASHES_DIR>
            Location at which crashing inputs will be saved [default: ./crashes]

    -h, --help
            Print help information

        --len-control <LEN_CONTROL>
            Length control is used in an algorithm for deciding how quickly the input size grows. A
            larger value will result in faster growth while a smaller value will result in slow
            growth [default: 100]

        --max-input-len <MAX_INPUT_LEN>
            The maximum size (in bytes) that an input can extend to [default: 65000]

        --max-iters <MAX_ITERS>
            Maximum number of fuzzing iterations before the fuzzer should exit

        --max-mutation-depth <MAX_MUTATION_DEPTH>
            The maximum number of times to mutate a single input before moving on to another
            [default: 15]

        --seed <SEED>
            RNG seed

SUBCOMMANDS:
    help     Print this message or the help of the given subcommand(s)
    repro    Reproduce some crash

Running the Example Rust Harness

The example pure Rust harness can be found at the /examples/simple_harness.rs.

To build/run it, clone the repo and run the following commands:

cargo rustc --no-default-features --features=hook_builtins --example simple_harness -- \
    -Znew-llvm-pass-manager=no \
    -C passes=sancov \
    -C llvm-args=-sanitizer-coverage-level=3 \
    -C llvm-args=-sanitizer-coverage-inline-8bit-counters \
    -C llvm-args=-sanitizer-coverage-trace-compares \
    -C llvm-args=-sanitizer-coverage-pc-table \
    -Z sanitizer=address

./target/debug/examples/simple_harness

Why

While libfuzzer can be used as a library, engaging with it from some environments may be difficult to setup. Fazi provides similar functionality to libfuzzer, but gives greater flexibility into how you can use it. For instance, a native application which requires its own main entry point may be setup like:

/// compiled with -fsanitize=fuzer-no-link

extern "C" int LLVMFuzzerRunDriver(int *argc, char ***argv,
                  int (*UserCb)(const uint8_t *Data, size_t Size));

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    // fuzz
}

int main(int *argc, char ***argv) {
    // Do my own thing
    LLVMFuzzerRunDriver(argc, argv, LLVMFuzzerTestOneInput);
}

This model is difficult when integrating into an application with a lot of state or its own runtime environment, such as the JVM. Instead of providing a callback, Fazi lets you just ask it for data and tell it when the testcase is done:

extern "C" void fazi_start_iteration(char** data, size_t* size);
extern "C" void fazi_end_iteration(bool need_more_data);
extern "C" void fazi_initialize();
extern "C" void fazi_set_corpus_dir(const char*);
extern "C" void fazi_set_crashes_dir(const char*);

int main() {
    // Setup fazi globals
    fazi_initialize();

    while (true) {
        const char* data = nullptr;
        size_t len = 0;
        fazi_start_iteration(&data, &len);

        bool need_more_data = some_api(data, len);

        fazi_end_iteration(need_more_data);
    }
}
You might also like...
🦀️atos for linux by rust - A partial replacement for Apple's atos tool for converting addresses within a binary file to symbols.

atosl-rs 🦀️ atos for linux by rust - A partial replacement for Apple's atos tool for converting addresses within a binary file to symbols. tested on

xcp is a (partial) clone of the Unix cp command. It is not intended as a full replacement

xcp is a (partial) clone of the Unix cp command. It is not intended as a full replacement, but as a companion utility with some more user-friendly feedback and some optimisations that make sense under certain tasks (see below).

Xcode Neovim Replacement-ish.
Xcode Neovim Replacement-ish.

An XCode replacement-ish development environment that aims to be your reliable XCode alternative to develop exciting new [apple] software products 🚀

A more convenient `#[target_feature]` replacement

A more convenient #[target_feature] replacement To get good performance out of SIMD everything on the SIMD codepath must be inlined. With how SIMD is

Simpler and more powerful replacement for `find`

FindFile (FF) An simple, ergonomic, and powerful replacement for find. Note: this repo is under active development The syntax is (mostly) figured out,

A modern, maintained replacement for ls
A modern, maintained replacement for ls

eza eza is a modern, maintained replacement for ls, built on exa. README Sections: Options — Installation — Development eza is a modern, maintained re

Patch binary file using IDA signatures and defined replacement bytes in YAML.

fabricbin Patch binary file using IDA signatures and defined replacement bytes in YAML. Install: cargo install --git https://github.com/makindotcc/fab

Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

Rustyread is a drop in replacement of badread simulate.

Rustyread is a drop in replacement of badread simulate. Rustyread is very heavily inspired by badread, it reuses the same error and quality model file. But Rustyreads is multi-threaded and benefits from other optimizations.

age-encrypted secrets for NixOS; drop-in replacement for agenix

ragenix ragenix provides age-encrypted secrets for NixOS systems which live in the Nix store and are decrypted on system activation. Using ragenix to

🐱‍👤 Drop-in HTTP replacement module for Garry's Mod

🐱‍👤 gmsv_reqwest This module is a drop-in replacement for Garry's Mod's HTTP function, inspired by gmsv_chttp created by timschumi. The module uses

A drop-in replacement for `dapp` and `seth` in Rust

dapptools.rs Rust port of DappTools dapp example Usage Run Solidity tests Any contract that contains a function starting with test is being tested. Th

A (mostly) drop-in replacement for Rust's Result that provides backtrace support

Errant A (mostly) drop-in replacement for Rust's Result that provides backtrace support. Please note that Errant is still very early in development an

messloc is a drop in replacement for malloc that can transparently recover from memory fragmentation without any changes to application code.
messloc is a drop in replacement for malloc that can transparently recover from memory fragmentation without any changes to application code.

messloc is a drop in replacement for malloc that can transparently recover from memory fragmentation without any changes to application code. Goals Al

Modern Drop-in Replacement for Nginx AutoIndex / FancyIndex!
Modern Drop-in Replacement for Nginx AutoIndex / FancyIndex!

MeowIndex A cute, feature-rich file listing module to replace nginx's autoindex / fancyindex. Features List files Show file icons Clickable, length-sa

A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities.

utiles utiles = utils + tiles A mostly drop-in replacement for mercantile written w/ rust, plus several other util(e)ities. Installation pip install u

A lightweight, no-fuss, drop-in replacement for Rudderstack

Welcome to Stilgar! Stilgar is a lightweight, no-fuss, drop-in replacement for Rudderstack. Key features: Seamlessly compatible with all Rudderstack c

Drop-in replacement for the Actix Web HTTP Logger middleware

actix-contrib-logger Logger middleware for the Actix Web framework. Actually it's a copy & paste from the official Logger middleware (original source

A drop-in replacement for std::time::Instant that is faster and more accurate.

Fastant A drop-in replacement for std::time::Instant that measures time with high performance and high accuracy powered by Time Stamp Counter (TSC). U

Comments
  • Improve the pure Rust APIs

    Improve the pure Rust APIs

    There are a fair number of assumptions currently about the global state that don't play well if we wanted to support a dumb fuzzing mode with no instrumentation. Some TODO items:

    • [x] Figure out how to approach multiple Fazi instances to avoid mismatching global state from local state.
    • [ ] Remove certain instrumentation-only mutations if instrumentation is not enabled (e.g. SanCov-enabled comparisons).
    • [x] Provide a pure Rust sample of using Fazi with and without instrumentation.
    opened by landaire 2
Owner
Lander Brandt
Lander Brandt
A lightweight, no-fuss, drop-in replacement for Rudderstack

Welcome to Stilgar! Stilgar is a lightweight, no-fuss, drop-in replacement for Rudderstack. Key features: Seamlessly compatible with all Rudderstack c

Withings 4 Jul 21, 2023
Drop-in replacement for the Actix Web HTTP Logger middleware

actix-contrib-logger Logger middleware for the Actix Web framework. Actually it's a copy & paste from the official Logger middleware (original source

Mariano Ruiz 5 Aug 28, 2023
A drop-in replacement for std::time::Instant that is faster and more accurate.

Fastant A drop-in replacement for std::time::Instant that measures time with high performance and high accuracy powered by Time Stamp Counter (TSC). U

FastLabs 8 Sep 15, 2024
A tiling layout engine for egui with drag-and-drop and resizing

egui_tiles Layouting and docking for egui. Supports: Horizontal and vertical layouts Grid layouts Tabs Drag-and-drop docking Trying it cargo r --examp

rerun.io 83 Jun 5, 2023
exa is a modern replacement for ls.

exa exa is a modern replacement for ls. README Sections: Options — Installation — Development exa is a modern replacement for the venerable file-listi

Benjamin Sago 20.3k Jan 8, 2023
zoxide is a blazing fast replacement for your cd command

zoxide A smarter cd command for your terminal zoxide is a blazing fast replacement for your cd command, inspired by z and z.lua. It keeps track of the

Ajeet D'Souza 8.7k Dec 31, 2022
procs is a replacement for ps written in Rust.

procs is a replacement for ps written in Rust. Documentation quick links Features Platform Installation Usage Configuration Features Output by t

null 3.6k Dec 30, 2022
fastmod is a fast partial replacement for the codemod tool

fastmod is a fast partial replacement for codemod. Like codemod, it is a tool to assist you with large-scale codebase refactors, and it supports most of codemod's options.

Facebook Incubator 1.4k Dec 29, 2022
A readline replacement written in Rust

A readline replacement written in Rust Basic example // Create a default reedline object to handle user input use reedline::{DefaultPrompt, Reedline,

JT 292 Jan 9, 2023
Fls - Ferris-LS, a very bad LS replacement. Besides that, proves that I suck at clean & good code.

FLS A handy ls remake, purely for learning. Why FLS? There's no reason, at all, don't use it. I just want to learn Rust :D Usage Flags: -i = Use icons

florida 6 Jan 24, 2022