
Structure aware fuzzing on target with multiple inputs and different data formats


Mikerah Quintyne-Collins

May 31, 2022, 12:15:46 PM
to libfuzzer
Hi there,

After a phase of going with the usual unstructured fuzzing approach for a fuzzing project of mine, I've recently dug into structure-aware fuzzing. It seems like libfuzzer is the best tool for this, and I have several questions about it since my case doesn't seem all that common.

I have a target that takes 4 files as input as command-line arguments, e.g. `target file1 file2 file3 file4`. The files `file1` and `file2` are in a custom format for this target and files `file3` and `file4` are JSON files.

From the documentation, I need to implement `LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)` but it's unclear to me how to do the following:
- use `*Data` to get the inputs that I need for my target
- use a custom mutator on `*Data` to get the different file formats that I need for my target.

Are there any examples that are similar that I can take a look at?

Thank you

Konstantin Serebryany

Jun 1, 2022, 7:10:41 PM
to Mikerah Quintyne-Collins, libfuzzer
Hi Mikerah, 

It is not common to use libFuzzer on targets that are not APIs, but separate binaries. 
If at all possible, please consider fuzzing an API, not a binary, which will open more tooling for you. 

The simplest way currently to encode file1..file4 in a single input is to wrap them in a proto, and use libprotobuf-mutator.

Or wrap the four files into your own serialization format (anything, e.g. .tar) and use a custom mutator to unpack, and mutate.

Note: we are about to open-source another fuzzing engine that would make fuzzing out-of-process targets with a custom mutator quite a bit simpler; stay tuned.

--kcc 
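
The second option in the reply above (your own serialization format plus a custom mutator), as an added example that is not code from the thread or from libFuzzer. The length-prefixed layout and the names `NPARTS`, `PART_MAX`, `part_t`, `unpack` and `pack` are assumptions; `LLVMFuzzerCustomMutator` and `LLVMFuzzerMutate` are libFuzzer's own hooks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NPARTS 4        /* file1..file4 from the question */
#define PART_MAX 4096   /* assumed cap per embedded file */
typedef struct { const uint8_t *p; size_t n; } part_t;
/* Supplied by libFuzzer; declared weak so this file also links without it. */
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) __attribute__((weak));
/* Assumed layout: NPARTS x [2-byte LE length][payload]; lengths are clamped. */
void unpack(const uint8_t *d, size_t size, part_t out[NPARTS]) {
  size_t off = 0;
  for (int i = 0; i < NPARTS; i++) {
    size_t n = 0;
    if (size - off >= 2) { n = d[off] | (size_t)d[off + 1] << 8; off += 2; }
    if (n > size - off) n = size - off;   /* so every byte string decodes */
    out[i].p = d + off; out[i].n = n; off += n;
  }
}
/* Returns bytes written, or 0 (buf untouched) if the parts do not fit. */
size_t pack(const part_t in[NPARTS], uint8_t *buf, size_t max) {
  size_t off = 0, need = 2 * NPARTS;
  for (int i = 0; i < NPARTS; i++) { if (in[i].n > 0xffff) return 0; need += in[i].n; }
  if (need > max) return 0;
  for (int i = 0; i < NPARTS; i++) {
    buf[off++] = (uint8_t)in[i].n; buf[off++] = (uint8_t)(in[i].n >> 8);
    memcpy(buf + off, in[i].p, in[i].n); off += in[i].n;
  }
  return off;
}

size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) {
  static uint8_t store[NPARTS][PART_MAX]; part_t parts[NPARTS];
  if (!LLVMFuzzerMutate) return Size;
  unpack(Data, Size, parts);
  for (int i = 0; i < NPARTS; i++) {   /* copy out: pack() overwrites Data */
    if (parts[i].n > PART_MAX) parts[i].n = PART_MAX;
    memcpy(store[i], parts[i].p, parts[i].n); parts[i].p = store[i];
  }
  unsigned k = Seed % NPARTS;          /* mutate exactly one file per call */
  parts[k].n = LLVMFuzzerMutate(store[k], parts[k].n, PART_MAX);
  size_t out = pack(parts, Data, MaxSize);
  return out ? out : Size;
}

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  part_t f[NPARTS];
  unpack(Data, Size, f);  /* f[0], f[1]: custom format; f[2], f[3]: JSON */
  (void)f; return 0;      /* pass f[] to the target's parsing API here */
}
```

Build with `clang -fsanitize=fuzzer,address` together with the target's code; libFuzzer calls `LLVMFuzzerCustomMutator` automatically when the symbol is present.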
