| author | Ben Laurie <ben@links.org> | 2016-03-26 17:19:14 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@links.org> | 2016-05-07 18:13:54 +0100 |
| commit | c38bb72797916f2a0ab9906aad29162ca8d53546 (patch) | |
| tree | e3df72e2e4c4d14a822cd0a3101d005a8923a929 /fuzz/README.md | |
| parent | 049f5bbce3eebdf4ec2030042eb2ae64bb67aedb (diff) | |
Add fuzzing!
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'fuzz/README.md')
-rw-r--r-- | fuzz/README.md | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/fuzz/README.md b/fuzz/README.md new file mode 100644 index 0000000000..948590df93 --- /dev/null +++ b/fuzz/README.md @@ -0,0 +1,47 @@ +# I Can Haz Fuzz? + +Or, how to fuzz OpenSSL with libfuzzer. + +Starting from a vanilla+OpenSSH server Ubuntu install. + +Use Chrome's handy recent build of clang. Older versions may also work. + + $ sudo apt-get install git + $ mkdir git-work + $ git clone https://chromium.googlesource.com/chromium/src/tools/clang + $ clang/scripts/update.py + +You may want to git pull and re-run the update from time to time. + +Update your path: + + $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH + +Get and build libFuzzer (there is a git mirror at +https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): + + $ cd + $ sudo apt-get install subversion + $ mkdir svn-work + $ cd svn-work + $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer + $ cd Fuzzer + $ clang++ -c -g -O2 -std=c++11 *.cpp + $ ar r libFuzzer.a *.o + $ ranlib libFuzzer.a + +Configure for fuzzing: + + $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared + $ sudo apt-get install make + $ LDCMD=clang++ make -j + $ fuzz/helper.py <fuzzer> <arguments> + +Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not +need any command line arguments, but, for example, `asn1` needs the name of a +data type. + +If you get a crash, you should find a corresponding input file in +`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with + + $ fuzz/<fuzzer> <crashfile> |
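Review bot: the libFuzzer checkout `$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer` fetches the fuzzing runtime that gets compiled and linked into every fuzzer over plain http, while the alternative git mirror on the same line is given as https; please switch the svn URL to https (or point at the https mirror only) so the source is not fetched unauthenticated. Two smaller points in the same hunk: `$ mkdir git-work` is never followed by `cd git-work`, so `git clone ...` and `clang/scripts/update.py` actually run from the home directory, and the later `PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH` should be checked against where `update.py` really places the build once that is fixed; and after building `libFuzzer.a` in `~/svn-work/Fuzzer`, the "Configure for fuzzing" section never says how `enable-fuzz` locates that archive, so a sentence stating the expected path or variable would save readers a failed link.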