kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Tweak FUZZING.md and minimise_corpuses.sh.

Browse Source 
Change-Id: If312ce3783bcc39ebd2047470251334aa0897d3d
Reviewed-on: https://boringssl-review.googlesource.com/7508
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
David Benjamin 2016-03-21 15:55:19 -04:00
parent fdc955cf14
commit e11988f511
2 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
FUZZING.md
View File

@ -13,9 +13,9 @@ CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ..
In order for the fuzz tests to link, the linker needs to find libFuzzer. This is not commonly provided and you may need to download the [Clang source code](http://llvm.org/releases/download.html) and do the following: In order for the fuzz tests to link, the linker needs to find libFuzzer. This is not commonly provided and you may need to download the [Clang source code](http://llvm.org/releases/download.html) and do the following:
``` ```
cd llvm-3.7.0.src/lib svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
ar q libFuzzer.a *.o ar ruv libFuzzer.a Fuzzer*.o
``` ```
Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory. Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
@ -44,3 +44,15 @@ Here are the recommended values of `max_len` for each test.
When a large number of new seeds are available, it's a good idea to minimise the corpus so that different seeds that trigger the same code paths can be deduplicated. When a large number of new seeds are available, it's a good idea to minimise the corpus so that different seeds that trigger the same code paths can be deduplicated.
In order to minimise all the corpuses, build for fuzzing and run `./fuzz/minimise_corpuses.sh`. Note that minimisation is, oddly, often not idempotent for unknown reasons. In order to minimise all the corpuses, build for fuzzing and run `./fuzz/minimise_corpuses.sh`. Note that minimisation is, oddly, often not idempotent for unknown reasons.
## Fuzzer mode
When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` defined. This modifies the library, particularly the TLS stack, to be more friendly to fuzzers. It will:
* Replace `RAND_bytes` with a deterministic PRNG. Call `RAND_reset_for_fuzzing()` at the start of fuzzers which use `RAND_bytes` to reset the PRNG state.
* Modify the TLS stack to perform all signature checks (CertificateVerify and ServerKeyExchange) and the Finished check, but always act as if the check succeeded.
* Treat every cipher as the NULL cipher.
This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.

3
fuzz/minimise_corpuses.sh
View File

@ -25,7 +25,6 @@ for testSource in $(ls -1 *.cc); do
test=$(echo $testSource | sed -e 's/\.cc$//') test=$(echo $testSource | sed -e 's/\.cc$//')
mv ${test}_corpus ${test}_corpus_old mv ${test}_corpus ${test}_corpus_old
mkdir ${test}_corpus mkdir ${test}_corpus
$buildDir/fuzz/$test -max_len=50000 -runs=0 -save_minimized_corpus=1 \ $buildDir/fuzz/$test -max_len=50000 -merge=1 ${test}_corpus ${test}_corpus_old
${test}_corpus ${test}_corpus_old
rm -Rf ${test}_corpus_old rm -Rf ${test}_corpus_old
done done