AFL Targets
To fuzz targets written for AFL, replace calls to AFL's compiler wrappers (e.g. afl-clang, afl-clang++) with $FUZZ_STANDALONE_CC and $FUZZ_STANDALONE_CXX. If you have a configurable build system, this may look something like:
CC=$FUZZ_STANDALONE_CC CXX=$FUZZ_STANDALONE_CXX make my_target
Also make sure your build uses the CFLAGS and CXXFLAGS provided in the build environment. You can append your own flags, but keep the Fuzzbuzz-provided ones: they are what let Fuzzbuzz build instrumented variants of your target, for example to measure code coverage.
Then, in the harness section, specify whether the binary reads its input from stdin or from a file. If it reads from a file, put @@ at the position in the binary's command line where the input file path belongs; it is replaced with the path of each test case automatically when fuzzing.
AFL configuration options such as the memory limit, timeout threshold and dictionary can also be set in the configuration file. This is an example configuration that uses all of the features described above:
fuzzbuzz.yaml
language: c++
targets:
  - name: my-target
    environment:
      # you can specify your own CFLAGS/CXXFLAGS, just remember to
      # use the fuzzbuzz-provided defaults as well
      - CXXFLAGS="$CXXFLAGS -g"
    setup:
      - $FUZZ_STANDALONE_CXX $CXXFLAGS my_binary.cpp -o ./target
    corpus: ./my_target/corpus
    timeout: 500 # in milliseconds
    memory_limit: 1000 # in megabytes
    dictionary: ./my_target/dict # location of dictionary file
    harness:
      binary: ./target @@
      # input can be one of: stdin, file, socket
      input: file
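The configuration above only says how the target is invoked; the target itself still has to read the test case from the place the harness delivers it. The following is an added example, not code from Fuzzbuzz or from this page: a minimal AFL-style target that reads its input from the file path substituted for @@ (argv[1]) when one is given and from stdin otherwise, so the same binary works with `input: file` (`binary: ./target @@`) and with `input: stdin` (`binary: ./target`). The record format it parses, the 1 MiB input cap and the file names are all assumptions made for the example.

```c
// Added example (not Fuzzbuzz's own code): an AFL-style target that accepts
// its test case either from the file named by argv[1] (the path substituted
// for "@@") or, when no argument is given, from stdin.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Assumption for the example: refuse inputs over 1 MiB so memory use stays
// bounded and predictable under the configured memory_limit.
#define MAX_INPUT (1u << 20)

// Read an entire stream into a heap buffer. Returns the byte count, or
// (size_t)-1 on I/O error or oversize input. The caller frees *out.
static size_t read_all(FILE *f, uint8_t **out) {
    size_t cap = 4096, len = 0;
    uint8_t *buf = malloc(cap);
    if (!buf) return (size_t)-1;
    for (;;) {
        if (len == cap) {
            if (cap >= MAX_INPUT) { free(buf); return (size_t)-1; }
            cap *= 2;
            uint8_t *nb = realloc(buf, cap);
            if (!nb) { free(buf); return (size_t)-1; }
            buf = nb;
        }
        size_t n = fread(buf + len, 1, cap - len, f);
        len += n;
        if (n == 0) break;
    }
    if (ferror(f)) { free(buf); return (size_t)-1; }
    *out = buf;
    return len;
}

// Open the file named by `path`, or use stdin when `path` is NULL.
// This is the only place the file/stdin distinction from the harness matters.
size_t read_input(const char *path, uint8_t **out) {
    FILE *f = path ? fopen(path, "rb") : stdin;
    if (!f) return (size_t)-1;
    size_t len = read_all(f, out);
    if (path) fclose(f);
    return len;
}

// Toy record format, constructed for this example:
//   bytes 0..3  magic "FZBZ"
//   byte  4     payload length N
//   bytes 5..   N payload bytes
// Returns N on a well-formed record, -1 on bad magic/short header,
// -2 on a truncated payload. Every access is bounds-checked against `len`;
// a fuzzer's job is to find the case where such a check is missing.
int parse_record(const uint8_t *buf, size_t len) {
    if (len < 5 || memcmp(buf, "FZBZ", 4) != 0) return -1;
    size_t n = buf[4];
    if (len - 5 < n) return -2;
    // Touch every payload byte so an out-of-bounds read would be observable
    // under a sanitizer build rather than silently skipped.
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc ^= buf[5 + i];
    (void)acc;
    return (int)n;
}

int main(int argc, char **argv) {
    uint8_t *buf = NULL;
    size_t len = read_input(argc > 1 ? argv[1] : NULL, &buf);
    if (len == (size_t)-1) { perror("read input"); return 1; }
    int rc = parse_record(buf, len);
    free(buf);
    printf("parse_record -> %d\n", rc);
    // A non-zero exit status is not a finding for AFL; it reports crashes
    // (signals) and timeouts, so malformed input is rejected quietly.
    return rc < 0 ? 1 : 0;
}
```

Built with `$FUZZ_STANDALONE_CC $CFLAGS target.c -o ./target`, this binary runs under the file harness as `./target @@` and under the stdin harness as `./target` without any change to the source. Rejecting malformed input with a return value rather than an abort keeps the corpus from filling with false "crashes", while the bounds checks are exactly the lines a sanitizer build (see the Advanced Configuration documentation) would catch if they were wrong.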
You're ready to go! Push your project to Fuzzbuzz and it will detect your targets automatically.
Check out our Advanced Configuration documentation to learn how to use sanitizers on Fuzzbuzz.