To fuzz targets written for AFL, replace calls to AFL's compiler wrappers (e.g. afl-clang, afl-clang++) with the Fuzzbuzz-provided FUZZ_STANDALONE_CC and FUZZ_STANDALONE_CXX. If you have a configurable build system, this may look something like:

```sh
CC=$FUZZ_STANDALONE_CC CXX=$FUZZ_STANDALONE_CXX make my_target
```
Ensure that you also use the CFLAGS and CXXFLAGS provided in the build environment. You can append your own, but be sure to include the Fuzzbuzz-provided ones: they are what let Fuzzbuzz build special, instrumented versions of your target to track metrics like code coverage.
Then, in the harness field, specify whether the binary takes its input via stdin or from a file. If the binary reads from a file, mark the position in the binary's command line where the input path should go with @@. Fuzzbuzz substitutes the path of each test case there automatically when fuzzing.
AFL configuration options such as the memory limit, timeout threshold and dictionary can also be set in the configuration file. Here is an example configuration that uses all of the features described above:
fuzzbuzz.yaml

```yaml
language: c++
targets:
- name: my-target
  environment:
    # you can specify your own CFLAGS/CXXFLAGS, just remember to
    # use the fuzzbuzz-provided defaults as well
    - CXXFLAGS="$CXXFLAGS -g"
  setup:
    - $FUZZ_STANDALONE_CXX $CXXFLAGS my_binary.cpp -o ./target
  corpus: ./my_target/corpus
  timeout: 500 # in milliseconds
  memory_limit: 1000 # in megabytes
  dictionary: ./my_target/dict # location of dictionary file
  harness:
    binary: ./target @@
    # input can be one of: stdin, file, socket
    input: file
```
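As an added example (not code from the Fuzzbuzz docs or from any real project), here is what the `my_binary.cpp` referenced in the setup step could look like: an AFL-style standalone target that reads the test case from the path passed in the `@@` slot, or from stdin when run without arguments, and hands the bytes to a small parser. The wire format, `parse_records` and `read_all` are assumptions invented for the illustration.

```cpp
// my_binary.cpp: an AFL-style standalone target (added example, not Fuzzbuzz's code).
// Reads the whole input from the path in argv[1] (the "@@" slot) or, when no
// argument is given, from stdin, then hands the bytes to the code under test.
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// Hypothetical wire format being fuzzed (an assumption for this example):
//   magic "FZ" | u8 count | count * (u8 len | len bytes)
// Returns the number of records parsed, or -1 for a malformed input.
int parse_records(const std::vector<uint8_t>& in, std::vector<std::string>* out) {
    if (in.size() < 3 || in[0] != 'F' || in[1] != 'Z') return -1;
    size_t pos = 2;
    size_t count = in[pos++];
    for (size_t i = 0; i < count; ++i) {
        if (pos >= in.size()) return -1;          // length byte missing
        size_t len = in[pos++];
        if (len > in.size() - pos) return -1;     // record would run past the buffer
        if (out) out->emplace_back(in.begin() + pos, in.begin() + pos + len);
        pos += len;
    }
    return pos == in.size() ? static_cast<int>(count) : -1;  // reject trailing bytes
}

// Slurp every byte of a stream; callers open files in binary mode so fuzz
// inputs are not mangled by text-mode translation.
std::vector<uint8_t> read_all(std::istream& s) {
    return std::vector<uint8_t>(std::istreambuf_iterator<char>(s),
                                std::istreambuf_iterator<char>());
}

int main(int argc, char** argv) {
    std::vector<uint8_t> data;
    if (argc > 1) {
        // "file" harness mode: Fuzzbuzz replaces @@ with the test case path.
        std::ifstream f(argv[1], std::ios::binary);
        if (!f) { std::perror(argv[1]); return 1; }
        data = read_all(f);
    } else {
        // "stdin" harness mode: the test case arrives on standard input.
        data = read_all(std::cin);
    }
    std::vector<std::string> records;
    int n = parse_records(data, &records);
    std::printf("%d record(s)\n", n);
    return 0;  // a clean exit; AFL-style fuzzing only reacts to signals and timeouts
}
```

Build it with the setup line from the configuration (`$FUZZ_STANDALONE_CXX $CXXFLAGS my_binary.cpp -o ./target`), or with a plain clang++ to try it locally: `./target seed.bin` exercises the file mode the harness's `@@` relies on, and `./target < seed.bin` the stdin mode. The bounds checks before every read are the point of the exercise; an out-of-bounds read on a crafted length byte is exactly the kind of defect the fuzzer is there to find.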
You're ready to go! Push your project to Fuzzbuzz and it will detect your targets automatically.