Configuration

Target Configuration (fuzzbuzz.yaml)

Every repository needs a fuzzbuzz.yaml, which tells Fuzzbuzz how to set up and configure your fuzz targets.
The following sections describe each field allowed in a fuzzbuzz.yaml configuration file and how to use them.

base

Type: string
Required: yes
Valid values: ubuntu:16.04
The name of the operating system to use as the base of the Docker image the target is set up and fuzzed in. As of now, ubuntu:16.04 is the only option.

Usage:

fuzzbuzz.yaml
base: ubuntu:16.04

environment

Type: Array
Required: no
Environment variables that will be accessible to each target.

Usage:

fuzzbuzz.yaml
environment:
  - ENV_VAR=value
  - ENV_VAR2=value2

setup

Type: Array
Required: no
A list of commands to run prior to each target's specific setup commands.

Usage:

fuzzbuzz.yaml
setup:
  - sudo apt-get update
  - sudo apt-get install my-dependency

language

Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in. This must be specified either here, or in target.language. If it is specified in both, the value in target.language overrides the one here.

Usage:

fuzzbuzz.yaml
language: c++

version

Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use. This must be specified either here, or in target.version. If it is specified in both, the value in target.version overrides the one here.

Usage:

fuzzbuzz.yaml
language: go
version: "1.11"

checkout

Type: string
Required: yes (Golang only)
Specifies where in the GOPATH to place your code. This must be specified either here, or in target.harness.checkout. If it is specified in both, the value in target.harness.checkout overrides the one here.

Usage:

fuzzbuzz.yaml
# checkout specifies where to check your code out
# this repository will be placed in the directory:
# ~/go/src/github.com/x/y/
checkout: github.com/x/y

targets

Type: Array
Required: yes
An array of target configurations.

Usage:

fuzzbuzz.yaml
targets:
  - name: target-name
    # --- Other target configuration options omitted

target.name

Type: string
Required: yes
The name of the target. Must be unique within the fuzzbuzz.yaml. Can only contain letters, numbers, dashes and underscores.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target

target.language

Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    language: c

target.version

Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    language: go
    version: "1.11"

target.environment

Type: Array
Required: no
Environment variables that will be accessible to this specific target.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    environment:
      - ENV_VAR=value
      - ENV_VAR2=value2

target.setup

Type: Array
Required: no
A list of commands to run that set up or compile the target.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    setup:
      - sudo apt-get install my-lib
      - CC=$FUZZ_CC CXX=$FUZZ_CXX make my-target

target.corpus

Type: string
Required: yes
The location of the target's test corpus. This should point to a directory of files, each of which is a separate test case that the target can process without failing. The directory may be left empty, but fuzzing then starts less efficiently because there are no seed inputs to mutate.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    corpus: ./my-target/corpus
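The override and requirement rules in the sections above (target.language, target.version and target.harness.checkout take precedence over the top-level fields; version is mandatory for every language except C/C++; checkout is mandatory for Go; names are unique and restricted to letters, numbers, dashes and underscores; corpus is required) are easy to get subtly wrong by hand. The following Python is an added illustration, not Fuzzbuzz's own validator: it resolves each target's effective settings and lists the problems it finds. The config is a constructed dict in the shape yaml.safe_load would produce from a fuzzbuzz.yaml, so the block runs offline. It also flags an unquoted version, because YAML parses 1.11 as a float rather than the string "1.11" the page shows.

```python
import re

VALID_LANGUAGES = {"c", "c++", "go"}
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_target(config, target):
    """Effective settings of one target after applying the override rules:
    target.language, target.version and target.harness.checkout win over
    the top-level language, version and checkout."""
    harness = target.get("harness") or {}
    return {
        "name": target.get("name"),
        "language": target.get("language", config.get("language")),
        "version": target.get("version", config.get("version")),
        "checkout": harness.get("checkout", config.get("checkout")),
        "corpus": target.get("corpus"),
    }


def validate(config):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if config.get("base") != "ubuntu:16.04":
        problems.append("base must be ubuntu:16.04")
    targets = config.get("targets") or []
    if not targets:
        problems.append("targets is required and must not be empty")
    seen = set()
    for target in targets:
        eff = resolve_target(config, target)
        name = str(eff["name"] or "<unnamed>")
        if not NAME_RE.match(name):
            problems.append(f"{name}: name may only contain letters, numbers, dashes and underscores")
        if name in seen:
            problems.append(f"{name}: duplicate target name")
        seen.add(name)
        lang = eff["language"]
        if lang not in VALID_LANGUAGES:
            problems.append(f"{name}: language must be one of c, c++, go")
        else:
            # version is required for every language except C/C++
            if lang not in ("c", "c++") and eff["version"] is None:
                problems.append(f"{name}: version is required for {lang}")
            # checkout (top-level or target.harness.checkout) is Go-only
            if lang == "go" and eff["checkout"] is None:
                problems.append(f"{name}: checkout is required for go targets")
        # YAML turns an unquoted 1.11 into a float; the page quotes "1.11"
        if eff["version"] is not None and not isinstance(eff["version"], str):
            problems.append(f"{name}: version must be a quoted string, got {eff['version']!r}")
        if not eff["corpus"]:
            problems.append(f"{name}: corpus is required")
    return problems


# Constructed sample config (what yaml.safe_load of a fuzzbuzz.yaml would yield).
CONFIG = {
    "base": "ubuntu:16.04",
    "language": "go",
    "version": "1.11",
    "checkout": "github.com/x/y",
    "targets": [
        {"name": "parser", "corpus": "./parser/corpus"},               # inherits go/1.11/checkout
        {"name": "native-lib", "language": "c", "corpus": "./native/corpus"},  # overrides language
        {"name": "bad name!", "language": "go", "version": 1.11, "corpus": ""},  # three mistakes
    ],
}

if __name__ == "__main__":
    for problem in validate(CONFIG):
        print(problem)
```

Only the third target produces output: the name contains a space and an exclamation mark, the version is an unquoted number, and the corpus is empty. The first two targets are accepted, which shows the inheritance working: "parser" gets go/"1.11"/github.com/x/y from the top level, and "native-lib" keeps the inherited version without needing it.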

target.harness

Type: Map
Required: yes
Configuration that tells Fuzzbuzz how to find and run the target. The fields differ depending on the language:

C and C++

Harness specifies the location of the final compiled binary.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    harness:
      binary: ./target

Golang

Harness specifies the method to fuzz, the package it resides in, and any build tags to use when compiling.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    harness:
      # the name of your method
      function: FuzzMe
      # build tags are optional
      build_tags: tag1 tag2 tag3
      # package specifies the package to import the
      # desired function from
      package: github.com/x/y/z/a/b/c
      # checkout specifies where to check your code out
      # this repository will be placed in the directory:
      # ~/go/src/github.com/x/y/
      checkout: github.com/x/y

Binaries

Harness specifies the location of the final compiled binary, as well as how the binary receives input.
If the binary takes input from a file, mark the location in the binary's command line where the input file should be placed with @@. This will be replaced automatically when fuzzing.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    harness:
      binary: ./target @@
      input: file # either stdin, socket or file

The socket input mode is coming soon, and is not currently available on the platform.

target.memory_limit

Type: integer
Required: no
The maximum memory usage in megabytes to allow when processing a test case. Any tests that use more memory than this will be reported as bugs.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    memory_limit: 1000 # 1 GB

target.timeout

Type: integer
Required: no
The maximum amount of time in milliseconds the target should take to process any one test case.

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    timeout: 500 # 500 milliseconds

target.sanitizers

This field is only valid for targets written in or compiled from C and C++.
Type: Map
Required: no
Valid values: address
Sanitizers to use with this target. Sanitizers are analyzers that are compiled along with the target, and alert on specific issues.
Supported sanitizers:
  • AddressSanitizer: finds bugs such as use-after-free, buffer overflows and underflows, use-after-return and memory leaks
    • Fuzzbuzz sets the following defaults for ASAN_OPTIONS (these override your settings): abort_on_error=1:print_scariness=1
    • symbolize=0 is set while fuzzing, and symbolize=1 is set when reproducing crashes to gather stack traces

Usage:

fuzzbuzz.yaml
targets:
  - name: my-target
    sanitizers:
      # sanitizer options can be specified as a string
      address: detect_stack_use_after_return=1:debug=1
      # the field can also be left blank, e.g.:
      address:
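Two run-time rules on this page are worth seeing concretely: the @@ placeholder in the Binaries harness (replaced by the test case path in file mode, meaningless in stdin mode, and socket mode not yet available) and the ASAN_OPTIONS merge for target.sanitizers, where Fuzzbuzz's abort_on_error=1:print_scariness=1 overrides whatever the address string says and symbolize flips between fuzzing and reproduction. The Python below is an added illustration of both rules, not Fuzzbuzz's own runner. It assumes a missing input field means stdin (the page does not say what the default is) and that ASAN_OPTIONS is the colon-separated key=value list the sanitizer itself accepts.

```python
import shlex

# Defaults the page says Fuzzbuzz forces on top of the user's address string.
FORCED_ASAN = {"abort_on_error": "1", "print_scariness": "1"}


def build_command(harness, test_case_path):
    """Return (argv, stdin_path) for running one test case through `harness`.

    harness is the target.harness map from fuzzbuzz.yaml. In file mode every
    @@ token is replaced by the test case path and stdin is unused; in stdin
    mode argv is left alone and the case is to be piped in.
    """
    mode = harness.get("input", "stdin")  # assumption: stdin when unset
    argv = shlex.split(harness["binary"])
    if mode == "file":
        if "@@" not in argv:
            raise ValueError("input: file requires an @@ placeholder in binary")
        return [test_case_path if arg == "@@" else arg for arg in argv], None
    if mode == "stdin":
        if "@@" in argv:
            raise ValueError("@@ is only meaningful with input: file")
        return argv, test_case_path
    if mode == "socket":
        raise ValueError("socket input mode is not available on the platform yet")
    raise ValueError(f"unknown input mode {mode!r}")


def asan_options(user_options, reproducing=False):
    """Merge the user's sanitizers.address string with the forced defaults.

    user_options may be None (the page allows `address:` with no value).
    abort_on_error and print_scariness always win; symbolize is 0 while
    fuzzing and 1 when reproducing a crash for a stack trace.
    """
    opts = {}
    for item in (user_options or "").split(":"):
        if item:
            key, _, value = item.partition("=")
            opts[key] = value
    opts.update(FORCED_ASAN)          # overrides any user value for these keys
    opts["symbolize"] = "1" if reproducing else "0"
    return ":".join(f"{k}={v}" for k, v in opts.items())


if __name__ == "__main__":
    # Constructed harness maps matching the Usage blocks above.
    print(build_command({"binary": "./target @@", "input": "file"}, "/tmp/case-001"))
    print(build_command({"binary": "./target -v", "input": "stdin"}, "/tmp/case-001"))
    print(asan_options("detect_stack_use_after_return=1:abort_on_error=0"))
    print(asan_options(None, reproducing=True))
```

Note the third call: a user who sets abort_on_error=0 to keep the target running past the first report still ends up with abort_on_error=1, which is exactly the "these will override your settings" behaviour described above, so crash-triage scripts should not rely on the user-supplied value.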