Every repository needs a fuzzbuzz.yaml, which tells Fuzzbuzz how to set up and configure your fuzz targets.
The following sections describe each field allowed in a fuzzbuzz.yaml configuration file and how to use them.
Field: base
Type: string
Required: yes
Valid values: ubuntu:16.04
The name of the operating system to use as the base of the Docker image the target is set up and fuzzed in. As of now, ubuntu:16.04 is the only option.
fuzzbuzz.yaml
base: ubuntu:16.04
Field: environment
Type: Array
Required: no
Environment variables that will be accessible to each target.
fuzzbuzz.yaml
environment:
  - ENV_VAR=value
  - ENV_VAR2=value2
Field: setup
Type: Array
Required: no
A list of commands to run prior to each target's specific setup commands.
fuzzbuzz.yaml
setup:
  - sudo apt-get update
  - sudo apt-get install my-dependency
Field: language
Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in. This must be specified either here or in target.language. If it is specified in both, the value in target.language overrides the one here.
fuzzbuzz.yaml
language: c++
Field: version
Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use. This must be specified either here or in target.version. If it is specified in both, the value in target.version overrides the one here.
fuzzbuzz.yaml
language: go
version: "1.11"
Field: checkout
Type: string
Required: yes (Go only)
Specifies where in the GOPATH to place your code. This must be specified either here or in target.harness.checkout. If it is specified in both, the value in target.harness.checkout overrides the one here.
fuzzbuzz.yaml
# checkout specifies where to check your code out
# this repository will be placed in the directory:
# ~/go/src/github.com/x/y/
checkout: github.com/x/y
Field: targets
Type: Array
Required: yes
An array of target configurations.
fuzzbuzz.yaml
targets:
  - name: target-name
    # --- Other target configuration options omitted
Field: target.name
Type: string
Required: yes
The name of the target. Must be unique within the fuzzbuzz.yaml, and can only contain letters, numbers, dashes and underscores.
fuzzbuzz.yaml
targets:
  - name: my-target
Field: target.language
Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in.
fuzzbuzz.yaml
targets:
  - name: my-target
    language: c
Field: target.version
Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use.
fuzzbuzz.yaml
targets:
  - name: my-target
    language: go
    version: "1.11"
Field: target.environment
Type: Array
Required: no
Environment variables that will be accessible to this specific target.
fuzzbuzz.yaml
targets:
  - name: my-target
    environment:
      - ENV_VAR=value
      - ENV_VAR2=value2
Field: target.setup
Type: Array
Required: no
A list of commands to run that set up or compile the target.
fuzzbuzz.yaml
targets:
  - name: my-target
    setup:
      - sudo apt-get install my-lib
      - CC=$FUZZ_CC CXX=$FUZZ_CXX make my-target
Field: target.corpus
Type: string
Required: yes
The location of the target's test corpus. This should point to a directory of files, each of which is a separate test case that can be fed to the target and that the target processes successfully. The directory can be left empty, but fuzzing will then start less efficiently.
fuzzbuzz.yaml
targets:
  - name: my-target
    corpus: ./my-target/corpus
Field: target.harness
Type: Map
Required: yes
Configuration that tells Fuzzbuzz how to find and run the target. The configuration differs depending on the language.
For Go targets, the harness specifies the function to fuzz, the package it resides in, and any build tags to use when compiling.
fuzzbuzz.yaml
targets:
  - name: my-target
    harness:
      # the name of your function
      function: FuzzMe
      # build tags are optional
      build_tags: tag1 tag2 tag3
      # package specifies the package to import the
      # desired function from
      package: github.com/x/y/z/a/b/c
      # checkout specifies where to check your code out
      # this repository will be placed in the directory:
      # ~/go/src/github.com/x/y/
      checkout: github.com/x/y
For C/C++ targets, the harness specifies the location of the final compiled binary, as well as how the binary receives input.
If the binary takes input from a file, mark the location in the binary's command line where the input file should be placed with a @@. This will be replaced automatically when fuzzing.
fuzzbuzz.yaml
targets:
  - name: my-target
    harness:
      binary: ./target @@
      input: file # either stdin, socket or file
The socket input mode is coming soon, and is not currently available on the platform.
Field: target.memory_limit
Type: integer
Required: no
The maximum memory usage in megabytes to allow when processing a test case. Any tests that use more memory than this will be reported as bugs.
fuzzbuzz.yaml
targets:
  - name: my-target
    memory_limit: 1000 # 1 GB
Field: target.timeout
Type: integer
Required: no
The maximum amount of time in milliseconds the target should take to process any one test case.
fuzzbuzz.yaml
targets:
  - name: my-target
    timeout: 500 # 500 milliseconds
Field: target.sanitizers
This field is only valid for targets written in or compiled from C and C++.
Type: Map
Required: no
Valid values: address
Sanitizers to use with this target. Sanitizers are analyzers that are compiled along with the target and alert on specific issues.
Supported sanitizers:
Address Sanitizer: finds bugs including use after free, buffer over/underflows, use after return, memory leaks, etc.
Fuzzbuzz sets the following defaults for ASAN_OPTIONS (these will override your settings): abort_on_error=1:print_scariness=1. In addition, symbolize=0 is set at runtime, and symbolize=1 is set when reproducing crashes to gather stack traces.
fuzzbuzz.yaml
targets:
  - name: my-target
    sanitizers:
      # sanitizer options can be specified as a string
      address: detect_stack_use_after_return=1:debug=1
      # the field can also be left blank, e.g.:
      address:
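The rules scattered across this page (the top-level/target precedence for language, version and checkout; the per-language required fields; the name constraints; the @@ placeholder for file input; the C/C++-only sanitizer map; and the forced ASAN_OPTIONS defaults) are easy to get wrong in a hand-written fuzzbuzz.yaml. The following Python is an added example, my own code and not part of the Fuzzbuzz documentation or platform: it re-implements those rules as a pre-flight checker over the already-parsed form of the file and shows how the sanitizer options would be merged. The function names (effective_target, validate, asan_options), the SAMPLE dictionary and the exact error wording are hypothetical; SAMPLE mirrors the snippets on this page as a Python dict so that the example runs without a YAML library.

```python
import re

# Hypothetical re-implementation of the rules documented for fuzzbuzz.yaml; not Fuzzbuzz's own code.
VALID_BASES = {"ubuntu:16.04"}
VALID_LANGUAGES = {"c", "c++", "go"}
VALID_INPUTS = {"stdin", "file", "socket"}
VALID_SANITIZERS = {"address"}
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # letters, numbers, dashes and underscores only
ASAN_FORCED = {"abort_on_error": "1", "print_scariness": "1"}  # defaults the page says are forced


def effective_target(cfg, target):
    """Resolve language, version and checkout: a target-level value overrides the top-level one."""
    harness = target.get("harness") or {}
    return {
        "language": target.get("language") or cfg.get("language"),
        "version": target.get("version") or cfg.get("version"),
        "checkout": harness.get("checkout") or cfg.get("checkout"),
    }


def validate(cfg):
    """Return a list of rule violations; an empty list means the config satisfies the documented rules."""
    problems = []
    if cfg.get("base") not in VALID_BASES:
        problems.append("base must be one of %s" % sorted(VALID_BASES))
    targets = cfg.get("targets")
    if not isinstance(targets, list) or not targets:
        return problems + ["targets must be a non-empty array"]
    seen = set()
    for t in targets:
        name = t.get("name")
        if not isinstance(name, str) or not NAME_RE.match(name):
            problems.append("target name %r may only contain letters, numbers, dashes and underscores" % (name,))
            continue
        if name in seen:
            problems.append("%s: duplicate target name" % name)
        seen.add(name)
        eff = effective_target(cfg, t)
        lang = eff["language"]
        if lang not in VALID_LANGUAGES:
            problems.append("%s: language (here or top-level) must be one of %s" % (name, sorted(VALID_LANGUAGES)))
            continue
        if lang == "go" and not eff["version"]:
            problems.append("%s: version is required for go" % name)
        if lang == "go" and not eff["checkout"]:
            problems.append("%s: checkout is required for go" % name)
        if "corpus" not in t:
            problems.append("%s: corpus is required" % name)
        harness = t.get("harness")
        if not isinstance(harness, dict):
            problems.append("%s: harness is required" % name)
        elif lang == "go":
            if not (harness.get("function") and harness.get("package")):
                problems.append("%s: go harness needs function and package" % name)
        else:
            mode = harness.get("input")
            if mode not in VALID_INPUTS:
                problems.append("%s: input must be one of %s" % (name, sorted(VALID_INPUTS)))
            elif mode == "socket":
                problems.append("%s: socket input is not available yet" % name)
            elif mode == "file" and "@@" not in str(harness.get("binary", "")):
                problems.append("%s: input: file needs an @@ placeholder in binary" % name)
        sanitizers = t.get("sanitizers") or {}  # a blank "address:" parses to None, hence "or {}"
        if sanitizers and lang == "go":
            problems.append("%s: sanitizers are only valid for c/c++ targets" % name)
        for s in sanitizers:
            if s not in VALID_SANITIZERS:
                problems.append("%s: unknown sanitizer %r" % (name, s))
    return problems


def asan_options(user_options, reproducing=False):
    """Merge the user's address-sanitizer string with the forced defaults; symbolize depends on the phase."""
    opts = {}
    for item in (user_options or "").split(":"):
        if item:
            key, _, value = item.partition("=")
            opts[key] = value
    opts.update(ASAN_FORCED)                       # forced defaults win over the user's values
    opts["symbolize"] = "1" if reproducing else "0"  # 0 while fuzzing, 1 when reproducing a crash
    return ":".join("%s=%s" % kv for kv in opts.items())


# Constructed sample: the parsed form of a fuzzbuzz.yaml built from this page's snippets.
SAMPLE = {
    "base": "ubuntu:16.04",
    "language": "c++",
    "environment": ["ENV_VAR=value"],
    "targets": [
        {"name": "my-target", "language": "c",  # overrides the top-level c++
         "setup": ["CC=$FUZZ_CC CXX=$FUZZ_CXX make my-target"],
         "corpus": "./my-target/corpus",
         "harness": {"binary": "./target @@", "input": "file"},
         "memory_limit": 1000, "timeout": 500,
         "sanitizers": {"address": "detect_stack_use_after_return=1:debug=1"}},
        {"name": "go-target", "language": "go", "version": "1.11",
         "corpus": "./go-target/corpus",
         "harness": {"function": "FuzzMe", "package": "github.com/x/y/z",
                     "checkout": "github.com/x/y"}},
    ],
}

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    print("runtime ASAN_OPTIONS:", asan_options("detect_stack_use_after_return=1:debug=1"))
```

Running the block on SAMPLE reports no problems; changing the first target's binary to `./target` (dropping the @@) or removing the Go target's checkout makes the checker report the corresponding rule, which is the kind of mistake that otherwise only surfaces once the job is already scheduled.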