Configuration
Every repository needs a fuzz.yaml, which tells Fuzzbuzz how to set up and configure your fuzz targets.
The following sections describe each field allowed in a fuzz.yaml configuration file and how to use them.
Type: string
Required: yes
Valid values: ubuntu:16.04
The name of the operating system to use as the base of the Docker image the target is set up and fuzzed in. As of now, ubuntu:16.04 is the only option.
base: ubuntu:16.04
Type: Array
Required: no
Environment variables that will be accessible to each target.
environment:- ENV_VAR=value- ENV_VAR2=value2
Type: Array
Required: no
A list of commands to run prior to each target's specific setup commands.
setup:- sudo apt-get update- sudo apt-get install my-dependency
Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in. This must be specified either here, or in target.language. If it is specified in both, the value in target.language overrides the one here.
language: c++
Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use. This must be specified either here, or in target.version. If it is specified in both, the value in target.version overrides the one here.
language: goversion: "1.11"
Type: string
Required: yes (Golang only)
Specifies where in the Gopath to place your code. This must be specified either here, or in target.harness.checkout. If it is specified in both, the value in target.harness.checkout overrides the one here.
# checkout specifies where to check your code out# this repository will be placed in the directory:# ~/go/src/github.com/x/y/checkout: github.com/x/y
Type: Array
Required: yes
An array of target configurations.
targets:- name: target-name# --- Other target configuration options omitted
Type: string
Required: yes
The name of the target. Must be unique within the fuzz.yaml. Can only contain letters, numbers, dashes and underscores.
targets:- name: my-target
Type: string
Required: yes
Valid values: c, c++, go
The name of the language the target was written in.
targets:- name: my-targetlanguage: c
Type: string
Required: yes (all languages except C/C++)
The version of the target's language to use.
targets:- name: my-targetlanguage: goversion: "1.11"
Type: Array
Required: no
Environment variables that will be accessible to this specific target.
targets:- name: my-targetenvironment:- ENV_VAR=value- ENV_VAR2=value2
Type: Array
Required: no
A list of commands to run that set up or compile the target.
targets:- name: my-targetsetup:- sudo apt-get install my-lib- CC=$FUZZ_CC CXX=$FUZZ_CXX make my-target
Type: string
Required: yes
The location of the target's test corpus. This should point to a directory of files, each of which should be a separate test case that can be fed to the target and runs a test that passes. The directory can be left empty, but this will result in a more inefficient start to fuzzing.
targets:- name: my-targetcorpus: ./my-target/corpus
Type: Map
Required: yes
Configuration that tells Fuzzbuzz how to find & run the target. Configuration differs depending on the language
Harness specifies the method to fuzz, the package it resides in, and any build tags to use when compiling.
targets:- name: my-targetharness:# the name of your methodfunction: FuzzMe# build tags are optionalbuild_tags: tag1 tag2 tag3# package specifies the package to import the# desired function frompackage: github.com/x/y/z/a/b/c# checkout specifies where to check your code out# this repository will be placed in the directory:# ~/go/src/github.com/x/y/checkout: github.com/x/y
Harness specifies the location of the final compiled binary, as well as how the binary receives input.
If the binary takes input from a file, mark the location in the binary's command line where the input file should be placed with a @@. This will be replaced automatically when fuzzing.
targets:- name: my-targetharness:binary: ./target @@input: file # either stdin, socket or file
The socket input mode is coming soon, and is not currently available on the platform.
Type: integer
Required: no
The maximum memory usage in megabytes to allow when processing a test case. Any tests that use more memory than this will be reported as bugs.
targets:- name: my-targetmemory_limit: 1000 # 1 GB
Type: integer
Required: no
The maximum amount of time in milliseconds the target should take to process any one test case.
targets:- name: my-targettimeout: 500 # 500 milliseconds
This field is only valid for targets written in or compiled from C and C++.
Type: Map
Required: no
Valid values: address
Sanitizers to use with this target. Sanitizers are analyzers that are compiled along with the target, and alert on specific issues.
Supported sanitizers:
​Address Sanitizer: finds bugs including Use After Free, Buffer Over/Underflows, Use After Returns, Memory Leaks, etc
Fuzzbuzz sets the following defaults for ASAN_OPTIONS (these will override your settings):
abort_on_error=1:print_scariness=1symbolize=0is set during runtime, andsymbolize=1is set when reproducing crashes to gather stacktraces
targets:- name: my-targetsanitizers:# sanitizer options can be specified as a stringaddress: detect_stack_use_after_return=1:debug=1# the field can also be left blank, e.g.:address:
