Fuzzing has gotÂ a lot of attention lately and if you write C or C++ code and haven’t thought about fuzzing, you really should. It’s common to find dozens of bugs when first applying itÂ to a project.
To get familiar with the latest in fuzzing, I decided to fuzzÂ DTC,Â our tool for manipulating flattened device trees. Fuzzing is veryÂ effective at testing tools that take input from files, so DTCÂ fits the bill. For other projects, you can either build a test harness that takes file input or use theÂ LLVMÂ fuzzing library.
As for the tool, I choseÂ American Fuzzy Lop (AFL).Â AFL is a fuzzer that is both powerful and easy to use—you can be up and running in minutes. It instruments the code and uses that feedback in order to discover new significant test cases. It also comes withÂ an LLVM plugin which works well on POWER Linux.
Here are the steps I took to fuzz DTC.Â I’m starting from a ppc64le Ubuntu 15.10 Docker image, so the first step is to install some required packages:
apt-get install build-essential wget git llvm clang flex bison
Now download and build AFL, including the LLVM plugin:
mkdir -p $HOME/afl cd $HOME/afl wget -N http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz tar xzf afl-latest.tgz --strip-components=1 make AFL_NOX86=1 cd llvm_mode make cd ../
Download and build DTCÂ using the LLVM plugin:
git clone git://git.kernel.org/pub/scm/utils/dtc/dtc.git cd dtc make CC=$HOME/afl/afl-clang-fast
Create an input and output directory, and seed the input directory. I just chose one of the DTCÂ test cases for this. These will be mutated to produce new test cases. You can add as many as you want but keep themÂ reasonably small:
mkdir -p in out cp tests/fdtdump.dts in
$HOME/afl/afl-fuzz -i in -o out -- ./dtc -I dts @@
Notice how @@ is used to specify the name of the input file to be tested. AFLÂ will feed the file to STDIN otherwise.
AFL also produces a very useful test corpus in out/queue which you can use for more heavyweight testing, eg valgrind or the LLVM sanitizers.