Fuzzing has got\u00c2\u00a0a lot of attention lately and if you write C or C++ code and haven’t thought about fuzzing, you really should. It’s common to find dozens of bugs when first applying it\u00c2\u00a0to a project.<\/p>\n
To get familiar with the latest in fuzzing, I decided to fuzz\u00c2\u00a0DTC<\/a>,\u00c2\u00a0our tool for manipulating flattened device trees. Fuzzing is very\u00c2\u00a0effective at testing tools that take input from files, so DTC\u00c2\u00a0fits the bill. For other projects, you can either build a test harness that takes file input or use the\u00c2\u00a0LLVM<\/a>\u00c2\u00a0fuzzing library.<\/p>\n As for the tool, I chose\u00c2\u00a0American Fuzzy Lop (AFL).\u00c2\u00a0AFL is a fuzzer that is both powerful and easy to use—you can be up and running in minutes. It instruments the code and uses that feedback in order to discover new significant test cases. It also comes with\u00c2\u00a0an LLVM plugin which works well on POWER Linux.<\/p>\n Here are the steps I took to fuzz DTC.\u00c2\u00a0I’m starting from a ppc64le Ubuntu 15.10 Docker image, so the first step is to install some required packages:<\/p>\n Now download and build AFL, including the LLVM plugin:<\/p>\n Download and build DTC\u00c2\u00a0using the LLVM plugin:<\/p>\n Create an input and output directory, and seed the input directory. I just chose one of the DTC\u00c2\u00a0test cases for this. These will be mutated to produce new test cases. You can add as many as you want but keep them\u00c2\u00a0reasonably small:<\/p>\n Run it!<\/p>\n Notice how @@ is used to specify the name of the input file to be tested. AFL\u00c2\u00a0will feed the file to STDIN otherwise.<\/p>\n That simple setup has found<\/a> quite<\/a> a<\/a> number<\/a> of<\/a> bugs.<\/a>\u00c2\u00a0Thanks to David Gibson, the maintainer of DTC, for fixing them all!<\/p>\n AFL also produces a very useful test corpus in out\/queue which you can use for more heavyweight testing, eg valgrind or the LLVM sanitizers.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Fuzzing has got\u00c2\u00a0a lot of attention lately and if you write C or C++ code and haven’t thought about fuzzing, you really should. It’s common to find dozens of bugs when first applying it\u00c2\u00a0to a project. To get familiar with the latest in fuzzing, I decided to fuzz\u00c2\u00a0DTC,\u00c2\u00a0our tool for manipulating flattened device trees. Fuzzing … Continue reading “Fuzzing on POWER Linux with AFL”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/posts\/278"}],"collection":[{"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/comments?post=278"}],"version-history":[{"count":24,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/posts\/278\/revisions"}],"predecessor-version":[{"id":286,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/posts\/278\/revisions\/286"}],"wp:attachment":[{"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/categories?post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anton.ozlabs.org\/blog\/wp-json\/wp\/v2\/tags?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}apt-get install build-essential wget git llvm clang flex bison<\/pre>\n
mkdir -p $HOME\/afl\r\ncd $HOME\/afl\r\nwget -N http:\/\/lcamtuf.coredump.cx\/afl\/releases\/afl-latest.tgz\r\ntar xzf afl-latest.tgz --strip-components=1\r\nmake AFL_NOX86=1\r\ncd llvm_mode\r\nmake\r\ncd ..\/<\/pre>\n
git clone git:\/\/git.kernel.org\/pub\/scm\/utils\/dtc\/dtc.git\r\ncd dtc\r\nmake CC=$HOME\/afl\/afl-clang-fast<\/pre>\n
mkdir -p in out\r\ncp tests\/fdtdump.dts in<\/pre>\n
$HOME\/afl\/afl-fuzz -i in -o out -- .\/dtc -I dts @@<\/pre>\n