|
1 | | -# Fuzz Tests |
| 1 | +# Fuzzing |
2 | 2 |
|
3 | | -Repository for fuzz testing Miniscript. |
| 3 | +`miniscript` has a fuzzing harness setup for use with honggfuzz. |
4 | 4 |
|
5 | | -## How to reproduce crashes? |
| 5 | +To run the fuzz-tests as in CI -- briefly fuzzing every target -- simply |
| 6 | +run |
6 | 7 |
|
7 | | -Travis should output a offending hex("048531e80700ae6400670000af5168" in the example) |
8 | | -which you can use as shown. Copy and paste the following code lines into file reporting crashes and |
9 | | -replace the hex with the offending hex. |
10 | | -Refer to file [roundtrip_concrete.rs](./fuzz_targets/roundtrip_concrete.rs) for an example. |
| 8 | + ./fuzz.sh |
| 9 | + |
| 10 | +in this directory. |
| 11 | + |
| 12 | +To build honggfuzz, you must have libunwind on your system, as well as |
| 13 | +libopcodes and libbfd from binutils **2.38** on your system. The most |
| 14 | +recently-released binutils 2.39 has changed their API in a breaking way. |
| 15 | + |
| 16 | +On Nix, you can obtain these libraries by running |
| 17 | + |
| 18 | + nix-shell -p libopcodes_2_38 -p libunwind |
| 19 | + |
| 20 | +and then run fuzz.sh as above. |
| 21 | + |
| 22 | +# Fuzzing with weak cryptography |
| 23 | + |
| 24 | +You may wish to replace the hashing and signing code with broken crypto, |
| 25 | +which will be faster and enable the fuzzer to do otherwise impossible |
| 26 | +things such as forging signatures or finding preimages to hashes. |
| 27 | + |
| 28 | +Doing so may result in spurious bug reports since the broken crypto does |
| 29 | +not respect the encoding or algebraic invariants upheld by the real crypto. We |
| 30 | +would like to improve this but it's a nontrivial problem -- though not |
| 31 | +beyond the abilities of a motivated student with a few months of time. |
| 32 | +Please let us know if you are interested in taking this on! |
| 33 | + |
| 34 | +Meanwhile, to use the broken crypto, simply compile (and run the fuzzing |
| 35 | +scripts) with |
| 36 | + |
| 37 | + RUSTFLAGS="--cfg=hashes_fuzz --cfg=secp256k1_fuzz" |
| 38 | + |
| 39 | +which will replace the hashing library with broken hashes, and the |
| 40 | +secp256k1 library with broken cryptography. |
| 41 | + |
| 42 | +Needless to say, NEVER COMPILE REAL CODE WITH THESE FLAGS because if a |
| 43 | +fuzzer can break your crypto, so can anybody. |
| 44 | + |
| 45 | +# Long-term fuzzing |
| 46 | + |
| 47 | +To see the full list of targets, the most straightforward way is to run |
| 48 | + |
| 49 | + source ./fuzz-util.sh |
| 50 | + listTargetNames |
| 51 | + |
| 52 | +To run each of them for an hour, run |
| 53 | + |
| 54 | + ./cycle.sh |
| 55 | + |
| 56 | +To run a single fuzztest indefinitely, run |
| 57 | + |
| 58 | + cargo hfuzz run <target> |
| 59 | + |
| 60 | +`cycle.sh` uses the `chrt` utility to try to reduce the priority of the |
| 61 | +jobs. If you would like to run for longer, the most straightforward way |
| 62 | +is to edit `cycle.sh` before starting. To run the fuzz-tests in parallel, |
| 63 | +you will need to implement a custom harness. |
| 64 | + |
| 65 | +# Adding fuzz tests |
| 66 | + |
| 67 | +All fuzz tests can be found in the `fuzz_target/` directory. Adding a new |
| 68 | +one is as simple as copying an existing one and editing the `do_test` |
| 69 | +function to do what you want. |
| 70 | + |
| 71 | +If your test clearly belongs to a specific crate, please put it in that |
| 72 | +crate's directory. Otherwise you can put it directly in `fuzz_target/`. |
| 73 | + |
| 74 | +If you need to add dependencies, edit the file `generate-files.sh` to add |
| 75 | +it to the generated `Cargo.toml`. |
| 76 | + |
| 77 | +Once you've added a fuzztest, regenerate the `Cargo.toml` and CI job by |
| 78 | +running |
| 79 | + |
| 80 | + ./generate-files.sh |
| 81 | + |
| 82 | +Then to test your fuzztest, run |
| 83 | + |
| 84 | + ./fuzz.sh <target> |
| 85 | + |
| 86 | +If it is working, you will see a rapid stream of data for many seconds |
| 87 | +(you can hit Ctrl+C to stop it early). If not, you should quickly see |
| 88 | +an error. |
| 89 | + |
| 90 | +# Reproducing Failures |
| 91 | + |
| 92 | +If a fuzztest fails, it will exit with a summary which looks something like |
| 93 | + |
| 94 | +``` |
| 95 | +... |
| 96 | + fuzzTarget : hfuzz_target/x86_64-unknown-linux-gnu/release/hashes_sha256 |
| 97 | +CRASH: |
| 98 | +DESCRIPTION: |
| 99 | +ORIG_FNAME: 00000000000000000000000000000000.00000000.honggfuzz.cov |
| 100 | +FUZZ_FNAME: hfuzz_workspace/hashes_sha256/SIGABRT.PC.7ffff7c8abc7.STACK.18826d9b64.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz |
| 101 | +... |
| 102 | +===================================================================== |
| 103 | +fff400610004 |
| 104 | +``` |
| 105 | + |
| 106 | +The final line is a hex-encoded version of the input that caused the crash. You |
| 107 | +can test this directly by editing the `duplicate_crash` test to copy/paste the |
| 108 | +hex output into the call to `extend_vec_from_hex`. Then run the test with |
| 109 | + |
| 110 | + cargo test |
| 111 | + |
| 112 | +Note that if you set your `RUSTFLAGS` while fuzzing (see above) you must make |
| 113 | +sure they are set the same way when running `cargo test`. |
| 114 | + |
| 115 | +If the `duplicate_crash` function is not present, please add it. A template is |
| 116 | +as follows: |
11 | 117 |
|
12 | 118 | ``` |
13 | 119 | #[cfg(test)] |
|
0 commit comments