aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2016-12-14 08:12:41 -0500
committerNick Mathewson <nickm@torproject.org>2017-01-30 08:37:24 -0500
commit44fa14c0e28ac26a551169d5621648db9bc08da9 (patch)
treedd8a193620dde44a973945f3a27a3a3951921ac7 /doc
parent0fb1156e9f0ee62e9b704e9e56ebae3c8d436218 (diff)
downloadtor-44fa14c0e28ac26a551169d5621648db9bc08da9.tar.gz
tor-44fa14c0e28ac26a551169d5621648db9bc08da9.zip
Try to tweak fuzzing.md to correspond to my changes
Diffstat (limited to 'doc')
-rw-r--r--doc/HACKING/Fuzzing.md36
1 files changed, 19 insertions, 17 deletions
diff --git a/doc/HACKING/Fuzzing.md b/doc/HACKING/Fuzzing.md
index 703f028891..36f0fc4f5e 100644
--- a/doc/HACKING/Fuzzing.md
+++ b/doc/HACKING/Fuzzing.md
@@ -3,6 +3,11 @@
To run the fuzzing test cases in a deterministic fashion, use:
make fuzz
+ [I've turned this off for now. - NM]
+
+To build the fuzzing harness binaries, use:
+ make fuzzers
+
== Guided Fuzzing with AFL
There is no HTTPS, hash, or signature for American Fuzzy Lop's source code, so
@@ -22,7 +27,7 @@ To Find The ASAN Memory Limit: (64-bit only)
On 64-bit platforms, afl needs to know how much memory ASAN uses.
Or, you can configure tor without --enable-expensive-hardening, then use
make fuzz
-to run the generated test cases through an ASAN-enabled fuzz_dir.
+to run the generated test cases through an ASAN-enabled fuzz-http.
Read afl/docs/notes_for_asan.txt for more details.
Download recidivm from http://jwilk.net/software/recidivm
@@ -36,10 +41,14 @@ Read afl/docs/notes_for_asan.txt for more details.
(Normally, recidivm would output a figure automatically, but in some cases,
the fuzzing harness will hang when the memory limit is too small.)
+You could also just say "none" instead of the memory limit below, if you
+don't care about memory limits.
+
+
To Run:
- mkdir -p src/test/fuzz/fuzz_dir_testcase src/test/fuzz/fuzz_dir_findings
- echo "dummy" > src/test/fuzz/fuzz_dir_testcase/minimal.case
- ../afl/afl-fuzz -i src/test/fuzz/fuzz_dir_testcase -o src/test/fuzz/fuzz_dir_findings -m <asan-memory-limit> -- src/test/fuzz_dir
+ mkdir -p src/test/fuzz/fuzz_http_findings
+ ../afl/afl-fuzz -i src/test/fuzz/data/http -x src/test/fuzz/dict/http -o src/test/fuzz/fuzz_http_findings -m <asan-memory-limit> -- src/test/fuzz_dir
+
AFL has a multi-core mode, check the documentation for details.
You might find the included fuzz-multi.sh script useful for this.
@@ -48,19 +57,12 @@ macOS (OS X) requires slightly more preparation, including:
* using afl-clang (or afl-clang-fast from the llvm directory)
* disabling external crash reporting (AFL will guide you through this step)
-AFL may also benefit from using dictionary files for text-based inputs: these
-can be placed in src/test/fuzz/fuzz_dir_dictionary/.
-
-Multiple dictionaries can be used with AFL, you should choose a combination of
-dictionaries that targets the code you are fuzzing.
-
== Writing Tor fuzzers
-A tor fuzzing harness should:
-* read input from standard input (many fuzzing frameworks also accept file
- names)
-* parse that input
-* produce results on standard output (this assists in diagnosing errors)
+A tor fuzzing harness should have:
+* a fuzz_init() function to set up any necessary global state.
+* a fuzz_main() function to receive input and pass it to a parser.
+* a fuzz_cleanup() function to clear global state.
Most fuzzing frameworks will produce many invalid inputs - a tor fuzzing
harness should rejecting invalid inputs without crashing or behaving badly.
@@ -78,8 +80,8 @@ Check if a hang is reproducible before reporting it. Sometimes, processing
valid inputs may take a second or so, particularly with the fuzzer and
sanitizers enabled.
-To see what fuzz_dir is doing with a test case, call it like this:
- src/test/fuzz_dir --debug < /path/to/test.case
+To see what fuzz-http is doing with a test case, call it like this:
+ src/test/fuzz/fuzz-http --debug < /path/to/test.case
(Logging is disabled while fuzzing to increase fuzzing speed.)