| Adam Langley | 9a4beb8 | 2015-11-09 13:57:26 -0800 | [diff] [blame] | 1 | # Fuzz testing |
| 2 | |
| 3 | Modern fuzz testers are very effective and we wish to use them to ensure that no silly bugs creep into BoringSSL. |
| 4 | |
| Adam Langley | 9c969bf | 2018-08-24 10:46:01 -0700 | [diff] [blame] | 5 | We use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing and there are a number of fuzz testing functions in `fuzz/`. They are not built by default because they require that the rest of BoringSSL be built with some changes that make fuzzing much more effective, but are completely unsafe for real use. |
| Adam Langley | 9a4beb8 | 2015-11-09 13:57:26 -0800 | [diff] [blame] | 6 | |
| Adam Langley | 9c969bf | 2018-08-24 10:46:01 -0700 | [diff] [blame] | 7 | In order to build the fuzz tests you will need at least Clang 6.0. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this: |
| Adam Langley | 7104cc9 | 2015-11-10 15:00:51 -0800 | [diff] [blame] | 8 | |
| 9 | ``` |
| David Benjamin | 1a5570b | 2023-04-19 15:38:47 -0400 | [diff] [blame] | 10 | CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 -B build |
| 11 | ninja -C build |
| Adam Langley | 7104cc9 | 2015-11-10 15:00:51 -0800 | [diff] [blame] | 12 | ``` |
| 13 | |
| Adam Langley | 7104cc9 | 2015-11-10 15:00:51 -0800 | [diff] [blame] | 14 | |
| Adam Langley | 9a4beb8 | 2015-11-09 13:57:26 -0800 | [diff] [blame] | 15 | From the `build/` directory, you can then run the fuzzers. For example: |
| 16 | |
| 17 | ``` |
| David Benjamin | 2ad3c98 | 2016-12-10 11:44:45 -0500 | [diff] [blame] | 18 | ./fuzz/cert -max_len=10000 -jobs=32 -workers=32 ../fuzz/cert_corpus/ |
| Adam Langley | 9a4beb8 | 2015-11-09 13:57:26 -0800 | [diff] [blame] | 19 | ``` |
| 20 | |
| David Benjamin | 9539ebb | 2016-03-21 18:24:53 -0400 | [diff] [blame] | 21 | The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this. |
| 22 | |
| Max Moroz | 188487f | 2016-04-11 15:36:49 +0200 | [diff] [blame] | 23 | The recommended values of `max_len` for each test are: |
| 24 | |
| Adam Langley | 3871dc9 | 2016-10-02 10:03:36 -0700 | [diff] [blame] | 25 | | Test | `max_len` value | |
| 26 | |---------------|-----------------| |
| Adam Langley | 31f94b0 | 2019-10-21 09:03:49 -0700 | [diff] [blame] | 27 | | `bn_div` | 384 | |
| Adam Langley | 9c969bf | 2018-08-24 10:46:01 -0700 | [diff] [blame] | 28 | | `bn_mod_exp` | 4096 | |
| David Benjamin | 2ad3c98 | 2016-12-10 11:44:45 -0500 | [diff] [blame] | 29 | | `cert` | 10000 | |
| Adam Langley | 3871dc9 | 2016-10-02 10:03:36 -0700 | [diff] [blame] | 30 | | `client` | 20000 | |
| 31 | | `pkcs8` | 2048 | |
| 32 | | `privkey` | 2048 | |
| 33 | | `server` | 4096 | |
| Robert Sloan | 15073af | 2016-11-29 10:52:24 -0800 | [diff] [blame] | 34 | | `session` | 8192 | |
| Adam Langley | 3871dc9 | 2016-10-02 10:03:36 -0700 | [diff] [blame] | 35 | | `spki` | 1024 | |
| 36 | | `read_pem` | 512 | |
| 37 | | `ssl_ctx_api` | 256 | |
| Max Moroz | 188487f | 2016-04-11 15:36:49 +0200 | [diff] [blame] | 38 | |
| 39 | These were determined by rounding up the length of the largest case in the corpus. |
| Adam Langley | 9a4beb8 | 2015-11-09 13:57:26 -0800 | [diff] [blame] | 40 | |
| 41 | There are directories in `fuzz/` for each of the fuzzing tests which contain seed files for fuzzing. Some of the seed files were generated manually but many of them are “interesting” results generated by the fuzzing itself. (Where “interesting” means that it triggered a previously unknown path in the code.) |
| Adam Langley | 7104cc9 | 2015-11-10 15:00:51 -0800 | [diff] [blame] | 42 | |
| David Benjamin | 5545b61 | 2021-04-14 16:23:27 -0400 | [diff] [blame] | 43 | ## Minimising the corpora |
| Adam Langley | ddcc186 | 2016-03-03 09:50:25 -0800 | [diff] [blame] | 44 | |
| 45 | When a large number of new seeds are available, it's a good idea to minimise the corpus so that different seeds that trigger the same code paths can be deduplicated. |
| 46 | |
| David Benjamin | 5545b61 | 2021-04-14 16:23:27 -0400 | [diff] [blame] | 47 | In order to minimise all the corpora, build for fuzzing and run `./fuzz/minimise_corpora.sh`. Note that minimisation is, oddly, often not idempotent for unknown reasons. |
| David Benjamin | e11988f | 2016-03-21 15:55:19 -0400 | [diff] [blame] | 48 | |
| 49 | ## Fuzzer mode |
| 50 | |
| David Benjamin | ec978dd | 2016-11-04 18:59:33 -0400 | [diff] [blame] | 51 | When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` and `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. This modifies the library to be more friendly to fuzzers. If `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` is set, BoringSSL will: |
| David Benjamin | e11988f | 2016-03-21 15:55:19 -0400 | [diff] [blame] | 52 | |
| 53 | * Replace `RAND_bytes` with a deterministic PRNG. Call `RAND_reset_for_fuzzing()` at the start of fuzzers which use `RAND_bytes` to reset the PRNG state. |
| 54 | |
| David Benjamin | ec978dd | 2016-11-04 18:59:33 -0400 | [diff] [blame] | 55 | * Use a hard-coded time instead of the actual time. |
| 56 | |
| 57 | Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will: |
| 58 | |
| David Benjamin | e11988f | 2016-03-21 15:55:19 -0400 | [diff] [blame] | 59 | * Modify the TLS stack to perform all signature checks (CertificateVerify and ServerKeyExchange) and the Finished check, but always act as if the check succeeded. |
| 60 | |
| 61 | * Treat every cipher as the NULL cipher. |
| 62 | |
| David Benjamin | fbc45d7 | 2016-09-22 01:21:24 -0400 | [diff] [blame] | 63 | * Tickets are unencrypted and the MAC check is performed but ignored. |
| 64 | |
| David Benjamin | 9343b0b | 2017-07-01 00:31:27 -0400 | [diff] [blame] | 65 | * renegotiation\_info checks are ignored. |
| 66 | |
| David Benjamin | e11988f | 2016-03-21 15:55:19 -0400 | [diff] [blame] | 67 | This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol. |
| David Benjamin | 1e663e8 | 2016-09-22 01:02:13 -0400 | [diff] [blame] | 68 | |
| 69 | ## TLS transcripts |
| 70 | |
| David Benjamin | fd06601 | 2016-11-15 00:47:17 -0500 | [diff] [blame] | 71 | The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags. |
| 72 | |
| David Benjamin | 13f1f17 | 2017-07-06 11:15:09 -0400 | [diff] [blame] | 73 | There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-config` flags. |
| David Benjamin | fd06601 | 2016-11-15 00:47:17 -0500 | [diff] [blame] | 74 | |
| 75 | If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`: |
| David Benjamin | 1e663e8 | 2016-09-22 01:02:13 -0400 | [diff] [blame] | 76 | |
| 77 | ``` |
| David Benjamin | fd06601 | 2016-11-15 00:47:17 -0500 | [diff] [blame] | 78 | cd fuzz |
| David Benjamin | 519118f | 2017-03-30 12:33:29 -0400 | [diff] [blame] | 79 | ./refresh_ssl_corpora.sh /path/to/fuzzer/mode/build /path/to/non/fuzzer/mode/build |
| David Benjamin | 1e663e8 | 2016-09-22 01:02:13 -0400 | [diff] [blame] | 80 | ``` |
