Fuzzing stdio-wrapped knotd with AFL

  1. Ensure Clang is installed
  2. Ensure AFL 1.83b or newer is installed, or build a fresh copy:
    1. curl -O -L http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
    2. tar -xzf afl-latest.tgz
    3. cd afl-*/
    4. make
    5. make -C llvm_mode
    6. sudo make install
  3. Compile Knot DNS with the afl-clang-fast compiler (built by the llvm_mode step above)
    1. CC=afl-clang-fast ./configure --disable-shared --disable-utilities --disable-documentation
    2. (Add --with-sanitizer=address for ASAN)
    3. make
  4. Try running knotd_stdio
    1. cd tests-fuzz
    2. make check-compile
    3. mkdir -p /tmp/knotd-fuzz/rundir /tmp/knotd-fuzz/storage
    4. ./knotd_stdio -c ./knotd_wrap/knot_stdio.conf
    5. (Consider adding zones or modules to the configuration)
  5. Prepare an initial corpus
    1. Check out the dns-fuzzing repository into the directory in: git clone https://github.com/CZ-NIC/dns-fuzzing in
    2. (Add more custom test cases to in/packet/)
  6. Minimize the corpus with afl-cmin and the simple packet parser (this does not work with an ASAN build!)
    1. afl-cmin -i in/packet/ -o min -- ./fuzz_packet
  7. Run the fuzzer
    1. AFL_PERSISTENT=1 afl-fuzz -m 1000M -i min -o out -- ./knotd_stdio -c knotd_wrap/knot_stdio.conf
    2. (If compiled with ASAN, add AFL_USE_ASAN=1 and use -m none instead of -m 1000M)
    3. (Consider parallel fuzzing, see afl-fuzz -h)

NOTE: Using sanitizers together with AFL is somewhat problematic, see notes_for_asan.txt: https://github.com/mirrorer/afl/blob/master/docs/notes_for_asan.txt

Fuzzing with libFuzzer (requires Clang 6.0+)

  1. Ensure a Clang with -fsanitize=fuzzer support (Clang 6.0 or newer from LLVM)
  2. Configure with
    1. ./configure --with-fuzzer --disable-shared --disable-documentation
    2. (You should also add --with-sanitizer=address for ASAN or --with-sanitizer=undefined for UBSAN)
    3. (Add proper CC=clang-6.0 if necessary)
  3. Compile Knot DNS:
    1. make
  4. Create and check the fuzzing binaries
    1. cd tests-fuzz
    2. make check
  5. Download the corpora
    1. git submodule init
    2. git submodule update --recursive --remote
  6. (Optional) add more test cases
    1. ./fuzz_packet -merge=1 fuzz_packet.in <DIR_WITH_NEW_PACKET_TEST_CASES>
    2. ./fuzz_zscanner -merge=1 fuzz_zscanner.in <DIR_WITH_NEW_ZSCANNER_TEST_CASES>
  7. Run the fuzzer
    1. (Set a proper symbolizer if necessary: export ASAN_SYMBOLIZER_PATH=$(readlink -f `which llvm-symbolizer-6.0`) for ASAN, or export UBSAN_SYMBOLIZER_PATH=$(readlink -f `which llvm-symbolizer-6.0`) for UBSAN)
    2. ./fuzz_packet fuzz_packet.in or ./fuzz_zscanner fuzz_zscanner.in
    3. (For parallel fuzzing add -jobs=<CPUS>)
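Both procedures above rely on a target that exposes the right entry point: a stdin-reading binary for AFL (knotd_stdio, with AFL_PERSISTENT=1 for persistent mode) and an LLVMFuzzerTestOneInput function for libFuzzer (fuzz_packet, fuzz_zscanner). The following is an added example, not the fuzz_packet harness from this directory nor any Knot DNS code: a minimal DNS question-section parser wired up so that the same source file builds either way. The function dns_parse_questions, the sample packets, the LIBFUZZER macro and the build commands in the header comment are assumptions made for illustration.

```c
/* Added example (not Knot DNS code): a minimal DNS fuzz target that builds
 * both as a libFuzzer target and as a stdin-driven AFL persistent-mode binary.
 * dns_parse_questions(), the sample packets and the LIBFUZZER macro are
 * assumptions made for this illustration.
 *
 * AFL:       afl-clang-fast -O2 dns_fuzz_target.c -o dns_fuzz_afl
 *            AFL_PERSISTENT=1 afl-fuzz -i min -o out -- ./dns_fuzz_afl
 * libFuzzer: clang -fsanitize=fuzzer,address -DLIBFUZZER dns_fuzz_target.c -o dns_fuzz_lf
 *            ./dns_fuzz_lf corpus_dir
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12
#define DNS_MAX_NAME   255   /* RFC 1035 wire-format name limit */
#define MAX_INPUT      65535 /* largest DNS message over TCP */

/* Parse the question section of a wire-format DNS message.
 * Returns the number of questions parsed, or -1 if the message is malformed
 * or truncated. Every read is bounds-checked against len; an out-of-bounds
 * read here is exactly the class of bug ASAN would flag under the fuzzer. */
int dns_parse_questions(const uint8_t *buf, size_t len)
{
    if (len < DNS_HEADER_LEN) return -1;
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    size_t pos = DNS_HEADER_LEN;
    int parsed = 0;

    for (uint16_t q = 0; q < qdcount; q++) {
        size_t name_len = 0;
        for (;;) {                                   /* walk QNAME labels */
            if (pos >= len) return -1;
            uint8_t l = buf[pos];
            if (l == 0) { pos++; break; }            /* root label ends the name */
            if ((l & 0xC0) == 0xC0) {                /* compression pointer ends the name */
                if (pos + 1 >= len) return -1;
                pos += 2;
                break;
            }
            if (l > 63) return -1;                   /* 0x40/0x80 label types are reserved */
            name_len += 1 + l;
            if (name_len > DNS_MAX_NAME) return -1;
            if (pos + 1 + l > len) return -1;
            pos += 1 + l;
        }
        if (pos + 4 > len) return -1;                /* QTYPE + QCLASS */
        pos += 4;
        parsed++;
    }
    return parsed;
}

/* Constructed sample inputs (not captured traffic) for a quick self-check:
 * a valid query for example.com and a message whose first label byte is the
 * reserved 0x40 label type. */
const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
const size_t SAMPLE_QUERY_LEN = sizeof SAMPLE_QUERY;
const uint8_t SAMPLE_BAD_LABEL[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40
};
const size_t SAMPLE_BAD_LABEL_LEN = sizeof SAMPLE_BAD_LABEL;

/* libFuzzer entry point; libFuzzer supplies main() when linked with -fsanitize=fuzzer. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)dns_parse_questions(data, size);
    return 0;
}

#ifndef LIBFUZZER
/* AFL entry point: one message per stdin read. When compiled with
 * afl-clang-fast, __AFL_LOOP keeps the process alive across inputs
 * (persistent mode); with a plain compiler the body runs once. */
int main(void)
{
    static uint8_t buf[MAX_INPUT];
#ifdef __AFL_HAVE_MANUAL_CONTROL
    while (__AFL_LOOP(1000)) {
#else
    {
#endif
        size_t n = fread(buf, 1, sizeof buf, stdin);
        LLVMFuzzerTestOneInput(buf, n);
    }
    return 0;
}
#endif
```

The -m none / AFL_USE_ASAN=1 caveat from the AFL section applies unchanged to this target when it is built with -fsanitize=address: ASAN reserves terabytes of virtual address space, so a 1000M memory limit makes every run look like an out-of-memory crash.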