1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
|
# Setting up New Target
Fuzzer configurations are placed into a subdirectories inside the [`targets/` dir](../targets)
of the [oss-fuzz repo] on GitHub.
For example, the configuration files for the
[boringssl](https://github.com/google/boringssl) targets are located in
[`targets/boringssl`](../targets/boringssl).
## Prerequisites
- [Install Docker](https://docs.docker.com/engine/installation). ([Why Docker?](faq.md#why-do-you-use-docker))
- Googlers: [go/installdocker](https://goto.google.com/installdocker).
- NOTE: if you want to run `docker` without `sudo` also follow the optional
[Create a docker group](https://docs.docker.com/engine/installation/linux/ubuntulinux/#/create-a-docker-group) section.
- NOTE: Docker images can consume significant disk space. Run
[docker-cleanup](https://gist.github.com/mikea/d23a839cba68778d94e0302e8a2c200f)
periodically to garbage collect unused images.
- [Itegrate](ideal_integration.md) one or more [Fuzz Target](http://libfuzzer.info/#fuzz-target)
with the project you want to fuzz.
## Overview
To add a new OSS target to OSS-Fuzz, 3 supporting files have to be added to OSS-Fuzz source code repository:
* `targets/<target_name>/Dockerfile` - defines an container environment with all the dependencies
needed to build the project and the fuzzer.
* `targets/<target_name>/build.sh` - build script that will be executed inside the container.
* `targets/<target_name>/Jenkinsfile` - will be needed to integrate fuzzers with ClusterFuzz build and distributed execution system.
Specify your target VCS location in it.
To create a new directory for the target and *automatically generate* these 3 files a python script can be used:
```bash
$ cd /path/to/oss-fuzz
$ export TARGET_NAME=target_name
$ python infra/helper.py generate $TARGET_NAME
```
Create a fuzzer and add it to the *target_name/* directory as well.
## Dockerfile
This is the Docker image definition that build.sh will be executed in.
It is very simple for most libraries:
```docker
FROM ossfuzz/base-libfuzzer # base image with clang toolchain
MAINTAINER YOUR_EMAIL # each file should have a maintainer
RUN apt-get install -y ... # install required packages to build a project
RUN git checkout <git_url> <checkout_dir> # checkout all sources needed to build your target
WORKDIR <checkout_dir> # current directory for build script
COPY build.sh fuzzer.cc $SRC/ # install build script and other source files.
```
Expat example: [expat/Dockerfile](../targets/expat/Dockerfile)
### Fuzzer execution environment
[This page](fuzzer_environment.md) gives information about the environment that
your fuzzers will run under on ClusterFuzz, and the assumptions that you can
make.
## build.sh
This is where most of the work is done to build fuzzers for your target. The script will
be executed within an image built from a `Dockerfile`.
In general, this script will need to:
1. Build the target using its build system *with* correct compiler and its flags provided as
*environment variables* (see below).
2. Build the fuzzers, linking with the target and libFuzzer. Resulting fuzzers
should be placed in `/out`.
For expat, this looks like:
```bash
#!/bin/bash -eu
./buildconf.sh
# configure scripts usually use correct environment variables.
./configure
make -j$(nproc) clean all
# build the fuzzer, linking with libFuzzer and libexpat.a
$CXX $CXXFLAGS -std=c++11 -Ilib/ \
$SRC/parse_fuzzer.cc -o /out/expat_parse_fuzzer \
-lfuzzer .libs/libexpat.a
```
### build.sh Script Environment
When build.sh script is executed, the following locations are available within the image:
| Path | Description
| ------ | -----
| `$SRC/<some_dir>` | Source code needed to build your target.
| `/usr/lib/libfuzzer.a` | Prebuilt libFuzzer library that need to be linked into all fuzzers (`-lfuzzer`).
You *must* use special compiler flags to build your target and fuzzers.
These flags are provided in following environment variables:
| Env Variable | Description
| ------------- | --------
| `$CC`, `$CXX`, `$CCC` | The C and C++ compiler binaries.
| `$CFLAGS`, `$CXXFLAGS` | C and C++ compiler flags.
Many well-crafted build scripts will automatically use these variables. If not,
passing them manually to a build tool might be required.
See [Provided Environment Variables](../infra/base-images/base-libfuzzer/README.md#provided-environment-variables) section in
`base-libfuzzer` image documentation for more details.
## Testing locally
Helper script can be used to build images and fuzzers. Non-script
version using docker commands directly is documented [here](building_running_fuzzers_external.md).
```bash
$ cd /path/to/oss-fuzz
$ python infra/helper.py build_image $TARGET_NAME
$ python infra/helper.py build_fuzzers $TARGET_NAME
```
This should place the built fuzzers into `/path/to/oss-fuzz/build/out/$TARGET_NAME`
on your machine (`/out` in the container). You can then try to run these fuzzers
inside the container to make sure that they work properly:
```bash
$ python infra/helper.py run_fuzzer $TARGET_NAME name_of_a_fuzzer
```
If everything works locally, then it should also work on our automated builders
and ClusterFuzz.
It's recommended to look at coverage as a sanity check to make sure that fuzzer gets to the code you expect.
```bash
$ python infra/helper.py coverage $TARGET_NAME name_of_a_fuzzer
```
## Debugging Problems
[Debugging](debugging.md) document lists ways to debug your build scripts or fuzzers
in case you run into problems.
### Custom libFuzzer options for ClusterFuzz
By default ClusterFuzz will run your fuzzer without any options. You can specify
custom options by creating a `my_fuzzer.options` file next to a `my_fuzzer` executable in `/out`:
```
[libfuzzer]
max_len = 1024
```
[List of available options](http://llvm.org/docs/LibFuzzer.html#options)
At least `max_len` is highly recommended.
For out of tree fuzzers you will likely add options file using docker's
`COPY` directive and will copy it into output in build script.
([Woff2 example](https://github.com/google/oss-fuzz/blob/master/targets/woff2/convert_woff2ttf_fuzzer.options).)
### Seed Corpus
oss-fuzz uses evolutionary fuzzing algorithms. Supplying seed corpus consisting
of sample inputs is one of the best ways to improve fuzzer coverage.
To provide a corpus for `my_fuzzer`, put `my_fuzzer_seed_corpus.zip` file next
to the fuzzer binary in `/out` during the build. Individual files in the zip file
will be used as starting inputs for mutations. You can store the corpus next to
source files, generate during build or fetch it using curl or any other tool of
your choice.
([Boringssl example](https://github.com/google/oss-fuzz/blob/master/targets/boringssl/build.sh#L42).)
Seed corpus files will be used for cross-mutations and portions of them might appear
in bug reports or be used for further security research. It is important that corpus
has an appropriate and consistent license.
### Dictionaries
Dictionaries hugely improve fuzzer effectiveness for inputs with lots of similar
sequences of bytes. [libFuzzer documentation](http://llvm.org/docs/LibFuzzer.html#dictionaries)
Put your dict file in `/out` and specify in .options file:
```
[libfuzzer]
dict = dictionary_name.dict
```
It is common for several fuzzers to reuse the same dictionary if they are fuzzing very similar inputs.
([Expat example](https://github.com/google/oss-fuzz/blob/master/targets/expat/parse_fuzzer.options).)
## Jenkinsfile
This file will be largely the same for most libraries, and is used by our build
infrastructure. For expat, this is:
```groovy
// load libFuzzer pipeline definition.
def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
'https://github.com/google/oss-fuzz.git')
libfuzzerBuild {
git = "git://git.code.sf.net/p/expat/code_git"
}
```
Simply replace the "git" entry with the correct git url for the target.
*Note*: only git is supported right now.
## Checking in to oss-fuzz repository
Fork oss-fuzz, commit and push to the fork, and then create a pull request with
your change! Follow the [Forking Project](https://guides.github.com/activities/forking/) guide
if you are new to contributing via GitHub.
### Copyright headers
Please include copyright headers for all files checked in to oss-fuzz:
```
# Copyright 2016 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
```
If porting a fuzzer from Chromium, keep the Chromium license header.
## The end
Once your change is merged, the fuzzers should be automatically built and run on
ClusterFuzz after a short while!
[oss-fuzz repo]: https://github.com/google/oss-fuzz
[dictionaries]: http://llvm.org/docs/LibFuzzer.html#dictionaries
[Install Docker]: https://docs.docker.com/engine/installation/linux/ubuntulinux/
|
