
fuzzing.md 2.1KB

Fuzz-testing Bitcoin Core
==========================

A special test harness `test_bitcoin_fuzzy` is provided as an easy entry point
for fuzzers and the like. In this document we'll describe how to use it with
AFL.

Building AFL
-------------

It is recommended to always use the latest version of afl:
```
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -zxvf afl-latest.tgz
cd afl-<version>
make
export AFLPATH=$PWD
```

Instrumentation
----------------

To build Bitcoin Core using AFL instrumentation (this assumes that the
`AFLPATH` was set as above):
```
./configure --disable-ccache --disable-shared --enable-tests CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++
export AFL_HARDEN=1
cd src/
make test/test_bitcoin_fuzzy
```
We disable ccache because we don't want to pollute the ccache with instrumented
objects, and similarly don't want to link in non-instrumented cached objects.

The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and
`afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When
compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting
`test_bitcoin_fuzzy` binary will be instrumented in such a way that the AFL
features "persistent mode" and "deferred forkserver" can be used. See
https://github.com/mcarpenter/afl/tree/master/llvm_mode for details.

Preparing fuzzing
------------------

AFL needs an input directory with examples, and an output directory where it
will place the examples it finds. These can be anywhere in the file system;
we'll define environment variables to make it easy to reference them.
```
mkdir inputs
AFLIN=$PWD/inputs
mkdir outputs
AFLOUT=$PWD/outputs
```
Example inputs are available from:

- https://download.visucore.com/bitcoin/bitcoin_fuzzy_in.tar.xz
- http://strateman.ninja/fuzzing.tar.xz

Extract these (or other starting inputs) into the `inputs` directory before starting fuzzing.

Fuzzing
--------

To start the actual fuzzing use:
```
$AFLPATH/afl-fuzz -i ${AFLIN} -o ${AFLOUT} -m52 -- test/test_bitcoin_fuzzy
```
You may have to change a few kernel parameters to test optimally; `afl-fuzz`
will print an error and a suggestion if so.
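Once `afl-fuzz` has run for a while, the inputs it saves under `$AFLOUT/crashes` should be confirmed before anyone starts debugging them. The POSIX shell script below is an added example, not part of Bitcoin Core's documentation or source: it replays each saved crash through the harness on stdin (the `afl-fuzz` command above passes no `@@`, so inputs are fed on stdin) and counts which ones still reproduce. The harness path and AFL's `crashes/id:*` file naming are assumptions about this page's setup; `fake_harness` and the files created in `demo()` are constructed stand-ins.

```sh
#!/bin/sh
# Added example, not part of the Bitcoin Core docs: replay the crashes that
# afl-fuzz saved under $AFLOUT/crashes through the harness on stdin and count
# which ones still reproduce. The harness path and the crashes/id:* layout
# are assumptions about the setup on this page; fake_harness and the crash
# files built in demo() are constructed for illustration.

# Replay one saved input and print the harness exit status. A shell reports
# death by signal as 128 + signal number (134 for SIGABRT from an assert).
replay_one() {
    if "$1" < "$2" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Replay every crash in an AFL output directory. Prints "<file> <status>"
# per input and a final "reproduced=<n> silent=<m>" summary; "silent" inputs
# no longer crash (flaky bug, or one already fixed) and deserve a second look
# before the crash is dismissed.
triage_crashes() {
    harness=$1 aflout=$2 repro=0 silent=0
    for f in "$aflout"/crashes/id:*; do
        [ -e "$f" ] || continue        # glob did not match: no crashes yet
        st=$(replay_one "$harness" "$f")
        echo "$f $st"
        if [ "$st" -ne 0 ]; then repro=$((repro + 1)); else silent=$((silent + 1)); fi
    done
    echo "reproduced=$repro silent=$silent"
}

# Constructed stand-in for test_bitcoin_fuzzy: "aborts" (status 134) on any
# input containing BAD, accepts everything else.
fake_harness() {
    grep -q BAD && return 134
    return 0
}

# Constructed demo: an AFLOUT with two saved crashes, one of which no longer
# reproduces. Prints only the summary line.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/crashes"
    printf 'BAD tx' > "$d/crashes/id:000000,sig:06,src:000001,op:flip1,pos:3"
    printf 'ok tx'  > "$d/crashes/id:000001,sig:06,src:000002,op:havoc,rep:4"
    triage_crashes fake_harness "$d" | tail -n 1
    rm -rf "$d"
}
```

For a real run, call `triage_crashes test/test_bitcoin_fuzzy "$AFLOUT"` from `src/` with the same binary `afl-fuzz` was given.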