diff options
Diffstat (limited to 'tests-fuzz/README.md')
-rw-r--r-- | tests-fuzz/README.md | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/tests-fuzz/README.md b/tests-fuzz/README.md new file mode 100644 index 0000000..fd39851 --- /dev/null +++ b/tests-fuzz/README.md @@ -0,0 +1,59 @@ +# Fuzzing stdio-wrapped knotd with [AFL](http://lcamtuf.coredump.cx/afl/) + +1. Ensure [Clang](https://clang.llvm.org) +1. Ensure AFL 1.83b+ or install a fresh one + 1. `curl -O -L http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz` + 1. `tar -xzf afl-latest.tgz` + 1. `cd afl-*/` + 1. `make` + 1. `make -C llvm_mode` + 1. `sudo make install` +1. Compile Knot DNS with `afl-clang` compiler + 1. `CC=afl-clang-fast ./configure --disable-shared --disable-utilities --disable-documentation` + 1. (Add `--with-sanitizer=address` for [ASAN](http://clang.llvm.org/docs/AddressSanitizer.html)) + 1. `make` +1. Try running `knotd_stdio` + 1. `cd tests-fuzz` + 1. `make check-compile` + 1. `mkdir -p /tmp/knotd-fuzz/rundir /tmp/knotd-fuzz/storage` + 1. `./knotd_stdio -c ./knotd_wrap/knot_stdio.conf` + 1. (Consider adding zones or modules to the configuration) +1. Prepare an initial corpus + 1. Checkout the dns-fuzzing repository `git clone https://github.com/CZ-NIC/dns-fuzzing in` + 1. (Add more custom test cases to `in/packet/`) +1. Minimize the tested corpus with `afl-cmin` and simple packet parser (doesn't work with ASAN!) + 1. `afl-cmin -i in/packet/ -o min -- ./fuzz_packet` +1. Run the fuzzer + 1. `AFL_PERSISTENT=1 afl-fuzz -m 1000M -i min -o out -- ./knotd_stdio -c knotd_wrap/knot_stdio.conf` + 1. (Add `AFL_USE_ASAN=1` and use `-m none` if compiled with ASAN) + 1. (Consider parallel fuzzing, see `afl-fuzz -h`) + +**NOTE:** Sanitizer utilization is a bit problematical with AFL, see [notes_for_asan.txt] +(https://github.com/mirrorer/afl/blob/master/docs/notes_for_asan.txt). + +# Fuzzing with [libFuzzer](https://llvm.org/docs/LibFuzzer.html) (requires Clang 6.0+) + +1. Ensure [Clang](https://clang.llvm.org) with `-fsanitize=fuzzer` support (e.g. [LLVM](https://apt.llvm.org)) +1. Configure with + 1. `./configure --with-fuzzer --disable-shared --disable-documentation` + 1. (You should also add `--with-sanitizer=` + `address` for [ASAN](http://clang.llvm.org/docs/AddressSanitizer.html) or + `undefined` for [UBSAN](http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html)) + 1. (Add proper `CC=clang-6.0` if necessary) +1. Compile Knot DNS: + 1. `make` +1. Create and check the fuzzing binaries + 1. `cd tests-fuzz` + 1. `make check` +1. Download the corpora + 1. `git submodule init` + 1. `git submodule update --recursive --remote` +1. (Optional) add more test cases + 1. `./fuzz_packet -merge=1 fuzz_packet.in <DIR_WITH_NEW_PACKET_TEST_CASES>` + 1. `./fuzz_zscanner -merge=1 fuzz_zscanner.in <DIR_WITH_NEW_ZSCANNER_TEST_CASES>` +1. Run the fuzzer + 1. (Set proper symbolizer if necessary + ``export ASAN_SYMBOLIZER_PATH=$(readlink -f `which llvm-symbolizer-6.0`)`` for ASAN or + ``export UBSAN_SYMBOLIZER_PATH=$(readlink -f `which llvm-symbolizer-6.0`)`` for UBSAN) + 1. `./fuzz_packet fuzz_packet.in` or `./fuzz_zscanner fuzz_zscanner.in` + 1. (Add parallel fuzzing `-jobs=<CPUS>` |