Skip to content

Fuzz-testing Bitcoin Cash Node

A special test harness in src/test/fuzz/ is provided for each fuzz target to provide an easy entry point for fuzzers and the like. In this document we'll describe how to use it with AFL and libFuzzer.

Preparing fuzzing

AFL needs an input directory with examples, and an output directory where it will place examples that it found. These can be anywhere in the file system, we'll define environment variables to make it easy to reference them.

libFuzzer will use the input directory as output directory.

Extract the example seeds (or other starting inputs) into the inputs directory before starting fuzzing.

git clone https://gitlab.com/bitcoin-cash-node/bchn-sw/qa-assets
export DIR_FUZZ_IN=$PWD/qa-assets/fuzz_seed_corpus

Only for AFL:

mkdir outputs
export AFLOUT=$PWD/outputs

AFL

Building AFL

It is recommended to always use the latest version of afl:

wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -zxvf afl-latest.tgz
cd afl-<version>
make
export AFLPATH=$PWD

Instrumentation

To build Bitcoin Cash Node using AFL instrumentation (this assumes that the AFLPATH was set as above):

mkdir -p buildFuzzer
cd buildFuzzer
cmake -GNinja .. -DCCACHE=OFF -DCMAKE_C_COMPILER=afl-gcc -DCMAKE_CXX_COMPILER=afl-g++
export AFL_HARDEN=1
ninja bitcoin-fuzzers

We disable ccache because we don't want to pollute the ccache with instrumented objects, and similarly don't want to use non-instrumented cached objects linked in.

The fuzzing can be sped up significantly (~200x) by using afl-clang-fast and afl-clang-fast++ in place of afl-gcc and afl-g++ when compiling. When compiling using afl-clang-fast/afl-clang-fast++ the resulting binary will be instrumented in such a way that the AFL features "persistent mode" and "deferred forkserver" can be used. See https://github.com/google/AFL/tree/master/llvm_mode for details.

Fuzzing

To start the actual fuzzing use:

export FUZZ_TARGET=fuzz_target_foo  # Pick a fuzz_target
mkdir ${AFLOUT}/${FUZZ_TARGET}
$AFLPATH/afl-fuzz -i ${DIR_FUZZ_IN}/${FUZZ_TARGET} -o ${AFLOUT}/${FUZZ_TARGET} -m52 -- src/test/fuzz/${FUZZ_TARGET}

You may have to change a few kernel parameters to test optimally - afl-fuzz will print an error and suggestion if so.

libFuzzer

A recent version of clang, the address sanitizer and libFuzzer is needed (all found in the compiler-rt runtime libraries package).

To build all fuzz targets with libFuzzer, run

mkdir -p buildFuzzer
cd buildFuzzer
cmake -GNinja .. \
  -DCCACHE=OFF \
  -DCMAKE_C_COMPILER=clang \
  -DCMAKE_CXX_COMPILER=clang++ \
  -DENABLE_SANITIZERS="fuzzer;address"
ninja bitcoin-fuzzers

The fuzzer needs some inputs to work on, but the inputs or seeds can be used interchangeably between libFuzzer and AFL.

See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer instrumented executable.

Alternatively run the script in ./test/fuzz/test_runner.py and provide it with the ${DIR_FUZZ_IN} created earlier: ./test/fuzz/test_runner.py -l DEBUG $DIR_FUZZ_IN

If the test_runner.py script is missing, create it with ninja link-fuzz-test_runner.py