Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.


    $ sudo apt-get install git
    $ git clone https://chromium.googlesource.com/chromium/src/tools/clang
    $ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Put the new clang on your path:

    $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer).
The configure step below refers to the checkout as `../../svn-work/Fuzzer`
relative to the OpenSSL source tree, so put `svn-work` two directories above
it (for example in your home directory if OpenSSL is at `~/git-work/openssl`):

    $ sudo apt-get install subversion
    $ mkdir ~/svn-work
    $ cd ~/svn-work
    $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
    $ cd Fuzzer
    $ clang++ -c -g -O2 -std=c++11 *.cpp
    $ ar r libFuzzer.a *.o

Configure for fuzzing (from the top of the OpenSSL source tree):

    $ CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-include=../../svn-work/Fuzzer \
            --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
            enable-asan enable-ubsan no-shared
    $ sudo apt-get install make
    $ LDCMD=clang++ make -j

Run one of the fuzzers through the helper script:

    $ fuzz/helper.py <fuzzer> <arguments>

Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
need any command line arguments, but, for example, `asn1` needs the name of a

If you get a crash, you should find a corresponding input file in
`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with

    $ fuzz/<fuzzer> <crashfile>

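As an added illustration (not code from OpenSSL's `fuzz/` directory), this is the shape of a libFuzzer target as the steps above assume it: the `LLVMFuzzerTestOneInput` entry point that libFuzzer drives, plus the stand-alone file-reading driver that `fuzz/<fuzzer> <crashfile>` relies on when reproducing a crash. The parser it calls, `tlv_content_len`, is a constructed DER-style tag/length check standing in for the d2i_* call a real target such as `asn1` would make.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in (not OpenSSL code) for the d2i_* call a real target
 * makes: decodes one DER-style tag/length header and returns the content
 * length, or -1 if the element is truncated or malformed. */
long tlv_content_len(const uint8_t *buf, size_t len)
{
    size_t hdr = 2, l, n, i;
    if (len < 2)
        return -1;
    if (buf[1] < 0x80) {                    /* short-form length */
        l = buf[1];
    } else {                                /* long form: 0x8N, then N bytes */
        n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n) /* indefinite or oversized */
            return -1;
        for (l = 0, i = 0; i < n; i++)
            l = (l << 8) | buf[2 + i];
        hdr += n;
    }
    return l > len - hdr ? -1 : (long)l;    /* -1: length runs past input */
}

/* libFuzzer entry point: every executable in fuzz/ exports this symbol. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    (void)tlv_content_len(buf, len);        /* bugs show up as ASan/UBSan reports */
    return 0;
}

/* Stand-alone driver (build without libFuzzer): each file argument is fed to
 * the target, which is how "fuzz/<fuzzer> <crashfile>" reproduces a crash. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        long sz;
        if (f == NULL || fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) < 0)
            { perror(argv[i]); return 1; }
        rewind(f);
        uint8_t *buf = malloc((size_t)sz + 1); /* +1: malloc(0) may be NULL */
        if (buf != NULL && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
            LLVMFuzzerTestOneInput(buf, (size_t)sz);
        free(buf);
        fclose(f);
    }
    return 0;
}
```

Built with the ASan/UBSan flags from the configure step, an out-of-bounds read in the parser would be reported the moment the driver replays the offending file.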
To fuzz with AFL instead of libFuzzer, configure for fuzzing with AFL's
instrumenting compiler and build:

    $ sudo apt-get install afl-clang
    $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared
    $ make

Run one of the fuzzers (afl-fuzz takes its own options first, then the target
binary and the target's arguments):

    $ afl-fuzz -i fuzz/corpora/<fuzzer> -o fuzz/corpora/<fuzzer>/out fuzz/<fuzzer> <arguments>

Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
need any command line arguments, but, for example, `asn1` needs the name of a