expert

Running OSS-Fuzz Targets with Mayhem

In this lesson, we'll walk you through how to upload an OSS-Fuzz fuzz target into Mayhem!


Estimated Time: 10 minutes

By the end of this lesson, you will be able to:

  1. Define what the OSS-Fuzz project is.
  2. Walk through an OSS-Fuzz example and upload the target into Mayhem.

OSS-Fuzz Repository

Google's OSS-Fuzz project is an effort by Google to fuzz the various open source components of Google Chrome. They have recently open sourced it so that contributors to these open source projects can integrate dynamic analysis into their workflow while they continue to develop their project. Google then takes these 'fuzz targets' and runs them on its massive compute cluster to perform continuous analysis on the large array of components that make up Google Chrome.

This project has been widely successful and has already found hundreds of critical bugs within these codebases. Google also saves all the generated testcases, so that when a new feature update is pushed to Chrome they have a high level of assurance: the stored database of testcases can be replayed to confirm that behavior has not changed within that dataset.

There are currently hundreds of fuzz targets inside the OSS-Fuzz project that are continuously being tested by Google, with more being added regularly. Since these targets were written to support LibFuzzer, an industry-leading in-memory fuzzer, any of them can also be ingested by Mayhem.

Note

Creating a test driver for LibFuzzer has all the typical requirements of writing a test driver for a dynamic analysis fuzzer like AFL or Mayhem, but it actually has stricter requirements: because the driver runs in memory, it has to avoid modifying global state or causing any other external effect that may affect the outcome of a subsequent run in the same process.

Uploading an OSS-Fuzz Target into Mayhem

First let's clone the oss-fuzz repository and use project zlib as our example.

  1. Clone the oss-fuzz git repository at https://github.com/google/oss-fuzz
  2. Navigate into the oss-fuzz directory and pull the necessary images for building a project:
     cd oss-fuzz && python infra/helper.py pull_images
  3. Build the image and the fuzzers:
     python infra/helper.py build_image zlib
     python infra/helper.py build_fuzzers --sanitizer address zlib
  4. This has now built the zlib fuzz targets into the build/out/zlib directory.
  5. Package one of the targets with the Mayhem CLI:
     mayhem package build/out/zlib/compress_fuzzer -o zlib_compress
  6. View the Mayhemfile to ensure the libfuzzer and sanitizer directives are both set to true.
  7. Run mayhem run zlib_compress to start analysis by Mayhem.
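Step 6 is a manual check; the script below is an added example for this lesson (not part of Mayhem's own tooling) that performs it automatically before mayhem run. It assumes a Mayhemfile layout with libfuzzer: and sanitizer: keys under cmds, and uses constructed sample packages in place of real mayhem package output.

```shell
#!/bin/sh
# Added example: verify a packaged target's Mayhemfile before "mayhem run".
# The Mayhemfile layout used here is an assumption based on the libfuzzer
# and sanitizer directives the lesson refers to.
set -u

# check_mayhemfile <package_dir>
# Returns 0 when the Mayhemfile under <package_dir> sets both
# "libfuzzer: true" and "sanitizer: true"; reports what is missing otherwise.
check_mayhemfile() {
    mf="$1/Mayhemfile"
    [ -f "$mf" ] || { echo "no Mayhemfile in $1"; return 1; }
    rc=0
    for key in libfuzzer sanitizer; do
        # Match "    libfuzzer: true" regardless of indentation; anything
        # else (false, missing, commented out) fails the check.
        if ! grep -Eq "^[[:space:]]*$key:[[:space:]]*true[[:space:]]*$" "$mf"; then
            echo "$mf: '$key: true' not set"
            rc=1
        fi
    done
    return $rc
}

# make_sample <dir> <libfuzzer value> <sanitizer value>
# Constructed stand-in for the directory "mayhem package ... -o <dir>" produces.
make_sample() {
    mkdir -p "$1"
    cat > "$1/Mayhemfile" <<EOF
project: zlib
target: compress_fuzzer
cmds:
  - cmd: /out/compress_fuzzer
    libfuzzer: $2
    sanitizer: $3
EOF
}

TMP=$(mktemp -d)
make_sample "$TMP/good" true true    # what a correctly packaged target looks like
make_sample "$TMP/bad" false true    # libfuzzer directive left off

check_mayhemfile "$TMP/good" && echo "$TMP/good: ready for mayhem run"
check_mayhemfile "$TMP/bad"  || echo "$TMP/bad: fix the Mayhemfile before mayhem run"
```

Point check_mayhemfile at the zlib_compress directory from step 5 to run the same check on a real package.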

✏️ Summary and Recap

In this lesson, you learned about Google's OSS-Fuzz project and how to upload an OSS-Fuzz target into Mayhem!


I learned how to...

1. Define what the OSS-Fuzz project is.
  • Google's OSS-Fuzz project is an effort by Google to fuzz the various open source components of Google Chrome. They have recently open sourced it so that contributors to these open source projects can integrate dynamic analysis into their workflow while they continue to develop their project. Google then takes these 'fuzz targets' and runs them on its massive compute cluster to perform continuous analysis on the large array of components that make up Google Chrome.
2. Walk through an OSS-Fuzz example and upload the target into Mayhem.
  • You'll need to perform the following steps:
    1. Clone the oss-fuzz git repository at https://github.com/google/oss-fuzz
    2. Navigate into the oss-fuzz directory and pull the necessary images for building a project:
       cd oss-fuzz && python infra/helper.py pull_images
    3. Build the image and the fuzzers:
       python infra/helper.py build_image zlib
       python infra/helper.py build_fuzzers --sanitizer address zlib
    4. This has now built the zlib fuzz targets into the build/out/zlib directory.
    5. Package one of the targets with the Mayhem CLI:
       mayhem package build/out/zlib/compress_fuzzer -o zlib_compress
    6. View the Mayhemfile to ensure the libfuzzer and sanitizer directives are both set to true.
    7. Run mayhem run zlib_compress to start analysis by Mayhem.