From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,HK_RANDOM_FROM,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5EDE5C4CEC9 for ; Wed, 18 Sep 2019 23:35:39 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 278FB218AE for ; Wed, 18 Sep 2019 23:35:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="qnF6ANOe" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 278FB218AE Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bu.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:36060 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iAjU1-00008A-Ms for qemu-devel@archiver.kernel.org; Wed, 18 Sep 2019 19:35:37 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33429) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iAjEl-0000dh-Qs for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iAjEk-0002k6-2n for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:51 -0400 Received: from mail-eopbgr700101.outbound.protection.outlook.com ([40.107.70.101]:46848 helo=NAM04-SN1-obe.outbound.protection.outlook.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iAjEj-0002jO-Sa for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:49 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hYktvPTje5lD0QP/psbpddcqAcLPqCvjq3r/LgzMHtumYkebWraHLF8zpKL6ZCTXNLCGQeUpO1D72k+zdgxYW+vOmGcbs6rJLKSqX35p4Pcm5F6iQktxG3Q+AdrxOwL4W+Qsec7M6Z8keX90kQx9AiXTIrUfnB1wVH16RStUNP2eWymJze1CqHOiFmbUeTS6SZj0ZZ47CuChaq1OuWaLzWiVzhORHVBxtDCPcLWKZo/D79kyfKdrOaQ6HR5B34O61Bb0L2+U0Zafg8dWUQdKvsReylRY5XzykgHvuUKxoTJepwTL4TXiQ0GAE7/GQdED6A8bEz3x3SbFuyRTwq7QPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=35WXf4PmtsVb8aeIi7GRO2/t/g9rmSMUSEvk+8j9sBw=; b=FXdaFH/U/gLc5Lg0uw9uD1DmbdTtb+iO8fQY9l7fbaeKzJVmboFsAhv3SaLc2uXM1COBh55x7VcuXI8/sL/sjT9Qpgk6esyvfSH6+1ADo/mIzqxyOLGC5KIqSBocASyiLBrRSEFHVVov9JpI2y1dBIXc0S9vfukTjmzAvrPKj96947712y6odHLNZNYXi7lj+igS/VF3WDea7i/NpLI93Z2JjOJDlLRXWzlt5c7E+uJeAHe79jJL71E+gMmENKd2dkbP2/NQoJTgW4BzUFm1HjWCN4qPB91fAcX7b2ADLNAuZ3HACrgLAIGOG7HDB76tN6yZ8bCY+Xj827L7mOQ3vg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bu.edu; dmarc=pass action=none header.from=bu.edu; dkim=pass header.d=bu.edu; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bushare.onmicrosoft.com; s=selector2-bushare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=35WXf4PmtsVb8aeIi7GRO2/t/g9rmSMUSEvk+8j9sBw=; b=qnF6ANOebTq1bahkdZNZXYyHALkYBr6yio+eXmvrkg1br4AORLSQGWk25Q9mqctJ271it/t7p1RJXTitmugve+K4ALEJQ+tQjFDaDLOJtiVJr3ai7rCSYNxyKPw8VIIvJ2cmcM1onhVfLYPtxdFhz0tBTUgOWdDe2IRtz2RDKfY= Received: from CY4PR03MB2872.namprd03.prod.outlook.com (10.175.118.17) by CY4PR03MB3016.namprd03.prod.outlook.com (10.175.117.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.20; Wed, 18 Sep 2019 23:19:48 +0000 Received: from CY4PR03MB2872.namprd03.prod.outlook.com ([fe80::6d88:c5bd:41ad:b107]) by CY4PR03MB2872.namprd03.prod.outlook.com ([fe80::6d88:c5bd:41ad:b107%3]) with mapi id 15.20.2263.023; Wed, 18 Sep 2019 23:19:48 +0000 From: "Oleinik, Alexander" To: "qemu-devel@nongnu.org" Thread-Topic: [PATCH v3 22/22] fuzz: add documentation to docs/devel/ Thread-Index: AQHVbneQioRrB1GE6EuvuszSk8W0eA== Date: Wed, 18 Sep 2019 23:19:48 +0000 Message-ID: <20190918231846.22538-23-alxndr@bu.edu> References: <20190918231846.22538-1-alxndr@bu.edu> In-Reply-To: <20190918231846.22538-1-alxndr@bu.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: git-send-email 2.23.0 x-originating-ip: [128.197.127.33] x-clientproxiedby: BL0PR02CA0124.namprd02.prod.outlook.com (2603:10b6:208:35::29) To CY4PR03MB2872.namprd03.prod.outlook.com (2603:10b6:903:134::17) authentication-results: spf=none (sender IP is ) smtp.mailfrom=alxndr@bu.edu; x-ms-exchange-messagesentrepresentingtype: 1 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 56310e6f-1920-474e-7eec-08d73c8eb333 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CY4PR03MB3016; x-ms-traffictypediagnostic: CY4PR03MB3016: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-forefront-prvs: 01644DCF4A x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(1496009)(4636009)(39860400002)(366004)(376002)(136003)(346002)(396003)(199004)(189003)(66066001)(86362001)(52116002)(478600001)(2616005)(7736002)(71190400001)(8676002)(36756003)(71200400001)(14454004)(54906003)(316002)(786003)(6486002)(14444005)(81156014)(75432002)(256004)(6436002)(305945005)(6916009)(6512007)(5640700003)(386003)(486006)(26005)(11346002)(186003)(102836004)(99286004)(76176011)(66946007)(446003)(476003)(66476007)(66556008)(64756008)(66446008)(6506007)(5660300002)(4326008)(2501003)(2351001)(6116002)(81166006)(50226002)(25786009)(1076003)(2906002)(88552002)(8936002)(3846002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR03MB3016; H:CY4PR03MB2872.namprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: bu.edu does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: NyrKd7o9S7+bH8WqH5RtDCeaWcAGazSpjOF8AmGoizS11PZxbxKDy1IXQ3/KHPmq7+ihtitPUpd8Sgn8BjLix6ll5xHmK/eyEICHehEB1IgosWegIc2FfX+5evGKLZFo2Vt4jFNaMNOeTzsQLf77zTE6VTwlWnuDQUwxlPi7nfobcHN1bxL3mfHBA1wWHP7dk4DATqmcyL7cyUOmdxK7Fux9DTjRO20ziD5SxLivykmv0GfSUrsEBegodcYNWu9FuLz3OovlbGBvwn1XM9ZCDW/4dn0wiRFXMWCcNoY0qF/0TB55amc+zbHITOkhCG4nw5mWvQnDXwkWbeUgiubxEU3lMcYKY15EsKR0m7K+yw6uqhPHdpYBy6/PfxCLstnxU7We603/W1lzRAR/u6BYLT9NfteehR+yKakalY/vXio= Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: bu.edu X-MS-Exchange-CrossTenant-Network-Message-Id: 56310e6f-1920-474e-7eec-08d73c8eb333 X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2019 23:19:48.6853 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: d57d32cc-c121-488f-b07b-dfe705680c71 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: OQzuZP61t8A29U8h4vtmo2MkbBndbWoCKDo2isD8iD9Qc3RIcxqgQgLW7puLuOaJ X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR03MB3016 X-detected-operating-system: by eggs.gnu.org: Windows 7 or 8 [fuzzy] X-Received-From: 40.107.70.101 Subject: [Qemu-devel] [PATCH v3 22/22] fuzz: add documentation to docs/devel/ X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "pbonzini@redhat.com" , "bsd@redhat.com" , "stefanha@redhat.com" , "Oleinik, Alexander" Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Signed-off-by: Alexander Oleinik --- docs/devel/fuzzing.txt | 114 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 docs/devel/fuzzing.txt diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt new file mode 100644 index 0000000000..53a1f858f5 --- /dev/null +++ b/docs/devel/fuzzing.txt @@ -0,0 +1,114 @@ +=3D Fuzzing =3D + +=3D=3D Introduction =3D=3D + +This document describes the virtual-device fuzzing infrastructure in QEMU = and +how to use it to implement additional fuzzers. + +=3D=3D Basics =3D=3D + +Fuzzing operates by passing inputs to an entry point/target function. The +fuzzer tracks the code coverage triggered by the input. Based on these +findings, the fuzzer mutates the input and repeats the fuzzing.=20 + +To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libf= uzzer +is an _in-process_ fuzzer. For the developer, this means that it is their +responsibility to ensure that state is reset between fuzzing-runs. + +=3D=3D Building the fuzzers =3D=3D + +NOTE: If possible, build a 32-bit binary. When forking, the page map ends = up +being much smaller. On 64-bit AddressSanitizer consumes 20 Terabytes of vi= rtual +memory. + +To build the fuzzers, install a recent version of clang: +Configure with (substitute the clang binaries with the version you install= ed): + + CC=3Dclang-8 CXX=3Dclang++-8 /path/to/configure --enable-fuzzing + +Fuzz targets are built similarily to system/softmmu: + + make i386-softmmu/fuzz + +This builds ./i386-softmmu/qemu-fuzz-i386 + +The first option to this command is: --FUZZER_NAME +To list all of the available fuzzers run qemu-fuzz-i386 with no arguments. + +Libfuzzer parses all arguments that do not begin with "--". Information ab= out +these is available by passing -help=3D1 + +Now the only thing left to do is wait for the fuzzer to trigger potential +crashes. + +=3D=3D Adding a new fuzzer =3D=3D +Coverage over virtual devices can be improved by adding additional fuzzers= .=20 +Fuzzers are kept in tests/fuzz/ and should be added to +tests/fuzz/Makefile.include + +Fuzzers can rely on both qtest and libqos to communicate with virtual devi= ces. + +1. Create a new source file. For example ``tests/fuzz/fuzz-foo-device.c``. + +2. Write the fuzzing code using the libqtest/libqos API. See existing fuzz= ers +for reference. + +3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the +corresponding object to fuzz-obj-y + +Fuzzers can be more-or-less thought of as special qtest programs which can +modify the qtest commands and/or qtest command arguments based on inputs +provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly = the +fuzzer loops over the byte-array interpreting it as a list of qtest comman= ds, +addresses, or values. + + +=3D Implmentation Details =3D + +=3D=3D The Fuzzer's Lifecycle =3D=3D + +The fuzzer has two entrypoints that libfuzzer calls. + +LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of t= he +necessary state + +LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input a= nd +resets the state at the end of each run. + +In more detail: + +LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with t= wo +dashes, so they are ignored by libfuzzer main()). Currently, the arguments +select the fuzz target. Then, the qtest client is initialized. If the targ= et +requires qos, qgraph is set up and the QOM/LIBQOS modules are initailized. +Then the QGraph is walked and the QEMU cmd_line is determined and saved. + +After this, the vl.c:real_main is called to set up the guest. After this, = the +fuzzer saves the initial vm/device state to ram, after which the initiliza= tion +is complete. + +LLVMFuzzerTestOneInput: Uses qtest/qos functions to act based on the fuzz +input. It is also responsible for manually calling the main loop/main_loop= _wait +to ensure that bottom halves are executed. Finally, it calls reset() which +restores state from the ramfile and/or resets the guest. + + +Since the same process is reused for many fuzzing runs, QEMU state needs t= o +be reset at the end of each run. There are currently two implemented +options for resetting state:=20 +1. Reboot the guest between runs. + Pros: Straightforward and fast for simple fuzz targets.=20 + Cons: Depending on the device, does not reset all device state. If the + device requires some initialization prior to being ready for fuzzing + (common for QOS-based targets), this initialization needs to be done af= ter + each reboot. + Example target: --virtio-net-ctrl-fuzz +2. Run each test case in a separate forked process and copy the coverage + information back to the parent. This is fairly similar to AFL's "deferr= ed" + fork-server mode [3] + Pros: Relatively fast. Devices only need to be initialized once. No nee= d + to do slow reboots or vmloads. + Cons: Not officially supported by libfuzzer and the implementation is v= ery + flimsy. Does not work well for devices that rely on dedicated threads. + Example target: --qtest-fork-fuzz + --=20 2.23.0