Fuzzing
Fuzz testing is an automated software testing method that injects invalid, malformed, or unexpected inputs to reveal defects and vulnerabilities. A fuzzing tool monitors the system for exceptions like crashes, information leakage, or errors, helping developers identify and fix bugs and security loopholes.
Current state of fuzzing in liboqs
- kem
  - bike
  - classic_mceliece
  - frodokem
  - hqc
  - kyber
  - ml_kem
  - ntruprime
- sig
  - dilithium
  - falcon
  - mayo
  - ml_dsa
  - sphincs
- sig_stfl
  - lms
  - xmss
Building and running fuzz tests
Building the fuzz tests is very similar to a normal build, with some optional steps to target different classes of bugs. The most basic way to build them is as follows:
mkdir build && cd build
cmake -GNinja .. -DOQS_BUILD_FUZZ_TESTS=ON
ninja -j$(nproc)
You can now run a fuzz test, e.g.
./tests/fuzz_test_dilithium2
#9764 NEW cov: 4 ft: 708 corp: 100/318b lim: 43 exec/s: 9764 rss: 362Mb L: 41/41 MS: 4 EraseBytes-InsertRepeatedBytes-CMP-ChangeBit- DE: "\0004m\372"-
...
The fuzzer will run indefinitely unless one of the following happens:
- it finds a bug and crashes (the offending input is written to the current directory as a crash-, timeout- or leak- file, which can be replayed by passing it as an argument to the same binary),
- you stop it manually, e.g. with CTRL-C,
- a time limit you set on the command line (e.g. -max_total_time=<seconds>) expires.
For more details on the available command line arguments please consult the libFuzzer docs.
Sanitizers
It is a common pattern to combine fuzzing with various sanitizers to catch different classes of bugs. The baseline is the fuzzer instrumentation itself, -fsanitize=fuzzer-no-link, which instruments the code for coverage-guided fuzzing (this is a libFuzzer feature and requires clang). To enable it, add this to your environment before configuring CMake:
export CFLAGS=-fsanitize=fuzzer-no-link
It is common to combine the fuzzer instrumentation with either the address sanitizer or the undefined behaviour sanitizer (replace address with undefined below for the latter; do not enable both address and memory sanitizer at once, they are mutually exclusive). The sanitizer runtime has to be linked as well, so add the relevant flags to BOTH CFLAGS and LDFLAGS, e.g.
export CFLAGS=-fsanitize=fuzzer-no-link,address
export LDFLAGS=-fsanitize=address
Then configure and build as normal, using a fresh build directory, since CMake only reads CFLAGS and LDFLAGS on the first configure of a directory:
mkdir build && cd build
cmake -GNinja .. -DOQS_BUILD_FUZZ_TESTS=ON
ninja -j$(nproc)
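The build-and-run procedure above and the sanitizer flags in this section, put together as an added example script (this is not liboqs's own tooling): it maps a sanitizer name to the CFLAGS/LDFLAGS pair, configures a fresh build directory, runs one target with a total time limit, a per-input timeout and a dedicated artifact directory, and pulls the final coverage out of libFuzzer's status line. The directory names build-fuzz/, corpus/ and artifacts/, the OQS_FUZZ_* variables and the status_field helper are this script's own assumptions; it expects clang, since libFuzzer is clang-only.

```shell
#!/bin/sh
# Added example (not liboqs code): build the liboqs fuzz targets with a chosen
# sanitizer and run one target for a bounded time, saving crash artifacts.
# Assumptions: run from the liboqs source root, clang is available, and the
# directories build-fuzz/, corpus/ and artifacts/ are this script's own choice.
set -eu

# CFLAGS for a sanitizer choice. "none" is plain coverage instrumentation;
# -fno-omit-frame-pointer keeps ASan stack traces readable.
sanitizer_cflags() {
    case "$1" in
        none)      printf '%s\n' '-fsanitize=fuzzer-no-link' ;;
        address)   printf '%s\n' '-fsanitize=fuzzer-no-link,address -fno-omit-frame-pointer' ;;
        undefined) printf '%s\n' '-fsanitize=fuzzer-no-link,undefined' ;;
        *)         printf 'unsupported sanitizer: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Matching LDFLAGS: the sanitizer runtime must be linked in. fuzzer-no-link
# needs nothing here; the fuzz binaries link libFuzzer themselves.
sanitizer_ldflags() {
    case "$1" in
        none)      printf '\n' ;;
        address)   printf '%s\n' '-fsanitize=address' ;;
        undefined) printf '%s\n' '-fsanitize=undefined' ;;
        *)         printf 'unsupported sanitizer: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Extract one field (cov, ft, exec/s, rss, ...) from a libFuzzer status line.
status_field() {  # status_field <line> <key>
    printf '%s\n' "$1" | sed -n "s|.* $2: *\([^ ]*\).*|\1|p"
}

# Constructed sample: the status line from the example run shown above.
SAMPLE_STATUS='#9764 NEW cov: 4 ft: 708 corp: 100/318b lim: 43 exec/s: 9764 rss: 362Mb L: 41/41 MS: 4 EraseBytes-InsertRepeatedBytes-CMP-ChangeBit- DE: "\0004m\372"-'

# build_fuzz <sanitizer> <build-dir>: fresh directory so CMake picks up the flags.
build_fuzz() {
    rm -rf "$2"
    CC="${CC:-clang}" CFLAGS="$(sanitizer_cflags "$1")" LDFLAGS="$(sanitizer_ldflags "$1")" \
        cmake -GNinja -S . -B "$2" -DOQS_BUILD_FUZZ_TESTS=ON
    ninja -C "$2" -j"$(nproc)"
}

# run_target <build-dir> <fuzz-binary-name> <seconds>
run_target() {
    corpus="corpus/$2"; artifacts="artifacts/$2"; log="$artifacts/run.log"
    mkdir -p "$corpus" "$artifacts"
    # UBSan only warns by default, so libFuzzer would neither stop nor save
    # the input; halt_on_error turns each report into a crash. ASan aborts anyway.
    if UBSAN_OPTIONS='halt_on_error=1:print_stacktrace=1' \
       "$1/tests/$2" -max_total_time="$3" -timeout=30 -artifact_prefix="$artifacts/" \
           -print_final_stats=1 "$corpus" >"$log" 2>&1; then
        line=$(grep -E '^#[0-9]+ ' "$log" | tail -n 1)
        printf 'no crash in %ss; final cov: %s\n' "$3" "$(status_field "$line" cov)"
    else
        printf 'crash: see %s and %s/; replay with %s/tests/%s <artifact>\n' \
            "$log" "$artifacts" "$1" "$2" >&2
        return 1
    fi
}

# Only build and fuzz when a target is requested, e.g.
#   OQS_FUZZ_TARGET=fuzz_test_dilithium2 OQS_FUZZ_SAN=address sh fuzz_run.sh
if [ -n "${OQS_FUZZ_TARGET:-}" ]; then
    build_fuzz "${OQS_FUZZ_SAN:-address}" build-fuzz
    run_target build-fuzz "$OQS_FUZZ_TARGET" "${OQS_FUZZ_SECONDS:-600}"
fi
```

Two points worth keeping in mind: undefined-behaviour reports are non-fatal unless UBSAN_OPTIONS=halt_on_error=1 (or -fno-sanitize-recover=undefined at compile time) is set, so without that the fuzzer keeps running past real findings; and a saved artifact is replayed by passing the file path as the only argument to the same fuzz binary, which must be the same sanitizer build that produced it for the report to reproduce.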