Diffstat (limited to 'examples/src/main/java')
3 files changed, 153 insertions, 18 deletions
diff --git a/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java b/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java
index acc023a2..b68ef6f7 100644
--- a/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java
+++ b/examples/src/main/java/com/example/ExampleValueProfileFuzzer.java
@@ -32,14 +32,14 @@ public class ExampleValueProfileFuzzer {
 // Without -use_value_profile=1, the fuzzer gets stuck here as there is no direct correspondence
 // between the input bytes and the compared string. With value profile, the fuzzer can guess the
 // expected input byte by byte, which takes linear rather than exponential time.
- if (base64(data.consumeBytes(6)).equals("SmF6emVy")) {
+ if (((Object) base64(data.consumeBytes(6))).equals("SmF6emVy")) {
 long[] plaintextBlocks = data.consumeLongs(2);
 if (plaintextBlocks.length != 2) return;
 if (insecureEncrypt(plaintextBlocks[0]) == 0x9fc48ee64d3dc090L) {
- // Without --fake_pcs (enabled by default with -use_value_profile=1), the fuzzer would get
- // stuck here as the value profile information for long comparisons would not be able to
- // distinguish between this comparison and the one above.
+ // Without variants of the fuzzer hooks for compares that also take in fake PCs, the fuzzer
+ // would get stuck here as the value profile information for long comparisons would not be
+ // able to distinguish between this comparison and the one above.
 if (insecureEncrypt(plaintextBlocks[1]) == 0x888a82ff483ad9c2L) {
 mustNeverBeCalled();
 }
diff --git a/examples/src/main/java/com/example/JpegImageParserFuzzer.java b/examples/src/main/java/com/example/JpegImageParserFuzzer.java
index a6898bf0..ba3e7c81 100644
--- a/examples/src/main/java/com/example/JpegImageParserFuzzer.java
+++ b/examples/src/main/java/com/example/JpegImageParserFuzzer.java
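Review bot: The `(Object)` cast added on the `base64(...)` comparison is the entire code change of this hunk, yet nothing in the hunk says why it is there, so a later cleanup will read it as a redundant cast and drop it. Presumably the intent is that the call site resolves to `Object.equals` instead of `String.equals` so that a different compare hook is exercised, but that cannot be confirmed from the hunk; please state the real reason next to it, e.g. `// Cast to Object so this call site is compiled as Object.equals, not String.equals (exercises that hook variant).` The same applies to the rewritten comment below it, which explains the fake-PC hook variants but not why the string comparison needed to change. The enclosing method begins and ends outside this hunk.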
@@ -22,20 +22,6 @@ import org.apache.commons.imaging.formats.jpeg.JpegImageParser;
 // Found https://issues.apache.org/jira/browse/IMAGING-275.
 public class JpegImageParserFuzzer {
- public static void fuzzerInitialize() {
- String foo = System.getProperty("foo");
- String bar = System.getProperty("bar");
- String baz = System.getProperty("baz");
- // Only used to verify that arguments are correctly passed down to child processes.
- if (foo == null || bar == null || baz == null || !foo.equals("foo")
- || !(bar.equals("b;ar") || bar.equals("b:ar")) || !baz.equals("baz")) {
- // Exit the process with an exit code different from that for a finding.
- System.err.println("ERROR: Did not correctly pass all jvm_args to child process.");
- System.err.printf("foo: %s%nbar: %s%nbaz: %s%n", foo, bar, baz);
- System.exit(3);
- }
- }
-
 public static void fuzzerTestOneInput(byte[] input) {
 try {
 new JpegImageParser().getBufferedImage(new ByteSourceArray(input), new HashMap<>());
diff --git a/examples/src/main/java/com/example/MazeFuzzer.java b/examples/src/main/java/com/example/MazeFuzzer.java
new file mode 100644
index 00000000..9d3448c7
--- /dev/null
+++ b/examples/src/main/java/com/example/MazeFuzzer.java
@@ -0,0 +1,149 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.Consumer3;
+import com.code_intelligence.jazzer.api.Jazzer;
+import java.util.Arrays;
+import java.util.stream.Collectors;
+
+// A fuzz target that shows how manually informing the fuzzer about important state can make a fuzz
+// target much more effective.
+// This is a Java version of the famous "maze game" discussed in
+// "IJON: Exploring Deep State Spaces via Fuzzing", available at:
+// https://wcventure.github.io/FuzzingPaper/Paper/SP20_IJON.pdf
+public final class MazeFuzzer {
+ private static final String[] MAZE_STRING = new String[] {
+ " ███████████████████",
+ " █ █ █ █ █ █",
+ "█ █ █ █ ███ █ █ █ ███",
+ "█ █ █ █ █ █",
+ "█ █████ ███ ███ █ ███",
+ "█ █ █ █ █ █",
+ "█ ███ ███████ █ ███ █",
+ "█ █ █ █ █ █",
+ "███████ █ █ █████ ███",
+ "█ █ █ █ █",
+ "█ ███████ █ ███ ███ █",
+ "█ █ █ █ █ █ █",
+ "███ ███ █ ███ █ ███ █",
+ "█ █ █ █ █ █",
+ "█ ███████ █ █ █ █ █ █",
+ "█ █ █ █ █ █ █",
+ "█ █ █████████ ███ ███",
+ "█ █ █ █ █ █ █",
+ "█ █ █ ███ █████ ███ █",
+ "█ █ █ ",
+ "███████████████████ #",
+ };
+
+ private static final char[][] MAZE = parseMaze();
+ private static final char[][] REACHED_FIELDS = parseMaze();
+
+ public static void fuzzerTestOneInput(byte[] commands) {
+ executeCommands(commands, (x, y, won) -> {
+ if (won) {
+ throw new TreasureFoundException(commands);
+ }
+ // This is the key line that makes this fuzz target work: It instructs the fuzzer to track
+ // every new combination of x and y as a new feature. Without it, the fuzzer would be
+ // completely lost in the maze as guessing an escaping path by chance is close to impossible.
+ Jazzer.exploreState(hash(x, y), 0);
+ if (REACHED_FIELDS[y][x] == ' ') {
+ // Fuzzer reached a new field in the maze, print its progress.
+ REACHED_FIELDS[y][x] = '.';
+ System.out.println(renderMaze(REACHED_FIELDS));
+ }
+ });
+ }
+
+ // Hash function with good mixing properties published by Thomas Mueller
+ // under the terms of CC BY-SA 4.0 at
+ // https://stackoverflow.com/a/12996028
+ // https://creativecommons.org/licenses/by-sa/4.0/
+ private static byte hash(byte x, byte y) {
+ int h = (x << 8) | y;
+ h = ((h >> 16) ^ h) * 0x45d9f3b;
+ h = ((h >> 16) ^ h) * 0x45d9f3b;
+ h = (h >> 16) ^ h;
+ return (byte) h;
+ }
+
+ private static class TreasureFoundException extends RuntimeException {
+ TreasureFoundException(byte[] commands) {
+ super(renderPath(commands));
+ }
+ }
+
+ private static void executeCommands(byte[] commands, Consumer3<Byte, Byte, Boolean> callback) {
+ byte x = 0;
+ byte y = 0;
+ callback.accept(x, y, false);
+
+ for (byte command : commands) {
+ byte nextX = x;
+ byte nextY = y;
+ switch (command) {
+ case 'L':
+ nextX--;
+ break;
+ case 'R':
+ nextX++;
+ break;
+ case 'U':
+ nextY--;
+ break;
+ case 'D':
+ nextY++;
+ break;
+ default:
+ return;
+ }
+ char nextFieldType;
+ try {
+ nextFieldType = MAZE[nextY][nextX];
+ } catch (IndexOutOfBoundsException e) {
+ // Fuzzer tried to walk through the exterior walls of the maze.
+ continue;
+ }
+ if (nextFieldType != ' ' && nextFieldType != '#') {
+ // Fuzzer tried to walk through the interior walls of the maze.
+ continue;
+ }
+ // Fuzzer performed a valid move.
+ x = nextX;
+ y = nextY;
+ callback.accept(x, y, nextFieldType == '#');
+ }
+ }
+
+ private static char[][] parseMaze() {
+ return Arrays.stream(MazeFuzzer.MAZE_STRING).map(String::toCharArray).toArray(char[][] ::new);
+ }
+
+ private static String renderMaze(char[][] maze) {
+ return Arrays.stream(maze).map(String::new).collect(Collectors.joining("\n", "\n", "\n"));
+ }
+
+ private static String renderPath(byte[] commands) {
+ char[][] mutableMaze = parseMaze();
+ executeCommands(commands, (x, y, won) -> {
+ if (!won) {
+ mutableMaze[y][x] = '.';
+ }
+ });
+ return renderMaze(mutableMaze);
+ }
+}
|
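Review bot: `hash(byte x, byte y)` returns `(byte) h`, so `Jazzer.exploreState(hash(x, y), 0)` can label at most 256 distinct positions while the 21-row maze has up to 441 cells; any two cells that alias to the same byte look like one state to the fuzzer, which weakens exactly the "key line" the comment above it advertises. If the `id` argument of `exploreState` is folded into the feature (not verifiable from this hunk), passing the coordinates directly as `Jazzer.exploreState(x, y);` gives every cell a unique feature and makes the hash helper unnecessary; if it is not, the aliasing deserves a comment so nobody later counts on every cell being distinguishable. Separately, `executeCommands` uses a caught `IndexOutOfBoundsException` to detect a step outside the maze; an explicit `if (nextY < 0 || nextY >= MAZE.length || nextX < 0 || nextX >= MAZE[nextY].length) continue;` before the lookup avoids exception-driven control flow on the hot path and also copes with rows of unequal length.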