oss-fuzz/docs/new_project_guide.md

277 lines
12 KiB
Markdown
Raw Normal View History

# Setting up a New Project
## Prerequisites
2016-12-03 04:54:38 +00:00
- [Integrate](ideal_integration.md) one or more [Fuzz Targets](glossary.md#fuzz-target)
2016-12-02 16:52:30 +00:00
with the project you want to fuzz.<BR>
2016-12-07 19:35:53 +00:00
Examples:
2016-12-02 16:51:43 +00:00
[boringssl](https://github.com/google/boringssl/tree/master/fuzz),
[SQLite](https://www.sqlite.org/src/artifact/ad79e867fb504338),
[s2n](https://github.com/awslabs/s2n/tree/master/tests/fuzz),
[openssl](https://github.com/openssl/openssl/tree/master/fuzz),
[FreeType](http://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/tools/ftfuzzer),
[re2](https://github.com/google/re2/tree/master/re2/fuzzing),
[harfbuzz](https://github.com/behdad/harfbuzz/tree/master/test/fuzzing),
[pcre2](http://vcs.pcre.org/pcre2/code/trunk/src/pcre2_fuzzsupport.c?view=markup),
2017-01-31 15:42:27 +00:00
[ffmpeg](https://github.com/FFmpeg/FFmpeg/blob/master/tools/target_dec_fuzzer.c).
2016-12-02 16:52:30 +00:00
2016-12-11 06:24:11 +00:00
- [Install Docker](installing_docker.md). ([Why Docker?](faq.md#why-do-you-use-docker))
2016-12-02 16:51:43 +00:00
2016-10-12 01:26:42 +00:00
2016-09-27 19:17:38 +00:00
## Overview
2016-12-07 19:35:53 +00:00
To add a new OSS project to OSS-Fuzz, you need a project subdirectory
inside the [`projects/`](../projects) directory in [OSS-Fuzz repository](https://github.com/google/oss-fuzz).
Example: [boringssl](https://github.com/google/boringssl) project is located in
2016-11-30 04:19:44 +00:00
[`projects/boringssl`](../projects/boringssl).
2016-11-30 04:19:44 +00:00
The project directory needs to contain the following three configuration files:
* `projects/<project_name>/project.yaml` - provides metadata about the project.
2016-12-07 19:35:53 +00:00
* `projects/<project_name>/Dockerfile` - defines the container environment with information
2016-12-03 05:01:03 +00:00
on dependencies needed to build the project and its [fuzz targets](glossary.md#fuzz-target).
2016-12-07 19:35:53 +00:00
* `projects/<project_name>/build.sh` - build script that executes inside the container and
2016-11-30 04:19:44 +00:00
generates project build.
2016-12-07 19:35:53 +00:00
To *automatically* create a new directory for your project and
generate templated versions of these configuration files,
2016-11-30 04:19:44 +00:00
run the following set of commands:
2016-09-01 18:43:44 +00:00
```bash
2016-09-27 18:39:04 +00:00
$ cd /path/to/oss-fuzz
2016-11-30 04:19:44 +00:00
$ export PROJECT_NAME=<project_name>
2016-11-29 19:27:56 +00:00
$ python infra/helper.py generate $PROJECT_NAME
2016-09-01 18:43:44 +00:00
```
2016-12-03 05:01:03 +00:00
It is preferred to keep and maintain [fuzz targets](glossary.md#fuzz-target) in your own source code repository. If this is not possible due to various reasons, you can store them inside the OSS-Fuzz's project directory created above.
2016-09-27 21:07:19 +00:00
## project.yaml
This file stores the metadata about your project. The following attributes are supported:
* `homepage` - Project's homepage.
* `primary_contact`, `auto_ccs` - Primary contact and CCs list. These people get access to ClusterFuzz
which includes crash reports, fuzzer statistics, etc and are auto-cced on newly filed bugs in OSS-Fuzz
tracker.
* `sanitizers` (optional) - List of sanitizers to use. By default, you shouldn't override this and it
will use the default list of supported sanitizers (currently -
AddressSanitizer("address"), UndefinedBehaviorSanitizer("undefined")).
If your project does not build with a particular sanitizer configuration and you need some time fixing
it, then you can use this option to override the defaults temporarily. E.g. For disabling
UndefinedBehaviourSanitizer build, then you can just specify all supported sanitizers, except "undefined".
Example: [boringssl](https://github.com/google/oss-fuzz/blob/master/projects/boringssl/project.yaml).
2016-09-27 19:17:38 +00:00
## Dockerfile
2016-12-07 19:35:53 +00:00
This file defines the Docker image definition. This is where the build.sh script will be executed in.
2016-11-29 21:21:48 +00:00
It is very simple for most projects:
```docker
FROM ossfuzz/base-builder # base image with clang toolchain
2016-11-30 04:19:44 +00:00
MAINTAINER YOUR_EMAIL # maintainer for this file
RUN apt-get install -y ... # install required packages to build your project
2016-11-30 17:24:04 +00:00
RUN git clone <git_url> <checkout_dir> # checkout all sources needed to build your project
WORKDIR <checkout_dir> # current directory for build script
2016-11-30 04:19:44 +00:00
COPY build.sh fuzzer.cc $SRC/ # copy build script and other fuzzer files in src dir
```
2016-11-29 19:27:56 +00:00
Expat example: [expat/Dockerfile](../projects/expat/Dockerfile)
2016-09-27 19:17:38 +00:00
## build.sh
2016-12-07 19:35:53 +00:00
This file describes how to build [fuzz targets](glossary.md#fuzz-target) for your project.
2016-11-30 04:19:44 +00:00
The script will be executed within the image built from `Dockerfile`.
In general, this script will need to:
2016-12-07 19:35:53 +00:00
1. Build the project using your build system *with* correct compiler and its flags provided as
*environment variables* (see below).
2016-12-03 05:01:03 +00:00
2. Build the [fuzz targets](glossary.md#fuzz-target), linking your project's build and libFuzzer.
Resulting binaries should be placed in `$OUT`.
2016-12-07 19:35:53 +00:00
2016-12-08 17:55:28 +00:00
*Note*:
1. Please don't assume that the fuzzing engine is libFuzzer and hardcode in your build scripts.
In future, we will add support for other fuzzing engines like AFL.
2016-12-08 17:55:28 +00:00
So, link the fuzzing engine using `-lFuzzingEngine`, see example below.
2. Please make sure that the binary names for your [fuzz targets](glossary.md#fuzz-target) contain only
2016-12-08 17:57:58 +00:00
alphanumeric characters, underscore(_) or dash(-). Otherwise, they won't run on our infrastructure.
2016-11-30 04:28:51 +00:00
For expat, this looks like [this](https://github.com/google/oss-fuzz/blob/master/projects/expat/build.sh):
```bash
#!/bin/bash -eu
./buildconf.sh
2016-09-27 20:41:52 +00:00
# configure scripts usually use correct environment variables.
./configure
2016-09-27 20:41:52 +00:00
2016-11-30 04:28:51 +00:00
make clean
make -j$(nproc) all
$CXX $CXXFLAGS -std=c++11 -Ilib/ \
2016-11-30 04:28:51 +00:00
$SRC/parse_fuzzer.cc -o $OUT/parse_fuzzer \
-lFuzzingEngine .libs/libexpat.a
2016-11-30 04:28:51 +00:00
cp $SRC/*.dict $SRC/*.options $OUT/
```
2016-12-07 19:35:53 +00:00
### build.sh Script Environment
2016-09-27 20:41:52 +00:00
When build.sh script is executed, the following locations are available within the image:
| Location|Env| Description |
|---------| -------- | ---------- |
| `/out/` | `$OUT` | Directory to store build artifacts (fuzz targets, dictionaries, options files, seed corpus archives). |
| `/src/` | `$SRC` | Directory to checkout source files |
| `/work/`| `$WORK` | Directory for storing intermediate files |
| `/usr/lib/libFuzzingEngine.a` | `$LIB_FUZZING_ENGINE` | Location of prebuilt fuzzing engine library (e.g. libFuzzer ) that needs to be linked with all fuzz targets (`-lFuzzingEngine`).
While files layout is fixed within a container, the environment variables are
provided to be able to write retargetable scripts.
2016-09-27 20:41:52 +00:00
2016-11-30 04:19:44 +00:00
You *must* use the special compiler flags needed to build your project and fuzz targets.
These flags are provided in the following environment variables:
2016-09-27 20:41:52 +00:00
| Env Variable | Description
| ------------- | --------
| `$CC`, `$CXX`, `$CCC` | The C and C++ compiler binaries.
| `$CFLAGS`, `$CXXFLAGS` | C and C++ compiler flags.
2016-09-27 20:41:52 +00:00
2016-11-30 04:19:44 +00:00
Most well-crafted build scripts will automatically use these variables. If not,
pass them manually to the build tool.
See [Provided Environment Variables](../infra/base-images/base-builder/README.md#provided-environment-variables) section in
`base-builder` image documentation for more details.
2016-10-13 21:03:43 +00:00
2017-02-07 17:35:26 +00:00
## Fuzzer execution environment
[This page](fuzzer_environment.md) gives information about the environment that
your [fuzz targets](glossary.md#fuzz-target) will run on ClusterFuzz, and the assumptions that you can make.
2016-11-07 20:28:32 +00:00
## Testing locally
2016-12-03 05:01:03 +00:00
Use the helper script to build docker image and [fuzz targets](glossary.md#fuzz-target).
2016-11-07 20:28:32 +00:00
```bash
$ cd /path/to/oss-fuzz
2016-11-29 19:31:18 +00:00
$ python infra/helper.py build_image $PROJECT_NAME
2017-02-03 03:12:13 +00:00
$ python infra/helper.py build_fuzzers -e SANITIZER=<address/memory/undefined> $PROJECT_NAME
2016-11-07 20:28:32 +00:00
```
2016-12-03 05:01:03 +00:00
This should place the built binaries into `/path/to/oss-fuzz/build/out/$PROJECT_NAME`
2017-01-14 19:46:45 +00:00
directory on your machine (and `$OUT` in the container).
*Note*: You *must* run these fuzz target binaries inside the base-runner docker
container to make sure that they work properly:
2016-11-07 20:28:32 +00:00
```bash
2016-11-30 05:14:25 +00:00
$ python infra/helper.py run_fuzzer $PROJECT_NAME <fuzz_target>
2016-11-07 20:28:32 +00:00
```
2017-01-14 19:46:45 +00:00
If everything works locally, then it should also work on our automated builders and ClusterFuzz.
2017-01-14 20:13:15 +00:00
If it fails, check out [this](fuzzer_environment.md#dependencies) entry.
2016-11-07 20:28:32 +00:00
2016-12-07 19:35:53 +00:00
It's recommended to look at code coverage as a sanity check to make sure that
2016-12-03 05:01:03 +00:00
[fuzz target](glossary.md#fuzz-target) gets to the code you expect.
2016-11-07 20:28:32 +00:00
```bash
2016-11-30 05:14:25 +00:00
$ python infra/helper.py coverage $PROJECT_NAME <fuzz_target>
2016-11-07 20:28:32 +00:00
```
2017-02-03 03:12:13 +00:00
*Note*: Currently, we only support AddressSanitizer (address) and UndefinedBehaviorSanitizer (undefined)
2017-02-07 23:23:00 +00:00
configurations. MemorySanitizer is in development mode and not recommended for use. <b>Make sure to test each
of the supported build configurations with the above commands (build_fuzzers -> run_fuzzer -> coverage).</b>
2016-11-07 20:28:32 +00:00
## Debugging Problems
2016-12-03 05:01:03 +00:00
[Debugging](debugging.md) document lists ways to debug your build scripts or
[fuzz targets](glossary.md#fuzz-target)
2016-11-07 20:28:32 +00:00
in case you run into problems.
## Custom libFuzzer options for ClusterFuzz
2016-09-27 21:07:19 +00:00
2016-11-29 22:05:11 +00:00
By default, ClusterFuzz will run your fuzzer without any options. You can specify
2016-11-30 04:28:51 +00:00
custom options by creating a `my_fuzzer.options` file next to a `my_fuzzer` executable in `$OUT`:
```
2016-10-13 15:33:02 +00:00
[libfuzzer]
2016-10-13 15:24:56 +00:00
max_len = 1024
```
2016-11-30 16:25:49 +00:00
[List of available options](http://llvm.org/docs/LibFuzzer.html#options). Use of `max_len` is highly recommended.
2016-10-13 15:27:26 +00:00
2016-12-03 05:01:03 +00:00
For out of tree [fuzz targets](glossary.md#fuzz-target), you will likely add options file using docker's
2016-12-07 19:35:53 +00:00
`COPY` directive and will copy it into output in build script.
2016-11-30 05:14:25 +00:00
(example: [woff2](https://github.com/google/oss-fuzz/blob/master/projects/woff2/convert_woff2ttf_fuzzer.options)).
2016-10-28 22:09:44 +00:00
2016-11-07 20:28:32 +00:00
2016-10-28 22:13:26 +00:00
### Seed Corpus
2016-10-28 22:09:44 +00:00
2016-11-29 22:05:11 +00:00
OSS-Fuzz uses evolutionary fuzzing algorithms. Supplying seed corpus consisting
2016-12-03 05:01:03 +00:00
of good sample inputs is one of the best ways to improve [fuzz target](glossary.md#fuzz-target)'s coverage.
2016-10-28 22:09:44 +00:00
To provide a corpus for `my_fuzzer`, put `my_fuzzer_seed_corpus.zip` file next
2016-12-07 19:35:53 +00:00
to the [fuzz target](glossary.md#fuzz-target)'s binary in `$OUT` during the build. Individual files in this
archive will be used as starting inputs for mutations. You can store the corpus
next to source files, generate during build or fetch it using curl or any other
tool of your choice.
2016-12-05 02:59:29 +00:00
(example: [boringssl](https://github.com/google/oss-fuzz/blob/master/projects/boringssl/build.sh#L41)).
2016-10-28 22:09:44 +00:00
Seed corpus files will be used for cross-mutations and portions of them might appear
in bug reports or be used for further security research. It is important that corpus
has an appropriate and consistent license.
2016-10-13 15:24:56 +00:00
### Dictionaries
Dictionaries hugely improve fuzzing efficiency for inputs with lots of similar
2016-12-03 05:01:03 +00:00
sequences of bytes. [libFuzzer documentation](http://libfuzzer.info#dictionaries)
2016-11-30 04:28:51 +00:00
Put your dict file in `$OUT` and specify in .options file:
2016-10-13 15:24:56 +00:00
```
[libfuzzer]
dict = dictionary_name.dict
```
2016-12-03 05:01:03 +00:00
It is common for several [fuzz targets](glossary.md#fuzz-target)
to reuse the same dictionary if they are fuzzing very similar inputs.
2016-11-30 05:14:25 +00:00
(example: [expat](https://github.com/google/oss-fuzz/blob/master/projects/expat/parse_fuzzer.options)).
2016-10-17 19:39:28 +00:00
2016-11-30 04:19:44 +00:00
## Checking in to OSS-Fuzz repository
2016-11-29 22:05:11 +00:00
Fork OSS-Fuzz, commit and push to the fork, and then create a pull request with
2016-10-13 21:07:40 +00:00
your change! Follow the [Forking Project](https://guides.github.com/activities/forking/) guide
if you are new to contributing via GitHub.
### Copyright headers
Please include copyright headers for all files checked in to oss-fuzz:
```
# Copyright 2016 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
```
2016-11-30 04:28:51 +00:00
If you are porting a fuzz target from Chromium, keep the original Chromium license header.
## The end
2016-11-30 04:28:51 +00:00
Once your change is merged, your project and fuzz targets should be automatically built and run on
2016-12-07 19:35:53 +00:00
ClusterFuzz after a short while (&lt; 1 day)!<BR><BR>
2016-12-02 17:58:13 +00:00
Check your project's build status [here](https://oss-fuzz-build-logs.storage.googleapis.com/status.html).<BR>
2017-02-13 20:27:35 +00:00
Check out the crashes generated and code coverage statistics on [ClusterFuzz](clusterfuzz.md) web interface [here](https://oss-fuzz.com/).