*.*

Author: guidovranken

CMakeLists.txt

@@ -0,0 +1,6 @@
+cmake_minimum_required (VERSION 2.6)
+project (vfuzz)
+add_definitions(-Wall -Wextra -std=c++17 -O3 -g -DNDEBUG)
+add_subdirectory(libvfuzz-core)
+add_subdirectory(libvfuzz-runtime)
+add_subdirectory(examples)

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Guido Vranken
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,80 @@
+# vfuzz
+
+(previously called VrankenFuzz).
+
+I don't claim superiority over other engines in performance or efficiency out of the box, but this does implement some features that I felt where lacking elsewhere.
+
+## Custom generators
+
+Fetch any type of data from anywhere in your harness. The single byte array input provided by AFL/libFuzzer is a crude instrument for constructing complex objects in your harness. Protobufs are used to work around this, but there is no reason to not provide multiple data streams at the engine level.
+
+## Custom sensors
+
+Rather than just code coverage, use any quantifier. Code coverage is quite useful for most purposes, but not always sufficient for exploring specific corner cases.
+
+You can use any ```uint64_t``` value in combination with one of several conditions (value higher than previous, value lower than previous, # of unique values) (which I call Processors) to add inputs to the corpus.
+
+Custom sensors should make it easy to implement fuzzing non-LLVM-based languages, provided that you can extract a coverage signal from that language's interpreter or runtime. libFuzzer's equivalent of custom sensors is "extra counters", and I and several other people used this feature to implement libFuzzer support for [go-fuzz](https://github.com/dvyukov/go-fuzz) (which in turn made Go fuzzing on [OSS-Fuzz](https://github.com/google/oss-fuzz) possible) with minimal effort.
+
+The library also comes bundled with some built-in sensors that are a bridge between instrumentation and system calls and the rest of the library:
+
+### kSensorBuiltinCodeCoverage
+
+Add to corpus if total of unique PC's observed is higher than before.
+
+### kSensorBuiltinStackDepth
+
+Add to corpus if stack pointer observed is lower than before. Useful for finding stack overflows.
+
+### kSensorBuiltinStackUnique
+
+Add to corpus if total of unique stack pointers observed is higher than before. Useful for finding stack overflows.
+
+### kSensorBuiltinIntensity
+
+Add to corpus if total of non-unique PC's observed is higher than before. Useful for finding slow inputs.
+
+### kSensorBuiltinAllocSingleMax
+
+Add to corpus if ```malloc()``` size from a particular location is higher than before. Useful for finding heap exhaustion inputs.
+
+### kSensorBuiltinAllocGlobalMax
+
+Add to corpus if peak concurrent heap usage is higher than before. Useful for finding heap exhaustion inputs.
+
+### kSensorBuiltinAutoCodeIntensity
+
+Add to corpus if the number of times a particular PC is executed during a single run is higher than before. Useful for finding slow inputs.
+
+## Components
+
+The library is split into two components.
+
+### libvfuzz-core
+
+This implements core fuzzer functionality like corpora, dictionaries, mutators, sensors and generators and is agnostic with respect to target-specific interfaces like instrumentation. You could use this to build new fuzzer engines, experiment with features like new mutators, implement fuzzing for other languages etc.
+
+### libfuzzer-runtime
+
+This is a bridge between both the user and the system (including instrumentation) one one hand, and libvfuzz-core on the other hand.
+
+## State of the project
+
+This is alpha-grade software. I can't provide much support but PR's are very welcome. This has only been tested and used on 64 bit Linux.
+
+## Compilation
+
+A recent version of Clang is required.
+
+From the project's top-level directory:
+
+```sh
+mkdir build/
+cd build/
+cmake -DCMAKE_CXX_COMPILER=clang++-8 -DCMAKE_C_COMPILER=clang-8 ..
+make -j$(nproc)
+```
+
+## License
+
+MIT

examples/CMakeLists.txt

@@ -0,0 +1,13 @@
+cmake_minimum_required (VERSION 2.6)
+project (examples)
+
+include_directories(../include/)
+include_directories(../libvfuzz-core/src)
+
+add_executable(nlohmann nlohmann.cpp)
+set_target_properties(nlohmann PROPERTIES COMPILE_FLAGS -fsanitize-coverage=trace-pc-guard)
+set_target_properties(nlohmann PROPERTIES LINK_FLAGS -fsanitize-coverage=trace-pc-guard)
+target_link_libraries(nlohmann vfuzz-runtime vfuzz-core)
+
+add_executable(libvfuzz-core-example libvfuzz-core-example.cpp)
+target_link_libraries(libvfuzz-core-example vfuzz-core)

examples/libvfuzz-core-example.cpp

@@ -0,0 +1,37 @@
+#include <sensor/processor/highest.h>
+#include <logger/consolelogger.h>
+#include <container/corpus/corpus.h>
+#include <util/random.h>
+#include <iostream>
+
+int main(void)
+{
+    using namespace vfuzz;
+
+    auto Rand = std::make_shared<util::Random>(0);
+    container::InputCluster ic(Rand, 10, 10);
+    auto corpus = std::make_shared<container::corpus::Corpus>(Rand, ic);
+
+    auto loggers = std::make_shared<LoggerChain>();
+    auto consolelogger = std::make_shared<ConsoleLogger>();
+    loggers->AddLogger(consolelogger);
+
+    vfuzz::sensor::ProcessorHighest p(loggers);
+
+    consolelogger->Start();
+
+    for (const auto& v : {123, 999, 3}) {
+        p.ReceiveInput(123, v);
+    }
+
+    consolelogger->Stop();
+
+    std::cout << "Number of new values: " << p.GetNumValues() << std::endl;
+
+    std::cout << "Values are: " << std::endl;
+    p.GetValues([](const uint64_t v) {
+            std::cout << "\t" << v << std::endl;
+    });
+
+    return 0;
+}

examples/nlohmann.cpp

@@ -0,0 +1,35 @@
+#include <vfuzz/vfuzz.h>
+#include "nlohmann/json.hpp"
+
+extern "C" void VFuzzInit(int argc, char **argv) {
+    (void)argc;
+    (void)argv;
+
+    /* Experiment with uncommenting any of the following lines. */
+    //sensor_enable(vfuzz::kSensorBuiltinCodeCoverage);
+    //sensor_enable(vfuzz::kSensorBuiltinStackDepth);
+    //sensor_enable(vfuzz::kSensorBuiltinStackUnique);
+    //sensor_enable(vfuzz::kSensorBuiltinFlowtrace);
+    //sensor_enable(vfuzz::kSensorBuiltinIntensity);
+    //sensor_enable(vfuzz::kSensorBuiltinAllocSingleMax);
+    //sensor_enable(vfuzz::kSensorBuiltinAllocGlobalMax);
+    //sensor_enable(vfuzz::kSensorBuiltinAllocUnique);
+    //sensor_enable(vfuzz::kSensorBuiltinValueProfile);
+    //sensor_enable(vfuzz::kSensorBuiltinFuncEnter);
+    //sensor_enable(vfuzz::kSensorBuiltinCMPDiff);
+    //sensor_enable(vfuzz::kSensorBuiltinAutoCodeIntensity);
+}
+
+extern "C" void VFuzzRun(void) {
+    vfuzz::datasource::Datasource ds;
+
+    const auto s = ds.Get<std::string>();
+    try {
+        auto j = nlohmann::json::parse(s);
+    } catch ( ... ) {
+        /* Experiment with uncommenting the following line.
+         * It prevents the input getting added to the corpus
+         * if json parsing failed */
+         //vfuzz_discard();
+    }
+}

examples/nlohmann/LICENSE.MIT

@@ -0,0 +1,21 @@
+MIT License 
+
+Copyright (c) 2013-2019 Niels Lohmann
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.