Improve an OSS-Fuzz project's code coverage by 5% or more to achieve the flag.
Fuzz-Dojo commands:
Note that these commands are only available in fuzz-dojo challenges. For OSS-Fuzz challenges, oss_help displays the OSS-Fuzz specific commands.
/challenge/comments
Add comments to existing fuzz drivers to demonstrate your understanding of their operation.
/challenge/plan
Develop a conceptual plan to create a new fuzz driver
/challenge/build (sanitizer)
Run this first. Compiles the currently configured OSS-Fuzz project and copies the fuzz driver source code into /home/hacker/fuzz-dojo/(project).
- Project source code is placed in /src-orig.
- Working code is stored in /src-{sanitizer}, such as /src-none, /src-address, /src-memory, /src-undefined and /src-thread.
- Fuzz drivers are placed in /out.
(sanitizer) is an OPTIONAL value of none (default), address, memory, undefined, thread, coverage or inspector.
/challenge/rebuild (sanitizer)
Recompiles ONLY the fuzz drivers and not the entire project. NOTE: this function primarily checks for compile errors. It may or may not replace the compiled fuzz driver in the /out directory!
(sanitizer) is an OPTIONAL value of none (default), address, memory, undefined, thread, coverage or inspector.
/out/(driver)
Runs a fuzz driver compiled with /challenge/build
/challenge/loc (sanitizer) (driver)
Compiles and runs all fuzz drivers for 30 seconds, then reports LOC and functional coverage of each fuzz driver and of the entire project.
- (sanitizer) is an OPTIONAL value of none (default), address, memory, undefined or thread.
- (driver) is an OPTIONAL value naming exactly one fuzz driver to execute and provide coverage data for. If it is not provided, all of the fuzz drivers will be compiled. Example:
/challenge/loc newfuzzer
/challenge/fuzz-introspector
Compiles project and creates Fuzz Introspector report that can be viewed in a web browser under Desktop
report
Start Web server to view coverage report previously generated by /challenge/loc
fi-report
Start Web server to view coverage report previously generated by /challenge/fuzz-introspector
loc-report
View quick LOC report previously generated by /challenge/loc
find-drv (keyword)
Locates all fuzz drivers within /src-orig.
(keyword) is an OPTIONAL text string to search the source code for, instead of searching for fuzz driver references.
drivers
Lists all fuzz drivers within /out
test-crashes
Tests all crash files within the /out directory by executing every fuzz driver against every crash file.
Refine your fuzz drivers to increase code coverage.
- Run a Fuzz Introspector report and view the call tree. Look at the unreached sections and determine why these areas are not being hit.
- Vary the structure and constraints of your input data. Are many runs failing early because of invalid data types?
- Could different parameter combinations hit code that is not currently being reached?
- Examine the functions being called. Could you call functions higher in the call tree to reach more code?
- Experiment with different sanitizers and check for hidden errors revealed by fuzzing runs with the address, undefined, thread and memory sanitizers.
- Are you using a seed corpus? Can you make this corpus more diverse and also remove redundant samples?
- Could additional preconditions be necessary to satisfy the control dependencies of untouched code? E.g., do you need to open a file before you can read from it?
- Look for complex branch conditions involving checksums, hashes or magic values. Could you add custom comparators to your fuzz driver, or get past these checks by calling the functions beyond them?
- Are timeouts or memory errors occurring when running your fuzz driver?
- Can you improve performance by testing and optimizing your code?
- Do you see the need to extend your fuzz driver by calling additional functions, or by creating an entirely new fuzz driver?
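The two list items about preconditions and about checksum or magic-value guards are the ones most often behind a driver that never reaches the interesting code. The libFuzzer driver below is an added example written for this page; it is not fuzz-dojo code or any OSS-Fuzz project's driver. The target `parse_record`, its record layout (magic, length, checksum, payload) and the `RECORD_MAGIC` value are all constructed for the illustration. The driver treats the raw fuzzer bytes as the payload and synthesises a valid header around them in `build_record`, so every mutated input satisfies the guards and coverage lands in the body of the parser instead of the early returns.

```c
/* Added example: libFuzzer driver that fixes up a header so the target's
 * magic and checksum guards pass. Build with:
 *   clang -g -O1 -fsanitize=fuzzer,address driver.c -o driver
 * The parser and the record format are hypothetical, constructed for this page. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_MAGIC 0x5243u   /* hypothetical magic value ("RC", little-endian) */
#define HEADER_LEN   8         /* [magic:2][len:2][checksum:4] followed by payload */

/* Hypothetical checksum used by the target: a plain polynomial hash. */
static uint32_t simple_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = sum * 31u + p[i];
    return sum;
}

/* Hypothetical target. Returns 0 on success; each guard has its own error code
 * so a coverage report (or the test below) shows exactly where an input died.
 *  -1 too short, -2 bad magic, -3 length overruns buffer, -4 checksum mismatch,
 *  -5 unbalanced ')' in the body, -6 unclosed '(' at end of body. */
int parse_record(const uint8_t *buf, size_t len) {
    if (len < HEADER_LEN) return -1;
    uint16_t magic = (uint16_t)(buf[0] | (buf[1] << 8));
    if (magic != RECORD_MAGIC) return -2;
    uint16_t plen = (uint16_t)(buf[2] | (buf[3] << 8));
    if ((size_t)plen + HEADER_LEN > len) return -3;
    uint32_t want = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                    ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    if (simple_checksum(buf + HEADER_LEN, plen) != want) return -4;

    /* The body: this is the code we actually want the fuzzer to exercise. */
    int depth = 0;
    for (size_t i = 0; i < plen; i++) {
        uint8_t c = buf[HEADER_LEN + i];
        if (c == '(') depth++;
        else if (c == ')' && --depth < 0) return -5;
    }
    return depth == 0 ? 0 : -6;
}

/* Precondition fix-up: wrap raw fuzzer bytes in a header whose magic, length
 * and checksum are all correct. Returns bytes written to out, 0 if out is too small. */
size_t build_record(const uint8_t *payload, size_t plen, uint8_t *out, size_t out_cap) {
    if (plen > 0xFFFF) plen = 0xFFFF;           /* length field is 16 bits */
    if (out_cap < HEADER_LEN + plen) return 0;
    uint32_t sum = simple_checksum(payload, plen);
    out[0] = (uint8_t)(RECORD_MAGIC & 0xFF);
    out[1] = (uint8_t)(RECORD_MAGIC >> 8);
    out[2] = (uint8_t)(plen & 0xFF);
    out[3] = (uint8_t)(plen >> 8);
    out[4] = (uint8_t)(sum & 0xFF);
    out[5] = (uint8_t)((sum >> 8) & 0xFF);
    out[6] = (uint8_t)((sum >> 16) & 0xFF);
    out[7] = (uint8_t)(sum >> 24);
    if (plen) memcpy(out + HEADER_LEN, payload, plen);
    return HEADER_LEN + plen;
}

/* libFuzzer entry point: the fuzzer mutates the payload, the driver keeps the
 * header consistent, so mutations are never rejected by the guards. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t *rec = malloc(size + HEADER_LEN);
    if (!rec) return 0;
    size_t n = build_record(data, size, rec, size + HEADER_LEN);
    if (n) parse_record(rec, n);
    free(rec);
    return 0;
}
```

Without `build_record`, almost every mutated input would return at -2 or -4 and the parser body would show as unreached in the Fuzz Introspector call tree. Recomputing the checksum in the driver is the "custom comparator" approach from the list; the alternative of calling the body's helper directly skips the guards entirely but then also skips any bugs in the header handling, so keep both drivers when the guard code itself matters.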
Practical examples of fuzz driver improvements may be found in the training exercises.
Important Resources:
- LibFuzzer Documentation
- More libfuzzer tips
- Efficient Fuzzing Guide
- OSS-Fuzz: Fuzzing Introspection
- OSS-Fuzz: OSS-Fuzz - Setting up a new project
- OSS-Fuzz: Ideal integration
- OSS-Fuzz: Interesting fuzz driver creation case studies
- GITHUB: How to contribute to a project through forking
- Keyword Search all OSS-Fuzz fuzz drivers
The challenges below will demonstrate techniques to improve the code coverage of existing fuzz drivers.