FUZZING.adoc

File metadata and controls

106 lines (85 loc) · 4.13 KB

Log4j contains fuzz tests implemented using Jazzer[1]. These tests live in modules whose names end with -fuzz-test, e.g. log4j-core-fuzz-test and log4j-layout-template-json-fuzz-test.

Google OSS-Fuzz

OSS-Fuzz is a Google service that continuously runs fuzz tests of critical F/OSS projects on a beefy cluster and reports its findings (bugs, vulnerabilities, etc.) privately to project maintainers. Log4j provides OSS-Fuzz integration with the following helpers:

  • Dockerfile to create a container image for running tests

  • oss-fuzz-build.sh to generate fuzz test runner scripts along with all necessary dependencies

F.A.Q.

Below we will try to answer some frequently asked questions.

How can I run fuzz tests locally?

  1. Clone the OSS-Fuzz repository:

    git clone --depth 1 https://github.com/google/oss-fuzz google-oss-fuzz && cd $_
  2. Build the container image:

    python infra/helper.py build_image log4j2
  3. Run the container image to build the Log4j project and generate runner scripts along with dependencies:

    python infra/helper.py build_fuzzers \
      --sanitizer address --engine libfuzzer --architecture x86_64 \
      log4j2
  4. List generated runner scripts:

    ls -al build/out/log4j2
  5. Check one of the generated runner scripts:

    python infra/helper.py check_build \
      --sanitizer address --engine libfuzzer --architecture x86_64 \
      log4j2 log4j-core-fuzz-test-PatternLayoutFuzzer
  6. Execute one of the generated runner scripts:

    python infra/helper.py run_fuzzer \
      --sanitizer address --engine libfuzzer --architecture x86_64 \
      log4j2 log4j-core-fuzz-test-PatternLayoutFuzzer
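To show what a target such as the log4j-core-fuzz-test-PatternLayoutFuzzer referenced in steps 5 and 6 looks like in shape, here is an added Jazzer fuzz target (example code, not the project's own PatternLayoutFuzzer); the package and class names are assumptions, and it assumes log4j-core and the Jazzer API are on the classpath:

```java
// Added illustrative example, not Log4j's own fuzz target.
// Assumes log4j-core and com.code_intelligence.jazzer:jazzer-api on the classpath;
// the package and class names below are hypothetical.
package org.apache.logging.log4j.core.fuzz;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class PatternLayoutFuzzerExample {

    // Jazzer invokes this once per generated input. Any exception that escapes
    // (NullPointerException, StackOverflowError, OutOfMemoryError, ...) is
    // reported as a finding together with the input that reproduces it.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Carve the raw bytes into a conversion pattern and a log message.
        // Bounding the pattern keeps inputs small; the message takes the rest.
        final String pattern = data.consumeString(64);
        final String message = data.consumeRemainingAsString();

        final PatternLayout layout;
        try {
            layout = PatternLayout.newBuilder().withPattern(pattern).build();
        } catch (IllegalArgumentException rejected) {
            // A pattern the builder refuses outright is expected behaviour,
            // not a finding; returning keeps Jazzer from reporting it.
            return;
        }

        final LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("fuzz")
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage(message))
                .build();

        // Formatting an arbitrary event with an arbitrary pattern must never
        // crash and must always yield a string.
        final String formatted = layout.toSerializable(event);
        if (formatted == null) {
            throw new IllegalStateException("PatternLayout produced null output");
        }
    }
}
```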

How can I view fuzzing failures detected by OSS-Fuzz?

The system running fuzzers registered to OSS-Fuzz is called ClusterFuzz, which provides a web interface for maintainers to monitor the fuzzing results. Test outputs and reproduction inputs for failed tests are stored in a Google Cloud Storage bucket. Access to both the web interface and the bucket is restricted to those configured for the project.

How can I reproduce fuzzing failures detected by OSS-Fuzz?

Download the associated .testcase file from the Google Cloud Storage bucket, and run the following command:

python infra/helper.py reproduce \
  log4j2 <FUZZ-TARGET-NAME> <TESTCASE-FILE-PATH>

Refer to the related OSS-Fuzz documentation for details.


1. We are aware that Jazzer is discontinued. Yet it is still the only mature fuzzing framework for Java and the library recommended by OSS-Fuzz.