Futag is an automated instrument to generate fuzz targets for software libraries. Unlike a standalone program, a software library may not contain an entry point, so generating fuzz targets for it remains a challenge. Futag uses LLVM Clang and the Clang tools as a front end to analyze the library and generate the fuzzing targets. Futag uses static analysis to find:
- Entities dependencies (data types, functions, structures, etc.) in the source code of target library.
- Library usage contexts. This information is then used for generating fuzz targets.
This project is based on llvm-project with Clang static analysis and LLVM LTO, and is distributed under the GPL v3 license.
Currently Futag supports:
- automatically compiling libraries built with Makefile, CMake and configure;
- automatically generating fuzzing targets for functions of libraries written in C/C++. Additionally, Futag can test the compiled targets.
You can try to build Futag with the pre-built Docker files for Ubuntu.
Download the latest futag-llvm.2.0.1.tar.xz and unpack it.
These instructions allow you to build a copy of the project and run it on a Unix-like system.
Futag is based on llvm-project. To compile the project, the following packages must be installed on your system:
- CMake >=3.13.4 (e.g. cmake-3.19.3-Linux-x86_64.sh) - Makefile/workspace generator
- GCC >=5.1.0 - C/C++ compiler
- python >=3.6
- pip
- zlib >=1.2.3.4 - compression library
- GNU Make 3.79, 3.79.1 - Makefile/build processor
Please check the prerequisites on the official LLVM website for more detail.
You also need to create a symbolic link "python" to "python3" if such a link does not exist on your system. On an Ubuntu system, this can be done by installing the python-is-python3 package.
- Clone the project:
~$ git clone https://github.com/ispras/Futag
- Prepare the "custom-llvm" directory by running the script:
~/Futag/custom-llvm$ ./prepare.sh
This script creates the Futag/build directory and copies the Futag/custom-llvm/build.sh script into it.
Run the copied script in "Futag/build":
~/Futag/build$ ./build.sh
- As a result, the tool will be installed in the Futag/futag-llvm directory.
- Analyze the library:
    # the futag package must already be installed
    from futag.preprocessor import *
    testing_lib = Builder(
        "futag-llvm/",                  # path to the futag-llvm
        "path/to/library/source/code",  # library root
    )
    testing_lib.auto_build()
    testing_lib.analyze()
- Generate and compile fuzz-drivers
    # the futag package must already be installed
    from futag.generator import *
    g = Generator(
        "futag-llvm/",                  # path to the futag-llvm
        "path/to/library/source/code",  # library root
        # target_type = LIBFUZZER,      # or AFLPLUSPLUS
    )
    g.gen_targets(
        anonymous=False  # option for generating fuzzing wrappers of private functions
    )
    g.compile_targets(
        8,  # compile fuzz drivers with 8 processes
        # keep_failed=True,              # keep uncompiled targets
        # extra_include="-DHAVE_CONFIG_H",  # extra include paths
        # extra_dynamiclink="-lz",       # extra system linked libraries
        # flags="-ferror-limit=1",       # flags for compiling, default to ""
    )
By default, successfully compiled fuzz-drivers for target functions are located in the futag-fuzz-drivers directory, where each target function is in its own subdirectory, the name of which matches the name of the target function. If several fuzz-drivers have been generated for a function, corresponding directories are created in the subdirectory of the target function, where a serial number is added to the name of the target function.
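The following script is an added example, not part of Futag, for the step after compile_targets: it walks the futag-fuzz-drivers layout just described (one subdirectory per target function, serial-numbered subdirectories when several drivers were generated) and runs each driver for a bounded time. It assumes the default LIBFUZZER target type, that a compiled driver is the executable file inside its directory, and that the names `collect_drivers`, `summarize` and `run_driver` are hypothetical.

```python
import os
import re
import subprocess
from pathlib import Path


def _executables(d: Path):
    """Executable files directly inside d (assumed to be the compiled drivers)."""
    return sorted(p for p in d.iterdir() if p.is_file() and os.access(p, os.X_OK))


def collect_drivers(root):
    """Map each target function name to the compiled drivers found for it.

    Layout as described for futag-fuzz-drivers: <root>/<func>/ holds one
    driver, or <root>/<func>/<func><N>/ holds several, N being the serial number.
    """
    root = Path(root)
    drivers = {}
    for func_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        found = _executables(func_dir)
        for sub in sorted(p for p in func_dir.iterdir() if p.is_dir()):
            if re.fullmatch(re.escape(func_dir.name) + r"\d+", sub.name):
                found += _executables(sub)
        drivers[func_dir.name] = found
    return drivers


def summarize(drivers):
    """Sorted lists of functions with a driver, with several drivers, and with none
    (the last case arises with keep_failed=True, when uncompiled targets are kept)."""
    return {
        "compiled": sorted(f for f, d in drivers.items() if d),
        "multi": sorted(f for f, d in drivers.items() if len(d) > 1),
        "missing": sorted(f for f, d in drivers.items() if not d),
    }


def run_driver(driver, seconds=10):
    """Run one libFuzzer driver for a bounded wall-clock time.

    Returns the exit code (non-zero on a sanitizer-reported crash) and the tail
    of stderr, where libFuzzer and the sanitizers print their reports.
    """
    proc = subprocess.run([str(driver), f"-max_total_time={seconds}"],
                          capture_output=True, text=True, timeout=seconds + 30)
    return proc.returncode, proc.stderr[-2000:]
```

Running `run_driver` over every entry of `collect_drivers("futag-fuzz-drivers")` gives a quick smoke test of all generated targets; a non-zero exit code marks a driver whose stderr tail is worth reading.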
Documentation for the Futag Python package is available at this link.
Details of working with Futag can be read here.
The example script can be viewed here.
A testing repository has been created to test Futag on libraries (json-c, php, FreeImage, etc.); you can try it in a Docker container.
- Tran Chi Thien ([email protected])
- Shamil Kurmangaleev ([email protected])
- Theodor Arsenij Larionov-Trichkin ([email protected])
- C. T. Tran and S. Kurmangaleev, "Futag: Automated fuzz target generator for testing software libraries," 2021 Ivannikov Memorial Workshop (IVMEM), 2021, pp. 80-85, doi: 10.1109/IVMEM53963.2021.00021.
- Research on automatic generation of fuzz-target for software library functions, Ivannikov ISP RAS Open Conference 2022
- Crash in function png_convert_from_time_t of libpng version 1.6.37 (confirmed)
- Global-buffer-overflow in function ErrorIDToName of tinyxml2 version 9.0.0