Build a Fuzzing Testbench with AFL — SOF Project 2.4.1 documentation

Build a Fuzzing Testbench with AFL

American fuzzy lop (AFL) is a free software fuzzer that can be used to
detect software bugs. Use these instructions to build and run a testbench
with AFL.

Install AFL

Follow the steps in the AFL Quick Start Guide to install AFL on your system.

We assume that AFL is installed at:

$HOME/work/

Build a testbench with AFL instrumentation

According to AFL’s README, AFL is a “brute-force fuzzer coupled with an exceedingly
simple but rock-solid instrumentation-guided genetic algorithm.” You must
add instrumentation to the code before running the fuzzer in order to get
potentially useful results; without it, you might not get any results at all.

Building AFL in the previous step generates an afl-gcc executable, a
companion tool that acts as a drop-in replacement for gcc or clang. Before
you build the testbench, make sure you are compiling the code with afl-gcc
so that the instrumentation is added. The host-build-all.sh script from the
scripts/ directory does exactly this when you run it with the -f option.

Note

By default, the host-build-all.sh script assumes you have installed
AFL in the $HOME/work/ directory. If you install AFL in any other
directory, you must change the path in this script.

Run AFL

From the AFL directory, run AFL by entering the following:

./afl-fuzz -i testcase_dir -o findings_dir /path/to/program [...params...] @@

AFL assumes that the inputs for the program you wish to fuzz are in the form
of files, so you must create a directory that contains these input files.
This is the testcase_dir in the command above.

Since you are fuzzing the testbench, the program here is testbench.

params are the different parameters of the program apart from the input
file.

@@: Each file from testcase_dir is substituted in place of this.
As AFL continues to run, newly-generated testcases are placed in
testcase_dir, and AFL in its further iterations runs with these
newly-generated testcases.

Example

Use AFL to fuzz the volume component of the testbench

To fuzz the volume component of the testbench, use topology files as inputs
and place the topology files of volume components in an inputs directory:

/home/sof/work/sof/tools/testbench/inputs

# Add AFL directory to $PATH
export PATH=$PATH:$HOME/AFL
# Go to the testbench directory
cd tools/testbench
# Run the fuzzer
afl-fuzz -i inputs/ -o output/ build_testbench/install/bin/testbench -r 48000 -R 48000 -i zeros_in.raw -o volume_out.raw -b S16_LE -t @@

AFL runs and saves the inputs that caused problems in the output directory
given with the -o option in the command above, sorted into subdirectories
such as crashes and hangs. Run the testbench with the volume component in
gdb on one of these inputs to help figure out the error.
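Once afl-fuzz has populated output/crashes and output/hangs, a short replay script helps triage the saved inputs before opening gdb. The following is an added example, not part of the SOF documentation or the testbench sources; it assumes the directory layout afl-fuzz creates (crashes/ and hangs/, each with a README.txt) and defines its own TIMEOUT for hang detection.

```shell
#!/bin/sh
# Added example, not part of the SOF docs or the testbench sources: replay
# the inputs that afl-fuzz saved under findings_dir/crashes or
# findings_dir/hangs against the target, with @@ replaced by each file the
# way afl-fuzz does it, and report how each run ends. TIMEOUT (seconds
# before a run is treated as a hang) is an assumption of this script.
TIMEOUT=${TIMEOUT:-5}

# replay_one INPUT CMD...: run CMD with @@ replaced by INPUT and print one
# verdict: ok, "exit N", "signal N" (exit status above 128) or hang.
replay_one() {
    input=$1; shift
    # Rotate through "$@" once, rebuilding it with @@ substituted.
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        if [ "$arg" = "@@" ]; then arg=$input; fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    # Use coreutils timeout when available so a hang terminates (status 124).
    if command -v timeout >/dev/null 2>&1; then set -- timeout "$TIMEOUT" "$@"; fi
    if "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 124 ]; then echo "hang"
    elif [ "$rc" -gt 128 ]; then echo "signal $((rc - 128))"
    elif [ "$rc" -ne 0 ]; then echo "exit $rc"
    else echo "ok"
    fi
}

# replay_dir DIR CMD...: replay every file in an AFL crashes/ or hangs/
# directory and print "<verdict><TAB><file>" per input. The README.txt that
# afl-fuzz writes into those directories is skipped.
replay_dir() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "${f##*/}" = "README.txt" ]; then continue; fi
        printf '%s\t%s\n' "$(replay_one "$f" "$@")" "$f"
    done
}

# With the volume-component command line from this page, run from
# tools/testbench:
#   replay_dir output/crashes build_testbench/install/bin/testbench \
#       -r 48000 -R 48000 -i zeros_in.raw -o volume_out.raw -b S16_LE -t @@
# An input reported as "signal 11" can then be handed to gdb with the same
# argument list to locate the fault in the volume component.
```

Inputs that no longer reproduce after a rebuild still belong in inputs/ for the next fuzzing run, since AFL will use them as seeds.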

Reference

AFL README
is a good place to learn more about the AFL tool itself as well as the
various options it provides.