Add .NET Libraries fuzzing targets and automation #101993
Conversation
|
Tagging subscribers to this area: @dotnet/area-meta |
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/JsonSerializerFuzzer.cs
Outdated
Show resolved
Hide resolved
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/SearchValuesByteCharFuzzer.cs
Show resolved
Hide resolved
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/HttpHeadersFuzzer.cs
Outdated
Show resolved
Hide resolved
MihaZupan
force-pushed
the
libraries-fuzzing
branch
from
10d46a6
to
bbe7db9
Compare
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/JsonSerializerFuzzer.cs
Outdated
Show resolved
Hide resolved
| env: | ||
| onefuzzDropDirectory: $(fuzzerProject)/deployment/UTF8Fuzzer | ||
| SYSTEM_ACCESSTOKEN: $(System.AccessToken) | ||
| displayName: Send UTF8Fuzzer to OneFuzz |
There was a problem hiding this comment.
So for right now, until the workaround is no longer needed, to add new tests one adds a new test file and then also updates this file?
There was a problem hiding this comment.
Yes.
When you add a new target and test it locally, the prepare-onefuzz part of
dotnet publish -o publish && publish/DotnetFuzzing.exe prepare-onefuzz deployment
will also update this file for you, so you should only have to:
- Add 1 file
- Test changes
- Commit the 2 changed files
| <NetCoreAppCurrentVersion>9.0</NetCoreAppCurrentVersion> | ||
| <NetCoreAppCurrent>net$(NetCoreAppCurrentVersion)</NetCoreAppCurrent> |
There was a problem hiding this comment.
This can't share the same settings that the rest of the repo uses?
There was a problem hiding this comment.
I think it should be possible, I just gave up after spending a few hours bashing my head against different configurations that wouldn't compile.
We have similar isolated configurations for HttpStress / SslStress.
|
|
||
| namespace DotnetFuzzing; | ||
|
|
||
| internal static class Assert |
There was a problem hiding this comment.
We can't use xunit's asserts directly, and/or AssertExtensions?
There was a problem hiding this comment.
I think we'd have to figure out #101993 (comment) first.
Given it's just helpers for Equal(T, T) and Equal(Span<T>, Span<T>) at this point, I didn't think it mattered enough.
|
|
||
| <PropertyGroup> | ||
| <OutputType>Exe</OutputType> | ||
| <TargetFramework>$(NetCoreAppCurrent)-windows</TargetFramework> |
There was a problem hiding this comment.
This only works on Windows?
There was a problem hiding this comment.
As-is, yes.
We could make it work on Linux as well if needed, it's "just work". Namely updating the pipeline, and tweaking how we consume local bits to avoid the limitation in SharpFuzz to instrument mixed-mode assemblies only on Windows.
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/SearchValuesStringFuzzer.cs
Outdated
Show resolved
Hide resolved
| // Adapted from https://github.com/GrabYourPitchforks/utf8fuzz | ||
| internal sealed class UTF8Fuzzer : IFuzzer | ||
| { | ||
| public string BlameAlias => "mizupan"; |
There was a problem hiding this comment.
Feels unsustainable to be assigning these to a specific alias. Can we create some kind of team alias that these are assigned to instead?
There was a problem hiding this comment.
Sadly can't assign work items to groups / multiple people in AzDo.
I've changed it to always assign me for now, and I'll re-assign as needed (we shouldn't be getting these reports all that often anyway).
| string[] TargetCoreLibPrefixes { get; } | ||
|
|
||
| /// <summary>Optional name of the dictionary to use to better guide the fuzzer.</summary> | ||
| string? Dictionary => null; |
There was a problem hiding this comment.
Is this overridden anywhere?
There was a problem hiding this comment.
The JsonDocumentFuzzer sets json.dict
|
|
||
| await DownloadArtifactAsync( | ||
| Path.Combine(publishDirectory, "libfuzzer-dotnet.exe"), | ||
| "https://github.com/Metalnem/libfuzzer-dotnet/releases/download/v2023.06.26.1359/libfuzzer-dotnet-windows.exe", |
There was a problem hiding this comment.
We're ok downloading such executables from an arbitrary repo?
There was a problem hiding this comment.
I don't know of a great alternative.
I figured that since the version is pinned (checksum), it's pretty much the same thing as us using the SharpFuzz 2.1.1 NuGet package from the internal mirror / asking anyone working on fuzzers to install dotnet tool install --global SharpFuzz.CommandLine.
MihaZupan
force-pushed
the
libraries-fuzzing
branch
from
abf031a
to
70857b2
Compare
src/libraries/Fuzzing/DotnetFuzzing/Fuzzers/HttpHeadersFuzzer.cs
Outdated
Show resolved
Hide resolved
| internal sealed class PooledBoundedMemory<T> : IDisposable where T : unmanaged | ||
| { | ||
| // Default libFuzzer max_len for inputs is 4096. | ||
| private const int MaxLength = 4096 * 2; |
There was a problem hiding this comment.
Isn't pooling in this fashion potentially going to allocate dozens of GB of memory? Especially in the SearchValues and UTF-8 tests, the elementCount parameter could potentially be any arbitrary integer 0 .. 4096, depending on where the fuzzer places certain delimiter characters we're searching for.
There was a problem hiding this comment.
Should be around 400 MB I believe (8k sizes, 2 variants of poison placement each, 2-3 memory pages each, one for chars + one for bytes).
Note that we're only pooling 1 buffer for each (type, size, placement) as that's enough for practically all uses by fuzzers.
|
@MihuBot fuzz HttpHeaders |
|
This PR introduces a new
DotnetFuzzingproject undersrc/libraries/Fuzzingwhich contains fuzzing targets and relevant automation for fuzzing locally, and to automatically submit jobs to OneFuzz.The goal is that it should be easy to author new fuzzing targets without having to deal with the infrastructure aspects.
I included the following targets for now:
HttpHeadersFuzzerJsonDocumentFuzzerSearchValuesByteCharFuzzerSearchValuesStringFuzzerUTF8FuzzerThe new
deploy-to-onefuzz.ymlinternal pipeline will periodically build the runtime and resubmit fuzzing jobs to OneFuzz.See the new
README.mdfor details about what it looks like to run locally / add new targets.