# Persistent fuzzing #

Honggfuzz is capable of fuzzing APIs, that is, testing each new input within the same process. This speeds up the fuzzing of APIs greatly.

# Requirements for hardware-based counter-based fuzzing #
 * GNU/Linux or POSIX interface (e.g. FreeBSD, Windows/CygWin)

# HowTo #

One can prepare a binary in the two following ways:

## ASAN-style ##

Two functions must be prepared:

`int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len)`

and (optional)

`int LLVMFuzzerInitialize(int *argc, char ***argv)`

Example (test.c):
```c
#include <stddef.h>
#include <stdint.h>
void TestAPI(uint8_t *buf, size_t len); /* the API under test, provided by the user */

int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
  TestAPI(buf, len);
  return 0;
}
```

Compilation:
```
$ hfuzz_cc/hfuzz_clang test.c -o test
```

Execution:
```
$ honggfuzz -P -- ./test
```

## HF_ITER style ##

A complete program needs to be prepared, using the `HF_ITER` symbol to obtain new inputs.

Example (test.c):
```c
#include <stddef.h>
#include <stdint.h>

/* Provided by honggfuzz's persistent-mode library at link time; fills in
 * a pointer to the next input and its length. */
extern void HF_ITER(uint8_t** buf, size_t* len);

void TestAPI(uint8_t *buf, size_t len); /* the API under test, provided by the user */

int main(void) {
  for (;;) {
    size_t len;
    uint8_t *buf;

    HF_ITER(&buf, &len);   /* blocks until the fuzzer hands over a new input */

    TestAPI(buf, len);
  }
}
```

Compilation:
```
$ hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libfuzz/libfuzz.a
```

Execution:
```
$ honggfuzz -P -- ./test
```

# Feedback-driven modes #

Persistent fuzzing can easily be used together with feedback-driven fuzzing. To achieve that, one needs to compile the binary with compile-time instrumentation, or use hardware-based instrumentation (BTS, Intel PT). More can be found in this [document](FeedbackDrivenFuzzing.md).

Example (compile-time)
```
$ honggfuzz -P -z -- ./test
```

Example (hardware-based)
```
$ honggfuzz -P --linux_perf_bts_edge -- ./test
$ honggfuzz -P --linux_perf_ipt_block -- ./test
```
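A complete ASAN-style harness for the section above, added here as an example and not taken from the honggfuzz sources: `TestAPI` is a constructed stand-in for the API under test (a tiny type-length-value parser with explicit bounds checks), and both entry points the section names are implemented so the file can be built with `hfuzz_clang test.c -o test` and run with `honggfuzz -P -- ./test`.

```c
/* Added example: a self-contained persistent harness in the ASAN/libFuzzer
 * style.  Everything below is constructed for illustration; TestAPI and the
 * sample inputs are not real project code or corpus data. */
#include <stddef.h>
#include <stdint.h>

/* Hypothetical API under test: walks TLV records of the form
 * [type:1][length:1][value:length] and counts them.
 * Returns the record count, or -1 if a record would run past `len`. */
int TestAPI(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int records = 0;
    while (off < len) {
        if (len - off < 2)                 /* need both header bytes */
            return -1;
        uint8_t vlen = buf[off + 1];
        if (vlen > len - off - 2)          /* value would overrun the buffer */
            return -1;
        off += 2 + vlen;
        records++;
    }
    return records;
}

/* Constructed sample inputs: two well-formed records, and one truncated. */
static const uint8_t kTwoRecords[] = {0x01, 0x02, 0xAA, 0xBB, 0x02, 0x00};
static const uint8_t kTruncated[]  = {0x01, 0x05, 0xAA};

/* Optional: honggfuzz calls this once per process, before the first input.
 * One-time setup (tables, config) belongs here, not in TestOneInput. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    (void)argc;
    (void)argv;
    return 0;
}

/* Called once per input in the same process; it must not carry state from
 * one iteration to the next, or crashes stop being reproducible. */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
    (void)TestAPI(buf, len);   /* -1 is a rejected input, not a crash */
    return 0;
}
```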