Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/CodeIntelligenceTesting/jazzer

Coverage-guided, in-process fuzzing for the JVM
https://github.com/CodeIntelligenceTesting/jazzer

clojure fuzzer fuzzing java jni jvm kotlin security

Last synced: 3 months ago
JSON representation

Coverage-guided, in-process fuzzing for the JVM

Host: GitHub
URL: https://github.com/CodeIntelligenceTesting/jazzer
Owner: CodeIntelligenceTesting
License: apache-2.0
Created: 2021-01-28T19:08:19.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2024-04-24T13:16:33.000Z (6 months ago)
Last Synced: 2024-07-12T07:34:38.805Z (4 months ago)
Topics: clojure, fuzzer, fuzzing, java, jni, jvm, kotlin, security
Language: Java
Homepage: https://code-intelligence.com
Size: 4.74 MB
Stars: 981
Watchers: 27
Forks: 130
Open Issues: 40
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

README

        


  



  Jazzer

  Fuzz Testing for the JVM

  

    

  

  

    

  

  

    

  

  

    

  

  

    

  

  


Website

|

Blog

|

Twitter



> [!IMPORTANT]

> Hello Jazzer/Jazzer.js users!

>

> We stopped maintaining Jazzer/Jazzer.js as open source.

> But we'd be happy to try and understand what you're trying to achieve with it, and help you if we can! 

>

> We already added significant new value to our CI Fuzz solution, which includes Jazzer and Jazzer.js.

> Learn more on how to turbocharge your Java Fuzz Testing with [Jazzer Pro](https://www.code-intelligence.com/introducing-jazzer-pro).

> 

> Visit [code-intelligence.com](https://code-intelligence.com) for more information, or get in contact with us via [[email protected]](mailto:[email protected]).

>

> Thanks,

>

> The Code Intelligence team

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by [Code Intelligence](https://code-intelligence.com).

It is based on [libFuzzer](https://llvm.org/docs/LibFuzzer.html) and brings many of its instrumentation-powered mutation features to the JVM.

Jazzer currently supports the following platforms:

* Linux x86_64

* macOS 12+ x86_64 & arm64

* Windows x86_64

## Quick start

You can use Docker to try out Jazzer's Autofuzz mode, in which it automatically generates arguments to a given Java function and reports unexpected exceptions and detected security issues:

```

docker run -it cifuzz/jazzer-autofuzz \

   com.mikesamuel:json-sanitizer:1.2.0 \

   com.google.json.JsonSanitizer::sanitize \

   --autofuzz_ignore=java.lang.ArrayIndexOutOfBoundsException

```

Here, the first two arguments are the Maven coordinates of the Java library and the fully qualified name of the Java function to be fuzzed in "method reference" form.

The optional `--autofuzz_ignore` flag takes a list of uncaught exception classes to ignore.

After a few seconds, Jazzer should trigger an `AssertionError`, reproducing a bug it found in this library that has since been fixed.

## Using Jazzer via...

### JUnit 5

The following steps assume that JUnit 5.9.0 or higher is set up for your project, for example based on the official [junit5-samples](https://github.com/junit-team/junit5-samples).

1. Add a dependency on `com.code-intelligence:jazzer-junit:`.

   All Jazzer Maven artifacts are signed with [this key](deploy/maven.pub).

2. Add a new *fuzz test* to a new or existing test class: a method annotated with [`@FuzzTest`](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-junit/com/code_intelligence/jazzer/junit/FuzzTest.html) and at least one parameter.

   Using a single parameter of type [`FuzzedDataProvider`](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_intelligence/jazzer/api/FuzzedDataProvider.html), which provides utility functions to produce commonly used Java values, or `byte[]` is recommended for optimal performance and reproducibility of findings.

3. Assuming your test class is called `com.example.MyFuzzTests`, create the *inputs directory* `src/test/resources/com/example/MyFuzzTestsInputs`.

4. Run a fuzz test with the environment variable `JAZZER_FUZZ` set to `1` to let the fuzzer rapidly try new sets of arguments.

   If the fuzzer finds arguments that make your fuzz test fail or even trigger a security issue, it will store them in the inputs directory.

   In this mode, only a single fuzz test is executed per test run (see [#599](https://github.com/CodeIntelligenceTesting/jazzer/issues/599) for details).

5. Run the fuzz test without `JAZZER_FUZZ` set to execute it only on the inputs in the inputs directory.

   This mode, which behaves just like a traditional unit test, ensures that issues previously found by the fuzzer remain fixed and can also be used to debug the fuzz test on individual inputs.

A simple property-based fuzz test could look like this (excluding imports):

```java

class ParserTests {

   @Test

   void unitTest() {

      assertEquals("foobar", SomeScheme.decode(SomeScheme.encode("foobar")));

   }

   @FuzzTest

   void fuzzTest(FuzzedDataProvider data) {

      String input = data.consumeRemainingAsString();

      assertEquals(input, SomeScheme.decode(SomeScheme.encode(input)));

   }

}

```

A complete Maven example project can be found in [`examples/junit`](examples/junit).

### GitHub releases

You can also use GitHub release archives to run a standalone Jazzer binary that starts its own JVM configured for fuzzing:

1. Download and extract the latest release from the [GitHub releases page](https://github.com/CodeIntelligenceTesting/jazzer/releases).

2. Add a new class to your project with a public static void fuzzerTestOneInput(FuzzedDataProvider data) method.

3. Compile your fuzz test with `jazzer_standalone.jar` on the classpath.

4. Run the `jazzer` binary (`jazzer.exe` on Windows), specifying the classpath and fuzz test class:

```shell

./jazzer --cp= --target_class=

```

If you see an error saying that `libjvm.so` has not been found, make sure that `JAVA_HOME` points to a JDK.

The [`examples`](examples/src/main/java/com/example) directory includes both toy and real-world examples of fuzz tests.

### Docker

The "distroless" Docker image [cifuzz/jazzer](https://hub.docker.com/r/cifuzz/jazzer) includes a recent Jazzer release together with OpenJDK 17.

Mount a directory containing your compiled fuzz target into the container under `/fuzzing` and use it like a GitHub release binary by running:

```sh

docker run -v path/containing/the/application:/fuzzing cifuzz/jazzer --cp= --target_class=

```

If Jazzer produces a finding, the input that triggered it will be available in the same directory.

### Bazel

Support for Jazzer is available in [rules_fuzzing](https://github.com/bazelbuild/rules_fuzzing), the official Bazel rules for fuzzing.

See [the README](https://github.com/bazelbuild/rules_fuzzing#java-fuzzing) for instructions on how to use Jazzer in a Java Bazel project.

### OSS-Fuzz

[Code Intelligence](https://code-intelligence.com) and Google have teamed up to bring support for Java, Kotlin, and other JVM-based languages to [OSS-Fuzz](https://github.com/google/oss-fuzz), Google's project for large-scale fuzzing of open-souce software.

Read [the OSS-Fuzz guide](https://google.github.io/oss-fuzz/getting-started/new-project-guide/jvm-lang/) to learn how to set up a Java project.

## Building from source

Information on building and testing Jazzer for development can be found in [CONTRIBUTING.md](CONTRIBUTING.md)

## Further documentation

* [Common options and workflows](docs/common.md)

* [Advanced techniques](docs/advanced.md)

## Findings

A list of security issues and bugs found by Jazzer is maintained [here](docs/findings.md).

If you found something interesting and the information is public, please send a PR to add it to the list.

## Credit

The following developers have contributed to Jazzer before its public release:

[Sergej Dechand](https://github.com/serj),

[Christian Hartlage](https://github.com/dende),

[Fabian Meumertzheim](https://github.com/fmeum),

[Sebastian Pöplau](https://github.com/sebastianpoeplau),

[Mohammed Qasem](https://github.com/mohqas),

[Simon Resch](https://github.com/simonresch),

[Henrik Schnor](https://github.com/henrikschnor),

[Khaled Yakdan](https://github.com/kyakdan)

The LLVM-style edge coverage instrumentation for JVM bytecode used by Jazzer relies on [JaCoCo](https://github.com/jacoco/jacoco).

Previously, Jazzer used AFL-style coverage instrumentation as pioneered by [kelinci](https://github.com/isstac/kelinci).







[`FuzzedDataProvider`]: https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_intelligence/jazzer/api/FuzzedDataProvider.html