https://github.com/fuzzitdev/javafuzz
coverage guided fuzz testing for java
- Host: GitHub
- URL: https://github.com/fuzzitdev/javafuzz
- Owner: fuzzitdev
- License: apache-2.0
- Archived: true
- Created: 2019-11-15T15:34:51.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-04-30T03:42:39.000Z (almost 4 years ago)
- Last Synced: 2024-06-10T12:12:45.969Z (10 months ago)
- Topics: fuzz-testing, fuzzer, fuzzing, java, testing
- Language: Java
- Homepage: https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/javafuzz
- Size: 362 KB
- Stars: 228
- Watchers: 8
- Forks: 25
- Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-java - Javafuzz
README
fuzzit.dev was [acquired](https://about.gitlab.com/press/releases/2020-06-11-gitlab-acquires-peach-tech-and-fuzzit-to-expand-devsecops-offering.html) by GitLab and the new home for this repo is [here](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/javafuzz)
# Javafuzz: coverage-guided fuzz testing for Java
Javafuzz is a coverage-guided [fuzzer](https://developer.mozilla.org/en-US/docs/Glossary/Fuzzing) for testing Java packages.

Fuzzing memory-safe languages like Java is a powerful strategy for finding bugs such as unhandled exceptions, logic bugs, security bugs that arise from logic bugs, and Denial-of-Service caused by hangs and excessive memory usage.

Fuzzing is a powerful and efficient strategy for real-world software, complementing classic unit tests.
## Usage
### Fuzz Target
The first step is to implement the following function (also called a fuzz target):
```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.imageio.ImageIO;

import dev.fuzzit.javafuzz.core.AbstractFuzzTarget;

public class FuzzExample extends AbstractFuzzTarget {
    // Javafuzz calls this in a loop with mutated input; any exception that
    // escapes is reported as a crash, so only the expected one is swallowed.
    public void fuzz(byte[] data) {
        try {
            BufferedImage image = ImageIO.read(new ByteArrayInputStream(data));
        } catch (IOException e) {
            // ignore as we expect this exception for malformed image data
        }
    }
}
```

Features of the fuzz target:
* Javafuzz will call the fuzz target in an infinite loop with random data (according to the coverage-guided algorithm) passed to `data`.
* The function must catch and ignore only the exceptions that are expected when passing invalid input to the tested package. Catch the specific types, not `Exception` or `Throwable`, otherwise real bugs are swallowed too.
* The fuzz target must call the tested function/library with the passed buffer, or with a transformation of it if the tested code expects a different structure or type.
* Fuzz functions can also implement application-level checks to catch application/logic bugs. For example: decode the buffer with the tested library, encode it again, and check that both results are equal. To report a bug, the function should throw an exception.
* Javafuzz reports any unhandled exception as a crash, as well as inputs that hit the memory limit specified to javafuzz or that hang/run longer than the specified per-testcase timeout.

### Installing
Add this to your `pom.xml`:

```xml
<dependencies>
  <dependency>
    <groupId>dev.fuzzit.javafuzz</groupId>
    <artifactId>core</artifactId>
    <version>1.23-SNAPSHOT</version>
    <scope>test</scope>
  </dependency>
</dependencies>

<build>
  <plugins>
    <plugin>
      <groupId>dev.fuzzit.javafuzz</groupId>
      <artifactId>javafuzz-maven-plugin</artifactId>
      <version>1.22</version>
    </plugin>
  </plugins>
</build>
```

Note that `core` is referenced as a `-SNAPSHOT` version, which is why the Running steps below clone the repository and `mvn install` it into the local Maven repository before fuzzing.
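The following is a fuller fuzz target that puts the points above together: it catches only the two exception types the tested API is documented to throw on bad input, and it adds an application-level check (parse, re-serialise, parse again, compare). It is an added example written for this page, not code from the Javafuzz project. The base-class package `dev.fuzzit.javafuzz.core` is assumed from the `core` artifact coordinates; the class name, helper methods and seed strings are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

// Assumed package for the base class shipped in the `core` artifact.
import dev.fuzzit.javafuzz.core.AbstractFuzzTarget;

/**
 * Fuzz target for java.util.Properties with an application-level check:
 * whatever load() accepts must survive a store()/load() round trip unchanged.
 * Class and helper names are illustrative, not part of Javafuzz.
 */
public class FuzzPropertiesRoundTrip extends AbstractFuzzTarget {

    // Bound the input so memory-limit reports point at real blow-ups, not huge seeds.
    private static final int MAX_INPUT = 64 * 1024;

    public void fuzz(byte[] data) {
        if (data.length > MAX_INPUT) {
            return;
        }
        try {
            checkRoundTrip(data);
        } catch (IOException e) {
            // expected: stream-level errors declared by load()
        } catch (IllegalArgumentException e) {
            // expected: load() rejects malformed \uXXXX escapes this way
        }
        // Anything else, including the IllegalStateException thrown below,
        // escapes this method and is reported by Javafuzz as a crash.
    }

    /** Parses, re-serialises and re-parses; throws if the two parses disagree. */
    static Properties checkRoundTrip(byte[] data) throws IOException {
        Properties first = parse(data);
        Properties second = parse(serialize(first));
        if (!first.equals(second)) {
            throw new IllegalStateException(
                "round-trip mismatch: " + first + " != " + second);
        }
        return first;
    }

    static Properties parse(byte[] data) throws IOException {
        Properties props = new Properties();
        // load(InputStream) reads ISO-8859-1 and decodes \uXXXX escapes
        props.load(new ByteArrayInputStream(data));
        return props;
    }

    static byte[] serialize(Properties props) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // store() escapes '=', ':', '#', '!', whitespace and non-Latin-1 chars
        props.store(out, null);
        return out.toByteArray();
    }

    /** Smoke run on constructed seeds; the real loop is `mvn javafuzz:fuzz`. */
    public static void main(String[] args) throws IOException {
        String[] seeds = {
            "key=value\n# comment\nspaced\\ key = tab\\tvalue\n", // well-formed
            "unicode=\\u00e9\\u4e2d\n",                           // valid \u escapes
            "bad=\\u00zz\n",                                      // malformed escape
        };
        FuzzPropertiesRoundTrip target = new FuzzPropertiesRoundTrip();
        for (String seed : seeds) {
            target.fuzz(seed.getBytes(StandardCharsets.ISO_8859_1));
        }
        Properties parsed = checkRoundTrip(seeds[0].getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("seed 0 round-tripped " + parsed.size() + " entries");
    }
}
```

Run it with `mvn javafuzz:fuzz -DclassName=<your.package>.FuzzPropertiesRoundTrip` once the `core` artifact is installed. The third seed exercises the "expected exception" path: it is rejected with `IllegalArgumentException` and silently ignored, while a round-trip mismatch would surface as an unhandled `IllegalStateException` and be saved as a crashing input.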
### Running
The next step is to run javafuzz with your fuzz target class. The commands below build the repository inside a Maven container and fuzz the `FuzzYaml` target from the `examples` module:

```bash
docker run -it maven:3.6.2-jdk-11 /bin/bash
git clone https://github.com/fuzzitdev/javafuzz.git
cd javafuzz
# installs the core and plugin artifacts (including the SNAPSHOT) into the local repo
mvn install
cd examples
# JaCoCo agent used for coverage instrumentation
wget -O jacocoagent.jar https://github.com/fuzzitdev/javafuzz/raw/master/javafuzz-maven-plugin/src/main/resources/jacocoagent-exp.jar
MAVEN_OPTS="-javaagent:jacocoagent.jar" mvn javafuzz:fuzz -DclassName=dev.fuzzit.javafuzz.examples.FuzzYaml
```

```bash
# Output:
#0 READ units: 0
#1 NEW cov: 61 corp: 0 exec/s: 1 rss: 23.37 MB
#23320 PULSE cov: 61 corp: 1 exec/s: 10614 rss: 35.3 MB
#96022 NEW cov: 70 corp: 1 exec/s: 11320 rss: 129.95 MB
#96971 NEW cov: 78 corp: 2 exec/s: 10784 rss: 129.95 MB
#97046 NEW cov: 79 corp: 3 exec/s: 9375 rss: 129.95 MB
#97081 NEW cov: 81 corp: 4 exec/s: 11666 rss: 129.95 MB
#97195 NEW cov: 93 corp: 5 exec/s: 9500 rss: 129.95 MB
#97216 NEW cov: 97 corp: 6 exec/s: 10500 rss: 129.95 MB
#97238 NEW cov: 102 corp: 7 exec/s: 11000 rss: 129.95 MB
#97303 NEW cov: 108 corp: 8 exec/s: 10833 rss: 129.96 MB
#97857 PULSE cov: 108 corp: 9 exec/s: 225 rss: 129.96 MB
#97857 PULSE cov: 108 corp: 9 exec/s: 0 rss: 940.97 MB
#97857 PULSE cov: 108 corp: 9 exec/s: 0 rss: 1566.01 MB
```

This example quickly finds an input that makes the `FuzzYaml` target hang and consume all available memory: note how `exec/s` drops to 0 while `rss` keeps climbing in the last lines.

### Corpus

Javafuzz will generate and test various inputs in an infinite loop. `corpus` is an optional directory used to save the generated testcases, so later runs can start from the same point, and it can also be provided as a seed corpus.

Javafuzz can also start with an empty directory (i.e. no seed corpus), though some valid testcases in the seed corpus may speed up the fuzzing substantially.

Javafuzz tries to mimic some of the arguments and output style of [libFuzzer](https://llvm.org/docs/LibFuzzer.html).

More fuzz target examples (for real and popular libraries) are located under the examples directory, and bugs that were found using those targets are listed in the trophies section.

### Coverage

For coverage instrumentation we use the [JaCoCo library](https://github.com/jacoco/jacoco).
## Other languages
Currently this library also exists for the following languages:
* javascript via [jsfuzz](https://github.com/fuzzitdev/jsfuzz)
* python via [pythonfuzz](https://github.com/fuzzitdev/pythonfuzz)

## Credits & Acknowledgments

Javafuzz is a port of [fuzzitdev/jsfuzz](https://github.com/fuzzitdev/jsfuzz), which in turn is based on [go-fuzz](https://github.com/dvyukov/go-fuzz), originally developed by [Dmitry Vyukov](https://twitter.com/dvyukov), which is in turn heavily based on [Michal Zalewski's](https://twitter.com/lcamtuf) [AFL](http://lcamtuf.coredump.cx/afl/).

Another solid coverage-guided fuzzing library for Java is [JQF](https://github.com/rohanpadhye/jqf), but it is more focused on semantic (i.e. structure-aware) fuzzing and thus depends on QuickCheck. Javafuzz does not depend on any framework and focuses on mutating byte arrays and using coverage to find more bugs.

## Contributions
Contributions are welcome!:) There are still a lot of things to improve, and tests and features to add. We will slowly post those in the
issues section. Before doing any major contribution please open an issue so we can discuss and help guide the process before
any unnecessary work is done.