You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+4-3Lines changed: 4 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,8 +23,7 @@ Naturally, this is conditional on the same operation run twice returning the sam
23
23
24
24
1. Clone this repository, run `make`; this will build libdiffuzz.so
25
25
1. Make your code run the same operation twice in the same process and compare outputs.
26
-
1. Run your code like this: `LD_PRELOAD=/path/to/libdiffuzz.so /path/to/your/binary`.
27
-
1. If you're fuzzing with [AFL](http://lcamtuf.coredump.cx/afl/), use `AFL_PRELOAD=/path/to/libdiffuzz.so afl-fuzz ...` instead. If you're not fuzzing with AFL - you should!
26
+
1. Run your code like this: `LD_PRELOAD=/path/to/libdiffuzz.so /path/to/your/binary`. If you're fuzzing with [AFL](http://lcamtuf.coredump.cx/afl/), use `AFL_PRELOAD=/path/to/libdiffuzz.so afl-fuzz ...` instead. If you're not fuzzing with AFL - you should!
28
27
1. Brag that you've used differential fuzzing to find vulnerabilities in real code
29
28
30
29
## Quick start for Rust code
@@ -36,7 +35,7 @@ However, if you have read from [the black book](https://doc.rust-lang.org/nomico
36
35
1. Clone this repository, run `make`; this will build libdiffuzz.so
37
36
1. Make sure [this code](https://gist.github.com/Shnatsel/0c024a51b64c6e0b6c6e66f991904816) doesn't reliably crash when run on its own, but does crash when you run it like this: `LD_PRELOAD=/path/to/libdiffuzz.so target/release/membleed`
38
37
1. If you haven't done regular fuzzing yet - do set up fuzzing with AFL. [It's not that hard.](https://fuzz.rs/book/afl/setup.html)
39
-
1. In your fuzz target run the same operation twice and `assert!` that they produce the same result. See [example fuzz target for lodepng-rust](https://github.com/Shnatsel/lodepng-afl-fuzz-differential) for reference.
38
+
1. In your fuzz target run the same operation twice and `assert!` that they produce the same result. See [example fuzz target for lodepng-rust](https://github.com/Shnatsel/lodepng-afl-fuzz-differential) for reference.[A more complicated example](https://github.com/Shnatsel/claxon-differential-fuzzing) is also available.
40
39
1. Add the following to your fuzz harness:
41
40
```rust
42
41
// Use the system allocator so we can substitute it with a custom one via LD_PRELOAD
@@ -73,3 +72,5 @@ List of previously unknown (i.e. zero-day) vulnerabilities found using this tool
73
72
## See also
74
73
75
74
[libdislocator](https://github.com/mirrorer/afl/tree/master/libdislocator), poor man's [Address Sanitizer](https://clang.llvm.org/docs/AddressSanitizer.html) that also works with black-box binaries. libdiffuzz is based on libdislocator code.
75
+
76
+
For background on how this project came about, see [How I've found vulnerability in a popular Rust crate (and you can too)](https://medium.com/@shnatsel/how-ive-found-vulnerability-in-a-popular-rust-crate-and-you-can-too-3db081a67fb).
0 commit comments