| American Fuzzy Lop (AFL) is available from all good distros, or from |
| the upstream site: http://lcamtuf.coredump.cx/afl/ |
| |
| Configure to build the instumented binary: |
| |
| CC=afl-gcc ../src/configure --disable-shared --enable-static |
| |
| Build the binary: |
| |
| make clean |
| make afl-x509 |
| |
| Run the fuzzer (you may need root to change the CPU governor): |
| |
| mkdir afl-findings |
| afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \ |
| -o afl-findings -M fuzzer01 \ |
| subversion/tests/afl/afl-x509 |
| afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \ |
| -o afl-findings -S fuzzer02 \ |
| subversion/tests/afl/afl-x509 |
| afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \ |
| -o afl-findings -S fuzzer03 \ |
| subversion/tests/afl/afl-x509 |
| |
| Wait, burning CPU... |
| |
| Testcases that cause SEGVs are easier to debug using a separate build |
| without AFL instrumentation: |
| |
| gdb --args subversion/tests/afl/afl-x509 afl-findings/fuzzer01/crashes/some-test-case |