Change fuzzing target to fuzz turn type and parameters

Signed-off-by: Ludvig Liljenberg <lliljenberg@microsoft.com>
hyperlight-dev · Feb 28, 2025 · 42f6f6c · 42f6f6c
1 parent 63fa7c6
commit 42f6f6c
Show file tree

Hide file tree

Showing 11 changed files with 39 additions and 31 deletions.
diff --git a/.github/workflows/dep_fuzzing.yml b/.github/workflows/dep_fuzzing.yml
@@ -44,7 +44,7 @@ jobs:
         run: cargo install cargo-fuzz
 
       - name: Run Fuzzing
-        run: cargo +nightly fuzz run --release fuzz_target_1 -- -max_total_time=300
+        run: just fuzz-timed ${{ inputs.max_total_time }}
         working-directory: src/hyperlight_host
 
       - name: Upload Crash Artifacts

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -3,6 +3,7 @@
         "Cargo.toml", 
         // guest crates for testing, not part of the workspace
         "src/tests/rust_guests/simpleguest/Cargo.toml",
-        "src/tests/rust_guests/callbackguest/Cargo.toml"
+        "src/tests/rust_guests/callbackguest/Cargo.toml",
+        "src/hyperlight_host/fuzz/Cargo.toml"
     ]
 }
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Justfile b/Justfile
@@ -187,7 +187,8 @@ bench target=default-target features="":
 
 # FUZZING
 fuzz:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1
+    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 --release
 
-fuzz-timed:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 -- -max_total_time=300
+# Stop fuzzing after `max_time` seconds
+fuzz-timed max_time:
+    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 --release -- -max_total_time={{ max_time }}
diff --git a/src/hyperlight_common/Cargo.toml b/src/hyperlight_common/Cargo.toml
@@ -20,9 +20,11 @@ anyhow = { version = "1.0.96", default-features = false }
 log = "0.4.25"
 tracing = { version = "0.1.41", optional = true }
 strum = {version = "0.27",  default-features = false, features = ["derive"]}
+arbitrary = {version = "1.4.1", optional = true, features = ["derive"]}
 
 [features]
 default = ["tracing"]
+fuzzing = ["dep:arbitrary"]
 
 [dev-dependencies]
 hyperlight-testing = { workspace = true }

diff --git a/src/hyperlight_common/src/flatbuffer_wrappers/function_types.rs b/src/hyperlight_common/src/flatbuffer_wrappers/function_types.rs
@@ -32,6 +32,7 @@ use crate::flatbuffers::hyperlight::generated::{
 };
 
 /// Supported parameter types with values for function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Clone, PartialEq)]
 pub enum ParameterValue {
     /// i32
@@ -104,6 +105,7 @@ pub enum ReturnValue {
 }
 
 /// Supported return types from function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Copy, Clone, PartialEq, Eq, Default)]
 #[repr(C)]
 pub enum ReturnType {

diff --git a/src/hyperlight_common/src/lib.rs b/src/hyperlight_common/src/lib.rs
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#![no_std]
+// We use Arbitrary during fuzzing, which requires std
+#![cfg_attr(not(feature = "fuzzing"), no_std)]
 
 extern crate alloc;
 

diff --git a/src/hyperlight_host/Cargo.toml b/src/hyperlight_host/Cargo.toml
@@ -132,6 +132,7 @@ mshv3 = ["dep:mshv-bindings3", "dep:mshv-ioctls3"]
 inprocess = []
 # This enables easy debug in the guest
 gdb = ["dep:gdbstub", "dep:gdbstub_arch"]
+fuzzing = ["hyperlight-common/fuzzing"]
 
 [[bench]]
 name = "benchmarks"

diff --git a/src/hyperlight_host/fuzz/Cargo.toml b/src/hyperlight_host/fuzz/Cargo.toml
@@ -10,7 +10,7 @@ cargo-fuzz = true
 [dependencies]
 libfuzzer-sys = "0.4"
 hyperlight-testing = { workspace = true }
-hyperlight-host = { workspace = true, default-features = true }
+hyperlight-host = { workspace = true, default-features = true, features = ["fuzzing"]}
 
 [[bin]]
 name = "fuzz_target_1"

diff --git a/src/hyperlight_host/fuzz/README.md b/src/hyperlight_host/fuzz/README.md
@@ -4,23 +4,19 @@ This directory contains the fuzzing infrastructure for Hyperlight. We use `cargo
 
 You can run the fuzzers with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name>
+just fuzz
 ```
-
-> Note: Because nightly toolchains are not stable, we pin the nightly version to `2023-11-28`. To install this toolchain, run:
-> ```sh
-> rustup toolchain install nightly-2023-11-28-x86_64-unknown-linux-gnu
-> ```
+which evaluates to the following command `cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 --release`. We use the release profile to make sure the release-optimized guest is used. The default fuzz profile which is release+debugsymbols would cause our debug guests to be loaded, since we currently determine which test guest to load based on whether debug symbols are present.
 
 As per Microsoft's Offensive Research & Security Engineering (MORSE) team, all host exposed functions that receive or interact with guest data must be continuously fuzzed for, at least, 500 million fuzz test cases without any crashes. Because `cargo-fuzz` doesn't support setting a maximum number of iterations; instead, we use the `--max_total_time` flag to set a maximum time to run the fuzzer. We have a GitHub action (acting like a CRON job) that runs the fuzzers for 24 hours every week.
 
-Currently, we only fuzz the `PrintOutput` function. We plan to add more fuzzers in the future.
+Currently, we only fuzz the parameters and return type to a hardcoded `PrintOutput` guest function. We plan to add more fuzzers in the future.
 
 ## On Failure 
 
 If you encounter a failure, you can re-run an entire seed (i.e., group of inputs) with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name> -- -seed=<seed-number>
+cargo +nightly fuzz run <fuzzer_name> -- -seed=<seed-number>
 ```
 
 The seed number can be seed in a specific run, like:
@@ -29,5 +25,5 @@ The seed number can be seed in a specific run, like:
 Or, if repro-ing a failure from CI, you can download the artifact from the fuzzing run, and run it like:
 
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
+cargo +nightly fuzz run -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
 ```
diff --git a/src/hyperlight_host/fuzz/fuzz_targets/fuzz_target_1.rs b/src/hyperlight_host/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -16,15 +16,15 @@ limitations under the License.
 
 #![no_main]
 
-use hyperlight_host::func::{ParameterValue, ReturnType, ReturnValue};
+use hyperlight_host::func::{ParameterValue, ReturnType};
 use hyperlight_host::sandbox::uninitialized::GuestBinary;
 use hyperlight_host::sandbox_state::sandbox::EvolvableSandbox;
 use hyperlight_host::sandbox_state::transition::Noop;
 use hyperlight_host::{MultiUseSandbox, UninitializedSandbox};
 use hyperlight_testing::simple_guest_as_string;
 use libfuzzer_sys::fuzz_target;
 
-fuzz_target!(|data: &[u8]| {
+fuzz_target!(|data: (ReturnType, Option<Vec<ParameterValue>>)| {
     let u_sbox = UninitializedSandbox::new(
         GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
         None,
@@ -33,18 +33,7 @@ fuzz_target!(|data: &[u8]| {
     )
     .unwrap();
 
-    let mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
+    let mut mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
 
-    let msg = String::from_utf8_lossy(data).to_string();
-    let len = msg.len() as i32;
-    let mut ctx = mu_sbox.new_call_context();
-    let result = ctx
-        .call(
-            "PrintOutput",
-            ReturnType::Int,
-            Some(vec![ParameterValue::String(msg.clone())]),
-        )
-        .unwrap();
-
-    assert_eq!(result, ReturnValue::Int(len));
+    let _ = mu_sbox.call_guest_function_by_name("PrintOutput", data.0, data.1);
 });