Adds fuzzing target to fuzz the ParameterValue and ReturnType. Rename

existing target to host_print. Move fuzz directory to root directory.

Signed-off-by: Ludvig Liljenberg <lliljenberg@microsoft.com>

.github/workflows/Fuzzing.yml

@@ -10,9 +10,9 @@ permissions:
   contents: read
 
 jobs:
-
   fuzzing:
     uses: ./.github/workflows/dep_fuzzing.yml
     with:
+      targets: '["host_print", "guest_call"]' # Pass as a JSON array
       max_total_time: 18000 # 5 hours in seconds
     secrets: inherit

.github/workflows/ValidatePullRequest.yml

@@ -54,6 +54,7 @@ jobs:
       - docs-pr
     uses: ./.github/workflows/dep_fuzzing.yml
     with:
+      targets: '["host_print", "guest_call"]' # Pass as a JSON array
       max_total_time: 300 # 5 minutes in seconds
       docs_only: ${{needs.docs-pr.outputs.docs-only}}
     secrets: inherit

.github/workflows/dep_fuzzing.yml

@@ -7,6 +7,10 @@ on:
         description: Maximum total time for the fuzz run in seconds
         required: true
         type: number
+      targets:
+        description: Fuzz targets to run
+        required: true
+        type: string
       docs_only:
         description: Skip fuzzing if docs only
         required: false
@@ -21,6 +25,9 @@ jobs:
   fuzz:
     if: ${{ inputs.docs_only == 'false' }}
     runs-on: [ self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd" ]
+    strategy:
+      matrix:
+        target: ${{ fromJson(inputs.targets) }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -44,12 +51,12 @@ jobs:
         run: cargo install cargo-fuzz
 
       - name: Run Fuzzing
-        run: cargo +nightly fuzz run --release fuzz_target_1 -- -max_total_time=300
+        run: just fuzz-timed ${{ matrix.target }} ${{ inputs.max_total_time }}
         working-directory: src/hyperlight_host
 
       - name: Upload Crash Artifacts
         if: failure() # This ensures artifacts are only uploaded on failure
         uses: actions/upload-artifact@v4
         with:
           name: fuzz-crash-artifacts
-          path: src/hyperlight_host/fuzz/artifacts/
+          path: fuzz/artifacts/

Cargo.toml

@@ -11,7 +11,7 @@ members = [
     "src/hyperlight_host",
     "src/hyperlight_guest_capi",
     "src/hyperlight_testing",
-    "src/hyperlight_host/fuzz",
+    "fuzz",
 ]
 # Because hyperlight-guest has custom linker flags,
 # we exclude it from the default-members list

Justfile

@@ -190,8 +190,11 @@ bench target=default-target features="":
     cargo bench --profile={{ if target == "debug" { "dev" } else { target } }} {{ if features =="" {''} else { "--features " + features } }} -- --verbose
 
 # FUZZING
-fuzz:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1
 
-fuzz-timed:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 -- -max_total_time=300
+# Fuzzes the given target
+fuzz fuzz-target:
+    cargo +nightly fuzz run {{ fuzz-target }} --release
+
+# Fuzzes the given target. Stops after `max_time` seconds
+fuzz-timed fuzz-target max_time:
+    cargo +nightly fuzz run {{ fuzz-target }} --release -- -max_total_time={{ max_time }}

fuzz/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "hyperlight-fuzz"
+version = "0.0.0"
+publish = false
+edition = { workspace = true }
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+hyperlight-testing = { workspace = true }
+hyperlight-host = { workspace = true, default-features = true, features = ["fuzzing"]}
+
+[[bin]]
+name = "host_print"
+path = "fuzz_targets/host_print.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "guest_call"
+path = "fuzz_targets/guest_call.rs"
+test = false
+doc = false
+bench = false

src/hyperlight_host/fuzz/README.md → fuzz/README.md

@@ -4,23 +4,19 @@ This directory contains the fuzzing infrastructure for Hyperlight. We use `cargo
 
 You can run the fuzzers with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name>
+just fuzz
 ```
-
-> Note: Because nightly toolchains are not stable, we pin the nightly version to `2023-11-28`. To install this toolchain, run:
-> ```sh
-> rustup toolchain install nightly-2023-11-28-x86_64-unknown-linux-gnu
-> ```
+which evaluates to the following command `cargo +nightly fuzz run host_print --release`. We use the release profile to make sure the release-optimized guest is used. The default fuzz profile which is release+debugsymbols would cause our debug guests to be loaded, since we currently determine which test guest to load based on whether debug symbols are present.
 
 As per Microsoft's Offensive Research & Security Engineering (MORSE) team, all host exposed functions that receive or interact with guest data must be continuously fuzzed for, at least, 500 million fuzz test cases without any crashes. Because `cargo-fuzz` doesn't support setting a maximum number of iterations; instead, we use the `--max_total_time` flag to set a maximum time to run the fuzzer. We have a GitHub action (acting like a CRON job) that runs the fuzzers for 24 hours every week.
 
-Currently, we only fuzz the `PrintOutput` function. We plan to add more fuzzers in the future.
+Currently, we fuzz the parameters and return type to a hardcoded `PrintOutput` guest function, and the `HostPrint` host function. We plan to add more fuzzers in the future.
 
 ## On Failure 
 
 If you encounter a failure, you can re-run an entire seed (i.e., group of inputs) with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name> -- -seed=<seed-number>
+cargo +nightly fuzz run <fuzzer_name> -- -seed=<seed-number>
 ```
 
 The seed number can be seed in a specific run, like:
@@ -29,5 +25,5 @@ The seed number can be seed in a specific run, like:
 Or, if repro-ing a failure from CI, you can download the artifact from the fuzzing run, and run it like:
 
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
+cargo +nightly fuzz run -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
 ```

src/hyperlight_host/fuzz/fuzz_targets/fuzz_target_1.rs → fuzz/fuzz_targets/guest_call.rs

@@ -16,35 +16,35 @@ limitations under the License.
 
 #![no_main]
 
-use hyperlight_host::func::{ParameterValue, ReturnType, ReturnValue};
+use std::sync::{Mutex, OnceLock};
+
+use hyperlight_host::func::{ParameterValue, ReturnType};
 use hyperlight_host::sandbox::uninitialized::GuestBinary;
 use hyperlight_host::sandbox_state::sandbox::EvolvableSandbox;
 use hyperlight_host::sandbox_state::transition::Noop;
 use hyperlight_host::{MultiUseSandbox, UninitializedSandbox};
 use hyperlight_testing::simple_guest_as_string;
 use libfuzzer_sys::fuzz_target;
-
-fuzz_target!(|data: &[u8]| {
-    let u_sbox = UninitializedSandbox::new(
-        GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
-        None,
-        None,
-        None,
-    )
-    .unwrap();
-
-    let mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
-
-    let msg = String::from_utf8_lossy(data).to_string();
-    let len = msg.len() as i32;
-    let mut ctx = mu_sbox.new_call_context();
-    let result = ctx
-        .call(
-            "PrintOutput",
-            ReturnType::Int,
-            Some(vec![ParameterValue::String(msg.clone())]),
+static SANDBOX: OnceLock<Mutex<MultiUseSandbox>> = OnceLock::new();
+
+// This fuzz target tests all combinations of ReturnType and Parameters for `call_guest_function_by_name`.
+// For fuzzing efficiency, we create one Sandbox and reuse it for all fuzzing iterations.
+fuzz_target!(
+    init: {
+        let u_sbox = UninitializedSandbox::new(
+            GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
+            None,
+            None,
+            None,
         )
         .unwrap();
 
-    assert_eq!(result, ReturnValue::Int(len));
-});
+        let mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
+        SANDBOX.set(Mutex::new(mu_sbox)).unwrap();
+    },
+
+    |data: (ReturnType, Option<Vec<ParameterValue>>)| {
+        let mut sandbox = SANDBOX.get().unwrap().lock().unwrap();
+        let _ = sandbox.call_guest_function_by_name("PrintOutput", data.0, data.1);
+    }
+);

fuzz/fuzz_targets/host_print.rs

@@ -0,0 +1,51 @@
+#![no_main]
+
+use std::sync::{Mutex, OnceLock};
+
+use hyperlight_host::func::{ParameterValue, ReturnType, ReturnValue};
+use hyperlight_host::sandbox::uninitialized::GuestBinary;
+use hyperlight_host::sandbox_state::sandbox::EvolvableSandbox;
+use hyperlight_host::sandbox_state::transition::Noop;
+use hyperlight_host::{MultiUseSandbox, UninitializedSandbox};
+use hyperlight_testing::simple_guest_as_string;
+use libfuzzer_sys::{fuzz_target, Corpus};
+
+static SANDBOX: OnceLock<Mutex<MultiUseSandbox>> = OnceLock::new();
+
+// This fuzz target is used to test the HostPrint host function. We generate
+// an arbitrary ParameterValue::String, which is passed to the guest, which passes
+// it without modification to the host function.
+// For fuzzing efficiency, we create one Sandbox and reuse it for all fuzzing iterations.
+fuzz_target!(
+    init: {
+        let u_sbox = UninitializedSandbox::new(
+            GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
+            None,
+            None,
+            None,
+        )
+        .unwrap();
+
+        let mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
+        SANDBOX.set(Mutex::new(mu_sbox)).unwrap();
+    },
+
+    |data: ParameterValue| -> Corpus {
+        // only interested in String types
+        if !matches!(data, ParameterValue::String(_)) {
+            return Corpus::Reject;
+        }
+
+        let mut sandbox = SANDBOX.get().unwrap().lock().unwrap();
+        let res = sandbox.call_guest_function_by_name(
+            "PrintOutput",
+            ReturnType::Int,
+            Some(vec![data.clone()]),
+        );
+        match res {
+            Ok(ReturnValue::Int(len)) => assert!(len >= 0),
+            _ => panic!("Unexpected return value: {:?}", res),
+        }
+
+        Corpus::Keep
+});

rust-toolchain.toml

@@ -1,4 +1,2 @@
 [toolchain]
-channel = "1.81.0"
-# if you update this, don't forget to change the pinned version
-# of nightly we use in the fuzzing workflow.
+channel = "1.81.0"

src/hyperlight_common/Cargo.toml

@@ -20,9 +20,11 @@ anyhow = { version = "1.0.96", default-features = false }
 log = "0.4.26"
 tracing = { version = "0.1.41", optional = true }
 strum = {version = "0.27",  default-features = false, features = ["derive"]}
+arbitrary = {version = "1.4.1", optional = true, features = ["derive"]}
 
 [features]
 default = ["tracing"]
+fuzzing = ["dep:arbitrary"]
 
 [dev-dependencies]
 hyperlight-testing = { workspace = true }

src/hyperlight_common/src/flatbuffer_wrappers/function_types.rs

@@ -32,6 +32,7 @@ use crate::flatbuffers::hyperlight::generated::{
 };
 
 /// Supported parameter types with values for function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Clone, PartialEq)]
 pub enum ParameterValue {
     /// i32
@@ -104,6 +105,7 @@ pub enum ReturnValue {
 }
 
 /// Supported return types from function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Copy, Clone, PartialEq, Eq, Default)]
 #[repr(C)]
 pub enum ReturnType {

src/hyperlight_common/src/lib.rs

@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#![no_std]
+// We use Arbitrary during fuzzing, which requires std
+#![cfg_attr(not(feature = "fuzzing"), no_std)]
 
 extern crate alloc;
 

src/hyperlight_guest/Cargo.toml

@@ -16,6 +16,7 @@ Library to build guest applications for hyperlight.
 default = ["libc", "printf"]
 libc = [] # compile musl libc
 printf = [] # compile printf
+fuzzing = []
 
 [dependencies]
 anyhow = { version = "1.0.96", default-features = false }

src/hyperlight_host/Cargo.toml

@@ -132,6 +132,7 @@ mshv3 = ["dep:mshv-bindings3", "dep:mshv-ioctls3"]
 inprocess = []
 # This enables easy debug in the guest
 gdb = ["dep:gdbstub", "dep:gdbstub_arch"]
+fuzzing = ["hyperlight-common/fuzzing"]
 
 [[bench]]
 name = "benchmarks"