Change fuzzing target to fuzz turn type and parameters

Signed-off-by: Ludvig Liljenberg <lliljenberg@microsoft.com>
hyperlight-dev · Feb 28, 2025 · fcb0862 · fcb0862
1 parent 63fa7c6
commit fcb0862
Show file tree

Hide file tree

Showing 11 changed files with 36 additions and 29 deletions.
diff --git a/.github/workflows/dep_fuzzing.yml b/.github/workflows/dep_fuzzing.yml
@@ -44,7 +44,7 @@ jobs:
         run: cargo install cargo-fuzz
 
       - name: Run Fuzzing
-        run: cargo +nightly fuzz run --release fuzz_target_1 -- -max_total_time=300
+        run: just fuzz-timed ${{ inputs.max_total_time }}
         working-directory: src/hyperlight_host
 
       - name: Upload Crash Artifacts

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -3,6 +3,7 @@
         "Cargo.toml", 
         // guest crates for testing, not part of the workspace
         "src/tests/rust_guests/simpleguest/Cargo.toml",
-        "src/tests/rust_guests/callbackguest/Cargo.toml"
+        "src/tests/rust_guests/callbackguest/Cargo.toml",
+        "src/hyperlight_host/fuzz/Cargo.toml"
     ]
 }
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Justfile b/Justfile
@@ -189,5 +189,6 @@ bench target=default-target features="":
 fuzz:
     cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1
 
-fuzz-timed:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 -- -max_total_time=300
+# Stop fuzzing after `max_time` seconds
+fuzz-timed max_time:
+    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 -- -max_total_time={{ max_time }}
diff --git a/src/hyperlight_common/Cargo.toml b/src/hyperlight_common/Cargo.toml
@@ -20,9 +20,11 @@ anyhow = { version = "1.0.96", default-features = false }
 log = "0.4.25"
 tracing = { version = "0.1.41", optional = true }
 strum = {version = "0.27",  default-features = false, features = ["derive"]}
+arbitrary = {version = "1.4.1", optional = true, features = ["derive"]}
 
 [features]
 default = ["tracing"]
+fuzzing = ["dep:arbitrary"]
 
 [dev-dependencies]
 hyperlight-testing = { workspace = true }

diff --git a/src/hyperlight_common/src/flatbuffer_wrappers/function_types.rs b/src/hyperlight_common/src/flatbuffer_wrappers/function_types.rs
@@ -32,6 +32,7 @@ use crate::flatbuffers::hyperlight::generated::{
 };
 
 /// Supported parameter types with values for function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Clone, PartialEq)]
 pub enum ParameterValue {
     /// i32
@@ -104,6 +105,7 @@ pub enum ReturnValue {
 }
 
 /// Supported return types from function calling.
+#[cfg_attr(feature = "fuzzing", derive(arbitrary::Arbitrary))]
 #[derive(Debug, Copy, Clone, PartialEq, Eq, Default)]
 #[repr(C)]
 pub enum ReturnType {

diff --git a/src/hyperlight_common/src/lib.rs b/src/hyperlight_common/src/lib.rs
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#![no_std]
+// We use Arbitrary during fuzzing, which requires std
+#![cfg_attr(not(feature = "fuzzing"), no_std)]
 
 extern crate alloc;
 

diff --git a/src/hyperlight_host/Cargo.toml b/src/hyperlight_host/Cargo.toml
@@ -132,6 +132,7 @@ mshv3 = ["dep:mshv-bindings3", "dep:mshv-ioctls3"]
 inprocess = []
 # This enables easy debug in the guest
 gdb = ["dep:gdbstub", "dep:gdbstub_arch"]
+fuzzing = ["hyperlight-common/fuzzing"]
 
 [[bench]]
 name = "benchmarks"

diff --git a/src/hyperlight_host/fuzz/Cargo.toml b/src/hyperlight_host/fuzz/Cargo.toml
@@ -10,7 +10,7 @@ cargo-fuzz = true
 [dependencies]
 libfuzzer-sys = "0.4"
 hyperlight-testing = { workspace = true }
-hyperlight-host = { workspace = true, default-features = true }
+hyperlight-host = { workspace = true, default-features = true, features = ["fuzzing"]}
 
 [[bin]]
 name = "fuzz_target_1"

diff --git a/src/hyperlight_host/fuzz/README.md b/src/hyperlight_host/fuzz/README.md
@@ -4,23 +4,18 @@ This directory contains the fuzzing infrastructure for Hyperlight. We use `cargo
 
 You can run the fuzzers with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name>
+just fuzz
 ```
 
-> Note: Because nightly toolchains are not stable, we pin the nightly version to `2023-11-28`. To install this toolchain, run:
-> ```sh
-> rustup toolchain install nightly-2023-11-28-x86_64-unknown-linux-gnu
-> ```
-
 As per Microsoft's Offensive Research & Security Engineering (MORSE) team, all host exposed functions that receive or interact with guest data must be continuously fuzzed for, at least, 500 million fuzz test cases without any crashes. Because `cargo-fuzz` doesn't support setting a maximum number of iterations; instead, we use the `--max_total_time` flag to set a maximum time to run the fuzzer. We have a GitHub action (acting like a CRON job) that runs the fuzzers for 24 hours every week.
 
-Currently, we only fuzz the `PrintOutput` function. We plan to add more fuzzers in the future.
+Currently, we only fuzz the parameters and return type to a hardcoded `PrintOutput` guest function. We plan to add more fuzzers in the future.
 
 ## On Failure 
 
 If you encounter a failure, you can re-run an entire seed (i.e., group of inputs) with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name> -- -seed=<seed-number>
+cargo +nightly fuzz run <fuzzer_name> -- -seed=<seed-number>
 ```
 
 The seed number can be seed in a specific run, like:
@@ -29,5 +24,5 @@ The seed number can be seed in a specific run, like:
 Or, if repro-ing a failure from CI, you can download the artifact from the fuzzing run, and run it like:
 
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
+cargo +nightly fuzz run -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
 ```
diff --git a/src/hyperlight_host/fuzz/fuzz_targets/fuzz_target_1.rs b/src/hyperlight_host/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -24,7 +24,7 @@ use hyperlight_host::{MultiUseSandbox, UninitializedSandbox};
 use hyperlight_testing::simple_guest_as_string;
 use libfuzzer_sys::fuzz_target;
 
-fuzz_target!(|data: &[u8]| {
+fuzz_target!(|data: (ReturnType, Option<Vec<ParameterValue>>)| {
     let u_sbox = UninitializedSandbox::new(
         GuestBinary::FilePath(simple_guest_as_string().expect("Guest Binary Missing")),
         None,
@@ -33,18 +33,7 @@ fuzz_target!(|data: &[u8]| {
     )
     .unwrap();
 
-    let mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
+    let mut mu_sbox: MultiUseSandbox = u_sbox.evolve(Noop::default()).unwrap();
 
-    let msg = String::from_utf8_lossy(data).to_string();
-    let len = msg.len() as i32;
-    let mut ctx = mu_sbox.new_call_context();
-    let result = ctx
-        .call(
-            "PrintOutput",
-            ReturnType::Int,
-            Some(vec![ParameterValue::String(msg.clone())]),
-        )
-        .unwrap();
-
-    assert_eq!(result, ReturnValue::Int(len));
+    let _ = mu_sbox.call_guest_function_by_name("PrintOutput", data.0, data.1);
 });