Add advanced fuzzer (#724) (#733)

xgreenx · maxammann · netrome · web-flow · commit dfab064ad084 · 2024-09-10T13:34:13.000Z
* Add advanced fuzzer (#724) * Add initial fuzz files * Fix original fuzz test * Add byte-based script functions back for fuzzing * Disable some errors for fuzzing * Fix new fuzz test due to changes in fuel-vm * Remove unused target * Add readme * feat: Store example corpus in version control * chore: Instructions for how to generate a seed corpus * chore: Remove unused dependencies in binaries * fix: Cargo fmt * fix: Clippy * fix: Pass `fuzzing` as rustc flag when compiling fuzz binaries * feat: Remove broken `grammar_aware` fuzz target in favor of `grammar_aware_advanced` * feat: Default to LibAFL fuzzer * docs: Improve code coverage instructions * feat: Use feature flags to toggle between libFuzzer and LibAFL * docs: Further improvements to code coverage instructions * docs: Clarify what the execute binary does * fix: Minor cleanup * chore: Remove `arbitrary` dependency * feat: Link investigation ticket to ignored assertions * fix: Resurrect proptest arbitrary usage in `fuel-merkle` crate * fix: Remove gas statistics output * fix: typo in fuel-vm/fuzz/README.md Co-authored-by: AurelienFT <32803821+AurelienFT@users.noreply.github.com> * chore: Remove example corpus and update README.md * fix: Minor enhancements from PR review * fix: Remove redundant magic 256 term * fix: Cargo fmt * chore: Bump secp256k1 version and re-enable disabled code paths for fuzzing * chore: Add changelog entry * fix: Clippy fix * fix: Format * Update fuel-crypto/src/secp256/signature_format.rs * chore: Add supported rust version to fuzzer readme * refactor: use `expect` instead of `unwrap` in a lot of places * refactor: Apply review suggestions * fix: More unwrap -> expect --------- Co-authored-by: Max Ammann <max@maxammann.org> Co-authored-by: Mårten Blankfors <marten@blankfors.se> Co-authored-by: Mårten Blankfors <nilssonmartenx@gmail.com> Co-authored-by: AurelienFT <32803821+AurelienFT@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,13 +8,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
 
 ### Added
-
 - [#670](https://github.com/FuelLabs/fuel-vm/pull/670): Add DA compression functionality to `Transaction` and any types within
+- [#733](https://github.com/FuelLabs/fuel-vm/pull/733): Add LibAFL based fuzzer and update `secp256k1` version to 0.29.1.
 
 ### Changed
 
 #### Breaking
-
 - [#670](https://github.com/FuelLabs/fuel-vm/pull/670): The `predicate` field of `fuel_tx::input::Coin` is now a wrapper struct `PredicateCode`.
 
 ## [Version 0.56.0]
diff --git a/README.md b/README.md
@@ -88,4 +88,4 @@ It returns `receipts` that contain result of execution. The `assert_panics` can
 The `fuel-tx` provides `fuel_tx::TransactionBuilder` that simplifies the building 
 of custom transaction for testing purposes.
 
-You can check how `TransactionBuilder::script` or `TransactionBuilder::create` are used for better understanding.
+You can check how `TransactionBuilder::script` or `TransactionBuilder::create` are used for better understanding.
diff --git a/fuel-asm/Cargo.toml b/fuel-asm/Cargo.toml
@@ -11,7 +11,6 @@ repository = { workspace = true }
 description = "Atomic types of the FuelVM."
 
 [dependencies]
-arbitrary = { version = "1.1", features = ["derive"], optional = true }
 bitflags = { workspace = true }
 fuel-types = { workspace = true, default-features = false }
 serde = { version = "1.0", default-features = false, features = ["derive"], optional = true }
diff --git a/fuel-asm/src/args.rs b/fuel-asm/src/args.rs
@@ -11,7 +11,6 @@ crate::enum_try_from! {
     #[cfg_attr(feature = "typescript", wasm_bindgen::prelude::wasm_bindgen)]
     #[repr(u8)]
     #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
-    #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
     /// Argument list for GM (get metadata) instruction
     /// The VM is the only who should match this struct, and it *MUST* always perform
     /// exhaustive match so all offered variants are covered.
@@ -51,7 +50,6 @@ crate::enum_try_from! {
     #[cfg_attr(feature = "typescript", wasm_bindgen::prelude::wasm_bindgen)]
     #[repr(u16)]
     #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
-    #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
     pub enum GTFArgs {
         /// Set `$rA` to `tx.type`
         Type = 0x001,
diff --git a/fuel-asm/src/panic_instruction.rs b/fuel-asm/src/panic_instruction.rs
@@ -11,7 +11,6 @@ use crate::{
 #[cfg_attr(feature = "typescript", wasm_bindgen::prelude::wasm_bindgen)]
 #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
 #[derive(fuel_types::canonical::Deserialize, fuel_types::canonical::Serialize)]
-#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 /// Describe a panic reason with the instruction that generated it
 pub struct PanicInstruction {
     reason: PanicReason,
diff --git a/fuel-asm/src/panic_reason.rs b/fuel-asm/src/panic_reason.rs
@@ -27,7 +27,6 @@ enum_from! {
     #[cfg_attr(feature = "typescript", wasm_bindgen::prelude::wasm_bindgen)]
     #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
     #[derive(fuel_types::canonical::Serialize, fuel_types::canonical::Deserialize)]
-    #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
     #[repr(u8)]
     #[non_exhaustive]
     /// Panic reason representation for the interpreter.
diff --git a/fuel-crypto/Cargo.toml b/fuel-crypto/Cargo.toml
@@ -22,7 +22,7 @@ p256 =  { version = "0.13", default-features = false, features = ["digest", "ecd
 rand = { version = "0.8", default-features = false, optional = true }
 # `rand-std` is used to further protect the blinders from side-channel attacks and won't compromise
 # the deterministic arguments of the signature (key, nonce, message), as defined in the RFC-6979
-secp256k1 = { version = "0.26", default-features = false, features = ["rand-std", "recovery"], optional = true }
+secp256k1 = { version = "0.29.1", default-features = false, features = ["rand-std", "recovery"], optional = true }
 serde = { version = "1.0", default-features = false, features = ["derive"], optional = true }
 sha2 = { version = "0.10", default-features = false }
 zeroize = { version = "1.5", features = ["derive"] }
@@ -41,6 +41,9 @@ serde = ["dep:serde", "fuel-types/serde"]
 std = ["alloc", "coins-bip32", "secp256k1", "coins-bip39", "fuel-types/std", "lazy_static", "rand?/std_rng", "serde?/default"]
 test-helpers = []
 
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
+
 [[bench]]
 name = "signature"
 harness = false
diff --git a/fuel-crypto/benches/signature.rs b/fuel-crypto/benches/signature.rs
@@ -70,8 +70,8 @@ fn signatures(c: &mut Criterion) {
 
         let public = PublicKey::from_secret_key(&secp, &key);
         let message = fuel_crypto::Message::new(message);
-        let message =
-            Message::from_slice(message.as_ref()).expect("failed to create secp message");
+        let message = Message::from_digest_slice(message.as_ref())
+            .expect("failed to create secp message");
         let signature = secp_signing.sign_ecdsa(&message, &key);
         let recoverable = secp.sign_ecdsa_recoverable(&message, &key);
 
diff --git a/fuel-crypto/src/message.rs b/fuel-crypto/src/message.rs
@@ -118,6 +118,6 @@ impl fmt::Display for Message {
 #[cfg(feature = "std")]
 impl From<&Message> for secp256k1::Message {
     fn from(message: &Message) -> Self {
-        secp256k1::Message::from_slice(&*message.0).expect("length always matches")
+        secp256k1::Message::from_digest_slice(&*message.0).expect("length always matches")
     }
 }
diff --git a/fuel-tx/Cargo.toml b/fuel-tx/Cargo.toml
@@ -59,3 +59,6 @@ alloc = ["hashbrown", "fuel-types/alloc", "itertools/use_alloc", "derivative", "
 # serde is requiring alloc because its mandatory for serde_json. to avoid adding a new feature only for serde_json, we just require `alloc` here since as of the moment we don't have a use case of serde without alloc.
 serde = ["alloc", "fuel-asm/serde", "fuel-crypto/serde", "fuel-merkle/serde", "serde_json", "hashbrown/serde", "bitflags/serde"]
 da-compression = ["serde", "fuel-compression"]
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
diff --git a/fuel-vm/Cargo.toml b/fuel-vm/Cargo.toml
@@ -85,7 +85,6 @@ std = [
     "itertools/use_std",
 ]
 alloc = ["fuel-asm/alloc", "fuel-tx/alloc", "fuel-tx/alloc"]
-arbitrary = ["fuel-asm/arbitrary"]
 profile-gas = ["profile-any"]
 profile-coverage = ["profile-any"]
 profile-any = ["dyn-clone"] # All profiling features should depend on this
@@ -109,3 +108,6 @@ test-helpers = [
     "tai64",
     "fuel-crypto/test-helpers",
 ]
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
diff --git a/fuel-vm/fuzz/.cargo/config.toml b/fuel-vm/fuzz/.cargo/config.toml
@@ -0,0 +1,2 @@
+[build]
+rustflags = "--cfg fuzzing"
diff --git a/fuel-vm/fuzz/Cargo.toml b/fuel-vm/fuzz/Cargo.toml
@@ -3,22 +3,41 @@ name = "fuel-vm-fuzz"
 version = "0.0.0"
 authors = ["Automatically generated"]
 publish = false
-edition = "2018"
+edition = "2021"
 
 [package.metadata]
 cargo-fuzz = true
 
 [dependencies]
-arbitrary = { version = "1.0", features = ["derive"] }
-fuel-vm = { path = "..", features = ["arbitrary"] }
-libfuzzer-sys = "0.4"
+fuel-vm = { path = "..", features = ["test-helpers"] }
+clap = { version = "4.0", features = ["derive"] }
+hex = "*"
+
+[features]
+default = ["libfuzzer"]
+libfuzzer = ["libfuzzer-sys"]
+libafl = ["libafl_libfuzzer"]
+
+[dependencies.libfuzzer-sys]
+version = "0.4"
+optional = true
+
+[dependencies.libafl_libfuzzer]
+version = "0.13"
+optional = true
 
 # Prevent this from interfering with workspaces as this crate requires unstable features.
 [workspace]
 members = ["."]
 
+[profile.release]
+panic = 'abort'
+
+[profile.dev]
+panic = 'abort'
+
 [[bin]]
-name = "grammar_aware"
-path = "fuzz_targets/grammar_aware.rs"
+name = "grammar_aware_advanced"
+path = "fuzz_targets/grammar_aware_advanced.rs"
 test = false
 doc = false
diff --git a/fuel-vm/fuzz/README.md b/fuel-vm/fuzz/README.md
@@ -0,0 +1,99 @@
+# Fuzz test for the Fuel VM
+This crate provides the `grammar_aware_advanced` fuzz target which can be run with `cargo fuzz` to fuzz test the Fuel VM.
+
+General information about fuzzing Rust can be found on [appsec.guide](https://appsec.guide/docs/fuzzing/rust/cargo-fuzz/).
+
+### Installation
+The fuzzer requires nightly rust and works with rustc version `1.82.0-nightly`. To be able to run the fuzzer, the following tools must be installed.
+
+Install:
+```
+cargo install cargo-fuzz
+apt install clang pkg-config libssl-dev # for LibAFL
+rustup component add llvm-tools-preview --toolchain nightly
+```
+
+### Seeds
+
+The input to the fuzzer is a byte vector that contains script assembly, script data, and the assembly of a contract to be called. Each of these is separated by a 64-bit magic value `0x00ADBEEF5566CEAA`.
+
+While the fuzzer can be started without any seeds, it is recommended to generate seeds from compiled sway programs.
+
+#### Generate your own seeds
+
+If you want to run the fuzzer with custom input, you can run the `seed` binary against a directory of compiled sway programs.
+
+```
+cargo run --bin seed <input dir> <output dir>
+```
+
+#### Example: Generating a corpus from the sway examples
+This section explains how to use the [sway examples](https://github.com/FuelLabs/sway/tree/master/examples) to generate an initial corpus.
+
+This can be acieved by doing the following:
+
+1. Compile the sway examples with `forc`.
+```
+# In sway/examples
+forc build
+```
+
+2. Gather all the resulting binaries in a temporary directory (for example `/tmp/corpus`).
+```
+# In sway/examples
+for file in $(find . -name "*.bin" | rg debug); do cp $file /tmp/corpus; done
+```
+
+3. Run the `seed binary` against the generated binaries
+```
+# In fuel-vm/fuel-vm/fuzz
+mkdir generated_seeds
+cargo run --bin seed /tmp/corpus ./generated_seeds
+```
+
+Now the directory `./generated_seeds` contains the newly generated seeds. Copy this over to `corpus/grammar_aware_advanced` to run the fuzzer with these seeds.
+
+### Running the Fuzzer
+The Rust nightly version is required for executing cargo-fuzz. The simplest way to run the fuzzer is to run the following command:
+```
+cargo +nightly fuzz run grammar_aware_advanced
+```
+
+However, we recommend adding a few flags to the command to improve fuzzing efficiency. First, we can add `--no-default-features --features libafl` to ensure we use the LibAFL fuzzer instead of the default libFuzzer. Secondly, we can set `--sanitizer none` to disable AddressSanitizer for a significant speed improvement, as we do not expect memory issues in a Rust program that does not use a significant amount of unsafe code. This has been confirmed by a ToB [cargo-geiger](https://github.com/rust-secure-code/cargo-geiger) analysis showed. It makes sense to leave AddressSanitizer turned on if we use more unsafe Rust in the future (either directly or through dependencies). Finally, the `-ignore_crashes=1 -ignore_timeouts=1 -ignore_ooms=1 -fork=7` flags are useful to ensure a smooth LibAFL experience utilizing 7 cores.
+
+Putting this together we arrive at the following command.
+```
+cargo +nightly fuzz run --no-default-features --features libafl --sanitizer none grammar_aware_advanced -- -ignore_crashes=1 -ignore_timeouts=1 -ignore_ooms=1 -fork=7
+```
+
+### Generate Coverage
+It is important to measure a fuzzing campaign’s coverage after its run. To perform this measurement, we can use tools provided by cargo-fuzz and [rustc](https://doc.rust-lang.org/stable/rustc/instrument-coverage.html). First, install [cargo-binutils](https://github.com/rust-embedded/cargo-binutils#installation). After that, execute the following command:
+```
+cargo +nightly fuzz coverage grammar_aware_advanced corpus/grammar_aware_advanced
+```
+
+The code coverage report can now be displayed with the following command:
+
+```
+cargo cov -- report target/x86_64-unknown-linux-gnu/coverage/x86_64-unknown-linux-gnu/release/grammar_aware_advanced  -instr-profile=coverage/grammar_aware_advanced/coverage.profdata 
+```
+
+We can also generate a HTML visualization of the code coverage using the following command:
+
+```
+cargo cov -- show target/x86_64-unknown-linux-gnu/coverage/x86_64-unknown-linux-gnu/release/grammar_aware_advanced --format=html -instr-profile=coverage/grammar_aware_advanced/coverage.profdata $(pwd | sed "s/fuel-vm\/fuzz//") > index.html
+```
+
+### Execute a Test Case
+The fuzzing campain will output any crashes to `artifacts/grammar_aware_advanced`. To further investigate these crashes, the `execute` binary can be used.
+```
+cargo run --bin execute artifacts/grammar_aware_advanced/<crash file>
+```
+
+This is useful for triaging issues.
+
+### Collect Gas Statistics
+The `collect` binary writes gas statistics to a file called gas_statistics.csv. This can be used to analyze the execution time versus gas usage on a test corpus.
+```
+cargo run --bin collect
+```
diff --git a/fuel-vm/fuzz/fuzz_targets/grammar_aware.rs b/fuel-vm/fuzz/fuzz_targets/grammar_aware.rs
diff --git a/fuel-vm/fuzz/fuzz_targets/grammar_aware_advanced.rs b/fuel-vm/fuzz/fuzz_targets/grammar_aware_advanced.rs
@@ -0,0 +1,13 @@
+#![no_main]
+
+#[cfg(feature = "libafl")]
+extern crate libafl_libfuzzer as libfuzzer_sys;
+
+use fuel_vm_fuzz::{decode, execute};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    if let Some(data) = decode(data) {
+        execute(data);
+    }
+});
diff --git a/fuel-vm/fuzz/src/bin/collect.rs b/fuel-vm/fuzz/src/bin/collect.rs
@@ -0,0 +1,39 @@
+use std::fs::File;
+use fuel_vm_fuzz::execute;
+use fuel_vm_fuzz::decode;
+use std::fs;
+use std::io::Write;
+use std::path::Path;
+use std::time::Instant;
+
+fn main() {
+    let path = std::env::args().nth(1).expect("no path given");
+    let mut file = File::create("gas_statistics.csv").expect("couldn't create a file to write gas statistics to");
+
+    write!(file, "name\tgas\ttime_ms\n").unwrap();
+
+    if Path::new(&path).is_file() {
+        eprintln!("Pass directory")
+    } else {
+        let paths = fs::read_dir(path).expect("unable to read dir");
+
+        for path in paths {
+            let entry = path.expect("unable to yield entry");
+            let data = std::fs::read(entry.path()).expect("unable to read path {}");
+            let name = entry.file_name();
+            let name = name.to_str().expect("failed to read file name as string");
+            println!("{:?}", name);
+
+            let Some(data) = decode(&data) else {  eprintln!("unable to decode"); continue; };
+
+            let now = Instant::now();
+            let result = execute(data);
+            let gas = result.gas_used;
+
+            write!(file, "{name}\t{gas}\t{}\n", now.elapsed().as_millis()).expect("unable to write to gas statistics file");
+            if result.success {
+                println!("{:?}:{}", name, result.success);
+            }
+        }
+    }
+}
diff --git a/fuel-vm/fuzz/src/bin/execute.rs b/fuel-vm/fuzz/src/bin/execute.rs
diff --git a/fuel-vm/fuzz/src/bin/seed.rs b/fuel-vm/fuzz/src/bin/seed.rs
diff --git a/fuel-vm/fuzz/src/lib.rs b/fuel-vm/fuzz/src/lib.rs
diff --git a/fuel-vm/src/interpreter/diff/tests.rs b/fuel-vm/src/interpreter/diff/tests.rs
diff --git a/fuel-vm/src/util.rs b/fuel-vm/src/util.rs

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,6 @@ impl fmt::Display for Message {`
`118`	`118`	`#[cfg(feature = "std")]`
`119`	`119`	`impl From<&Message> for secp256k1::Message {`
`120`	`120`	`fn from(message: &Message) -> Self {`
`121`		`- secp256k1::Message::from_slice(&*message.0).expect("length always matches")`
	`121`	`+ secp256k1::Message::from_digest_slice(&*message.0).expect("length always matches")`
`122`	`122`	`}`
`123`	`123`	`}`