CodeIntelligenceTesting / jazzer

Coverage-guided, in-process fuzzing for the JVM
https://code-intelligence.com

How to mutate to a specific value? #747

Closed yongxin3344520 closed 1 year ago

yongxin3344520 commented 1 year ago
    import com.code_intelligence.jazzer.api.FuzzedDataProvider;
    import com.code_intelligence.jazzer.junit.FuzzTest;

    // Enclosing class name is a placeholder; the original snippet omitted it.
    class MyFuzzTests {
        @FuzzTest
        public void fuzzTest1(FuzzedDataProvider data) {
            // Turn the whole fuzzer-provided input into a single string.
            String input = data.consumeRemainingAsString();
            // Jazzer's compare hooks observe this equals() call and its constant operand.
            if ("administrator".equals(input)) {
                throw new RuntimeException();
            }
        }
    }

How did the above code change to the "Administrator" value? Where is the source code for its working principle? Thanks!

fmeum commented 1 year ago

There are two different parts of Jazzer at play here:

  1. FuzzedDataProvider converts the bytes obtained from the fuzzer into a string.
  2. Instrumentation applied to the Java byte code of your fuzz test reports a comparison of that string against "administrator" to Jazzer, which in turn translates this into a hint for the fuzzer to generate that particular string. The relevant parts are in https://github.com/CodeIntelligenceTesting/jazzer/blob/main/src/main/java/com/code_intelligence/jazzer/runtime/TraceDataFlowNativeCallbacks.java and https://github.com/CodeIntelligenceTesting/jazzer/blob/be1a7e56d71d4d8dfe71c08f216e0314b4c2f6e6/src/main/java/com/code_intelligence/jazzer/runtime/TraceCmpHooks.java#L81.
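To make the two mechanisms in the answer concrete, here is an added, self-contained toy model of them in plain Java. It is not Jazzer's code and it does not reproduce how Jazzer hands hints to libFuzzer; it simply replaces `String.equals` with a hooked version that records the constant operand of every failed comparison, and lets a tiny mutator copy such a recorded constant into the next input. The class, method and field names (`CompareHintDemo`, `CompareHook`, `fuzzTarget`, `mutate`, `runUntilFound`) are all invented for this example, and the "seed" input and iteration budget are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Random;

/**
 * Toy model of the principle described in the answer: a hook on String.equals
 * records the constant the input was compared against, and the mutator feeds
 * that constant back. Simplified stand-in for Jazzer's TraceCmpHooks, not its code.
 */
public class CompareHintDemo {

    /** Collects "hints": constant operands of comparisons that did not match. */
    static final class CompareHook {
        final List<String> hints = new ArrayList<>();

        /** Instrumented replacement for actual.equals(expected). */
        boolean equals(String actual, String expected) {
            boolean eq = actual.equals(expected);
            if (!eq && !hints.contains(expected)) {
                // Jazzer reports this pair to the fuzzer; here we just keep the constant.
                hints.add(expected);
            }
            return eq;
        }
    }

    /** Same check as the issue's fuzzTest1, routed through the hook. */
    static boolean fuzzTarget(byte[] input, CompareHook hook) {
        String s = new String(input, StandardCharsets.UTF_8);
        return hook.equals(s, "administrator"); // true == the RuntimeException case
    }

    /** Mutator: one random byte change, or (when enabled) a whole recorded hint. */
    static byte[] mutate(byte[] seed, List<String> hints, boolean useHints, Random rng) {
        if (useHints && !hints.isEmpty() && rng.nextInt(4) == 0) {
            String hint = hints.get(rng.nextInt(hints.size()));
            return hint.getBytes(StandardCharsets.UTF_8);
        }
        byte[] out = Arrays.copyOf(seed, Math.max(1, seed.length));
        out[rng.nextInt(out.length)] = (byte) rng.nextInt(256);
        return out;
    }

    /** Returns the iteration on which the target was hit, or -1 within the budget. */
    static int runUntilFound(boolean useHints, long rngSeed, int maxIterations) {
        Random rng = new Random(rngSeed);
        CompareHook hook = new CompareHook();
        byte[] input = "seed".getBytes(StandardCharsets.UTF_8); // constructed start input
        for (int i = 1; i <= maxIterations; i++) {
            if (fuzzTarget(input, hook)) {
                return i;
            }
            input = mutate(input, hook.hints, useHints, rng);
        }
        return -1;
    }

    public static void main(String[] args) {
        // Random byte changes alone essentially never produce the 13-byte string;
        // with the recorded hint the target is reached after a handful of iterations.
        System.out.println("without hints: " + runUntilFound(false, 42L, 100_000));
        System.out.println("with hints:    " + runUntilFound(true, 42L, 100_000));
    }
}
```

Running `main` shows the contrast: the hint-free run exhausts its budget and returns -1, while the hinted run finishes as soon as the mutator picks the recorded constant. In Jazzer the same observation is made by bytecode instrumentation rather than by editing the fuzz test, and the constant is passed to the native fuzzer through the callbacks linked in the answer rather than kept in a Java list.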