hgarrereyn / GraphFuzz

GraphFuzz is an experimental framework for building structure-aware, library API fuzzers.
https://hgarrereyn.github.io/GraphFuzz
MIT License

How to identify the set of APIs of the Library you want to Fuzz? #16

Closed xiaozhouqi closed 1 year ago

xiaozhouqi commented 1 year ago

Hi, the GraphFuzz tool is very fantastic. I have replayed all the demos in the experiment directory. So I decided to apply the tool to fuzz many other libraries. The first question I met is that there are many functions inside a project; which functions do I want to fuzz? Are there principles that I can follow, for example, the functions that are decorated with the export keyword? Thank you.

NikLeberg commented 1 year ago

Hi @xiaozhouqi I'm not the author but have used this excellent project as well. I'd suggest you define the use case that you want to address.

You may use GraphFuzz to fuzz the library internal functions and test if they comply with how they should work. This could help in making the library more stable if it is your own.

But generally fuzzing is more used to test and brute force errors in externally accessible interfaces/APIs. So fuzzing the exported and visible functions would be the way to go. With those you can test the safety and security of the library.

xiaozhouqi commented 1 year ago

Thank you for the useful suggestions. Next, I will give a use case. By the way, for complex C++ class objects, GraphFuzz uses the reinterpret_cast operator to cast a memory region to that class type. It may fail to go into the depths of the code.

hgarrereyn commented 1 year ago

Hi @xiaozhouqi the reinterpret_cast is only used on pointers in order to convert to and from void *. For compatibility reasons, all of the shim functions that get generated store objects as opaque void * but the runtime engine will ensure that the pointers have the correct type.

For example, if you have an endpoint that takes a Foo *, the runtime will ensure that it was properly created by a different endpoint that constructed a Foo *. I.e. we never just take a region of memory and cast it to the target type.

The only time when we cast arbitrary bytes into memory is for primitive types (e.g. int, float, char, and arrays int[10], etc...)
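The convention described in the last two comments, shown as an added example rather than GraphFuzz's own generated code: shims exchange objects only as opaque `void *`, `reinterpret_cast` converts to and from `void *` and nothing else, a registry records which endpoint produced each handle so a method shim refuses a pointer that did not come out of the matching constructor, and only primitives are materialized from raw fuzzer bytes. `Foo`, `HandleRegistry`, the `shim_*` functions and the byte-stream layout are all assumptions for illustration; the real engine's bookkeeping may differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <type_traits>

// Hypothetical library class under test (stand-in for the "Foo" in the thread).
struct Foo {
    int value;
    explicit Foo(int v) : value(v) {}
    int scaled(int k) const { return value * k; }
};

// Hypothetical runtime bookkeeping (not GraphFuzz's code): every opaque handle a
// constructor shim hands out is recorded with the type that produced it, so a
// consuming shim can refuse a void* that was not made by the matching endpoint.
class HandleRegistry {
public:
    void record(void* p, const std::string& type) { types_[p] = type; }
    bool produced_as(void* p, const std::string& type) const {
        auto it = types_.find(p);
        return it != types_.end() && it->second == type;
    }
    void forget(void* p) { types_.erase(p); }
private:
    std::map<void*, std::string> types_;
};

// Only primitives are ever built directly from fuzzer bytes; the static_assert
// keeps anyone from feeding a class type through this path.
template <typename T>
bool take_primitive(const uint8_t*& data, size_t& remaining, T& out) {
    static_assert(std::is_trivially_copyable<T>::value, "primitives only");
    if (remaining < sizeof(T)) return false;
    std::memcpy(&out, data, sizeof(T));
    data += sizeof(T);
    remaining -= sizeof(T);
    return true;
}

// Constructor shim: consumes an int from the byte stream, returns an opaque handle.
void* shim_Foo_new(const uint8_t*& data, size_t& remaining, HandleRegistry& reg) {
    int v = 0;
    if (!take_primitive(data, remaining, v)) return nullptr;
    Foo* f = new Foo(v);
    void* handle = reinterpret_cast<void*>(f);  // Foo* -> void*, the only cast on objects
    reg.record(handle, "Foo");
    return handle;
}

// Method shim: returns false instead of casting a handle the registry did not
// see come out of shim_Foo_new (a raw memory region is never treated as a Foo).
bool shim_Foo_scaled(void* self, const uint8_t*& data, size_t& remaining,
                     HandleRegistry& reg, int& result) {
    if (!reg.produced_as(self, "Foo")) return false;
    int k = 0;
    if (!take_primitive(data, remaining, k)) return false;
    Foo* f = reinterpret_cast<Foo*>(self);  // void* -> Foo*, type already verified
    result = f->scaled(k);
    return true;
}

// Destructor shim: frees and unregisters, so a later use of the same handle is refused.
bool shim_Foo_delete(void* self, HandleRegistry& reg) {
    if (!reg.produced_as(self, "Foo")) return false;
    delete reinterpret_cast<Foo*>(self);
    reg.forget(self);
    return true;
}

int main() {
    // Constructed input: two ints (value=7, k=3) in host byte order.
    int seed[2] = {7, 3};
    uint8_t bytes[sizeof(seed)];
    std::memcpy(bytes, seed, sizeof(seed));
    const uint8_t* p = bytes;
    size_t n = sizeof(bytes);
    HandleRegistry reg;
    void* h = shim_Foo_new(p, n, reg);
    int r = 0;
    bool ok = shim_Foo_scaled(h, p, n, reg, r);  // r == 21 when ok
    shim_Foo_delete(h, reg);
    return ok ? 0 : 1;
}
```

The check that matters for the question in the thread is the `produced_as` gate: an `int` buffer, a stack address or a freed handle all fail it, so the `reinterpret_cast` to `Foo*` only ever runs on a pointer that a `Foo` constructor endpoint returned earlier in the same schedule.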