# Fuzzing
Binaryen has built-in fuzzing and reducing capabilities. They can be used on either Binaryen itself or on other compilers, VMs, or toolchains.

The main tool here is Binaryen's `wasm-opt` tool, specifically its `--translate-to-fuzz` / `-ttf` option. When set, it treats the input as a stream of arbitrary bytes that it converts into a valid wasm module - somehow. That is, the input is sort of like a random seed to a deterministic random number generator, except that instead of numbers we generate wasm modules.

In other words, you can give `wasm-opt -ttf` any input file with any contents, and it will create a wasm file. You can then save it (using `-o`) and run it in another tool. For example, you can run a fuzzing script that generates a random string, feeds it to `wasm-opt -ttf`, and runs a VM on the output.
Some additional useful options:

- `--emit-js-wrapper`: Emit a JavaScript file that loads the wasm module and runs it, printing out some results from calling its exports. This is helpful for testing a JavaScript/WebAssembly VM: just run the VM on that JavaScript file and pass it the wasm file as a parameter.
- `--emit-spec-wrapper`: Similar, but emits s-expression commands that can be run in the WebAssembly spec interpreter.
For fuzzing Binaryen itself, the following options are useful:

- `--fuzz-exec`: Runs the generated wasm module in the Binaryen interpreter, printing out results from calling its methods, similar to the JS wrapper from `--emit-js-wrapper`. It also does this a second time after optimizations, which lets you check whether they broke anything.
- `--fuzz-binary`: In addition to the previous option, this writes the module to binary and reads it back before the second run. This helps find binary format bugs.
These two options are not strictly necessary, but they can greatly improve execution times, as a single invocation then does a full random module generation + optimization + binary test. For example:

```
wasm-opt input.dat -ttf --fuzz-exec --fuzz-binary -O3
```

Even on a fairly low-powered machine this lets afl-fuzz do hundreds of iterations per second.
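The fuzzing script sketched in the introduction (random bytes in, `wasm-opt -ttf` in the middle, a VM or Binaryen's own `--fuzz-exec --fuzz-binary -O3` pipeline on the output) can be written as a small shell loop. The script below is an added example, not code from the Binaryen wiki or repository. It assumes `WASM_OPT` names a `wasm-opt` binary, that `--emit-js-wrapper=FILE` is accepted in that `=` form, and that the optional `VM` command takes the wrapper file followed by the wasm file as arguments, as the wiki describes. It triages each run purely by exit status: a child killed by a signal is reported by the shell as 128 plus the signal number, so such statuses are recorded as crashes and the seed that caused them is kept for reproduction.

```shell
#!/bin/sh
# Added example (not part of the Binaryen wiki): a minimal fuzz loop around
# `wasm-opt -ttf`. Assumptions: WASM_OPT points at a wasm-opt binary and VM
# (optional) is a JS engine that accepts `VM wrapper.js out.wasm`.
WASM_OPT="${WASM_OPT:-wasm-opt}"
VM="${VM:-}"
WORK="${WORK:-./fuzz-work}"
SEED_SIZE="${SEED_SIZE:-1024}"

# Write $2 random bytes to $1. The bytes' meaning is irrelevant: -ttf treats
# any input as a seed, so /dev/urandom is as good a generator as any.
gen_seed() {
    head -c "$2" /dev/urandom > "$1"
}

# Map an exit status to a triage label. The shell reports a child killed by
# signal N as 128+N, so 139 (SIGSEGV) or 134 (SIGABRT, e.g. a failed assert)
# means the tool crashed rather than merely rejected the input.
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -gt 128 ]; then echo crash
    else echo error
    fi
}

# One iteration. Mode "self" exercises Binaryen's own pipeline with the
# wiki's example flags (--fuzz-exec --fuzz-binary -O3); mode "vm" instead
# emits a JS wrapper and runs $VM on it. Crashing inputs are kept for triage.
fuzz_one() {
    mode="$1"; seed="$2"; out="$WORK/out.wasm"; wrapper="$WORK/out.js"
    status=0
    case "$mode" in
        self)
            "$WASM_OPT" "$seed" -ttf --fuzz-exec --fuzz-binary -O3 -o "$out" \
                > "$WORK/log.txt" 2>&1 || status=$?
            ;;
        vm)
            # `--emit-js-wrapper=FILE` syntax is an assumption of this example.
            "$WASM_OPT" "$seed" -ttf "--emit-js-wrapper=$wrapper" -o "$out" \
                > "$WORK/log.txt" 2>&1 || status=$?
            if [ "$status" -eq 0 ] && [ -n "$VM" ]; then
                $VM "$wrapper" "$out" >> "$WORK/log.txt" 2>&1 || status=$?
            fi
            ;;
    esac
    label=$(classify_status "$status")
    if [ "$label" = crash ]; then
        # Keep the seed and log together so the run can be reproduced later.
        stamp="$(date +%s)-$$"
        cp "$seed" "$WORK/crash-$stamp.dat"
        cp "$WORK/log.txt" "$WORK/crash-$stamp.log"
    fi
    echo "$label"
}

# Run $2 iterations in mode $1 and report how many inputs ended in each state.
fuzz_loop() {
    mode="$1"; n="$2"; ok=0; err=0; crash=0
    mkdir -p "$WORK"
    i=0
    while [ "$i" -lt "$n" ]; do
        gen_seed "$WORK/seed.dat" "$SEED_SIZE"
        case "$(fuzz_one "$mode" "$WORK/seed.dat")" in
            ok) ok=$((ok + 1)) ;;
            crash) crash=$((crash + 1)) ;;
            *) err=$((err + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "ok=$ok error=$err crash=$crash"
}

# Usage: ./fuzz.sh self 200    or    VM=d8 ./fuzz.sh vm 200
if [ "${1:-}" = self ] || [ "${1:-}" = vm ]; then
    fuzz_loop "$1" "${2:-100}"
fi
```

In mode `self` a non-zero, non-signal exit (the `error` bucket) is worth reading too: `--fuzz-exec` reports when the results before and after optimization disagree, and that is a miscompilation rather than a crash. afl-fuzz does the seed generation and crash bookkeeping far better than this loop; the loop mainly shows what each invocation in such a setup looks like.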