Dr. Memory
Dr. Fuzz: Dynamic Fuzz Testing Extension

The Dr. Fuzz DynamoRIO Extension provides fuzz testing features. Dr. Fuzz is part of the Dr. Memory Framework.

Setup

To use Dr. Fuzz with your client, first locate the Dr. Memory Framework. Then use the standard DynamoRIO method for using an Extension, with the Extension name drfuzz. The two steps will look like this in your client's CMakeLists.txt file:

find_package(DrMemoryFramework)
use_DynamoRIO_extension(clientname drfuzz)

To point CMake at the framework, set the DrMemoryFramework_DIR variable to point at the drmf subdirectory of the Dr. Memory package that you are using. For example:

cmake -G"Ninja" -DDynamoRIO_DIR=c:/path/to/DynamoRIO-Windows-4.1.0-8/cmake -DDrMemoryFramework_DIR=c:/path/to/DrMemory-Windows-1.6.0-2/drmf ../mysrcs/

That will automatically set up the include path and library dependence.
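A complete minimal CMakeLists.txt showing where those two lines sit relative to the client target (added illustration, not a file from the Dr. Memory package; the client name myfuzzer and source file myfuzzer.c are assumptions, and the DynamoRIO target setup uses DynamoRIO's own configure_DynamoRIO_client):

```cmake
cmake_minimum_required(VERSION 3.7)
project(myfuzzer C)

# Locate DynamoRIO; pass -DDynamoRIO_DIR=<path>/cmake on the cmake command line.
find_package(DynamoRIO REQUIRED)

# The client is a shared library that DynamoRIO loads into the target process.
# (myfuzzer / myfuzzer.c are assumed names for this example.)
add_library(myfuzzer SHARED myfuzzer.c)
configure_DynamoRIO_client(myfuzzer)

# Locate the Dr. Memory Framework; pass -DDrMemoryFramework_DIR=<path>/drmf.
# use_DynamoRIO_extension needs the client target to exist already, so these
# two lines come after add_library() above.
find_package(DrMemoryFramework REQUIRED)
use_DynamoRIO_extension(myfuzzer drfuzz)
```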

Your client must call drfuzz_init() prior to accessing any API routines in drfuzz, and should call drfuzz_exit() at process exit time.

Dr. Fuzz API

Dr. Fuzz provides the following key features:

  1. Repeat execution of the test target function with fuzzed arguments
  2. Mutate argument values using bit flipping or random number algorithms
  3. Schedule fuzz iterations for a target function and set of arguments
  4. Report state information on a crash caused by fuzz inputs

The client can use the provided Dr. Fuzz APIs to fuzz test the target application. The most flexible approach is to register fuzz target functions and directly control the fuzzing cycle using the callbacks. This approach also requires the most effort, so Dr. Fuzz additionally provides mutator and scheduler modules which can be leveraged to simplify the fuzzing procedure into a few higher level operations (pending completion of issue #1734).