a coverage-guided, native Lua fuzzer.
Fuzzing is a type of automated testing which continuously manipulates inputs to
a program to find bugs. luzer uses coverage guidance to intelligently walk
through the code being fuzzed to find and report failures to the user. Since it
can reach edge cases which humans often miss, fuzz testing can be particularly
valuable for finding security exploits and vulnerabilities.
luzer is a coverage-guided Lua fuzzing engine. It supports fuzzing of Lua
code, but also C extensions written for Lua. Luzer is based off of
libFuzzer. When fuzzing native code, luzer can be used in
combination with Address Sanitizer or Undefined Behavior Sanitizer to catch
extra bugs.
To use luzer in your own project follow these few simple steps:
- Setup
luzermodule:
$ luarocks --local install luzer
$ eval $(luarocks path)- Create a fuzz target invoking your code:
local luzer = require("luzer")
local function TestOneInput(buf)
local b = {}
buf:gsub(".", function(c) table.insert(b, c) end)
if b[1] == 'c' then
if b[2] == 'r' then
if b[3] == 'a' then
if b[4] == 's' then
if b[5] == 'h' then
assert(nil)
end
end
end
end
end
end
luzer.Fuzz(TestOneInput)- Start the fuzzer using the fuzz target
$ luajit examples/example_basic.lua
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1557779137
INFO: Loaded 1 modules (151 inline 8-bit counters): 151 [0x7f0640e706e3, 0x7f0640e7077a),
INFO: Loaded 1 PC tables (151 PCs): 151 [0x7f0640e70780,0x7f0640e710f0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 17 ft: 18 corp: 1/1b exec/s: 0 rss: 26Mb
#32 NEW cov: 17 ft: 24 corp: 2/4b lim: 4 exec/s: 0 rss: 26Mb L: 3/3 MS: 5 ShuffleBytes-ShuffleBytes-CopyPart-ChangeByte-CMP- DE: "\x00\x00"-
...
While fuzzing is in progress, the fuzzing engine generates new inputs and runs
them against the provided fuzz target. By default, it continues to run until a
failing input is found, or the user cancels the process (e.g. with Ctrl^C).
The first lines indicate that the "baseline coverage" is gathered before fuzzing begins.
To gather baseline coverage, the fuzzing engine executes both the seed corpus and the generated corpus, to ensure that no errors occurred and to understand the code coverage the existing corpus already provides.
See tests that uses luzer library in:
- Tarantool Lua API tests, https://github.com/ligurio/tarantool-lua-api-tests
- Lua standard library tests, https://github.com/ligurio/lua-stdlib-tests
- https://github.com/ligurio/snippets/tree/master/luzer-tests
See documentation.
Copyright © 2022-2023 Sergey Bronnikov.
Distributed under the ISC License.
