
Create a C++ Fuzz Test

How to Create Your First C/C++ Fuzz Test

After the initialization is completed, it is time to create our first fuzz test. To do so, we recommend using our “Fuzz This Function” helper. “Fuzz This Function” is a helper that appears above function definitions and lets you quickly set up fuzzing for the corresponding function.

This easy-to-use approach is described first.

Fuzz targets can also be created manually. With manual creation, you have to specify the required build flags and include paths yourself. Manual creation is explained further below.

Fuzz This Function

A common workflow is to inspect already existing unit tests, find the functions they are testing, and then use “Fuzz This Function” on these function definitions. “Fuzz This Function” automatically takes care of including required headers and linking the fuzz target against the correct libraries.

In the case of CppCMS there are many unit tests in the “tests” subfolder. For this tutorial, we want to fuzz the built-in JSON parser. The corresponding unit test is defined in json_test.cpp:

The function json::value::load() is the function being tested, so we go to its definition and make use of “Fuzz This Function”.

Clicking on “Fuzz This Function” will automatically generate a minimal fuzz target for you. For CppCMS json::value::load() it looks like this:

This still needs some fine-tuning. We at Code Intelligence are working on automating the generation of fully working fuzz targets for C++, as we already do for other frameworks such as Spring Boot, but the remaining manual effort is usually small. In this example we only need to change the type of the incoming random data from const uint8_t * to const char * and fill in the missing method arguments. Keep in mind that the fuzzer's input buffer is not NUL-terminated, so pass its length (or an end pointer) along with it rather than treating it as a C string. The complete fuzz target then looks like this:

Manual Fuzz Test Creation

Fuzz targets can also be created manually with CI Fuzz. To do so, click on the “Add Fuzz Test” button in the sidebar menu.

Click on API Fuzz Test to create a fuzz test which targets a function call, then create the fuzz target by filling out the “New API Fuzz Test” Form.

Target Name is a name that you can choose to identify the fuzz test.

Run arguments will be passed to the fuzzer during runtime. Most of the time, these can stay empty.

The Build Flags are required to compile and link the fuzz target. With “Fuzz This Function” they are filled in automatically; with manual fuzz target creation you have to provide the include paths (-I), library search paths (-L) and libraries (-l) needed to build the fuzz target yourself, and they must point at the library build you actually want to test. Enter one build flag per line, like this example for CppCMS:

-Ibuild
-Ibooster
-Isrc
-Iprivate
-Icppcms_boost
-Ibuild/booster
-I.
-Lbuild
-lpthread
-lpcre
-licuuc
-licui18n
-licudata
-ldl
-lcppcms

After saving the fuzz target configuration, click on the fuzz test you created in the fuzz tests sidebar. Then click on “GO TO FILE” to edit the fuzz target.


A basic C++ fuzz target has now been created. You can use C++ features in the fuzz test itself; just remember that the fuzzer entry point and any calls into C code need C linkage, i.e. wrap the C declarations in extern "C" (see the official documentation on how to mix C and C++).
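The generated target for json::value::load() is not reproduced on this page. The following is an added example, not CI Fuzz's or CppCMS's own code, that shows the shape of such a target together with the two manual fixes described earlier (casting the uint8_t buffer to char pointers and supplying the remaining arguments) and the extern "C" linkage just mentioned. It assumes the CppCMS signature load(char const* begin, char const* end, bool full, int* line_number); the parser under that interface is a small stand-in written for this example so that the file builds without CppCMS, and the helper parses() is likewise an addition used for regression tests.

```cpp
// Added example, not CI Fuzz's or CppCMS's own code. Shows the libFuzzer-style
// target that "Fuzz This Function" generates, with the manual fixes applied:
// cast the uint8_t buffer to char pointers and supply the remaining load()
// arguments. stand_in::value mimics the assumed CppCMS signature
// load(char const* begin, char const* end, bool full, int* line_number).
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

namespace stand_in {
// Minimal JSON syntax checker standing in for cppcms::json::value; its number
// grammar is deliberately lax, the (begin, end) interface is what matters.
struct parser {
  const char* p_; const char* end_; int line_;
  parser(const char* b, const char* e) : p_(b), end_(e), line_(1) {}
  bool eof() const { return p_ == end_; }
  void skip_ws() {
    for (; !eof() && *p_ && std::strchr(" \t\r\n", *p_); ++p_) line_ += (*p_ == '\n');
  }
  bool expect(const char* lit) {  // bounded compare: never strcmp() unterminated data
    std::size_t n = std::strlen(lit);
    if (end_ - p_ < static_cast<std::ptrdiff_t>(n) || std::memcmp(p_, lit, n)) return false;
    p_ += n; return true;
  }
  bool parse_string() {
    for (++p_; !eof() && *p_ != '"'; ++p_)
      if (*p_ == '\\' && ++p_ == end_) return false;  // escape at end of input
    if (eof()) return false;  // unterminated string
    ++p_; return true;
  }
  bool parse_number() {
    bool digit = false;
    for (; !eof() && *p_ && std::strchr("0123456789+-.eE", *p_); ++p_)
      if (*p_ >= '0' && *p_ <= '9') digit = true;
    return digit;
  }
  bool parse_container(char close, bool object) {
    ++p_; skip_ws();
    if (!eof() && *p_ == close) { ++p_; return true; }  // empty [] or {}
    for (;;) {
      skip_ws();
      if (object) {  // "key" :
        if (eof() || *p_ != '"' || !parse_string()) return false;
        skip_ws();
        if (eof() || *p_++ != ':') return false;
      }
      skip_ws();
      if (!parse_value()) return false;
      skip_ws();
      if (eof()) return false;
      if (*p_ == ',') { ++p_; continue; }
      if (*p_ == close) { ++p_; return true; }
      return false;
    }
  }
  bool parse_value() {
    if (eof()) return false;
    switch (*p_) {
      case '{': return parse_container('}', true);
      case '[': return parse_container(']', false);
      case '"': return parse_string();
      case 't': return expect("true");
      case 'f': return expect("false");
      case 'n': return expect("null");
      default:  return parse_number();
    }
  }
  bool parse_document(bool full) {
    skip_ws();
    bool ok = parse_value();
    skip_ws();
    return ok && (!full || eof());  // full: the whole input must be consumed
  }
};

struct value {
  // Assumed CppCMS-style signature; line_number receives the line of the failure.
  bool load(const char* begin, const char* end, bool full, int* line_number) {
    parser p(begin, end);
    bool ok = p.parse_document(full);
    if (!ok && line_number) *line_number = p.line_;
    return ok;
  }
};
}  // namespace stand_in

// The libFuzzer entry point needs C linkage, hence extern "C". Its buffer is not
// NUL-terminated, so hand over begin and end pointers, never treat it as a C string.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const char* begin = reinterpret_cast<const char*>(data);
  int line = 0; stand_in::value v;
  v.load(begin, begin + size, /*full=*/true, &line);  // result ignored: we hunt crashes, not parse errors
  return 0;
}

// Deterministic wrapper for regression tests on inputs the fuzzer found.
bool parses(const std::string& input, bool full = true, int* line = nullptr) {
  stand_in::value v;
  return v.load(input.data(), input.data() + input.size(), full, line);
}
```

Built with clang++ -fsanitize=fuzzer,address, libFuzzer supplies main and drives LLVMFuzzerTestOneInput; running the resulting binary with a crash artifact as its only argument replays just that input. The parses() wrapper exists so that inputs with embedded NUL bytes or missing terminators, exactly the cases a c_str()-based harness would silently truncate, can be pinned down as unit tests once the fuzzer has found them.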

In the same directory, you will find a corresponding yaml file, which can be used to edit various properties of the fuzz test:

We can leave it as is for now. Attention: if you edit this file, be careful about the YAML syntax. It is sensitive to indentation (2 spaces per level). If you introduce a syntax error there, the fuzz test will not start.

Read next: Run your first C++ Fuzz Test

To see more capabilities of C/C++ fuzz tests, see Advanced Techniques.