How to Install CI Fuzz Locally for Initial Project Setup
CI Fuzz is a software system including a fuzzing backend as well as a user interface.
Its fuzzing backend relies on Docker to encapsulate tasks such as building, running, and monitoring components. Users interact with the system through a command line interface (CLI) or via the CI Fuzz extension for Visual Studio Code.
CI Fuzz contains three main components:
- CI-Daemon: The daemon (also called the CI-Server) is responsible for backend tasks such as compiling projects, managing fuzz targets and operating the Docker infrastructure; it communicates with the CI-Client and the user interface.
- User-Interface: The CI Fuzz extension for Visual Studio Code helps the user to create and manage fuzz targets and to reproduce crashes.
- CI-Client: The CI-Client is the command line interface used to initialize, build, and run fuzzers.
CI Fuzz has the following requirements:
- Any modern Linux distribution (Windows support is experimental, see below)
- Docker for building and running the fuzzers
- Visual Studio Code for setup and configuration
- The Java Runtime Environment for Java API fuzzing (not needed for C/C++ fuzzing or Java web app out of process fuzzing)
We use Docker to execute the fuzz tests. This makes it easier to migrate existing fuzz tests into cloud and continuous integration systems and keeps the tests from corrupting data on your local machine.
Installing Docker differs from distribution to distribution, as explained in the Docker documentation: https://docs.docker.com/engine/install/
It usually boils down to one of the following:
sudo [apt install/yum install/pacman -S] docker
Make sure to also follow Docker's post-install steps, summarized below.
Create a group called docker and add your own user to this group:
sudo groupadd docker
sudo usermod -aG docker $USER
Note that membership in the docker group is root-equivalent on the host: any member can start a container that mounts the host file system with root privileges, so only add users you would also trust with sudo.
Log out and log back in so that your group membership is re-evaluated. Then, verify that you can run Docker commands without sudo:
docker run hello-world
In order to test your Java applications, or any services that use Java frameworks like Spring Boot / JEE / XCF, you will need to install a current Java Runtime Environment. We suggest installing at least version 10 of the OpenJDK Java Runtime. Other versions may very well work too, but your mileage may vary. The package name differs between distributions (for example, Debian and Ubuntu ship openjdk-11-jre rather than jre10-openjdk), so check your package manager:
sudo [apt install/yum install/pacman -S] jre10-openjdk
Visual Studio Code
If you want to use the CI Fuzz IDE extension, you need to have Visual Studio Code installed. You can install VS Code via packages provided on their website: https://code.visualstudio.com/#alt-downloads
Alternatively, you can use Microsoft's official distribution-independent Visual Studio Code snap at https://snapcraft.io/code
sudo snap install code --classic
In order to test your code with CI Fuzz you need to install our Suite. You will be provided with a distribution-independent installer named something like: ci-installer-<version>-linux
Just execute this installer and it will ask you to enter your sudo password. Don't run the installer with sudo directly, as this will break some functionality because the installed files will then belong to the root user; instead, enter the sudo password when prompted by the installer. You can also install it with root privileges, but then the symbolic links to the software will be created in /root/bin.
The installer is interactive and will guide you through some additional settings. By default, it installs the CI Suite in a sub-directory of /opt/ like /opt/ci-release-<version>/ and creates symbolic links in $HOME/bin. To use the installed software without typing the full path, add one of these directories to your PATH environment variable. Open the suitable configuration file, like ~/.profile, and add the following line (change it to match your installation)
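The following pre-flight check ties the steps above together (Docker installed and usable without sudo, docker group membership, a Java runtime of at least version 10, VS Code, and the installer's symlink directory on PATH). It is an added example and not part of the CI Fuzz distribution; the helper functions take their input as arguments so they can be exercised against constructed strings, and preflight() runs them against the live system. The script name ci-fuzz-preflight.sh is an assumed name.

```shell
#!/bin/sh
# Added example, not CI Fuzz project code: pre-flight check for the
# requirements listed above. Helpers take their input as arguments
# (constructed strings in the comments) so they can be tested offline.

# in_docker_group "<groups>": succeed if "docker" is among the space-separated
# group names, i.e. the format printed by `id -nG`.
in_docker_group() {
    for g in $1; do
        [ "$g" = "docker" ] && return 0
    done
    return 1
}

# java_major "<first line of java -version>": print the major version.
# 'openjdk version "11.0.2" 2019-01-15' -> 11, 'java version "1.8.0_292"' -> 8.
# Fails for input that does not look like a java -version line.
java_major() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;   # legacy 1.x numbering
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# java_ok "<line>": succeed if the major version is at least 10, the
# minimum suggested above for Java API fuzzing.
java_ok() {
    major=$(java_major "$1") || return 1
    [ "$major" -ge 10 ]
}

# path_has_dir "<dir>" "<PATH value>": succeed if dir is an exact entry.
path_has_dir() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
    esac
    return 1
}

# preflight: check the live system, print one line per requirement and
# return the number of failed checks.
preflight() {
    failed=0
    report() {  # report <ok|FAIL> <message>
        printf '[%s] %s\n' "$1" "$2"
        [ "$1" = "ok" ] || failed=$((failed + 1))
    }

    if command -v docker >/dev/null 2>&1; then
        report ok "docker binary found"
    else
        report FAIL "docker not installed (sudo apt/yum/pacman install docker)"
    fi

    if in_docker_group "$(id -nG)"; then
        report ok "$(id -un) is in the docker group (root-equivalent, see above)"
    else
        report FAIL "$(id -un) is not in the docker group; log in again after usermod -aG docker"
    fi

    # First run pulls the hello-world image, so this needs network access.
    if docker run --rm hello-world >/dev/null 2>&1; then
        report ok "docker runs containers without sudo"
    else
        report FAIL "docker run hello-world failed"
    fi

    if command -v java >/dev/null 2>&1 && java_ok "$(java -version 2>&1 | head -n 1)"; then
        report ok "Java $(java_major "$(java -version 2>&1 | head -n 1)") available for Java API fuzzing"
    else
        report FAIL "no Java runtime >= 10 (only needed for Java API fuzzing)"
    fi

    if command -v code >/dev/null 2>&1; then
        report ok "VS Code found"
    else
        report FAIL "VS Code not found (only needed for the IDE extension)"
    fi

    if path_has_dir "$HOME/bin" "$PATH"; then
        report ok "\$HOME/bin (installer symlink target) is on PATH"
    else
        report FAIL "\$HOME/bin is not on PATH; add it in ~/.profile"
    fi

    return "$failed"
}

# Run the live check only when invoked as `sh ci-fuzz-preflight.sh run`,
# so the file can also be sourced to reuse the helpers.
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it after logging back in (so the new docker group membership is visible to `id -nG`); a non-zero exit status is the number of unmet requirements. The Java and VS Code checks are reported as failures even though they are optional for C/C++ fuzzing without the IDE extension, so read the messages rather than only the exit status in that case.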
Windows support is currently experimental. The CI-Daemon is installed inside WSL 2 running Ubuntu.
- In Windows, set up WSL 2 running Ubuntu
- In WSL 2, execute the installer but skip the Visual Studio Code extension installation
- In Windows again, install Visual Studio Code and manually install the extension from the extracted location (usually /opt/ci-<version>/share/code-intelligence/vscode-fuzzing-ui.vsix)
See here for more details.
For a quick start, CI Fuzz is also available as a VirtualBox VM image. This image has everything set up for fuzzing, including Visual Studio Code. You can load your source code into it through a shared folder.
Read next: Post-installation steps before fuzzing