Using the CI Fuzz Web Interface

How to Run Your Fuzz Tests Using CI Fuzz SaaS

Preparation

You can run your fuzz tests in the Code Intelligence cloud using our web app. In the following, it is assumed that you already have set up a fuzzing project and created fuzz tests.

The easiest way to do this is by using the CI Fuzz plugin for Visual Studio Code. You have to push your fuzz tests to your project repository.

$ git add .code-intelligence
$ git commit -m "Add ci-fuzz project setup and fuzz tests"
$ git push

The CI Fuzz server automatically pulls the build Docker image you configured in VS Code, so make sure it is available in a Docker registry such as Docker Hub or gcr.io.

Sign In to the Web App

Open https://app.code-intelligence.com in your web browser. To sign in to the web app, you can use your GitHub, GitLab, or Bitbucket account.

login-screen

If you want to work on a project together with others, you can use an organization. To learn more about how organizations work, read Work Together Using Organizations.

organization_details


Importing Your Project

When you click "New Project" you can decide if you want the project to be owned by your organization or if you want to create a personal project.

new_project_select_owner

In the next step, you need to provide the git URL of your project repository.


Repository Token

This is needed for authentication if you want to check out from a private git repository. You can create a personal access token in your account settings in GitHub, GitLab, or Bitbucket. For GitLab, using a deploy token is also supported. This feature is disabled in the SaaS, since it is currently intended for open source projects only.

After the project has been initialized successfully, you see an overview showing the findings and the code coverage. Since we haven't run any fuzz tests, there are no findings yet.

project_overview

Pull Script

If you untick "Git Repository" (not recommended unless necessary), you can provide an arbitrary shell script instead.

This script must leave the project, including its fuzzing configuration (the .code-intelligence directory), in the current working directory. It must also work when the project is already there and only needs updating. An example of a working pull script (replace the parts surrounded by <>):

git clone --depth=100 https://<username>:<githubtoken>@github.com/<yourproject>/<somerepo>.git . || git pull

In this example, a pull script is necessary because the git commit history is needed when the SUT is built, but by default CI Fuzz does not clone older commits (it clones with --depth=0).
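A more defensive variant of the pull script above, added here as an example and not CI Fuzz's own script: it passes credentials to git through a credential helper that reads the environment variables GIT_USER and GIT_TOKEN (assumed names; whether the CI Fuzz container exposes such variables is an assumption) instead of embedding the token in the URL, where it would end up in process listings and build logs, and it takes the update path when the checkout already exists.

```shell
#!/bin/sh
# Example pull script (added here, not part of CI Fuzz). Assumes GIT_USER and
# GIT_TOKEN are provided in the container environment (placeholder names).
set -eu

# Credential helper: git calls this instead of reading the token from the URL,
# so the secret never appears on the command line or in clone/pull output.
cred_helper='!f() { echo "username=${GIT_USER:-}"; echo "password=${GIT_TOKEN:-}"; }; f'

# sync_repo REPO_URL DEST [DEPTH]
# First run: shallow clone with DEPTH commits of history (default 100).
# Later runs: fast-forward the existing checkout. Returns non-zero if the
# fuzzing configuration directory is missing afterwards.
sync_repo() {
  repo_url=$1; dest=$2; depth=${3:-100}
  if [ -d "$dest/.git" ]; then
    git -C "$dest" -c "credential.helper=$cred_helper" pull --ff-only
  else
    git -c "credential.helper=$cred_helper" clone --depth="$depth" "$repo_url" "$dest"
  fi
  # Fail loudly if the checkout does not contain the fuzzing project setup.
  [ -d "$dest/.code-intelligence" ]
}
```

In the CI Fuzz pull-script field you would call it as `sync_repo https://github.com/<yourproject>/<somerepo>.git . 100`, with the placeholders replaced.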

Docker Image

This docker image will be used to spawn containers that will:

  • Clone/pull the project repository or run the pull script. For this reason, the image must have git installed, and if your git server's certificate is not signed by a public CA, its custom CA certificate must be in the system certificate store in the container. Example Dockerfile:
    FROM ubuntu:20.04
    # git is needed for the checkout; ca-certificates provides update-ca-certificates
    RUN apt-get update && apt-get -y install --no-install-recommends git ca-certificates
    # Trust the private CA that signed the git server's certificate
    COPY git_server_ca_cert.crt /usr/local/share/ca-certificates/git/git_server_ca_cert.crt
    RUN update-ca-certificates
  • Build the SUT (with the exception of Java Web Application fuzz tests). For this reason, the image must contain all the dependencies needed to build your project.
  • Run the fuzz tests (with the exception of Java Web Application fuzz tests)

Running fuzz tests

Choose which Test Collection you want to run in the left column. Clicking start will build and execute the corresponding fuzz tests. As an example project, we use the ZINT Barcode Generator, in which we found and reported several vulnerabilities.

For Java out-of-process fuzzing, you must first configure your web app for fuzzing with the CI Fuzz server.

zint_select_fuzz_test

zint_fuzz_test_run_build_pipeline_with_logs

After the build is completed and the fuzz tests start running, you can watch the coverage increasing. The fuzz test runs until a bug is found or the configured time limit is reached.

zint_coverga_graphs_with_finding

Viewing findings and coverage reports

To view the details of the finding, click "All Findings". Here you can see a list of all findings. If you are only interested in findings of a specific type or severity, you can use the filters.

zint_all_findings

By selecting a finding, you see all its details, such as the source file containing the bug, the crashing input, and the full AddressSanitizer log, which are very useful for investigating the finding further.

zint_buffer_overflow_details_1

zint_buffer_overflow_details_2

If you are interested in more details about the code coverage, click "Code Coverage" in the overview tab to get a list of all source files and their coverage.

zint_coverage_details


You can continue with Continuous Fuzzing Setup.