Description
Problem Description
This RFC proposes first steps to integrate AFL++, a popular fuzzing engine (https://aflplus.plus/), into Zephyr.
Fuzzing is an efficient dynamic analysis technique for finding security vulnerabilities. Currently, Zephyr has libFuzzer integrated. However, it fuzzes at the API level, exercising individual entry points with each input. AFL++ can fuzz at the system level, feeding input to the whole running image, which helps identify vulnerabilities that arise from system-level interactions.
Proposed Change (Summary)
Fuzzing embedded applications has its challenges, since the target's peripherals must be modelled. However, if the application has a POSIX port, it behaves like an ordinary host application, and this can be leveraged to set up fuzzing with AFL++ support on Zephyr.
As a first step, the toolchain AFL++ needs to fuzz a program (AFL++ works on instrumented code, which afl-clang-fast produces at compile time) can be integrated, and fuzzing support provided for POSIX-supported applications. Here is a snippet of AFL++ running on the Zephyr hello_world sample for the POSIX 64-bit platform (native_sim/native/64) that I set up.
Proposed Change (Detailed)
Adding AFL++ fuzzing support to POSIX platforms can be achieved by adding the new toolchain and making the relevant changes to west to introduce a fuzz option.
- Add afl-clang-fast toolchain support in Zephyr as an extension of the existing llvm toolchain.
- Use macros to restrict fuzzing support to POSIX platforms only for now.
- Include an afl-fuzz option in the west infrastructure (possibly) to run the fuzzer.
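To make concrete what "behaves like an ordinary host application" buys us, here is an added example of a host-side C target shaped the way AFL++ expects a POSIX program to consume input. It is not Zephyr code, not from the RFC, and not a native_sim build; parse_frame() and its 4-byte frame format are hypothetical stand-ins for whatever system-level code path (shell, network stack, ...) a Zephyr POSIX image would expose. The AFL++ conventions it relies on are real: afl-clang-fast instruments at compile time, and afl-fuzz substitutes the path of each generated test case for @@ on the command line, or writes the case to stdin when @@ is absent.

```c
/* Added example: minimal AFL++-style POSIX target. Not Zephyr code and not
 * part of the RFC; parse_frame() is a hypothetical parser standing in for a
 * system-level code path in a native_sim build.
 *
 * Build and run (afl-clang-fast inserts coverage instrumentation at compile time):
 *   afl-clang-fast -O1 -g -o target target.c
 *   mkdir in && printf 'ZF\001\002hi' > in/seed
 *   afl-fuzz -i in -o out -- ./target @@
 * afl-fuzz replaces @@ with the path of each test case; without @@ it feeds
 * the case on stdin, which read_input() below also handles.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_MAGIC0 'Z'
#define FRAME_MAGIC1 'F'
#define MAX_PAYLOAD  64
#define MAX_INPUT    4096

/* Result codes so the harness (and a test) can tell a rejected input from an
 * accepted one without relying on printed output. */
enum { FRAME_OK = 0, FRAME_ERR_SHORT = -1, FRAME_ERR_MAGIC = -2,
       FRAME_ERR_LEN = -3 };

/* Hypothetical frame: 2 magic bytes, 1 type byte, 1 length byte, payload.
 * The declared length is checked against both the output buffer and the
 * bytes actually present; dropping either check is the kind of defect
 * system-level fuzzing with AFL++ is meant to surface. */
int parse_frame(const uint8_t *buf, size_t len, uint8_t *payload_out)
{
    if (len < 4)
        return FRAME_ERR_SHORT;
    if (buf[0] != FRAME_MAGIC0 || buf[1] != FRAME_MAGIC1)
        return FRAME_ERR_MAGIC;
    uint8_t plen = buf[3];
    if (plen > MAX_PAYLOAD || (size_t)plen > len - 4)
        return FRAME_ERR_LEN;
    memcpy(payload_out, buf + 4, plen);
    return FRAME_OK;
}

/* Read one test case from a file (AFL++'s @@ mode) or from stdin (no @@).
 * Returns the number of bytes read, or -1 if the file cannot be opened.
 * Input is capped at MAX_INPUT so an oversized case cannot itself become a
 * harness bug. */
long read_input(const char *path, uint8_t *buf, size_t cap)
{
    FILE *f = path ? fopen(path, "rb") : stdin;
    if (!f)
        return -1;
    size_t n = fread(buf, 1, cap, f);
    if (path)
        fclose(f);
    return (long)n;
}

int main(int argc, char **argv)
{
    static uint8_t input[MAX_INPUT];
    uint8_t payload[MAX_PAYLOAD];
    long n = read_input(argc > 1 ? argv[1] : NULL, input, sizeof(input));
    if (n < 0)
        return 1;
    /* A rejected frame exits cleanly on purpose: AFL++ records crashes from
     * signals (SIGSEGV, or SIGABRT raised by a sanitizer), not from non-zero
     * exit codes, so only genuine memory errors end up in out/crashes. */
    parse_frame(input, (size_t)n, payload);
    return 0;
}
```

For a Zephyr native_sim image the same contract applies: the fuzzer needs a way to hand each test case to the process (file path or stdin) and a crash that manifests as a signal, which is why the RFC's toolchain step (afl-clang-fast) and runner step (afl-fuzz) are the two pieces that have to exist before anything target-specific.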
Dependencies
No response
Concerns and Unresolved Questions
As a future roadmap, some things to be considered are as follows:
- Add an AFL++ QEMU mode option for fuzzing in binary-only mode, without source instrumentation.
- Define a method for creating peripheral models so that fuzzing can be done with better accuracy.
Of course, this will need further discussion as to how it can be implemented.
Alternatives Considered
No response