Fuzzing in Rust

Fuzz testing, or fuzzing, is a powerful automated software testing technique that involves providing invalid, unexpected, or random data as input to a program. The goal is to discover bugs or potential vulnerabilities that might not be caught through traditional testing methods, particularly those that could be exploited for security breaches. Rust, known for its focus on safety and performance, supports fuzzing through several tools and libraries designed to integrate seamlessly with its ecosystem. Here are some notable fuzzing tools and libraries in the Rust ecosystem:

1. cargo-fuzz

  • DEMO
  • GitHub: https://github.com/rust-fuzz/cargo-fuzz
  • Description: cargo-fuzz is a command-line tool for fuzzing Rust code. It is built on top of libFuzzer, which is a library for in-process, coverage-guided evolutionary fuzzing of other libraries. cargo-fuzz makes it easy to start fuzzing a Rust project by integrating with Cargo, Rust's package manager and build system. It automatically sets up the fuzzing target and provides a straightforward way to run the fuzzer on your code. This project requires the nightly compiler since it uses the -Z compiler flag (-Zsanitizer=address) to provide address sanitization.
  • Usage: Based on: https://rust-fuzz.github.io/book/introduction.html
cd fuzzing
# Set up rust nightly version
rustup default nightly
# Install cargo-fuzz
cargo install cargo-fuzz
cargo fuzz init
cargo fuzz add fuzz_wc_tool
# Modify `fuzzing/fuzz/fuzz_targets/fuzz_wc_tool.rs`
# Start fuzzing
cargo fuzz run fuzz_wc_tool
# Set back to stable version
rustup default stable

2. afl.rs

  • DEMO
  • GitHub: https://github.com/rust-fuzz/afl.rs
  • Description: afl.rs is a Rust wrapper around American Fuzzy Lop (AFL), one of the most popular fuzzers available. AFL is known for its efficiency in generating test cases that uncover deeply hidden bugs. afl.rs makes AFL's capabilities available to Rust projects, enabling developers to leverage AFL's fuzzing techniques to improve the security and reliability of their Rust code.
  • Usage: Based on: https://rust-fuzz.github.io/book/introduction.html
cd fuzzing
# Install cargo-afl
cargo install cargo-afl
cargo new --bin wc-tool-fuzz-afl-target
cd wc-tool-fuzz-afl-target
# Modify `fuzzing/wc-tool-fuzz-afl-target/Cargo.toml` by adding:
# [dependencies]
# afl = "*"
# url = "*"

# Modify `fuzzing/wc-tool-fuzz-afl-target/src/main.rs`
# Build project
cargo afl build
# Start fuzzing
cargo afl fuzz -i in -o out target/debug/wc-tool-fuzz-afl-target

3. honggfuzz-rs

  • GitHub: https://github.com/rust-fuzz/honggfuzz-rs
  • Description: honggfuzz-rs allows Rust developers to use honggfuzz, a security-oriented fuzzer with powerful analysis options, to fuzz their Rust code. It provides features like automatic crash detection, memory leak detection, and coverage-guided fuzzing to help identify vulnerabilities. honggfuzz-rs integrates with Rust projects to make the fuzzing process as straightforward as possible.

4. proptest

  • GitHub: https://github.com/AltSysrq/proptest
  • Description: While not a fuzzer in the traditional sense, proptest is a property testing library for Rust inspired by the Hypothesis framework for Python. It allows developers to specify the properties that a program should have, then automatically generates test cases to try and falsify these properties. proptest can be used in conjunction with fuzzers to create more comprehensive testing strategies.

5. Arbitrary

  • GitHub: https://github.com/rust-fuzz/arbitrary
  • Description: The arbitrary library provides a trait for defining how to generate arbitrary instances of data from structured input. This is particularly useful in fuzzing scenarios where you want to generate a wide variety of inputs to test your program's behavior under unexpected or edge-case conditions. It's often used in combination with fuzzers like cargo-fuzz to provide structured, yet randomized, input data for testing.

Fuzzing in Rust aims to leverage the language's type safety and memory safety guarantees while uncovering potential issues that static analysis tools might miss. These tools and libraries make fuzzing accessible to Rust developers, helping to identify and fix bugs early in the development process and enhance software security.