Bug: 211030211

Clone this repo:
  1. 2d23a4a Add janitors to the OWNERS file by Sadaf Ebrahimi · 5 weeks ago main master
  2. 33edd67 Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa am: e73be1680d am: 54819157ea am: f1ff6ce482 by Mark · 1 year, 7 months ago android14-qpr2-release android14-qpr2-s1-release android14-qpr2-s2-release android14-qpr2-s3-release android14-qpr2-s4-release android14-qpr2-s5-release android14-qpr3-d1-release android14-qpr3-d1-s1-release android14-qpr3-d1-s2-release android14-qpr3-d1-s3-release android14-qpr3-release android14-qpr3-s10-release android14-qpr3-s11-release android14-qpr3-s12-release android14-qpr3-s13-release android14-qpr3-s14-release android14-qpr3-s15-release android14-qpr3-s2-release android14-qpr3-s3-release android14-qpr3-s4-release android14-qpr3-s5-release android14-qpr3-s6-release android14-qpr3-s7-release android14-qpr3-s8-release android14-qpr3-s9-release android15-automotiveos-dev android15-platform-release android15-prebuilt-test android15-qpr1-release android15-qpr1-s3-release android15-qpr1-s4-release android15-qpr1-s5-release android15-release android15-s1-release android15-security-release android15-tests-dev android15-tests-release aml_cfg_351010000 aml_hef_350921160 aml_hef_351016140 aml_hef_351120040 aml_rkp_350910000 aml_rkp_351011000 aml_tz6_351010000 android-14.0.0_r29 android-14.0.0_r30 android-14.0.0_r31 android-14.0.0_r32 android-14.0.0_r33 android-14.0.0_r34 android-14.0.0_r35 android-14.0.0_r36 android-14.0.0_r37 android-14.0.0_r50 android-14.0.0_r51 android-14.0.0_r52 android-14.0.0_r53 android-14.0.0_r54 android-14.0.0_r55 android-14.0.0_r56 android-14.0.0_r57 android-14.0.0_r58 android-14.0.0_r59 android-14.0.0_r60 android-14.0.0_r61 android-14.0.0_r62 android-14.0.0_r63 android-14.0.0_r64 android-14.0.0_r65 android-14.0.0_r66 android-14.0.0_r67 android-14.0.0_r68 android-14.0.0_r69 android-14.0.0_r70 android-14.0.0_r71 android-14.0.0_r72 android-14.0.0_r73 android-14.0.0_r74 android-14.0.0_r75 android-15.0.0_r1 android-15.0.0_r10 android-15.0.0_r11 android-15.0.0_r12 android-15.0.0_r13 android-15.0.0_r2 android-15.0.0_r3 android-15.0.0_r4 android-15.0.0_r5 android-15.0.0_r6 android-15.0.0_r7 android-15.0.0_r8 android-15.0.0_r9 android-cts-15.0_r1 android-cts-15.0_r2 android-platform-15.0.0_r1 android-platform-15.0.0_r2 android-platform-15.0.0_r3 android-platform-15.0.0_r4 android-security-15.0.0_r1 android-security-15.0.0_r2 android-security-15.0.0_r3 android-security-15.0.0_r4 android-vts-15.0_r1 android-vts-15.0_r2
  3. f1ff6ce Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa am: e73be1680d am: 54819157ea by Mark · 1 year, 7 months ago
  4. 5481915 Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa am: e73be1680d by Mark · 1 year, 7 months ago
  5. e73be16 Sync jazzer in AOSP with upstream repo (new SHA: 30decf81a147c66fa5a098072c38ab6924ba0aa6) am: 9350e0ab03 am: 99d9a79746 am: 34a8e5c8aa by Mark · 1 year, 7 months ago

Website | Blog | Twitter

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.

Jazzer currently supports the following platforms:

  • Linux x86_64
  • macOS 12+ x86_64 & arm64
  • Windows x86_64

Quick start

You can use Docker to try out Jazzer's Autofuzz mode, in which it automatically generates arguments to a given Java function and reports unexpected exceptions and detected security issues:

docker run -it cifuzz/jazzer-autofuzz \
   com.mikesamuel:json-sanitizer:1.2.0 \
   com.google.json.JsonSanitizer::sanitize \
   --autofuzz_ignore=java.lang.ArrayIndexOutOfBoundsException

Here, the first two arguments are the Maven coordinates of the Java library and the fully qualified name of the Java function to be fuzzed in “method reference” form. The optional --autofuzz_ignore flag takes a list of uncaught exception classes to ignore.

After a few seconds, Jazzer should trigger an AssertionError, reproducing a bug it found in this library that has since been fixed.

Using Jazzer via...

JUnit 5

The following steps assume that JUnit 5 is set up for your project, for example based on the official junit5-samples.

  1. Add a dependency on com.code-intelligence:jazzer-junit:<latest version>. All Jazzer Maven artifacts are signed with this key.
  2. Add a new fuzz test to a new or existing test class: a method annotated with @FuzzTest and at least one parameter. Using a single parameter of type FuzzedDataProvider, which provides utility functions to produce commonly used Java values, or byte[] is recommended for optimal performance and reproducibility of findings.
  3. Assuming your test class is called com.example.MyFuzzTests, create the inputs directory src/test/resources/com/example/MyFuzzTestsInputs.
  4. Run a fuzz test with the environment variable JAZZER_FUZZ set to 1 to let the fuzzer rapidly try new sets of arguments. If the fuzzer finds arguments that make your fuzz test fail or even trigger a security issue, it will store them in the inputs directory.
  5. Run the fuzz test without JAZZER_FUZZ set to execute it only on the inputs in the inputs directory. This mode, which behaves just like a traditional unit test, ensures that issues previously found by the fuzzer remain fixed and can also be used to debug the fuzz test on individual inputs.

A simple property-based fuzz test could look like this (excluding imports):

class ParserTests {
   @Test
   void unitTest() {
      assertEquals("foobar", SomeScheme.decode(SomeScheme.encode("foobar")));
   }

   @FuzzTest
   void fuzzTest(FuzzedDataProvider data) {
      String input = data.consumeRemainingAsString();
      assertEquals(input, SomeScheme.decode(SomeScheme.encode(input)));
   }
}

A complete Maven example project can be found in examples/junit.

CI Fuzz

The open-source CLI tool cifuzz makes it easy to set up Maven and Gradle projects for fuzzing with Jazzer. It provides a command-line UI for fuzzing runs, deduplicates and manages findings, and provides coverage reports for fuzz tests. Moreover, you can use CI Fuzz to run your fuzz tests at scale in the CI App.

GitHub releases

You can also use GitHub release archives to run a standalone Jazzer binary that starts its own JVM configured for fuzzing:

  1. Download and extract the latest release from the GitHub releases page.
  2. Add a new class to your project with a public static void fuzzerTestOneInput(FuzzedDataProvider data) method.
  3. Compile your fuzz test with jazzer_standalone.jar on the classpath.
  4. Run the jazzer binary (jazzer.exe on Windows), specifying the classpath and fuzz test class:
./jazzer --cp=<classpath> --target_class=<fuzz test class>

If you see an error saying that libjvm.so has not been found, make sure that JAVA_HOME points to a JDK.

The examples directory includes both toy and real-world examples of fuzz tests.

Docker

The “distroless” Docker image cifuzz/jazzer includes a recent Jazzer release together with OpenJDK 17. Mount a directory containing your compiled fuzz target into the container under /fuzzing and use it like a GitHub release binary by running:

docker run -v path/containing/the/application:/fuzzing cifuzz/jazzer --cp=<classpath> --target_class=<fuzz test class>

If Jazzer produces a finding, the input that triggered it will be available in the same directory.

Bazel

Support for Jazzer is available in rules_fuzzing, the official Bazel rules for fuzzing. See the README for instructions on how to use Jazzer in a Java Bazel project.

OSS-Fuzz

Code Intelligence and Google have teamed up to bring support for Java, Kotlin, and other JVM-based languages to OSS-Fuzz, Google's project for large-scale fuzzing of open-souce software. Read the OSS-Fuzz guide to learn how to set up a Java project.

Further documentation

Findings

A list of security issues and bugs found by Jazzer is maintained here. If you found something interesting and the information is public, please send a PR to add it to the list.

Credit

The following developers have contributed to Jazzer before its public release:

Sergej Dechand, Christian Hartlage, Fabian Meumertzheim, Sebastian Pöplau, Mohammed Qasem, Simon Resch, Henrik Schnor, Khaled Yakdan

The LLVM-style edge coverage instrumentation for JVM bytecode used by Jazzer relies on JaCoCo. Previously, Jazzer used AFL-style coverage instrumentation as pioneered by kelinci.