Overcoming Fuzzing Obstacles
Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, global state (like time-seeded PRNGs), and validation checks can block the fuzzer from exploring deeper code paths. This technique shows how to patch your System Under Test (SUT) to bypass these obstacles during fuzzing while preserving production behavior.
Overview
Many real-world programs were not designed with fuzzing in mind. They may:
- Verify checksums or cryptographic hashes before processing input
- Rely on global state (e.g., system time, environment variables)
- Use non-deterministic random number generators
- Perform complex validation that makes it difficult for the fuzzer to generate valid inputs
These patterns make fuzzing difficult because:
- **Checksums:** The fuzzer must guess correct hash values (astronomically unlikely)
- **Global state:** Same input produces different behavior across runs (breaks determinism)
- **Complex validation:** The fuzzer spends effort hitting validation failures instead of exploring deeper code
The solution is conditional compilation: modify code behavior during fuzzing builds while keeping production code unchanged.
Key Concepts
| Concept | Description | |---------|-------------| | SUT Patching | Modifying System Under Test to be fuzzing-friendly | | Conditional Compilation | Code that behaves differently based on compile-time flags | | Fuzzing Build Mode | Special build configuration that enables fuzzing-specific patches | | False Positives | Crashes found during fuzzing that cannot occur in production | | Determinism | Same input always produces same behavior (critical for fuzzing) |
When to Apply
**Apply this technique when:**
- The fuzzer gets stuck at checksum or hash verification
- Coverage reports show large blocks of unreachable code behind validation
- Code uses time-based seeds or other non-deterministic global state
- Complex validation makes it nearly impossible to generate valid inputs
- You see the fuzzer repeatedly hitting the same validation failures
**Skip this technique when:**
- The obstacle can be overcome with a good seed corpus or dictionary
- The validation is simple enough for the fuzzer to learn (e.g., magic bytes)
- You're doing grammar-based or structure-aware fuzzing that handles validation
- Skipping the check would introduce too many false positives
- The code is already fuzzing-friendly
Quick Reference
| Task | C/C++ | Rust | |------|-------|------| | Check if fuzzing build | `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` | `cfg!(fuzzing)` | | Skip check during fuzzing | `#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION return -1; #endif` | `if !cfg!(fuzzing) { return Err(...) }` | | Common obstacles | Checksums, PRNGs, time-based logic | Checksums, PRNGs, time-based logic | | Supported fuzzers | libFuzzer, AFL++, LibAFL, honggfuzz | cargo-fuzz, libFuzzer |
Step-by-Step
Step 1: Identify the Obstacle
Run the fuzzer and analyze coverage to find code that's unreachable. Common patterns:
- Look for checksum/hash verification before deeper processing
- Check for calls to `rand()`, `time()`, or `srand()` with system seeds
- Find validation functions that reject most inputs
- Identify global state initialization that differs across runs
**Tools to help:**
- Coverage reports (see coverage-analysis technique)
- Profiling with `-fprofile-instr-generate`
- Manual code inspection of entry points
Step 2: Add Conditional Compilation
Modify the obstacle to bypass it during fuzzing builds.
**C/C++ Example:**
// Before: Hard obstacle
if (checksum != expected_hash) {
return -1; // Fuzzer never gets past here
}
// After: Conditional bypass
if (checksum != expected_hash) {
#ifndef FUZZI
<!-- truncated -->