Adds fuzzing target to fuzz the ParameterValue and ReturnType. Rename

existing target to host_print. Move fuzz directory to root directory.

Signed-off-by: Ludvig Liljenberg <[email protected]>

Author: ludfjig

.github/workflows/Fuzzing.yml

@@ -14,5 +14,13 @@ jobs:
   fuzzing:
     uses: ./.github/workflows/dep_fuzzing.yml
     with:
+      target: "host_print"
+      max_total_time: 18000 # 5 hours in seconds
+    secrets: inherit
+
+  fuzzing:
+    uses: ./.github/workflows/dep_fuzzing.yml
+    with:
+      target: "guest_call"
       max_total_time: 18000 # 5 hours in seconds
     secrets: inherit

.github/workflows/dep_fuzzing.yml

@@ -7,6 +7,10 @@ on:
         description: Maximum total time for the fuzz run in seconds
         required: true
         type: number
+      target:
+        description: Fuzz target to run
+        required: true
+        type: string
       docs_only:
         description: Skip fuzzing if docs only
         required: false
@@ -44,7 +48,7 @@ jobs:
         run: cargo install cargo-fuzz
 
       - name: Run Fuzzing
-        run: cargo +nightly fuzz run --release fuzz_target_1 -- -max_total_time=300
+        run: just fuzz-timed ${{inputs.target}} ${{ inputs.max_total_time }}
         working-directory: src/hyperlight_host
 
       - name: Upload Crash Artifacts

.vscode/settings.json

@@ -3,6 +3,7 @@
         "Cargo.toml", 
         // guest crates for testing, not part of the workspace
         "src/tests/rust_guests/simpleguest/Cargo.toml",
-        "src/tests/rust_guests/callbackguest/Cargo.toml"
+        "src/tests/rust_guests/callbackguest/Cargo.toml",
+        "src/hyperlight_host/fuzz/Cargo.toml"
     ]
 }

Cargo.lock

@@ -11,7 +11,7 @@ members = [
     "src/hyperlight_host",
     "src/hyperlight_guest_capi",
     "src/hyperlight_testing",
-    "src/hyperlight_host/fuzz",
+    "fuzz",
 ]
 # Because hyperlight-guest has custom linker flags,
 # we exclude it from the default-members list

Cargo.toml

@@ -186,8 +186,11 @@ bench target=default-target features="":
     cargo bench --profile={{ if target == "debug" { "dev" } else { target } }} {{ if features =="" {''} else { "--features " + features } }} -- --verbose
 
 # FUZZING
-fuzz:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1
 
-fuzz-timed:
-    cd src/hyperlight_host && cargo +nightly fuzz run fuzz_target_1 -- -max_total_time=300
+# Fuzzes the given target
+fuzz fuzz-target:
+    cargo +nightly fuzz run {{ fuzz-target }} --release
+
+# Fuzzes the given target. Stops after `max_time` seconds
+fuzz-timed fuzz-target max_time:
+    cargo +nightly fuzz run {{ fuzz-target }} --release -- -max_total_time={{ max_time }}

Justfile

@@ -0,0 +1,27 @@
+[package]
+name = "hyperlight-fuzz"
+version = "0.0.0"
+publish = false
+edition = { workspace = true }
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+hyperlight-testing = { workspace = true }
+hyperlight-host = { workspace = true, default-features = true, features = ["fuzzing"]}
+
+[[bin]]
+name = "host_print"
+path = "fuzz_targets/host_print.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "guest_call"
+path = "fuzz_targets/guest_call.rs"
+test = false
+doc = false
+bench = false

src/hyperlight_host/fuzz/.gitignore renamed to fuzz/.gitignore

@@ -4,23 +4,19 @@ This directory contains the fuzzing infrastructure for Hyperlight. We use `cargo
 
 You can run the fuzzers with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name>
+just fuzz
 ```
-
-> Note: Because nightly toolchains are not stable, we pin the nightly version to `2023-11-28`. To install this toolchain, run:
-> ```sh
-> rustup toolchain install nightly-2023-11-28-x86_64-unknown-linux-gnu
-> ```
+which evaluates to the following command `cargo +nightly fuzz run host_print --release`. We use the release profile to make sure the release-optimized guest is used. The default fuzz profile which is release+debugsymbols would cause our debug guests to be loaded, since we currently determine which test guest to load based on whether debug symbols are present.
 
 As per Microsoft's Offensive Research & Security Engineering (MORSE) team, all host exposed functions that receive or interact with guest data must be continuously fuzzed for, at least, 500 million fuzz test cases without any crashes. Because `cargo-fuzz` doesn't support setting a maximum number of iterations; instead, we use the `--max_total_time` flag to set a maximum time to run the fuzzer. We have a GitHub action (acting like a CRON job) that runs the fuzzers for 24 hours every week.
 
-Currently, we only fuzz the `PrintOutput` function. We plan to add more fuzzers in the future.
+Currently, we fuzz the parameters and return type to a hardcoded `PrintOutput` guest function, and the `HostPrint` host function. We plan to add more fuzzers in the future.
 
 ## On Failure 
 
 If you encounter a failure, you can re-run an entire seed (i.e., group of inputs) with:
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release <fuzzer_name> -- -seed=<seed-number>
+cargo +nightly fuzz run <fuzzer_name> -- -seed=<seed-number>
 ```
 
 The seed number can be seed in a specific run, like:
@@ -29,5 +25,5 @@ The seed number can be seed in a specific run, like:
 Or, if repro-ing a failure from CI, you can download the artifact from the fuzzing run, and run it like:
 
 ```sh
-cargo +nightly-2023-11-28-x86_64-unknown-linux-gnu fuzz run --release -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
+cargo +nightly fuzz run -O <fuzzer_name> <fuzzer-input (e.g., fuzz/artifacts/fuzz_target_1/crash-93c522e64ee822034972ccf7026d3a8f20d5267c>
 ```