A tool designed to synthesise semantically correct JavaScript snippets given arbitrary data.
Useful for fuzzing.
- docker
- make
- (optional) Check if you have access to docker (run
docker info
) - (optional) Specify desired version of JS runtime in
Makefile.conf
- Run
make (jerryscript | njs | duktape | v8)
- If everything builds correctly the process will result in:
- build/fluff_* - binary to fuzz
- build/fluff_*_dry - binary that will convert Fluff bytecode to JS testcase (stdout)
- build/grammars
- js_grammar.yaml - es5.1 grammar file
- js_grammar_es6.yaml - es6 grammar file
Typical fuzzing setup:
- Create input folder and sample testcase, i.e.
mkdir in && echo "420" >> in/testcase
- Start fuzzing using
afl-fuzz
, for example:afl-fuzz -m none -i in -o out ./fluff_njs @@ js_grammar.yaml
- (optional) you can use build container to run fuzzing, requires some manual work
docker run -it -d -v path/to/fluff/repository/build:/home/build/fluff identifier /bin/bash
docker exec -it container_number bash
# afl-fuzz is preinstalled in /home/build/afl
- Enjoy your cup of tea/coffee and wait for crashes
Detailed information about the design of Fluff can be read in the whitepaper.
Patches, additions and other contributions are welcome! If you see a feature which you could implement or a bug which you could fix please send us a message or a pull request. If you have found some interesting bug with this tool, please leave us a message/github issue for the future Hall Of Fame.
If you want to drop us a message, feel free to send a mail to [email protected] or [email protected].