测试助手
- 作者仓库星标 5,723
- 叉子 499
- 作者更新于 2026年6月15日 16:05
- 作者仓库 skills
- 领域
- 通用
- 兼容 Agent
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- 信任分
- 88 / 100 · 社区维护
- 作者 / 版本 / 许可
- @trailofbits · 未声明 license
- Token 消耗评级
- 低消耗
- 接入复杂程度
- 需简单配置
- 是否需要外部 API Key
- 不需要
- 兼容的系统
- 未声明(默认跨平台)
- 底层运行要求
- 无特殊要求
- 文件与系统权限
-
- 只读
- 允许写入 / 修改
- Shell 执行
- 读取环境变量
- 网络行为
- 仅限本地
- 安装命令数
- 26 条
档案由构建时根据 SKILL.md 与安装命令自动衍生,可能与作者实际意图存在差异。
需要注意: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: fuzzing-obstacles
description: > Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, glob…
category: 通用
runtime: 无特殊运行时
---
# fuzzing-obstacles 输出预览
## PART A: 任务判断
- 适用问题:通用任务拆解、检查和交付。
- 输入要求:目标材料、限制条件、期望输出和验收方式。
- 证据边界:围绕“Overview / Key Concepts / When to Apply”读取原文规则,不把推断写成作者承诺。
## PART B: 执行结果
- **01** 任务判断:确认你的需求是否属于通用任务拆解、检查和交付,并标出输入、限制和预期结果。
- **02** 执行计划:优先按“Overview / Key Concepts / When to Apply”拆成步骤,说明每一步会读取什么、修改什么、产出什么。
- **03** 交付结果:给出可复制的命令、文件改动、检查清单或内容草稿,并说明如何继续迭代。
- **04** 风险边界:结合 读取文件、写入/修改文件、执行终端命令、读取环境变量、主要在本地完成、通常不需要额外 API Key 给出执行前确认项。
## Running Rules
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;主要在本地完成;通常不需要额外 API Key。
- 先小样例验证,再放大到真实任务。
- 交付时同时给结果、检查口径和下一步迭代建议。 原文没有稳定的斜杠命令要求。安装验证后通常全局生效,直接在对话里点名这个 Skill 并描述任务即可。
告诉 Agent 目标文件或材料、期望结果、不可改范围、是否允许联网或执行命令。本 Skill 的权限画像是:读取文件、写入/修改文件、执行终端命令、读取环境变量。
先用一个小任务确认它会围绕“Overview / Key Concepts / When to Apply”工作;涉及文件或命令时,先看 diff、日志、预览或测试结果。
检查最终产物是否包含明确结果、必要证据和下一步动作;如果输出泛泛而谈,就补充输入、边界和验收标准后重跑。
---
name: fuzzing-obstacles
description: > Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, glob…
category: 通用
source: trailofbits/skills
---
# fuzzing-obstacles
## 什么时候使用
- fuzzing-obstacles 是一个通用扩展技能,按 SKILL 适合处理通用任务拆解、检查、交付和复盘,核心价值是把输入、判断、执行、验证和交付边界固定下来,避免 Agent 泛泛回答。 把任务拆成可执行、可检查、可继续迭代的步…
- 面向通用任务拆解、检查和交付,优先处理能明确输入、步骤和验收标准的工作。
## 需要提供什么
- 目标材料、目录范围、期望结果和不可改动内容。
- 是否允许联网、执行命令、读写文件或调用外部服务。
## 执行规则
- 围绕「Overview / Key Concepts / When to Apply」组织步骤,不把推断写成作者事实。
- 读取文件、写入/修改文件、执行终端命令、读取环境变量;主要在本地完成;通常不需要额外 API Key。
- 先跑小样例,确认结果可检查后再扩大任务范围。
## 输出要求
- 给出最终产物、关键证据、验证方式和下一步动作。
- 信息不足时标记 unknown,不编造命令、平台或依赖。 作者原文负责流程事实;仓库文件负责来源和命令;流狐只补充适用场景、限制和质量判断。
skill "fuzzing-obstacles" {
输入层 -> 用户目标 + 目标文件 + 禁止范围 + 验收标准
上下文层 -> Overview / Key Concepts / When to Apply
规则层 -> SKILL.md 触发条件 / 执行顺序 / 输出格式
运行层 -> 无特殊运行时 | 读取文件、写入/修改文件、执行终端命令、读取环境变量 | 主要在本地完成
安全层 -> 通常不需要额外 API Key + 小任务验证 + diff / 日志复核
输出层 -> 可复制结果 + 检查清单 + 下一步迭代
} Overcoming Fuzzing Obstacles
Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, global state (like time-seeded PRNGs), and validation checks can block the fuzzer from exploring deeper code paths. This technique shows how to patch your System Under Test (SUT) to bypass these obstacles during fuzzing while preserving production behavior.
Overview
Many real-world programs were not designed with fuzzing in mind. They may:
- Verify checksums or cryptographic hashes before processing input
- Rely on global state (e.g., system time, environment variables)
- Use non-deterministic random number generators
- Perform complex validation that makes it difficult for the fuzzer to generate valid inputs
These patterns make fuzzing difficult because:
- Checksums: The fuzzer must guess correct hash values (astronomically unlikely)
- Global state: Same input produces different behavior across runs (breaks determinism)
- Complex validation: The fuzzer spends effort hitting validation failures instead of exploring deeper code
The solution is conditional compilation: modify code behavior during fuzzing builds while keeping production code unchanged.
Key Concepts
| Concept | Description |
|---|---|
| SUT Patching | Modifying System Under Test to be fuzzing-friendly |
| Conditional Compilation | Code that behaves differently based on compile-time flags |
| Fuzzing Build Mode | Special build configuration that enables fuzzing-specific patches |
| False Positives | Crashes found during fuzzing that cannot occur in production |
| Determinism | Same input always produces same behavior (critical for fuzzing) |
When to Apply
Apply this technique when:
- The fuzzer gets stuck at checksum or hash verification
- Coverage reports show large blocks of unreachable code behind validation
- Code uses time-based seeds or other non-deterministic global state
- Complex validation makes it nearly impossible to generate valid inputs
- You see the fuzzer repeatedly hitting the same validation failures
Skip this technique when:
- The obstacle can be overcome with a good seed corpus or dictionary
- The validation is simple enough for the fuzzer to learn (e.g., magic bytes)
- You're doing grammar-based or structure-aware fuzzing that handles validation
- Skipping the check would introduce too many false positives
- The code is already fuzzing-friendly
Quick Reference
| Task | C/C++ | Rust |
|---|---|---|
| Check if fuzzing build | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
cfg!(fuzzing) |
| Skip check during fuzzing | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION return -1; #endif |
if !cfg!(fuzzing) { return Err(...) } |
| Common obstacles | Checksums, PRNGs, time-based logic | Checksums, PRNGs, time-based logic |
| Supported fuzzers | libFuzzer, AFL++, LibAFL, honggfuzz | cargo-fuzz, libFuzzer |
Step-by-Step
Step 1: Identify the Obstacle
Run the fuzzer and analyze coverage to find code that's unreachable. Common patterns:
- Look for checksum/hash verification before deeper processing
- Check for calls to
rand(),time(), orsrand()with system seeds - Find validation functions that reject most inputs
- Identify global state initialization that differs across runs
Tools to help:
- Coverage reports (see coverage-analysis technique)
- Profiling with
-fprofile-instr-generate - Manual code inspection of entry points
Step 2: Add Conditional Compilation
Modify the obstacle to bypass it during fuzzing builds.
C/C++ Example:
// Before: Hard obstacle
if (checksum != expected_hash) {
return -1; // Fuzzer never gets past here
}
// After: Conditional bypass
if (checksum != expected_hash) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return -1; // Only enforced in production
#endif
}
// Fuzzer can now explore code beyond this check
Rust Example:
// Before: Hard obstacle
if checksum != expected_hash {
return Err(MyError::Hash); // Fuzzer never gets past here
}
// After: Conditional bypass
if checksum != expected_hash {
if !cfg!(fuzzing) {
return Err(MyError::Hash); // Only enforced in production
}
}
// Fuzzer can now explore code beyond this check
Step 3: Verify Coverage Improvement
After patching:
- Rebuild with fuzzing instrumentation
- Run the fuzzer for a short time
- Compare coverage to the unpatched version
- Confirm new code paths are being explored
Step 4: Assess False Positive Risk
Consider whether skipping the check introduces impossible program states:
- Does code after the check assume validated properties?
- Could skipping validation cause crashes that cannot occur in production?
- Is there implicit state dependency?
If false positives are likely, consider a more targeted patch (see Common Patterns below).
Common Patterns
Pattern: Bypass Checksum Validation
Use Case: Hash/checksum blocks all fuzzer progress
Before:
uint32_t computed = hash_function(data, size);
if (computed != expected_checksum) {
return ERROR_INVALID_HASH;
}
process_data(data, size);
After:
uint32_t computed = hash_function(data, size);
if (computed != expected_checksum) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return ERROR_INVALID_HASH;
#endif
}
process_data(data, size);
False positive risk: LOW - If data processing doesn't depend on checksum correctness
Pattern: Deterministic PRNG Seeding
Use Case: Non-deterministic random state prevents reproducibility
Before:
void initialize() {
srand(time(NULL)); // Different seed each run
}
After:
void initialize() {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
srand(12345); // Fixed seed for fuzzing
#else
srand(time(NULL));
#endif
}
False positive risk: LOW - Fuzzer can explore all code paths with fixed seed
Pattern: Careful Validation Skip
Use Case: Validation must be skipped but downstream code has assumptions
Before (Dangerous):
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
if (!validate_config(&config)) {
return -1; // Ensures config.x != 0
}
#endif
int32_t result = 100 / config.x; // CRASH: Division by zero in fuzzing!
After (Safe):
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
if (!validate_config(&config)) {
return -1;
}
#else
// During fuzzing, use safe defaults for failed validation
if (!validate_config(&config)) {
config.x = 1; // Prevent division by zero
config.y = 1;
}
#endif
int32_t result = 100 / config.x; // Safe in both builds
False positive risk: MITIGATED - Provides safe defaults instead of skipping
Pattern: Bypass Complex Format Validation
Use Case: Multi-step validation makes valid input generation nearly impossible
Rust Example:
// Before: Multiple validation stages
pub fn parse_message(data: &[u8]) -> Result<Message, Error> {
validate_magic_bytes(data)?;
validate_structure(data)?;
validate_checksums(data)?;
validate_crypto_signature(data)?;
deserialize_message(data)
}
// After: Skip expensive validation during fuzzing
pub fn parse_message(data: &[u8]) -> Result<Message, Error> {
validate_magic_bytes(data)?; // Keep cheap checks
if !cfg!(fuzzing) {
validate_structure(data)?;
validate_checksums(data)?;
validate_crypto_signature(data)?;
}
deserialize_message(data)
}
False positive risk: MEDIUM - Deserialization must handle malformed data gracefully
Advanced Usage
Tips and Tricks
| Tip | Why It Helps |
|---|---|
| Keep cheap validation | Magic bytes and size checks guide fuzzer without much cost |
| Use fixed seeds for PRNGs | Makes behavior deterministic while exploring all code paths |
| Patch incrementally | Skip one obstacle at a time and measure coverage impact |
| Add defensive defaults | When skipping validation, provide safe fallback values |
| Document all patches | Future maintainers need to understand fuzzing vs. production differences |
Real-World Examples
OpenSSL: Uses FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to modify cryptographic algorithm behavior. For example, in crypto/cmp/cmp_vfy.c, certain signature checks are relaxed during fuzzing to allow deeper exploration of certificate validation logic.
ogg crate (Rust): Uses cfg!(fuzzing) to skip checksum verification during fuzzing. This allows the fuzzer to explore audio processing code without spending effort guessing correct checksums.
Measuring Patch Effectiveness
After applying patches, quantify the improvement:
- Line coverage: Use
llvm-covorcargo-covto see new reachable lines - Basic block coverage: More fine-grained than line coverage
- Function coverage: How many more functions are now reachable?
- Corpus size: Does the fuzzer generate more diverse inputs?
Effective patches typically increase coverage by 10-50% or more.
Combining with Other Techniques
Obstacle patching works well with:
- Corpus seeding: Provide valid inputs that get past initial parsing
- Dictionaries: Help fuzzer learn magic bytes and common values
- Structure-aware fuzzing: Use protobuf or grammar definitions for complex formats
- Harness improvements: Better harness can sometimes avoid obstacles entirely
Anti-Patterns
| Anti-Pattern | Problem | Correct Approach |
|---|---|---|
| Skip all validation wholesale | Creates false positives and unstable fuzzing | Skip only specific obstacles that block coverage |
| No risk assessment | False positives waste time and hide real bugs | Analyze downstream code for assumptions |
| Forget to document patches | Future maintainers don't understand the differences | Add comments explaining why patch is safe |
| Patch without measuring | Don't know if it helped | Compare coverage before and after |
| Over-patching | Makes fuzzing build diverge too much from production | Minimize differences between builds |
Tool-Specific Guidance
libFuzzer
libFuzzer automatically defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION during compilation.
# C++ compilation
clang++ -g -fsanitize=fuzzer,address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
harness.cc target.cc -o fuzzer
# The macro is usually defined automatically by -fsanitize=fuzzer
clang++ -g -fsanitize=fuzzer,address harness.cc target.cc -o fuzzer
Integration tips:
- The macro is defined automatically; manual definition is usually unnecessary
- Use
#ifdefto check for the macro - Combine with sanitizers to detect bugs in newly reachable code
AFL++
AFL++ also defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION when using its compiler wrappers.
# Compilation with AFL++ wrappers
afl-clang-fast++ -g -fsanitize=address target.cc harness.cc -o fuzzer
# The macro is defined automatically by afl-clang-fast
Integration tips:
- Use
afl-clang-fastorafl-clang-ltofor automatic macro definition - Persistent mode harnesses benefit most from obstacle patching
- Consider using
AFL_LLVM_LAF_ALLfor additional input-to-state transformations
honggfuzz
honggfuzz also supports the macro when building targets.
# Compilation
hfuzz-clang++ -g -fsanitize=address target.cc harness.cc -o fuzzer
Integration tips:
- Use
hfuzz-clangorhfuzz-clang++wrappers - The macro is available for conditional compilation
- Combine with honggfuzz's feedback-driven fuzzing
cargo-fuzz (Rust)
cargo-fuzz automatically sets the fuzzing cfg option during builds.
# Build fuzz target (cfg!(fuzzing) is automatically set)
cargo fuzz build fuzz_target_name
# Run fuzz target
cargo fuzz run fuzz_target_name
Integration tips:
- Use
cfg!(fuzzing)for runtime checks in production builds - Use
#[cfg(fuzzing)]for compile-time conditional compilation - The fuzzing cfg is only set during
cargo fuzzbuilds, not regularcargo build - Can be manually enabled with
RUSTFLAGS="--cfg fuzzing"for testing
LibAFL
LibAFL supports the C/C++ macro for targets written in C/C++.
# Compilation
clang++ -g -fsanitize=address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
target.cc -c -o target.o
Integration tips:
- Define the macro manually or use compiler flags
- Works the same as with libFuzzer
- Useful when building custom LibAFL-based fuzzers
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Coverage doesn't improve after patching | Wrong obstacle identified | Profile execution to find actual bottleneck |
| Many false positive crashes | Downstream code has assumptions | Add defensive defaults or partial validation |
| Code compiles differently | Macro not defined in all build configs | Verify macro in all source files and dependencies |
| Fuzzer finds bugs in patched code | Patch introduced invalid states | Review patch for state invariants; consider safer approach |
| Can't reproduce production bugs | Build differences too large | Minimize patches; keep validation for state-critical checks |
Related Skills
Tools That Use This Technique
| Skill | How It Applies |
|---|---|
| libfuzzer | Defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION automatically |
| aflpp | Supports the macro via compiler wrappers |
| honggfuzz | Uses the macro for conditional compilation |
| cargo-fuzz | Sets cfg!(fuzzing) for Rust conditional compilation |
Related Techniques
| Skill | Relationship |
|---|---|
| fuzz-harness-writing | Better harnesses may avoid obstacles; patching enables deeper exploration |
| coverage-analysis | Use coverage to identify obstacles and measure patch effectiveness |
| corpus-seeding | Seed corpus can help overcome obstacles without patching |
| dictionary-generation | Dictionaries help with magic bytes but not checksums or complex validation |
Resources
Key External Resources
OpenSSL Fuzzing Documentation
OpenSSL's fuzzing infrastructure demonstrates large-scale use of FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION. The project uses this macro to modify cryptographic validation, certificate parsing, and other security-critical code paths to enable deeper fuzzing while maintaining production correctness.
LibFuzzer Documentation on Flags Official LLVM documentation for libFuzzer, including how the fuzzer defines compiler macros and how to use them effectively. Covers integration with sanitizers and coverage instrumentation.
Rust cfg Attribute Reference
Complete reference for Rust conditional compilation, including cfg!(fuzzing) and cfg!(test). Explains compile-time vs. runtime conditional compilation and best practices.
先判断是否适合
作者设计意图
作者的方法与取舍
边界和复核