Jazzer

Fuzz Testing for the JVM

Website | Blog | Twitter

Important

Hello users!

We are thrilled to announce that Jazzer is now back under the Apache 2.0 license!

A year ago, we temporarily stopped maintaining Jazzer as open source. During this time, we received incredible feedback, support, and ideas from the community, which motivated us to find a way to bring Jazzer back to the open-source world.

Thanks to your enthusiasm and contributions, and a special callout to the OSS-Fuzz team 🚀.

Visit code-intelligence.com for more information.

The Code Intelligence team

Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM.

Jazzer currently supports the following platforms:

  • Linux x86_64
  • macOS 12+ x86_64 & arm64
  • Windows x86_64

Using Jazzer via...

JUnit 5

The following steps assume that JUnit 5.9.0 or higher is set up for your project, for example based on the official junit5-samples.

  1. Add a dependency on com.code-intelligence:jazzer-junit:<latest version>. All Jazzer Maven artifacts are signed with the key linked from the project's README, so the signature can be verified before the artifact is trusted.
  2. Add a new fuzz test to a new or existing test class: a method annotated with @FuzzTest that takes at least one parameter. A single parameter of type FuzzedDataProvider (which provides utility functions to produce commonly used Java values) or byte[] is recommended for optimal performance and reproducibility of findings.
  3. Assuming your test class is called com.example.MyFuzzTests, create the inputs directory src/test/resources/com/example/MyFuzzTestsInputs.
  4. Run a fuzz test with the environment variable JAZZER_FUZZ set to 1 to let the fuzzer rapidly try new sets of arguments. If the fuzzer finds arguments that make your fuzz test fail or even trigger a security issue, it stores them in the inputs directory. In this mode, only a single fuzz test is executed per test run (see #599 for details).
  5. Run the fuzz test without JAZZER_FUZZ set to execute it only on the inputs in the inputs directory. This mode behaves just like a traditional unit test: it ensures that issues previously found by the fuzzer remain fixed, and it can be used to debug the fuzz test on individual inputs.

A simple property-based fuzz test could look like this (SomeScheme stands for the code under test):

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;
import org.junit.jupiter.api.Test;

class ParserTests {
   @Test
   void unitTest() {
      assertEquals("foobar", SomeScheme.decode(SomeScheme.encode("foobar")));
   }

   // The fuzzer chooses the input; the round-trip property must hold for all of them.
   @FuzzTest
   void fuzzTest(FuzzedDataProvider data) {
      String input = data.consumeRemainingAsString();
      assertEquals(input, SomeScheme.decode(SomeScheme.encode(input)));
   }
}
```

A complete Maven example project can be found in examples/junit.

GitHub releases

You can also use GitHub release archives to run a standalone Jazzer binary that starts its own JVM configured for fuzzing:

  1. Download and extract the latest release from the GitHub releases page.
  2. Add a new class to your project with a public static void fuzzerTestOneInput(FuzzedDataProvider data) method.
  3. Compile your fuzz test with jazzer_standalone.jar on the classpath.
  4. Run the jazzer binary (jazzer.exe on Windows), specifying the classpath and fuzz test class:

```sh
./jazzer --cp=<classpath> --target_class=<fuzz test class>
```

If you see an error saying that libjvm.so has not been found, make sure that JAVA_HOME points to a JDK.

The examples directory includes both toy and real-world examples of fuzz tests.
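The JUnit 5 steps and the standalone-binary steps above both need a fuzz target, and the README's ParserTests leaves the code under test abstract. The following added example (written for this page, not code from the Jazzer repository) shows both entry points against one constructed target: a byte-level percent-escape codec called PercentCodec. The codec, the class names and the two properties being checked are assumptions of the example; the Jazzer API calls it uses (FuzzedDataProvider consumers, @FuzzTest, FuzzerSecurityIssueHigh, the static fuzzerTestOneInput method) are the ones the README and jazzer-api expose. For brevity everything sits in one file, PercentCodecFuzzer.java; in a real project the JUnit class lives under src/test/java and the inputs directory from step 3 is named after it.

```java
// PercentCodecFuzzer.java: added example, not part of the Jazzer repository.
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
import com.code_intelligence.jazzer.junit.FuzzTest;
import java.io.ByteArrayOutputStream;
import java.util.Arrays;

/** Constructed target (hypothetical, not a real library): ASCII letters and digits pass
 *  through unescaped, every other byte becomes %XX. */
final class PercentCodec {
  private static final String HEX = "0123456789ABCDEF";

  static boolean isSafe(int b) {
    return (b >= '0' && b <= '9') || (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z');
  }

  static String encode(byte[] in) {
    StringBuilder sb = new StringBuilder();
    for (byte x : in) {
      int b = x & 0xFF;
      if (isSafe(b)) {
        sb.append((char) b);
      } else {
        sb.append('%').append(HEX.charAt(b >> 4)).append(HEX.charAt(b & 0xF));
      }
    }
    return sb.toString();
  }

  /** Inverse of encode; the only documented failure is IllegalArgumentException. */
  static byte[] decode(String s) {
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      if (c == '%') {
        // Bounds check first: without it a trailing '%' raises
        // StringIndexOutOfBoundsException, which the fuzzer reports as a bug.
        if (i + 2 >= s.length()) {
          throw new IllegalArgumentException("truncated escape at " + i);
        }
        int hi = Character.digit(s.charAt(i + 1), 16);
        int lo = Character.digit(s.charAt(i + 2), 16);
        if (hi < 0 || lo < 0) {
          throw new IllegalArgumentException("bad hex digit at " + i);
        }
        out.write((hi << 4) | lo);
        i += 2;
      } else if (isSafe(c)) {
        out.write(c);
      } else {
        throw new IllegalArgumentException("unexpected character at " + i);
      }
    }
    return out.toByteArray();
  }
}

/** JUnit 5 entry points. With JAZZER_FUZZ=1 only one @FuzzTest runs per test run (#599). */
class PercentCodecFuzzTests {
  @FuzzTest
  void encodeIsSafeAndRoundTrips(FuzzedDataProvider data) {
    byte[] payload = data.consumeRemainingAsBytes();
    String encoded = PercentCodec.encode(payload);
    // Security property: the output alphabet is closed, so encoded text can be embedded
    // in URLs or log lines. A violation is flagged through Jazzer's severity API.
    for (int i = 0; i < encoded.length(); i++) {
      char c = encoded.charAt(i);
      if (c != '%' && !PercentCodec.isSafe(c)) {
        throw new FuzzerSecurityIssueHigh("encoder emitted U+" + Integer.toHexString(c));
      }
    }
    // Correctness property: decode(encode(x)) == x, compared byte for byte.
    assertArrayEquals(payload, PercentCodec.decode(encoded));
  }

  @FuzzTest
  void decodeFailsOnlyAsDocumented(FuzzedDataProvider data) {
    // Typed consumers: a length bound first, then a string of at most that length.
    int maxLen = data.consumeInt(0, 256);
    String s = data.consumeString(maxLen);
    try {
      PercentCodec.decode(s);
    } catch (IllegalArgumentException expected) {
      // Documented rejection path, not a finding.
    }
    // Any other Throwable propagates; Jazzer stores the input in the inputs directory.
  }
}

/** Entry point for the standalone jazzer binary from the GitHub release archive. */
public class PercentCodecFuzzer {
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    byte[] payload = data.consumeRemainingAsBytes();
    byte[] back = PercentCodec.decode(PercentCodec.encode(payload));
    if (!Arrays.equals(payload, back)) {
      throw new IllegalStateException("round trip mismatch"); // reported as a finding
    }
  }
}
```

The JUnit class is exercised exactly as in steps 4 and 5 above: with JAZZER_FUZZ=1 the selected @FuzzTest is fuzzed and any crashing input lands in the inputs directory, without it the stored inputs replay as ordinary unit tests. For the standalone binary, compile the file with jazzer_standalone.jar on the classpath and run `./jazzer --cp=<classpath> --target_class=PercentCodecFuzzer`. The two catch patterns are the ones worth copying: catch only the exception the API documents, and use the FuzzerSecurityIssue* classes for property violations that are security-relevant rather than mere test failures.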

Bazel

Support for Jazzer is available in rules_fuzzing, the official Bazel rules for fuzzing. See the rules_fuzzing README for instructions on how to use Jazzer in a Java Bazel project.

OSS-Fuzz

Code Intelligence and Google have teamed up to bring support for Java, Kotlin, and other JVM-based languages to OSS-Fuzz, Google's project for large-scale fuzzing of open-source software. Read the OSS-Fuzz guide to learn how to set up a Java project.

Building from source

Information on building and testing Jazzer for development can be found in CONTRIBUTING.md.

Further documentation

Findings

A list of security issues and bugs found by Jazzer is maintained here. If you found something interesting and the information is public, please send a PR to add it to the list.

Credit

The following developers have contributed to Jazzer before its public release:

Sergej Dechand, Christian Hartlage, Fabian Meumertzheim, Sebastian Pöplau, Mohammed Qasem, Simon Resch, Henrik Schnor, Khaled Yakdan

The LLVM-style edge coverage instrumentation for JVM bytecode used by Jazzer relies on JaCoCo. Previously, Jazzer used AFL-style coverage instrumentation as pioneered by kelinci.
