RPG: Rust Library Fuzzing with Pool-based Fuzz Target Generation and Generic Support

# Rust Library Fuzzing based on Sensitive API Dependency Graph

## Build

### Local Build

#### Install the tool dependencies

For MacOS, install the tool dependencies with

```sh
brew install python3 expect tmux
```

For Ubuntu, install the tool dependencies with

```sh
sudo apt install python3 expect tmux
```

Install the rustup tool with

```sh
curl https://sh.rustup.rs -sSf | sh
```

Then reload your PATH environment with (or following the command provided by rustup installation)

```sh
curl source "$HOME/.cargo/env"
```

#### Tool Installation (One-click build)

For simplicity, we provide shell script for the whole installation. Navigate to the root of the cloned repository and run the following script (you must see the "exit 0" on your terminal after the installation)

```
$ scripts/build.sh init
```

This will clone rust-1.65.0 from the gitclone. you can use `scripts/build.sh init0` to clone rust-1.65.0 from github.

In case the installation process is interrupted due to network timeouts or other reasons, it may be necessary to run the installation process again.

If rust-1.65.0 has been built, you can use `scripts/build.sh build` to build the tool fast.

### Docker Build

You can use Docker to quickly set up the development environment. Follow these steps:

1. Install Docker on your machine (if you haven't already).

2. Navigate to the root of the cloned repository.

3. Run the following command to build the Docker image:
   
   ```sh
   docker build -t <image-name> .
   ```
   
   Replace `<image-name>` with the name you want to give to the Docker image.

4. Run the following command to start a Docker container with the built image:
   
   ```sh
   docker run -it <image-name> bash
   ```

In case the installation process is interrupted due to network timeouts or other reasons, it may be necessary to run the installation process again. 

Alternatively, you can remove the last two commands from the docker file and built the image:

```
WORKDIR /Rust-Lib-Testing
RUN scripts/build.sh init
```

Next, you can run with the built image and navigate to the root of the cloned repository (i.e., /Rust-Lib-Testing). Then run the following script until success (do not forget to commit it to save the iamge).

```
$ scripts/build.sh init
```

----------

## Tool Usage

### Setup Environmental Variable

You will find a script file `rustGen` in the root directory of the repository. You can add this directory to your environmental variable `$PATH`,or use the following script to quickly set environment variables.

```sh
# Every time you open a new terminal, you need to re-execute this command.
$ source scripts/init_env.sh
```

### Sequence Traversal Strategy

You can select a sequence traversal strategy by setting `strategy` environment variable. Default strategy is `bfs`. 

```sh
# Currently supported:
# 1. bfs(origin)
# 2. unsafe
# 3. ubfs
# 4. wubfs
# 5. pattern
$ export Strategy=wubfs
```

### Compile with Address Sanitizer

You can compile the prgrom with Adress Sanitizer, which helps with finding bugs. Then, nightly symbol is necessary when compiling.

```sh
$ export RUSTFLAGS=-Zsanitizer=address
$ export RUSTDOCFLAGS=-Zsanitizer=address
```

### Generate Raw API Call Sequences for the Tested Library

In the following, we use the `queue_string` examples in the `tests` folder to explain how to use the tool. If you want to generate fuzz targets for `queue_string`, you can use the following instructions.

```sh
$ cd tests/queue_string
$ rustgen init
```

Then you will get fuzz targets under the folder `tests/queue_string/fuzz_target/queue_string_fuzz`.

### Generate Compileable Fuzz Targets for [AFL.rs](https://github.com/rust-fuzz/afl.rs)

Next, we deploy the Compileable fuzz targets that can be used by afl.rs. You need to make sure you have correctly install [AFL.rs](https://github.com/rust-fuzz/afl.rs) and [AFL.rs](https://github.com/rust-fuzz/afl.rs) can run properly. You can follow the instructions on [rust-fuzz-book](https://rust-fuzz.github.io/book/afl.html).

```sh
$ cd tests/queue_string
$ rustgen target
```

**[Mac OS Note]**: According to the [issue 858](https://giters.com/AFLplusplus/AFLplusplus/issues/858) of AFLplusplus, MacOS has a ridiculous small default shared memory size. Try `ipcs -m | cut -f2 -d' ' | xargs -I {} sudo ipcrm -m {}; ipcs -m | cut -f3 -d' ' | xargs -I {} sudo ipcrm -m {}` to remove old maps, then `sudo sysctl -w kern.sysv.shmall=65536` and `sudo sysctl -w kern.sysv.shmmax=16777216`.

### Fuzzing with [AFL.rs](https://github.com/rust-fuzz/afl.rs)

Once you get fuzz targets, you can fuzz these targets with [AFL.rs](https://github.com/rust-fuzz/afl.rs). You can follow the instructions of [AFL.rs](https://rust-fuzz.github.io/book/afl/tutorial.html) on your own. Or use our prepared command line scripts.

```sh
$ cd tests/queue_string
$ rustgen fuzz
```