CODEBROWSER

KDAB|Training

Expertise

Trusted Software Excellence across Desktop and Embedded

Take a glance at the areas of expertise where KDAB excels ranging from swift troubleshooting, ongoing consulting and training to multi-year, large-scale software development projects.

Find out why customers from innovative industries rely on our extensive expertise, including Medical, Biotech, Science, Renewable Energy, Transportation, Mobility, Aviation, Automation, Electronics, Agriculture and Defense.

Embedded DevicesEmbedded Devices

High-quality Embedded Engineering across the Stack

To successfully develop an embedded device that meets your expectations regarding quality, budget and time to market, all parts of the project need to fit perfectly together.

Learn more about KDAB's expertise in embedded software development.

Read More

Cross-Platform Desktop ApplicationsCross-Platform Desktop Applications

Create complex Applications for the Desktop

Where the capabilities of modern mobile devices or web browsers fall short, KDAB engineers help you expertly architect and build high-functioning desktop and workstation applications.

Read More

Medical DevicesMedical Devices

Extensible, Safety-compliant Software for the Medical Sector

Create intelligent, patient-focused medical software and devices and stay ahead with technology that adapts to your needs.

KDAB offers you expertise in developing a broad spectrum of clinical and home-healthcare devices, including but not limited to, internal imaging systems, robotic surgery devices, ventilators and non-invasive monitoring systems.

Read More

Vehicle DashboardsVehicle Dashboards

Fluid animations and gesture-controlled UIs

Building digital dashboards and cockpits with fluid animations and gesture-controlled touchscreens is a big challenge.

In over two decades of developing intricate UI solutions for cars, trucks, tractors, scooters, ships, airplanes and more, the KDAB team has gained market leading expertise in this realm.

Read More

Custom Industrial HMICustom Industrial HMI

Build on Advanced Expertise when creating Modern UIs

KDAB assists you in the creation of user-friendly interfaces designed specifically for industrial process control, manufacturing, and fabrication.

Our specialties encompass the custom design and development of HMIs, enabling product accessibility from embedded systems, remote desktops, and mobile devices on the move.

Read More

Modernizing Legacy SoftwareModernizing Legacy Software

Reduce Technical Debt

Legacy software is a growing but often ignored problem across all industries. KDAB helps you elevate your aging code base to meet the dynamic needs of the future.

Whether you want to migrate from an old to a modern GUI toolkit, update to a more recent version, or modernize your code base, you can rely on over 25 years of modernization experience.

Read More

Services

Software Consulting, Development and Training

KDAB offers a wide range of services to address your software needs including consulting, development, workshops and training tailored to your requirements.

Our expertise spans cross-platform desktop, embedded and 3D application development, using the proven technologies for the job.

Software ConsultingSoftware Consulting

Guidance for your Software Project across the Stack

Get expert advice on any phase of your project's journey, from inception to execution, across multiple platforms and hardware.

KDAB provides guidance on architectural approach, UI strategy, development tooling, test infrastructure, deployment model, runtime execution and more.

Read More

Code Modernization

UI Modernization

Development processes and tooling

Performance optimization

Software Architecture

Migration from legacy frameworks

Qt ServicesQt Services

Expert Qt Solutions for Your Needs

When working with KDAB, the first-ever Qt consultancy, you benefit from a deep understanding of Qt internals, that allows us to provide effective solutions, irrespective of the depth or scale of your Qt project.

Qt Services include developing applications, building runtimes, mixing native and web technologies, solving performance issues, and porting problems.

Read More

Embedded DevelopmentEmbedded Development

Build rich embedded applications for your embedded UI

Turn your vision into reality and unleash the potential of your embedded development projects.

KDAB helps you navigate the complex landscape of embedded development, ensuring your software performs optimally on your chosen hardware.

Read More

Cross-Platform Desktop DevelopmentCross-Platform Desktop Development

Get help with all Aspects of Desktop Applications

KDAB helps create commercial, scientific or industrial desktop applications from scratch, or update its code or framework to benefit from modern features.

Discover clean, efficient solutions that precisely meet your requirements.

Read More

3D Software Development3D Software Development

Simplify the complexity of 3D

Creating 3D applications can be overwhelming due to terminology, visual concepts, and advanced math.

KDAB simplifies this task, providing you with the best solution for your 3D project, easing complexities and maximizing efficiency.

Read More

OpenGL Expert Services

Vulkan Integration

Developer TrainingDeveloper Training

Professional Developer Training Courses

Boost your team's programming skills with in-depth, constantly updated, hands-on training courses delivered by active software engineers who love to teach and share their knowledge.

Our courses cover Modern C++, Qt/QML, Rust, 3D programming, Debugging, Profiling and more.

Read More

Technologies

Make the right Technology Choices

The collective expertise of KDAB's engineering team is at your disposal to help you choose the software stack for your project or master domain-specific challenges.

Our particular focus is on software technologies you use for cross-platform applications or for embedded devices.

Qt / QMLQt / QML

Leading Qt Expertise

Since 1999, KDAB has been the largest independent Qt consultancy worldwide and today is a Qt Platinum partner. Our experts can help you with any aspect of software development with Qt and QML.

Read More

Modern C++Modern C++

Deep understanding of Modern C++

KDAB specializes in Modern C++ development, with a focus on desktop applications, GUI, embedded software, and operating systems.

Our experts are industry-recognized contributors and trainers, leveraging C++'s power and relevance across these domains to deliver high-quality software solutions.

Read More

RustRust

Integrate Rust into your application

KDAB can guide you incorporating Rust into your project, from as overlapping element to your existing C++ codebase to a complete replacement of your legacy code.

Read More

How to build Hybrid Rust and C++ Applications

Enhance Software Safety and Performance with Rust Integration

Platforms for Applications and DevicesPlatforms for Applications and Devices

Unique Expertise for Desktop and Embedded Platforms

Whether you are using Linux, Windows, MacOS, Android, iOS or real-time OS, KDAB helps you create performance optimized applications on your preferred platform.

Read More

Windows

macOS / iOS

QNX

Unix / X11 (Motif)

Android

Web Engines

Linux Desktop

Embedded Linux

SlintSlint

A lightweight GUI toolkit

If you are planning to create projects with Slint, a lightweight alternative to standard GUI frameworks especially on low-end hardware, you can rely on the expertise of KDAB being one of the earliest adopters and official service partner of Slint.

Read More

FlutterFlutter

Flutter for Embedded and Desktop

KDAB has deep expertise in embedded systems, which coupled with Flutter proficiency, allows us to provide comprehensive support throughout the software development lifecycle.

Our engineers are constantly contributing to the Flutter ecosystem, for example by developing flutter-pi, one of the most used embedders.

Read More

3D Technologies3D Technologies

Cutting-edge 3D / XR

Incorporating 3D into 2D UIs or creating compelling XR experiences can be challenging.

Create visually stunning, ultra-realistic 3D graphics, dynamic 2D user interfaces, or leveraging the power of hardware-accelerated computation.

The 3D experts at KDAB bring incisive know-how for your project.

Read More

Qt 3D

Vulkan – next generation graphics & compute

OpenGL expert services

KDAB ToolsKDAB Tools

Developer Tools from KDAB

The right tools and libraries can skyrocket developers' productivity.

Take advantage of KDAB's popular open source tools for tasks including profiling, debugging and continuous integration (CI).

Read More

GammaRay

KD Reports

KD Chart

Hotspot

KD SOAP

KDDockWidgets

KDAB LabsKDAB Labs

Research & Development at KDAB

KDAB invests significant time in exploring new software technologies to maintain its position as software authority. Benefit from this research and incorporate it eventually into your own project.

Read More

KDGpu

Resources

Start here to browse infos on the KDAB website(s) and take advantage of useful developer resources like blogs, publications and videos about Qt, C++, Rust, 3D technologies like OpenGL and Vulkan, the KDAB developer tools and more.

BlogsBlogs

KDAB engineers and designers constantly share cutting-edge technology insights with regard to Qt, QML, C++, Rust, Linux, Vulkan, OpenGL, Qt 3D, scalable UIs and more topics.

Stay up-to-date and be inspired with their blogs.

Read More

EventsEvents

Get a quick overview of events relevant to the software industry and with involvment of KDAB, be it as speakers, sponsors, exhibitors or organizer.

Take the opportunity to reach out to our experts directly. See you there!

Read More

PublicationsPublications

KDAB regularly publishes in-depth papers, brochures and other material on topics relevant to software developers and desicion makers.

Have a look at the list of KDAB publictions.

Read More

VideosVideos

The KDAB Youtube channel has become a go-to source for developers looking for high-quality tutorial and information material around software development with Qt/QML, C++, Rust and other technologies.

Click to navigate the all KDAB videos directly on this website.

Read More

Why KDAB

A software supplier you can rely on

In over 25 years KDAB has served hundreds of customers from various industries, many of them having become long-term customers who value our unique expertise and dedication.

Learn more about KDAB as a company, understand why we are considered a trusted partner by many and explore project examples in which we have proven to be the right supplier.

About KDABAbout KDAB

Committed, compassionate, trustworthy

The KDAB Group is a globally recognized provider for software consulting, development and training, specializing in embedded devices and complex cross-platform desktop applications.

Read more about the history, the values, the team and the founder of the company.

Read More

Proven ExcellenceProven Excellence

Customer Success Stories

When working with KDAB you can expect quality software and the desired business outcomes thanks to decades of experience gathered in hundreds of projects of different sizes in various industries.

Have a look at selected examples where KDAB has helped customers to succeed with their projects.

Read More

Trusted PartnerTrusted Partner

Benefit from a strong partner network

Lasting relationships reduce frictions in software development projects and help to guarantee success.

Benefit from the established relationships KDAB has with well-selected hardware suppliers and specialized domain experts.

Read More

Software Excellence for Texas Instruments

Better SoftwareBetter Software

Constantly improving Software Quality

KDAB is committed to developing high-quality and high-performance software, and helping other developers deliver to the same high standards.

We create software with pride to improve your engineering and your business, making your products more resilient and maintainable with better performance.

Read More

ISO 9001ISO 9001

ISO 9001 certified software services

KDAB has been the first certified Qt consulting and software development company in the world, and continues to deliver quality processes that meet or exceed the highest expectations.

Read More

Working at KDABWorking at KDAB

Looking for a new challenge?

In KDAB we value practical software development experience and skills higher than academic degrees. We strive to ensure equal treatment of all our employees regardless of age, ethnicity, gender, sexual orientation, nationality.

Interested? Read more about working at KDAB and how to apply for a job in software engineering or business administration.

Read More

Contact

Search

Better_Software_Header_MobileBetter_Software_Header_Web

Find what you need - explore our website and developer resources

Fuzzing Qt for fun and profit

A brief introduction to fuzzing and how we successfully use it in Qt

3 comments

Giuseppe D’Angelo

29 November 2016

Advanced Search

Tags

blogc++kdab on qt

Many KDAB engineers are part of the Qt Security Team. The purpose of this team is to get notified of security-related issues, and then decide the best course of action for the Qt project.

Most of the time, this implies identifying the problem, creating and submitting a patch through the usual Qt contribution process, waiting for it to be merged in all the relevant branches, and then releasing a notice to the users about the extent of the security issue. We also work together with downstreams, such as our customers, Linux distributions and so on, in order to minimize the risks for Qt users of exposing the security vulnerability.

However, that's only part of the story. As part of the security team, we can't simply wait for reports to fall in our laps; we also need to have a proactive approach and constantly review our code base and poke it in order to find problems. For that, we use a variety of tools: the excellent Coverity Scan service; the sanitizers available in GCC and Clang; clazy, maintained by KDAB's engineer Sérgio Martins; and so on.

Note that all these tools help catch any sorts of bugs, not only the security-related ones. For instance, take a look at the issues found and fixed by looking at the Undefined Behavior Sanitizer's reports, and the issues fixed by looking at Coverity Scan's reports.

Today I want to tell you a little more about one of the tools used to test Qt's code: the American Fuzzy Lop, or AFL to friends.

Fuzzing

What is AFL? It's a fuzzer: a program that keeps changing the input to a test in order to make it crash (or, in general, misbehave). This "mutation" of the input goes on forever -- AFL never ends, just keeps finding more stuff, and optimizes its own searching process.

AFL gained a lot of popularity because:

  • it is very fast (it instruments your binaries);
  • it uses state-of-the-art algorithms to mutate the input in ways that maximize the effect on the target program;
  • the setup is immediate;
  • it has a very nice text-based UI.

The results speaks for themselves: AFL has found security issues in all major libraries out there. Therefore, I decided to give it a try on Qt.

The setup

Setting up AFL is straightforward: just download it from its website and run make. That's it -- this will produce a series of executables that will act as a proxy for your compiler, instrumenting the generated binaries with information that AFL will need. So, after this step, we will end up with afl-gcc, afl-g++ and so on.

You can go ahead and build an instrumented Qt. If you've never built Qt from source, here's the relevant documentation. On Unix systems it's really a matter of running configure with some options, followed by make and optionally make install. The problem at this step is making Qt use AFL's compilers, not the system ones. This turns out to be very simple, however: just export a few environment variables, pointing them to AFL's binaries:

export CC=/path/to/afl-gcc
export CXX=/path/to/afl-g++
./configure ...
make

And that's it, this will build an instrumented Qt. (A more thorough solution would involve creating a custom mkspec for qmake; this would have the advantage of making the final testscase application also use AFL automatically. For this task, however, I felt it was not worth it.)

Creating a testcase

What you need here is to create a very simple application that takes an input file from the command line (or stdin) and uses it to stress the code paths you want to test.

Now, when looking at a big library like Qt, there are many places where Qt reads untrusted input from the user and tries to parse it: image loading, QML parsing, (binary) JSON parsing, and so on. I decided to give a shot at binary JSON parsing, feeding it with AFL's mutated input. The testcase I built was straightforward:

#include <QtCore>

int main(int argc, char **argv)
{
    QCoreApplication app(argc, argv);

    QFile file(app.arguments().at(1));
    if (!file.open(QIODevice::ReadOnly))
        return 1;

    QJsonDocument jd = QJsonDocument::fromBinaryData(file.readAll());

    return 0;
}

Together with the testcase, you will also need a few test files to bootstrap AFL's finding process. These files should be extremely small (ideally, 1-2KB at maximum) to let the fuzzer do its magic. For this, just dump a few interesting files somewhere next to your testcase. I've taken random JSON documents, converted them to binary JSON and put the results in a directory.

Running the fuzzer

Once the testcase is ready, you can run it into the fuzzer like this:

afl-fuzz -m memorylimit \
         -t timeoutlimit \
         [master/slave options] \
         -i testcases/ \
         -o findings/ \
         -- ./test @@

A few explanatory remarks:

  • The testcases directory contains your reference input files, while the findings of the fuzzers will be written in findings.
  • To avoid blowing up your system, AFL sets very strict limits for execution of your test: it is allowed to allocate at most memorylimit megabytes of virtual memory and it is allowed to run for at most timeoutlimit milliseconds. You will typically want to raise the memory limit from its default (50MB) to something bigger, depending on your system and on the test.
  • One instance of afl-fuzz is single threaded; in order to maximize the search throughput on a machine with multiple cores/CPUs, you must manually launch it multiple times with the same -i and -o arguments. You should also give each instance a unique name and, if you want, elect one instance to do a deterministic search rather than a random one. This is all expressed through the master/slave options: pass to one instance the -M fuzzername option, and to all the others pass the -S fuzzername option. (All the fuzzernames must be unique).
  • Last but not least, @@ gets replaced by the name of a file generated by AFL, containing the mutated input.

For reference, I've launched my master like this:

afl-fuzz -m 512 -t 20 -i testcases -o findings-json -M fuzzer00 -- ./afl-qjson @@

The output is a nice colored summary of what's going on, updated in real time:

AFL running over a testcase.

AFL running over a testcase.

Now: go do something else. This is supposed to run for days! So remember to launch it in a screen session, and maybe launch it via nice so that it runs with a lower priority.

Findings

After running for a while, the first findings started to appear: inputs that crashed the test program or made it run for too long. Once AFL sees such inputs, it will save them for later inspection; you will find them under the findings/fuzzername subdirectories:

findings-json/fuzzer00/crashes/id:000000,sig:06,src:000445,op:arith8,pos:168,val:+6
findings-json/fuzzer00/crashes/id:000001,sig:11,src:000445,op:arith8,pos:168,val:+7
findings-json/fuzzer00/crashes/id:000002,sig:11,src:000449,op:arith8,pos:196,val:+6
findings-json/fuzzer00/crashes/id:000003,sig:11,src:000489,op:flip1,pos:435
findings-json/fuzzer01/crashes/id:000000,sig:06,src:000526,op:havoc,rep:2
findings-json/fuzzer01/crashes/id:000001,sig:11,src:000532,op:havoc,rep:2
findings-json/fuzzer01/crashes/id:000002,sig:06,src:000533,op:havoc,rep:4

If you're lucky (well, I guess it depends how you look at it...), you will end up with inputs that indeed crash your testcase. Time to fix something!

You may also get false positives, in the form of crashes because the testcase runs out of memory. Remember that AFL imposes a strict memory limit on your executable, so if your testcase allocates too much memory and does not know how to recover from OOM it will crash. If you see many inputs crashing into AFL but not crashing when running normally, maybe your testcase is behaving properly, but just running out of memory, and increasing the memory limit passed to AFL will fix this.

The sig part in the name of each saved input should give you a hint, telling you which Unix signal caused the crash. In the listing above, signal number 11 is a SIGSEGV, which is indeed a problem. The signal 06 is SIGABRT (that is, an abort), which was generated due to running out of memory.

To reproduce this last case, just manually run the test over that input, and check that it doesn't misbehave; then rerun it, but this time limiting its available memory via ulimit -v memory_available_in_kilobytes. If the testcase works normally but crashes under a stricter ulimit, it's likely that you're in an out-of-memory scenario. This may or may not require a fix in your code; it really depends whether it makes sense for your application/library to recover from an OOM.

Fixing upstream

After reporting the findings to the Security Team, it was a matter of a few days before a fix was produced, tested and merged into Qt. You can find the patches here and here.

Tips and tricks

If you want to play with AFL, I would recommend you to do a couple of things:

  • Set your CPU scaling governor to "performance". This is for a couple of reasons: it makes no sense for the kernel to try to throttle down your CPUs if AFL is running; and it is actually a bad thing because it interferes with AFL measurements. AFL complains about this, so keep it happy and disable "powersave" or "ondemand" or similar governors.
  • Use a ramdisk for the tests. AFL needs to write a new input file every time it runs your application; for the JSON testcase above, AFL was achieving about 1000 executions/second/core. Each of this run needs a new test file as input; in addition to that, AFL needs to write stuff for its own bookkeeping.This will put your disk under very considerable stress, possibly even wear it out. Now, any modern filesystem will still flush data to disk only a few times every second (at most), but still, why hit the disk at all? One can simply create a ramdisk, and run AFL in there:
$ mkdir afl
# mount -t tmpfs -o size=1024M tmpfs afl/
$ cd afl/
$ afl-fuzz -i inputs -o findings ...
  • Do not let this run on a laptop or some other computer which may overheat. AFL is tremendously resource intensive and runs for days. If you want to get liquid cooling for your workstation, this is the perfect excuse.

Conclusions

Fuzzing is an excellent technique for testing code that needs to accept untrusted inputs. It is straightforward to set up and run, requires no modifications to the tested code, and it can find issues in a relatively short timespan. If your application feature parsers (especially of binary data), consider to keep AFL running over it for a while, as it may discover some serious problems. Happy fuzzing!

About KDAB

Trusted software excellence across embedded and desktop platforms

The KDAB Group is a globally recognized provider for software consulting, development and training, specializing in embedded devices and complex cross-platform desktop applications. In addition to being leading experts in Qt, C++ and 3D technologies for over two decades, KDAB provides deep expertise across the stack, including Linux, Rust and modern UI frameworks. With 100+ employees from 20 countries and offices in Sweden, Germany, USA, France and UK, we serve clients around the world.

Tags

blogc++kdab on qtperformanceqmlqttools

3 Comments

30 - Nov - 2016

Litb

Nice article, thanks. Have you considered to apply AFL to Qt GUI components. Like, perhaps fuzzing sequences of events onto a dialog that consists of a bunch of widgets?

5 - Dec - 2016

Giuseppe D'Angelo

Hi, that seems in interesting idea, but what would it accomplish? If it's for "monkey testing", that's already available in Squish.

More in general, I'd also like to explore libFuzzer and how to stress test things such as the CSS parser in QStyleSheetStyle, the HTML parser in QTextDocument and other similar textual-based inputs.

13 - Dec - 2016

Leslie Zhai

And libFuzzer http://llvm.org/docs/LibFuzzer.html for QTBUG-57553 https://bugreports.qt.io/browse/QTBUG-57553 AFL can also test for it ;-)

I have read and agree to the privacy policy.

KDAB is committed to ensuring that your privacy is protected.

  • Only the above data is collected about you when you fill out this form.
  • The data will be stored securely.
  • If you wish for us to erase it, email us at info@kdab.com.

For more information about our Privacy Policy, please read our privacy policy.

GiuseppeD'Angelo

Giuseppe D’Angelo

Senior Software Engineer

Senior Software Engineer at KDAB. Giuseppe is a long-time contributor to Qt, having used Qt and C++ since 2000, and is an Approver in the Qt Project. His contributions in Qt range from containers and regular expressions to GUI, Widgets, and OpenGL. A free software passionate and UNIX specialist, before joining KDAB, he organized conferences on opensource around Italy. He holds a BSc in Computer Science.

Related Content

Uncovering 32 Qt best practices at compile time with clazy

Generating compile-time warnings and automatic refactoring for Qt best practices

Efficient barcode scanning with QZXing

Profiling Qt Zebras Crossing

Nailing 13 signal and slot mistakes with clazy 1.3

Create better Qt code by automatically uncovering easy-to-miss errors

Learn Modern C++

Our hands-on Modern C++ training courses are designed to quickly familiarize newcomers with the language. They also update professional C++ developers on the latest changes in the language and standard library introduced in recent C++ editions.

Learn more