Fuzzing is an automated testing technique that helps identify vulnerabilities and bugs by feeding random, invalid, or unexpected data into the application. This is especially important for PowerToys modules that handle file input/output or user input, such as Hosts File Editor, Registry Preview, and others.
PowerToys integrates Microsoft's OneFuzz service to systematically discover edge cases and unexpected behaviors that could lead to crashes or security vulnerabilities. Fuzzing testing is a requirement from the security team to ensure robust and secure modules.
## Why Fuzzing Matters
- **Security Enhancement**: Identifies potential security vulnerabilities before they reach production
- **Stability Improvement**: Discovers edge cases that might cause crashes
- **Automated Bug Discovery**: Finds bugs that traditional testing might miss
- **Reduced Manual Testing**: Automates the process of testing with unusual inputs
## Types of Fuzzing in PowerToys
PowerToys supports two types of fuzzing depending on the module's implementation language:
1.**.NET Fuzzing** - For C# modules (using [OneFuzz](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/fuzzing-dotnet-code))
2.**C++ Fuzzing** - For native C++ modules using [libFuzzer](https://llvm.org/docs/LibFuzzer.html)
## Setting Up .NET Fuzzing Tests
### Step 1: Add a Fuzzing Test Project
Create a new test project within your module folder. Ensure the project name follows the format `*.FuzzTests`.
### Step 2: Configure the Project
1. Set up a `.NET 8 (Windows)` project
- Note: OneFuzz currently supports only .NET 8 projects. The Fuzz team is working on .NET 9 support.
2. Add the required files to your fuzzing test project:
- Create fuzzing test code
- Add `OneFuzzConfig.json` configuration file
### Step 3: Configure OneFuzzConfig.json
The `OneFuzzConfig.json` file provides critical information for deploying fuzzing jobs. For detailed guidance, see the [OneFuzzConfig V3 Documentation](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/onefuzzconfig/onefuzzconfigv3).
1. Update the `targetAssembly`, `targetClass`, `targetMethod`, and `FuzzingTargetBinaries` fields
2. Set the `AssignedTo` and `jobNotificationEmail` to your Microsoft email
3. Update the `projectName` and `targetName` fields
4. Define job dependencies pointing to your compiled fuzzing tests
### Step 4: Configure the OneFuzz Pipeline
Modify the patterns in the job steps within [job-fuzz.yml](https://github.com/microsoft/PowerToys/blob/main/.pipelines/v2/templates/job-fuzz.yml) to match your fuzzing project name:
```yaml
- download: current
displayName: Download artifacts
artifact: $(ArtifactName)
patterns: |-
**/tests/*.FuzzTests/**
```
## Setting Up C++ Fuzzing Tests
### Step 1: Create a New C++ Project
- Use the **Empty Project** template
- Name it `<ModuleName>.FuzzingTest`
### Step 2: Update Build Configuration
- In **Configuration Manager**, uncheck Build for both Release|ARM64, Debug|ARM64 and Debug|x64 configurations
- ARM64 is not supported for fuzzing tests
### Step 3: Enable ASan and libFuzzer in .vcxproj
Edit the project file to enable fuzzing:
```xml
<PropertyGroup>
<EnableASAN>true</EnableASAN>
<EnableFuzzer>true</EnableFuzzer>
</PropertyGroup>
```
### Step 4: Add Fuzzing Compiler Flags
Add these to `AdditionalOptions` under the `Fuzzing` configuration:
```xml
/fsanitize=address
/fsanitize-coverage=inline-8bit-counters
/fsanitize-coverage=edge
/fsanitize-coverage=trace-cmp
/fsanitize-coverage=trace-div
%(AdditionalOptions)
```
### Step 5: Link the Sanitizer Coverage Runtime
In `Linker → Input → Additional Dependencies`, add:
To run .NET fuzzing tests locally, follow the [Running a .NET Fuzz Target Locally](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/fuzzing-dotnet-code#extra-running-a-net-fuzz-target-locally) guide:
To submit a job to the OneFuzz cloud service, follow the [OneFuzz Cloud Testing Walkthrough](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/faq/notwindows/walkthrough):
1. Run the pipeline:
- Navigate to the [fuzzing pipeline](https://microsoft.visualstudio.com/Dart/_build?definitionId=152899&view=runs)
- Click "Run pipeline"
- Choose your branch and start the run
2. Alternative: Use [OIP (OneFuzz Ingestion Preparation) tool](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/oip/onefuzzingestionpreparationtool):
- Use `--do-not-file-bugs` to prevent automatic bug creation during initial testing
-`--duration` specifies the number of hours (default is 48 if not specified)
3. OneFuzz will send you an email when the job has started with a link to view results
## Reviewing Results
1. You'll receive an email notification when your fuzzing job starts
2. Click the link in the email to view the job status on the [OneFuzz Web UI](https://onefuzz-ui.microsoft.com/)
3. The OneFuzz platform will show statistics like inputs processed, coverage, and any crashes found
4. If the final status is "success," your fuzzing test is working correctly
## Current Status
PowerToys has implemented fuzzing for several modules:
- Hosts File Editor
- Registry Preview
- Fancy Zones
Modules that still need fuzzing implementation:
- Environmental Variables
- Keyboard Manager
## Requesting Access to OneFuzz
To log into the production instance of OneFuzz with the [CLI](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/downloading-cli), you must request access. Visit the [OneFuzz Access Request Page](https://myaccess.microsoft.com/@microsoft.onmicrosoft.com#/access-packages/6df691eb-e3d1-444b-b4b2-9e944dc794be).
