Dear fediverse: tell me about your favourite fuzzers for code. Or the ones you hated. Or fuzzing that's fun for command line tools.

I know about Google Atheris but I haven't investigated anything else yet

(I'm looking for stuff to try against github.com/intel/cve-bin-tool if that helps.)

@terri question: SPECIFICALLY fuzzers? Because I saw a presentation by Preston Moore cyber.nyu.edu/profile/preston- recently about a slightly different approach that uses system calls rather than user input to help guard against, e.g., "you're running this on a different environment than the author anticipated"

@brainwane hah, my academic lineage includes the folk with the early system call security work! But no, I'm looking to generate bad input and new test cases, specifically for software bills of materials and package files like Java jar or Python eggs. Fuzzing isn't the only way to do that but I think it'll get me there faster than system calls.

@terri Much thanks for your patience with my whataboutism here. :-) I hope you get some useful answers!

@terri I asked around and Alex mentioned python-afl and sent alexgaynor.net/2015/apr/13/int as well as github.com/alex/httpfuzz for Atheris

Nelhage sent hypofuzz.com/ but added that Python usually is too slow to usefully fuzz.

@ehashman thanks, those are helpful! Lucky for me I work at a processor company so slowness can be addressed with MOAR CPU pretty easily around here. ⚡⚡⚡

@terri — worst was a custom fuzzer written at a former employer by their rockstar hire. Did nothing other fuzzers didn't, but oh wow did it do it badly. "There's spooky action at a distance, and there's 'I took a shower and the act of turning on the hot water tore apart the fabric of spacetime and replaced the Second Law of Thermodynamics with reruns of 'Hee-Haw'", as one co-worker memorably described the codebase...

@rob wow. At least it sounds like I'm unlikely to encounter that one near the top of my search results!

@terri I should also say: this wasn't a fuzzer for Python code, it was a fuzzer written in Python. So it doesn't quite meet your requirements anyway, sorry to say.

Still, the humorous point remains: it was the craziest codebase I've ever seen, from a spooky action at a distance perspective.
