LLVM’s New libFuzzer
Fuzzing (or fuzz testing) is becoming increasingly popular. Fuzzing Clang and fuzzing with Clang is not new: Clang-based AddressSanitizer has been used for fuzz-testing the Chrome browser for several years and Clang itself has been extensively fuzzed using csmith and, more recently, using AFL. Now we’ve closed the loop and started to fuzz parts of LLVM (including Clang) using LLVM itself.
LibFuzzer, recently added to the LLVM tree, is a library for in-process fuzzing that uses Sanitizer Coverage instrumentation to guide test generation. With LibFuzzer one can implement a guided fuzzer for some library by writing one simple function:
extern "C" void TestOneInput(const uint8_t *Data, size_t Size);
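As an added illustration of the one-function interface described above (constructed for this page, not code from the LLVM post), here is a libFuzzer target for a toy tag-length-value parser. It uses the entry-point name and signature that libFuzzer has used since the `TestOneInput` prototype shown in the 2015 post was renamed, `LLVMFuzzerTestOneInput` returning `int`; the parser and record format are assumptions made up for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Toy TLV format used as the code under test (constructed for this example):
// a sequence of records [tag: 1 byte][len: 1 byte][value: len bytes].
struct Record {
  uint8_t tag;
  std::vector<uint8_t> value;
};

// Parses complete records from Data into Out and returns how many were parsed.
// Every read is bounds-checked first, so a truncated buffer stops parsing
// instead of reading past Size; that is exactly the property a fuzzer probes.
size_t ParseRecords(const uint8_t *Data, size_t Size, std::vector<Record> *Out) {
  size_t pos = 0;
  while (pos + 2 <= Size) {
    uint8_t tag = Data[pos];
    uint8_t len = Data[pos + 1];
    if (pos + 2 + len > Size) break;  // truncated value: stop, do not over-read
    Record r;
    r.tag = tag;
    r.value.assign(Data + pos + 2, Data + pos + 2 + len);
    Out->push_back(r);
    pos += 2 + len;
  }
  return Out->size();
}

// Convenience wrapper so callers (and tests) can check the count alone.
size_t CountRecords(const uint8_t *Data, size_t Size) {
  std::vector<Record> records;
  return ParseRecords(Data, Size, &records);
}

// The libFuzzer entry point. libFuzzer links its own main() and calls this with
// millions of coverage-guided mutated inputs; a crash, a sanitizer report or an
// abort() here is a finding. Build: clang++ -g -O1 -fsanitize=fuzzer,address file.cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  std::vector<Record> records;
  ParseRecords(Data, Size, &records);
  // Invariant: parsed records can never account for more bytes than were given.
  size_t total = 0;
  for (const Record &r : records) total += 2 + r.value.size();
  if (total > Size) abort();
  return 0;  // libFuzzer ignores the value; 0 is the conventional return
}
```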
Update (2015-05-02): Mike Ash:
With computer security high on everyone’s minds these days, tools that help assess and improve the security of our code are extremely useful. Today I’m going to talk about one such tool, afl-fuzz, which has seen a lot of attention lately and produces some interesting results. I’ll discuss how it works and how to use it on your own code.
Update (2015-05-04): John Regehr:
American fuzzy lop is a polished and effective fuzzing tool. It has found tons of bugs and there are any number of blog posts talking about that. Here we’re going to take a quick look at what it isn’t good at. For example, here’s a program that’s trivial to crash by hand, that afl-fuzz isn’t likely to crash in an amount of time you’re prepared to wait[…]