Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Go Fuzz

Oleg Kovalov
January 15, 2019
Programming
0
44

Go Fuzz

Oleg Kovalov

January 15, 2019
Tweet

More Decks by Oleg Kovalov

See All by Oleg Kovalov
Hedged requests in Go
olegkovalov
0
12
Writing faster Redis client
olegkovalov
0
34
Moments before main()
olegkovalov
0
47
За пару мгновений до main() [RUS]
olegkovalov
1
530
Bencode - serializer and deserializer in Go
olegkovalov
0
370
impguard - protect your project structure
olegkovalov
0
520
Versioning
olegkovalov
0
78
Modifiability
olegkovalov
0
52
Server-Sent Events in Go
olegkovalov
0
630

Other Decks in Programming

See All in Programming
まず Container より始めよ
honey32
10
4.6k
Next.js × AWS App Runner × AWS AppSyncで進めるクライアントファーストのWEB開発
okaharuna
6
3.1k
Context Window のお話
schroneko
1
160
CDK Day 2023 - Configure cross-account deployment using CDK
hassaku63
0
160
ノーコードE2Eテストで実現する高速開発
nozomiito
0
240
技術選定の審美眼(2023年版) / Understanding the Spiral of Technologies 2023 edition
twada
PRO
57
18k
アジャイルのライトウィングとレフトウィングはひとりで両方できなくてもいいんじゃない? - “ひとりでできるもん”から“みんなでできるもん”への道のり
psj59129
0
260
2023/09/23 「AIキャラクターの言動に深みを持たせる」
sr2mg4
1
640
第6回 AWSとGitHub勉強会 - AWS ECS Fargate環境の構築 -
ogiwarat
0
190
はじめてのPHPコマンドラインオプション〜PHP開発を今よりちょっと楽しくする〜
kotomin_m
2
110
ZennにみるCloudRunとBigQueryによるアプリケーション構築 / zenn-cloudrun-bigquery-serverless
wadayusuke
14
3.9k
Unveiling Nano Stores
ninoid
0
140

Featured

See All Featured
Producing Creativity
orderedlist
PRO
336
38k
What the flash - Photography Introduction
edds
64
11k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
The Brand Is Dead. Long Live the Brand.
mthomps
48
5.1k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
Code Review Best Practice
trishagee
53
13k
We Have a Design System, Now What?
morganepeng
40
6.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Designing for humans not robots
tammielis
246
24k
Happy Clients
brianwarren
92
6.1k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k

Transcript

  1. go-fuzz
    or new unit testing
    WARSAW, JAN 15 2019
    Oleg Kovalov
    Allegro
    Twitter:
    oleg_kovalov
    Github: cristaloleg

    View Slide

  2. Me
    - Gopher for ~3 years
    - Open-source contributor
    - Engineer at Allegro.pl core team
    Twitter: @oleg_kovalov
    Github: @cristaloleg

    View Slide

  3. Everything start from the Wikipedia
    Fuzzing is a software testing technique, often
    automated or semi-automated, that involves
    providing invalid, unexpected, or random data to
    the inputs of a computer program.

    View Slide

  4. go-fuzz
    - Made by The Dmitry Vyukov
    aka Bug Slaughterer at Google
    - 300+ fixes in Go compiler and stdlib
    - +inf in the wild, or more
    - See AFL and syzkaller

    View Slide

  5. What to test?
    - text format/media codecs
    - crypto
    - network protocols
    - compression
    - compilers, interpreters, databases
    - or anything where you can pass []byte

    View Slide

  6. - horribly easy to use
    - no human interaction
    - designed for computers
    But why fuzzing?

    View Slide

  7. - out-of-bounds accesses
    - nil derefs
    - division by 0/floating-point
    - infinite loops
    - Segfaults (CGo)
    - …
    What it may (and will) find?

    View Slide

  8. How does it work?
    1. Instrument program for code coverage
    2. Collect initial corpus of inputs
    for {
    3. Randomly mutate an input from the corpus
    4. Execute and collect coverage
    if the input gives new coverage {
    5. Add the input to corpus
    }
    }
    One cozy loop

    View Slide

  9. func SafeFunc(input string) {
    if input[0] == 'A' {
    if input[1] == 'B' {
    if input[2] == 'C' {
    if input[3] == 'D' {
    print(input[4]) //
    }}}}}
    Brute force generation O(2^8^4) = O(2^32) tries.
    Bruteforce
    “SafeFunc”

    View Slide

  10. func SafeFunc(input string) {
    if input[0] == 'A' {
    if input[1] == 'B' {
    if input[2] == 'C' {
    if input[3] == 'D' {
    print(input[4]) //
    }}}}}
    Brute force generation O(2^8^4) = O(2^32) tries.
    0. {}
    1. {"A"}
    2. {"A", "AB"}
    3. {"A", "AB", "ABC"}
    4. {"A", "AB", "ABC", "ABCD"}
    Coverage-guided fuzzer needs O(4 * 2^8) = O(2^10)
    tries.
    Smartforce
    “SafeFunc”

    View Slide

  11. So how to run it?
    $ go get github.com/dvyukov/go-fuzz/go-fuzz
    $ go get github.com/dvyukov/go-fuzz/go-fuzz-build
    # build an executable
    $ go-fuzz-build github.com/pkg/mypkg
    # run fuzzing
    $ go-fuzz -bin=./mypkg-fuzz.zip -workdir=workdir
    # and follow the logs
    workers: 8, corpus: 1525 (6s ago), crashers: 6, execs:
    0 (0/sec), cover: 1651, uptime: 6s
    workers: 8, corpus: 1525 (9s ago), crashers: 6, execs:
    16787 (1860/sec), cover: 1651, uptime: 9s
    workers: 8, corpus: 1525 (12s ago), crashers: 6,
    execs: 29840 (2482/sec), cover: 1651, uptime: 12s
    Fuzzing

    View Slide

  12. func Fuzz([]byte) int
    // +build gofuzz
    package mypkg
    func Fuzz(data []byte) int {
    _, err := WellTestedFunc(string(data))
    if err != nil {
    return 0
    }
    return 1
    }
    95% fuzz funcs

    View Slide

  13. - do not run on each build
    - but run regularly
    - fuzz 1 func at time
    - it’s not unit test replacement
    - SecOps be aware
    (doesn’t work with go modules?)
    Best practices

    View Slide

  14. That’s all folks
    Thank you
    Questions?
    Twitter: @oleg_kovalov
    Github: @cristaloleg

    View Slide