Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Fuzz Testing and go-fuzz
Poga Po
April 18, 2017
Programming
0
220
Fuzz Testing and go-fuzz
Poga Po
April 18, 2017
Tweet
Share
More Decks by Poga Po
See All by Poga Po
Spacer - iThome Serverless All-Star
poga
2
220
civic-notebook
poga
0
47
everything is log
poga
12
1.6k
g0v intro
poga
0
69
新聞產生器
poga
0
440
RESTful API @ Front-End Developers Taiwan 2014-04-23
poga
3
110
Dependency Management in Go
poga
4
540
Redis: based on real story
poga
16
1.2k
Other Decks in Programming
See All in Programming
[DevTrends - Jun/2022] Arquitetura baseada em eventos
camilacampos
0
160
チームでカレーを作ろう!アジャイルカレークッキング
akitotsukahara
0
880
Reactは何を提供するLibraryなのか?
taro28
3
570
Node-RED 3.0 新機能紹介
utaani
0
140
NEWT.net: Frontend Technology Selection
xpromx
0
280
iOS 16からのロック画面Widget争奪戦に備える
tsuzuki817
0
260
Meet Swift Regex
usamik26
0
370
Get Ready for Jakarta EE 10
ivargrimstad
0
2.8k
Beyond Micro Frontends: Frontend Moduliths for the Enterprise @wad2022
manfredsteyer
PRO
0
140
オブジェクト指向で挫折する初学者へ
deepoil
0
190
設計ナイト2022 トランザクションスクリプト
shinpeim
11
2.1k
git on intellij
hiroto_kitamura
0
170
Featured
See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
27
1.5k
Unsuck your backbone
ammeep
659
55k
Facilitating Awesome Meetings
lara
29
4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
119
28k
Writing Fast Ruby
sferik
612
57k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
100
5.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
49k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
7
1.1k
Support Driven Design
roundedbygravity
86
8.5k
5 minutes of I Can Smell Your CMS
philhawksworth
196
18k
A Modern Web Designer's Workflow
chriscoyier
689
180k
Transcript
Fuzz Testing and go- fuzz
Testing • Unit Test • Integration Test
Hard-to-test • Combination • Uncontrolled Input • hard to define
"Corner cases"
Randomized Test?
Parsing email address Any string that doesn't contains @ will
be ignored. func parseAddress(address string) { if (!address.contains("@")) return .... }
Fuzzing Feeding programs with automatically generated inputs to trigger unexpected
behaviour.
Coverage-guided Fuzzing assume we have a huge function func parseAddress(address
string) { // ----------------- switch .... { case : // ----------------- // ----------------- if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ----------------- // ----------------- } }
Coverage-guided Fuzzing First input func parseAddress(address string) { // *****************
switch .... { case : // ----------------- // ----------------- if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ***************** // ***************** } }
Coverage-guided Fuzzing Any input that changed the coverage is an
effective input func parseAddress(address string) { // ***************** switch .... { case : // ***************** // ***************** if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ----------------- // ----------------- } }
American Fuzz Lop
American Fuzz Lop American Fuzzy Lop is a brute-force fuzzer
coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. It uses a modified form of edge coverage to effortlessly pick up subtle, local-scale changes to program control flow.
go-fuzz
Trophy ... * 50 pages
Setup project for go-fuzz Use AST-rewrite to get coverage information
$ go get github.com/dvyukov/go-fuzz/go-fuzz $ go get github.com/dvyukov/go-fuzz/go-fuzz-build
Write the fuzz function // +build gofuzz // application-level fuzzing
func Fuzz(data []byte) int { img, err := png.Decode(bytes.NewReader(data)) if err != nil { if img != nil { panic("img != nil on error") } return 0 } var w bytes.Buffer err = png.Encode(&w, img) if err != nil { panic(err) } return 1 }
Build fuzzer // put initial corpus to go-fuzz/examples/png/corpus $ go-fuzz-build
github.com/dvyukov/go-fuzz/examples/png // generate png-fuzz.zip
Run the test $ go-fuzz -bin=./png-fuzz.zip -workdir=examples/png $ tree examples/png
examples/png/ !"" corpus # !"" 00184ecf083019781fa3cd954f07ae5f6f8996c5-4 # !"" 00694592b23b147b3ed48fdd58ad93190495c0e1-6 # !"" e1ffccce440e7d27f9f8f4f21b57e1092d5701bc-13 # !"" f1c9f52119ce4f4086ce39c50c84c88373284bb9-9 # !"" f4b5fde0975f447920100b63ca8faa811cd084e5-10 # !"" f4fcdc199b808050a943d900e04e5507d8ccc0f1-7 # $"" f84b0521ed4ee32fcc6f87f1af486efab81986cb-13 # $"" ... !"" crashers $"" suppressions
Examine the output [~/projects/fuzz-test] $ go-fuzz -bin=./png-fuzz.zip -workdir=examples/png 2017/04/17 00:10:44
slaves: 4, corpus: 19 (0s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s 2017/04/17 00:10:47 slaves: 4, corpus: 20 (2s ago), crashers: 0, restarts: 1/3370, execs: 10110 (1681/sec), cover: 173, uptime: 6s 2017/04/17 00:10:50 slaves: 4, corpus: 20 (5s ago), crashers: 0, restarts: 1/4501, execs: 54021 (5964/sec), cover: 173, uptime: 9s ... • slave: concurrent test count • corpus: generated corpus • crashers: corpus which crash the program • restarts: restart rate (due to crashes) • execs: total number of execution • cover: coverage bits
• When should I run fuzz test?: CI • Fuzz
test is only for security issue?: NO • How do I know which corpus crashed my program?: quoted input • Who should write Fuzz test?: You!
Thank you! @devpoga poga.po@gmail.com