Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Fuzz Testing and go-fuzz
Search
Poga Po
April 18, 2017
Programming
390
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Fuzz Testing and go-fuzz
Poga Po
April 18, 2017
More Decks by Poga Po
See All by Poga Po
Spacer - iThome Serverless All-Star
poga
2
310
civic-notebook
poga
0
110
everything is log
poga
12
1.9k
g0v intro
poga
0
120
新聞產生器
poga
0
690
RESTful API @ Front-End Developers Taiwan 2014-04-23
poga
3
200
Dependency Management in Go
poga
4
670
Redis: based on real story
poga
16
1.4k
Other Decks in Programming
See All in Programming
アルゴリズムは何を圧縮しているのか ─ Haskell から育った「圧縮代数」というメンタルモデル
naoya
15
3.2k
その問い、本当に正しいですか?AI時代のエンジニアに必要な哲学と認知科学 / ai-philosophy-cognitive-science
minodriven
14
6.8k
Embedded SREと共に達成した会員管理システムのAWS移行 - SRE NEXT 2026 ランチスポンサーセッション
niftycorp
PRO
0
2.1k
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
840
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
150
エンジニアと一緒にテストコードの設計と実装を改善した話
mototakatsu
0
260
act1-costs.pdf
sumedhbala
0
200
AI がコードを書く時代における新卒エンジニアの仕事風景 (2026) / New Graduate Engineers in the Era of AI Coding (2026)
sushichan044
0
210
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.8k
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
manfredsteyer
PRO
0
220
Hunting Vulnerabilities in Symfony with LLMs
vinceamstoutz
0
580
はてなアカウント基盤 State of the Union
cockscomb
1
1.3k
Featured
See All Featured
The #1 spot is gone: here's how to win anyway
tamaranovitovic
3
1.1k
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
180
Ruling the World: When Life Gets Gamed
codingconduct
0
280
30 Presentation Tips
portentint
PRO
1
340
Producing Creativity
orderedlist
PRO
348
40k
Crafting Experiences
bethany
1
210
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
260
Designing for Timeless Needs
cassininazir
1
290
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
11k
Abbi's Birthday
coloredviolet
3
8.6k
BBQ
matthewcrist
89
10k
A better future with KSS
kneath
240
18k
Transcript
Fuzz Testing and go- fuzz
Testing • Unit Test • Integration Test
Hard-to-test • Combination • Uncontrolled Input • hard to define
"Corner cases"
Randomized Test?
Parsing email address Any string that doesn't contains @ will
be ignored. func parseAddress(address string) { if (!address.contains("@")) return .... }
Fuzzing Feeding programs with automatically generated inputs to trigger unexpected
behaviour.
Coverage-guided Fuzzing assume we have a huge function func parseAddress(address
string) { // ----------------- switch .... { case : // ----------------- // ----------------- if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ----------------- // ----------------- } }
Coverage-guided Fuzzing First input func parseAddress(address string) { // *****************
switch .... { case : // ----------------- // ----------------- if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ***************** // ***************** } }
Coverage-guided Fuzzing Any input that changed the coverage is an
effective input func parseAddress(address string) { // ***************** switch .... { case : // ***************** // ***************** if (...) { // ----------------- // ----------------- } case : if (...) { // ----------------- // ----------------- } case : // ----------------- // ----------------- } }
American Fuzz Lop
American Fuzz Lop American Fuzzy Lop is a brute-force fuzzer
coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. It uses a modified form of edge coverage to effortlessly pick up subtle, local-scale changes to program control flow.
go-fuzz
Trophy ... * 50 pages
Setup project for go-fuzz Use AST-rewrite to get coverage information
$ go get github.com/dvyukov/go-fuzz/go-fuzz $ go get github.com/dvyukov/go-fuzz/go-fuzz-build
Write the fuzz function // +build gofuzz // application-level fuzzing
func Fuzz(data []byte) int { img, err := png.Decode(bytes.NewReader(data)) if err != nil { if img != nil { panic("img != nil on error") } return 0 } var w bytes.Buffer err = png.Encode(&w, img) if err != nil { panic(err) } return 1 }
Build fuzzer // put initial corpus to go-fuzz/examples/png/corpus $ go-fuzz-build
github.com/dvyukov/go-fuzz/examples/png // generate png-fuzz.zip
Run the test $ go-fuzz -bin=./png-fuzz.zip -workdir=examples/png $ tree examples/png
examples/png/ !"" corpus # !"" 00184ecf083019781fa3cd954f07ae5f6f8996c5-4 # !"" 00694592b23b147b3ed48fdd58ad93190495c0e1-6 # !"" e1ffccce440e7d27f9f8f4f21b57e1092d5701bc-13 # !"" f1c9f52119ce4f4086ce39c50c84c88373284bb9-9 # !"" f4b5fde0975f447920100b63ca8faa811cd084e5-10 # !"" f4fcdc199b808050a943d900e04e5507d8ccc0f1-7 # $"" f84b0521ed4ee32fcc6f87f1af486efab81986cb-13 # $"" ... !"" crashers $"" suppressions
Examine the output [~/projects/fuzz-test] $ go-fuzz -bin=./png-fuzz.zip -workdir=examples/png 2017/04/17 00:10:44
slaves: 4, corpus: 19 (0s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s 2017/04/17 00:10:47 slaves: 4, corpus: 20 (2s ago), crashers: 0, restarts: 1/3370, execs: 10110 (1681/sec), cover: 173, uptime: 6s 2017/04/17 00:10:50 slaves: 4, corpus: 20 (5s ago), crashers: 0, restarts: 1/4501, execs: 54021 (5964/sec), cover: 173, uptime: 9s ... • slave: concurrent test count • corpus: generated corpus • crashers: corpus which crash the program • restarts: restart rate (due to crashes) • execs: total number of execution • cover: coverage bits
• When should I run fuzz test?: CI • Fuzz
test is only for security issue?: NO • How do I know which corpus crashed my program?: quoted input • Who should write Fuzz test?: You!
Thank you! @devpoga
[email protected]