oss-fuzz
libfuzzer
| oss-fuzz | libfuzzer |
|---|---|
| 29 | 1 |
| 9,598 | 42 |
| 2.6% | - |
| 9.9 | 0.0 |
| about 18 hours ago | about 1 year ago |
| Shell | Nim |
| Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
oss-fuzz
- Ask HN: Any Good Fuzzer for gRPC?
Have you tried Google's grpc fuzzer?
https://github.com/google/oss-fuzz/blob/master/projects/grpc...
- Pacemaker should be running open source software
https://www.fda.gov/medical-devices/digital-health-center-ex...
oss-fuzz: https://github.com/google/oss-fuzz :
> We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
> Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.
- Fuzz Testing Is the Best Thing to Happen to Our Application Tests
I love fuzzing as a technique and use it quite regularly, but running AFL++ on even a single program occupies all threads of a high end AMD server for weeks. I'm running it locally so only paying for the electricity. If it was a cloud instance it would cost a small fortune. I think this is a reason it is not used more widely.
I will note that Google have a programme for doing fuzz testing on open source projects using computer from their cloud: https://google.github.io/oss-fuzz/
- ELI5: How can downloading a pdf or word file give you a virus?
- OSS-Fuzz - continuous fuzzing for open source software
- Java Fuzzing with Jazzer compared to Symflower
We will explore how Jazzer is used to automatically generate malicious inputs for Java programs, and how it compares to Symflower, which can automatically generate unit tests to uncover bugs and errors in your code. With the help of Jazzer, many bugs - some of them even in the OpenJDK - were found already. Also, as of March 2021, Jazzer is officially part of OSS-Fuzz, Google's cloud fuzzing engine. It should be noted that Jazzer is a pure "bug detection" utility that finds reproducers for errors in user code. Symflower can do the same, but provides additional functionalities to boost developer productivity, like generating high coverage unit tests and providing test templates for the software developer or tester.
- OpenSSL added new C parser code [...] without doing any basic security testing
I find it odd that Google's oss-fuzz didn't find this a long time ago.
https://github.com/google/oss-fuzz/blob/master/projects/open...
- Learnings from 5 Years of Tech Startup Code Audits
- Google supports Monero in new OSS security initiative
Element of truth in it.. https://github.com/google/oss-fuzz/blob/master/projects/monero/project.yaml
libfuzzer
We haven't tracked posts mentioning libfuzzer yet.
Tracking mentions began in Dec 2020.
What are some alternatives?
AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
boofuzz - A fork and successor of the Sulley Fuzzing Framework
fuzzilli - A JavaScript Engine Fuzzer
ffmpeg-libav-tutorial - FFmpeg libav tutorial - learn how media works from basic to transmuxing, transcoding and more. Translations: 🇺🇸 🇨🇳 🇰🇷 🇪🇸 🇻🇳 🇧🇷
uafuzz - UAFuzz: Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
ffmpeg-tutorial - A set of tutorials that demonstrates how to write a video player based on FFmpeg
FFmpeg - Mirror of https://git.ffmpeg.org/ffmpeg.git
Awesome-Hacking - A collection of various awesome lists for hackers, pentesters and security researchers
concise-encoding - The secure data format for a modern world
Av1an - Cross-platform command-line AV1 / VP9 / HEVC / H264 encoding framework with per scene quality encoding
American Fuzzy Lop - american fuzzy lop - a security-oriented fuzzer
vmaf - Perceptual video quality assessment based on multi-method fusion.