sandsifter
fuzzing
| | sandsifter | fuzzing |
|---|---|---|
| Mentions | 15 | 11 |
| Stars | 4,823 | 3,337 |
| Growth | - | 1.5% |
| Activity | 0.0 | 2.2 |
| Latest commit | 2 months ago | 3 months ago |
| Language | Python | C++ |
| License | BSD 3-clause "New" or "Revised" License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sandsifter
- Cascade: CPU Fuzzing via Intricate Program Generation
- Sandsifter: The x86 Processor Fuzzer
- How would undocumented, private ISA extensions work in Linux-based systems?
- I found a bug in Intel Skylake processors
- Is there any open source switch brand?
This has some background.
- Clever Hack Finds Mystery CPU Instructions
- Sandsifter – The x86 Processor Fuzzer
- The Cursed Computer Iceberg Meme
sandsifter
- Speculating the Entire x86-64 Instruction Set in Seconds with One Weird Trick
This is a really clever technique! I was impressed by sandsifter[1] when it originally came out, and this seems an awful lot faster and less prone to false negatives (since it's purely speculative and doesn't require sandsifter's `#PF` hack).
At the risk of unwarranted self-promotion: the other side of this equation is fidelity in software instruction set decoders. x86's massive size and layers of historical complexity make it among the most difficult instruction formats to accurately decode; I've spent a good part of the last two years working on a fuzzer that's discovered thousands of bugs in various popular x86 decoders[2][3].
[1]: https://github.com/xoreaxeaxeax/sandsifter
[2]: https://github.com/trailofbits/mishegos
[3]: https://ww.easychair.org/publications/preprint_download/1LHr
- Capstone Disassembler Framework
Idea:
If any assembler/disassembler author/team out there wants to produce an assembler/disassembler which is authoritative (difficult to do on x86, because there are so many different possible combinations of instruction encoding; https://github.com/xoreaxeaxeax/sandsifter : "Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups.") -- then what they'd do is create a third program -- which "pits" the output of Assembler A vs. Assembler B, Disassembler A vs. Disassembler B...
That is, between any two assemblers (for the same CPU architecture/instruction set), or any two disassemblers, where are the anomalies?
If we think about an assembler as a simple function, y=f(x), that is, I give it a string of ASCII bytes as input (x), and I get a string of (1..n) binary bytes as output (y),
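The "third program" described in the comment above is a differential tester. Below is an added example of one, written for this page; it is not code from sandsifter, mishegos, Capstone or the commenter. Two toy decoders for a tiny x86 subset (`decode_a`, `decode_b`, names chosen here) are run on the same byte strings and every disagreement is bucketed by (prefix bytes, opcode), which is how sandsifter's summary step collapses millions of raw findings into a small number of groups. The divergence between the two decoders is constructed for the demonstration, but it is modelled on a real decoding pitfall: in 32-bit mode the 0x66 operand-size prefix halves the immediate of `mov r, imm` (`66 B8 imm16` is a 4-byte `mov ax, imm16`), and a decoder that ignores the prefix reports the wrong length.

```python
"""Differential testing of two instruction decoders on a toy x86 subset.

Added example for this page, not the project's own code. The decoders and the
bug in decode_b are constructed for illustration.
"""
import random
from collections import defaultdict

# x86 legacy prefixes; 0x66 (operand-size override) is the one that matters here.
PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3}


def _skip_prefixes(buf):
    """Return the index of the first non-prefix byte."""
    i = 0
    while i < len(buf) and buf[i] in PREFIXES:
        i += 1
    return i


def decode_a(buf):
    """Toy decoder A (32-bit mode): returns (length, mnemonic) or None.

    Honours 0x66, so '66 B8 imm16' decodes as a 4-byte mov.
    """
    i = _skip_prefixes(buf)
    if i >= len(buf):
        return None
    opsize16 = 0x66 in buf[:i]
    op = buf[i]
    if op == 0x90:
        return (i + 1, "nop")
    if op == 0xC3:
        return (i + 1, "ret")
    if 0xB8 <= op <= 0xBF:                    # mov r16/r32, imm
        imm = 2 if opsize16 else 4
        return (i + 1 + imm, "mov") if i + 1 + imm <= len(buf) else None
    return None                               # outside the toy subset


def decode_b(buf):
    """Toy decoder B: same subset, but ignores 0x66 when sizing the immediate
    (constructed bug modelled on a real class of decoder errors)."""
    i = _skip_prefixes(buf)
    if i >= len(buf):
        return None
    op = buf[i]
    if op == 0x90:
        return (i + 1, "nop")
    if op == 0xC3:
        return (i + 1, "ret")
    if 0xB8 <= op <= 0xBF:
        return (i + 5, "mov") if i + 5 <= len(buf) else None
    return None


def bucket_key(buf):
    """Group a finding by (prefix bytes, opcode byte), like sandsifter's summary."""
    i = _skip_prefixes(buf)
    return (tuple(buf[:i]), buf[i] if i < len(buf) else None)


def sweep_inputs():
    """Structured inputs: every opcode, with and without a 0x66 prefix, padded
    with a fixed tail so any immediate is available to both decoders."""
    tail = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88])
    for prefix in (b"", b"\x66"):
        for op in range(256):
            yield prefix + bytes([op]) + tail


def random_inputs(seed=1, n=2000, length=15):
    """Constructed random inputs (seeded so runs are reproducible)."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(length)) for _ in range(n)]


def differential(decoders, inputs):
    """Run every decoder on every input and return the disagreements,
    as {bucket_key: [(input_hex, {decoder_name: result}), ...]}."""
    buckets = defaultdict(list)
    for buf in inputs:
        results = {name: fn(buf) for name, fn in decoders.items()}
        if len(set(results.values())) > 1:      # at least two decoders differ
            buckets[bucket_key(buf)].append((buf.hex(), results))
    return dict(buckets)


if __name__ == "__main__":
    decoders = {"A": decode_a, "B": decode_b}
    found = differential(decoders, list(sweep_inputs()) + random_inputs())
    print(f"{sum(map(len, found.values()))} disagreements in {len(found)} buckets")
    for key, items in sorted(found.items(), key=str):
        print(key, items[0])
```

The structured sweep alone produces exactly eight buckets, one per register form `66 B8`..`66 BF`, even though the random inputs add many more raw disagreements: that collapse from raw findings to a handful of groups is the result worth reading, and it is what makes a real run over millions of byte strings tractable. Swapping the toy decoders for wrappers around real assemblers or disassemblers (the commenter's Assembler A vs. B) is the only change needed to turn this into the comparison described above.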
fuzzing
- Structure-Aware Fuzzing with Libfuzzer
- GitHub - google/fuzzing: Tutorials, examples, discussions, research proposals, and other resources related to fuzzing
- OK so I am kinda new to fuzzing/security research and I've just done this
So I just wanted to start to fuzz a little bit and I used libFuzzer for that. And as you can tell in this tutorial https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md it tells you that if you leave it running like that you will get a bounty. And so I did exactly this, I followed the exact instructions listed there (I fuzzed this woff thing they mentioned) and my fuzzer said "SUMMARY: AddressSanitizer: heap-buffer-overflow". Can I report that? Or is this woff thing just for testing?
- I found a bug in Intel Skylake processors
- SiliFuzz: Fuzzing CPUs by proxy
- SiliFuzz: Fuzzing CPUs by Proxy [pdf]
- SiliFuzz - a work-in-progress system that finds CPU defects by fuzzing software proxies, like CPU simulators or disassemblers, and then executing the accumulated test inputs on actual CPUs on a large scale.
- An implementation of CBOR in C
For a project like this, fuzz testing is also crucial. The issue pointed out by gremolata would have been trivial to find with fuzzing.
- Address Sanitizer for MSVC Now Generally Available | C++ Team Blog
Another is testing: many C++ projects use sanitizers regularly together with fuzzing, https://github.com/google/fuzzing/blob/master/docs/why-fuzz.md, https://github.com/google/fuzzing/blob/master/docs/intro-to-fuzzing.md#sanitizers
- Jazzer brings modern fuzz testing to the JVM
Maybe a bit biased opinion here, but you could start with this blog post, and see whether you go more into C/C++ fuzzing or web fuzzing from there:
https://blog.code-intelligence.com/the-magic-behind-feedback...
https://github.com/google/fuzzing
What are some alternatives?
trapcc - Computing with traps
CMake - Mirror of CMake upstream repository
tatradas - Disassembler for x86 executables (16-bit and 32-bit) which supports PE, NE, MZ, COM and ELF file formats
JQF - JQF + Zest: Coverage-guided semantic fuzzing for Java.
lazarus - Free Pascal Lazarus Project - Sync'ed with Lazarus SubVersion trunk every 15 minutes
meson - The Meson Build System
capstone - Capstone disassembly/disassembler framework: Core (Arm, Arm64, BPF, EVM, M68K, M680X, MOS65xx, Mips, PPC, RISCV, Sparc, SystemZ, TMS320C64x, Web Assembly, X86, X86_64, XCore) + bindings. [Moved to: https://github.com/capstone-engine/capstone]
cmake-init - The missing CMake project initializer
docs - Hardware and software docs / wiki
javan-warty-pig - AFL-like fuzzer for the Java Virtual Machine
wcc - The Witchcraft Compiler Collection
cbor - An implementation of CBOR in C