<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Fuzzing on Testing Handbook</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/</link><description>Recent content in Fuzzing on Testing Handbook</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/index.xml" rel="self" type="application/rss+xml"/><item><title>Python</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/python/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/python/</guid><description>Python # We recommend using Atheris to fuzz Python code.
Installation # Atheris supports 32-bit and 64-bit Linux, and macOS. We recommend fuzzing on Linux because it&amp;rsquo;s simpler to manage and often faster. If you&amp;rsquo;d like to run Atheris in a Linux environment on a Mac or Windows system, we recommend using Docker Desktop.
If you&amp;rsquo;d like a fully operational Linux environment, see the Dockerfile section below.
If you&amp;rsquo;d like to install Atheris locally, first install a recent version of clang, preferably the latest release, then run the following command:</description></item><item><title>Ruby</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/ruby/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/ruby/</guid><description>Ruby # We recommend using Ruzzy to fuzz Ruby code.
Installation # Ruzzy supports Linux x86-64 and AArch64/ARM64. If you&amp;rsquo;d like to run Ruzzy on macOS or Windows, you can build the Dockerfile and/or use the development environment. Ruzzy requires a recent version of clang (tested back to 14.0.0), preferably the latest release.
Install Ruzzy with the following command:
MAKE=&amp;#34;make --environment-overrides V=1&amp;#34; \
CC=&amp;#34;/path/to/clang&amp;#34; \
CXX=&amp;#34;/path/to/clang++&amp;#34; \
LDSHARED=&amp;#34;/path/to/clang -shared&amp;#34; \
LDSHAREDXX=&amp;#34;/path/to/clang++ -shared&amp;#34; \
gem install ruzzy
There&amp;rsquo;s a lot going on here, so let&amp;rsquo;s break it down:</description></item><item><title>OSS-Fuzz</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/oss-fuzz/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/oss-fuzz/</guid><description>OSS-Fuzz # OSS-Fuzz is an open-source project developed by Google that aims to improve the security and stability of open-source software by providing free distributed infrastructure for continuous fuzz testing. Using an existing framework like OSS-Fuzz has many advantages over running harnesses by hand: it streamlines the process and makes changes to harnesses simpler. Only select projects are accepted into OSS-Fuzz, but because the project’s core is open-source, anyone can host their own instance of OSS-Fuzz and use it for private projects!</description></item><item><title>Snapshot Fuzzing</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/snapshot-fuzzing/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/snapshot-fuzzing/</guid><description>Snapshot fuzzing enables security engineers to effectively test software that is traditionally difficult to analyze, such as kernel-level software (though the technique is not limited to it). Whether you&amp;rsquo;re auditing drivers or other kernel-mode components, including antivirus software, snapshot fuzzing provides a robust way to discover critical vulnerabilities.
Consult this section for a walkthrough on how to conduct snapshot fuzzing on your system.</description></item><item><title>Additional resources</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/resources/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/resources/</guid><description>Additional resources # Learning #
Awesome fuzzing list 1: GitHub-hosted list focused on scientific publications about fuzzing.
Awesome fuzzing list 2: GitHub-hosted list about fuzzers and fuzzing-related books.
Fuzzing handbook: A fuzzing handbook written from an academic perspective.
CNCF-Fuzzing handbook: Handbook created by the CNCF.
Fuzzing101: Tutorial and training for various fuzzing methods by GitHub Security Lab.
&amp;ldquo;How to Spot Good Fuzzing Research&amp;rdquo;: ToB blog post.
39c3 &amp;ldquo;Demystifying Fuzzer Behaviour&amp;rdquo;: an interesting perspective on fuzz testing.
How to Build a Fuzzing Corpus
Fuzzing corpus data # https://github.</description></item></channel></rss>