<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Techniques on Testing Handbook</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/</link><description>Recent content in Techniques on Testing Handbook</description><generator>Hugo</generator><language>en-us</language><atom:link href="https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/index.xml" rel="self" type="application/rss+xml"/><item><title>Writing harnesses</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/writing-harnesses/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/writing-harnesses/</guid><description>Writing harnesses # The following section showcases some techniques to successfully write a fuzzing harness—the most important part of any fuzzing setup. If written poorly, critical parts of your application may not be covered.
Beyond byte arrays # Often the code you want to fuzz not only takes a plain byte array as input, but has more complex input. A very basic example is the following fuzz test that contains a division by 0.</description></item><item><title>Fuzzing dictionary</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/dictionary/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/dictionary/</guid><description>Fuzzing dictionary # A dictionary can be used to guide the fuzzer. A dictionary is usually passed as a file to the fuzzer. The simplest input accepted by libFuzzer is an ASCII text file where each line consists of a quoted string. Strings can contain escaped byte sequences like &amp;quot;\xF7\xF8&amp;quot;. Optionally, a key-value pair like hex_value=&amp;quot;\xF7\xF8&amp;quot; can be used for documentation purposes. Comments are supported by starting a line with #.</description></item><item><title>AddressSanitizer</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/asan/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/asan/</guid><description>AddressSanitizer # AddressSanitizer (ASan) is a widely adopted tool in the realm of software testing, particularly during fuzzing. Fuzzing greatly benefits from the use of ASan because it helps detect memory errors that might otherwise go unnoticed, such as buffer overflows and use-after-free errors.
While ASan is a standard practice in fuzzing due to its effectiveness in identifying such vulnerabilities, it does come with certain drawbacks.
One significant downside is that it can make the fuzzing process approximately 2–4 times slower.</description></item><item><title>Fuzzing environments</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/environments/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/environments/</guid><description>Fuzzing environments # As with any software, the choice of fuzzer depends on factors such as the operating system, architecture, software versions, and hardware. This section reviews the factors that influence the choice of the environment used for fuzzing.
Choice of hardware. If your fuzzer supports running on multiple cores, choose hardware that has many cores available. Renting or purchasing a bare-metal server might be worthwhile if you plan to run campaigns regularly.</description></item><item><title>FAQ (Fuzzily Asked Questions)</title><link>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/faq/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://trailofbits.github.io/testing-handbook-preview/pr-preview/pr-128/docs/fuzzing/techniques/faq/</guid><description>FAQ (Fuzzily Asked Questions) # The fuzzer is showing crashes, but when I run the SUT on the test cases outside of the fuzzer, then no crash is shown. What is happening? # There are several potential reasons:
The SUT is behaving nondeterministically. The SUT depends on global state (e.g., it may read or write to disk or use in-memory singletons). You are experiencing crashes because your system is running out of memory and killing processes.</description></item></channel></rss>