Blame - testing/libfuzzer/README.md - chromium/src.git

blob: 60bc0a96c1683010f960605285c9d246da82a5d6 [file] [log] [blame] [view]

Kevin Plybon	cea94cf	2019-09-12 18:18:37	[diff] [blame]	1	# Fuzz testing in Chromium
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	2
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	3	[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing)
aizatsky	88a677d	2016-03-18 23:18:24	[diff] [blame]	4
Kevin Plybon	cea94cf	2019-09-12 18:18:37	[diff] [blame]	5	[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece
				6	of target code in an attempt to crash the code. It's one of the most effective
				7	methods we have for finding security and stability issues (see
				8	[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the
				9	benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz).
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	10
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	11	This documentation covers the in-process guided fuzzing approach employed by
				12	different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
				13	out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
				14	ClusterFuzz documentation.
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	15
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	16	[TOC]
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	17
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	18	## Getting Started
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	19
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	20	In Chromium, you can easily create and submit fuzz targets. The targets are
				21	automatically discovered by buildbots, built with different fuzzing engines,
				22	then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	23
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	24	Create your first fuzz target and submit it by stepping through our [Getting
				25	Started Guide].
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	26
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	27	## Advanced Topics
				28
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	29	* [Improving fuzz target efficiency].
				30	* [Creating a fuzz target that expects a protobuf] instead of a byte stream as
				31	input.
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	32
Max Moroz	4a8415a	2019-08-02 17:46:51	[diff] [blame]	33	*** note
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	34	Note: You can also fuzz code that needs multiple mutated
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	35	inputs, or to generate inputs defined by a grammar.
Max Moroz	4a8415a	2019-08-02 17:46:51	[diff] [blame]	36	***
				37
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	38	* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz.
Mark Brand	453081ca	2020-06-08 08:46:06	[diff] [blame]	39	* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers.
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	40
				41	## Further Reading
				42
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	43	* [LibFuzzer integration] with Chromium and ClusterFuzz.
				44	* [AFL integration] with Chromium and ClusterFuzz.
				45	* [Detailed references] for other integration parts.
				46	* Writing fuzzers for the [non-browser parts of Chrome OS].
aizatsky	a6f8629	2016-03-18 00:22:24	[diff] [blame]	47
aizatsky	9c8c5b0	2016-03-30 22:09:09	[diff] [blame]	48	## Trophies
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	49	* [Issues automatically filed] by ClusterFuzz.
				50	* [Issues filed manually] after running fuzz targets.
				51	* [Bugs found in PDFium] by manual fuzzing.
				52	* [Bugs found in open-source projects] with libFuzzer.
aizatsky	9c8c5b0	2016-03-30 22:09:09	[diff] [blame]	53
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	54	## Other Links
				55	* [Guided in-process fuzzing of Chrome components] blog post.
				56	* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
				57	libFuzzer.
aizatsky	6855132	2016-08-06 00:21:18	[diff] [blame]	58
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	59	[AFL]: http://lcamtuf.coredump.cx/afl/
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	60	[AFL integration]: AFL_integration.md
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	61	[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	62	[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies
				63	[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	64	[ClusterFuzz]: https://clusterfuzz.com/
Max Moroz	13c2318	2018-11-17 00:23:22	[diff] [blame]	65	[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	66	[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md
				67	[Detailed references]: reference.md
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	68	[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
Max Moroz	3aa30e9a	2020-06-25 23:46:39	[diff] [blame]	69	[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	70	[Getting Started Guide]: getting_started.md
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	71	[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	72	[Improving fuzz target efficiency]: efficient_fuzzing.md
				73	[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
				74	[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
				75	[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md
				76	[Reproducing bugs]: reproducing.md
Max Moroz	13c2318	2018-11-17 00:23:22	[diff] [blame]	77	[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
Max Moroz	74aad913	2019-07-26 21:11:57	[diff] [blame]	78	[go/fuzzing-success]: https://goto.google.com/fuzzing-success
Max Moroz	13c2318	2018-11-17 00:23:22	[diff] [blame]	79	[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
Kevin Plybon	8824b2fa	2019-08-30 21:42:46	[diff] [blame]	80	[libFuzzer integration]: libFuzzer_integration.md