# Fuzzing in Chromium

[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing) (Googler only)

[Fuzzing] is a testing technique that feeds randomized inputs to target code
in an attempt to crash it. It's one of the most effective methods we have for
finding security and stability issues ([go/fuzzing-success]).

This documentation covers the in-process guided fuzzing approach employed by
different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
ClusterFuzz documentation.

[TOC]

## Getting Started

In Chromium, you can easily create and submit fuzz targets. The targets are
automatically discovered by buildbots, built with different fuzzing engines,
then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.

Create your first fuzz target and submit it by stepping through our [Getting
Started Guide].
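As an added example (not code from this README or from Chromium), here is the shape of an in-process fuzz target as libFuzzer drives it: the engine calls `LLVMFuzzerTestOneInput` in a loop with mutated byte buffers, and the target hands each buffer to the code under test. The code under test here is a small hypothetical `key=value;key=value` record parser constructed for the example; the `CountRecords`, `LookupRecord` and `RunTarget` wrappers are likewise assumptions so the target can be exercised from a plain test without a fuzzing engine.

```cpp
// Added example: a minimal libFuzzer-style in-process fuzz target.
// Not Chromium code; the parser below is a constructed stand-in for
// whatever component a real target would exercise.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>

// Hypothetical code under test: parses "k1=v1;k2=v2" into a map.
// Returns the number of records parsed, or -1 on malformed input.
// It must cope with arbitrary bytes, including NUL and non-ASCII.
int ParseRecords(const uint8_t* data, size_t size,
                 std::map<std::string, std::string>* out) {
  size_t i = 0;
  int count = 0;
  while (i < size) {
    size_t key_start = i;
    while (i < size && data[i] != '=' && data[i] != ';') ++i;
    if (i >= size || data[i] != '=') return -1;  // key without '='
    std::string key(reinterpret_cast<const char*>(data + key_start),
                    i - key_start);
    if (key.empty()) return -1;  // "=value" with no key
    ++i;                         // skip '='
    size_t val_start = i;
    while (i < size && data[i] != ';') ++i;
    std::string value(reinterpret_cast<const char*>(data + val_start),
                      i - val_start);
    (*out)[key] = value;
    ++count;
    if (i < size) ++i;  // skip ';'
  }
  return count;
}

// The entry point the fuzzing engine calls repeatedly with mutated inputs.
// A well-behaved target returns 0, never exits or aborts on its own,
// is deterministic, and keeps no state between calls; sanitizers
// (ASan, UBSan, ...) report the actual bugs as crashes.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::map<std::string, std::string> records;
  ParseRecords(data, size, &records);
  return 0;
}

// Convenience wrappers (assumptions for this example) so the target and the
// parser can be exercised directly, e.g. from a unit test.
int CountRecords(const std::string& input) {
  std::map<std::string, std::string> out;
  return ParseRecords(reinterpret_cast<const uint8_t*>(input.data()),
                      input.size(), &out);
}

std::string LookupRecord(const std::string& input, const std::string& key) {
  std::map<std::string, std::string> out;
  if (ParseRecords(reinterpret_cast<const uint8_t*>(input.data()),
                   input.size(), &out) < 0) {
    return "";
  }
  auto it = out.find(key);
  return it == out.end() ? "" : it->second;
}

int RunTarget(const std::string& input) {
  return LLVMFuzzerTestOneInput(
      reinterpret_cast<const uint8_t*>(input.data()), input.size());
}
```

Built with Clang and `-fsanitize=fuzzer,address`, libFuzzer supplies `main` and starts mutating from an empty corpus (or a seed directory passed on the command line); the file deliberately defines no `main` of its own. In Chromium the same source is declared with the `fuzzer_test` GN template described in the Getting Started Guide, which is what lets the buildbots discover it and ship it to ClusterFuzz.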

## Advanced Topics

* Improving fuzz target effectiveness: [Efficient Fuzzing Guide].
* Creating a fuzz target that expects a protobuf (instead of a byte stream) as
input: [Guide to libprotobuf-mutator (LPM)].

*** note
**Note:** you can also use LPM to fuzz code that needs multiple mutated
inputs, or to generate inputs defined by a grammar.
***

* Reproducing bugs found by libFuzzer/AFL and reported by ClusterFuzz:
[Reproducing Bugs].

## Further Reading

* LibFuzzer's integration with Chromium and ClusterFuzz: [LibFuzzer
Integration].
* AFL's integration with Chromium and ClusterFuzz: [AFL Integration].
* Detailed references for other integration parts: [Reference].
* Writing fuzzers for the non-browser parts of Chrome OS: [Fuzzing on Chrome
OS].

## Trophies
* Issues found with in-process fuzzing and automatically filed by ClusterFuzz:
[ClusterFuzz Bugs].
* Issues filed manually after running fuzz targets: [Manual Bugs].
* Bugs found in PDFium by manual fuzzing: [PDFium Bugs].
* Bugs found with libFuzzer in open-source projects: [OSS Trophies].

## Other Links
* [Guided in-process fuzzing of Chrome components] blog post.
* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
libFuzzer.

[AFL]: http://lcamtuf.coredump.cx/afl/
[AFL Integration]: AFL_integration.md
[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
[ClusterFuzz]: https://clusterfuzz.com/
[ClusterFuzz Bugs]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
[Efficient Fuzzing Guide]: efficient_fuzzing.md
[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
[Fuzzing on Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md
[Getting Started Guide]: getting_started.md
[Guide to libprotobuf-mutator (LPM)]: libprotobuf-mutator.md
[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
[Manual Bugs]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
[OSS Trophies]: http://llvm.org/docs/LibFuzzer.html#trophies
[PDFium Bugs]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
[Reference]: reference.md
[Reproducing Bugs]: reproducing.md
[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
[go/fuzzing-success]: https://goto.google.com/fuzzing-success
[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
[libFuzzer Integration]: libFuzzer_integration.md