| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 1 | # Fuzzing in Chromium |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 2 | |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 3 | [go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing) |
| aizatsky | 88a677d | 2016-03-18 23:18:24 | [diff] [blame] | 4 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 5 | [Fuzzing] is a testing technique that feeds randomized inputs to a target code |
| 6 | in an attempt to crash it. It's one of the most effective methods we have for |
| 7 | finding security and stability issues ([go/fuzzing-success]). |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 8 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 9 | This documentation covers the in-process guided fuzzing approach employed by |
| 10 | different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about |
| 11 | out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the |
| 12 | ClusterFuzz documentation. |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 13 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 14 | [TOC] |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 15 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 16 | ## Getting Started |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 17 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 18 | In Chromium, you can easily create and submit fuzz targets. The targets are |
| 19 | automatically discovered by buildbots, built with different fuzzing engines, |
| 20 | then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale. |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 21 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 22 | Create your first fuzz target and submit it by stepping through our [Getting |
| 23 | Started Guide]. |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 24 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 25 | ## Advanced Topics |
| 26 | |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 27 | * [Improving fuzz target efficiency]. |
| 28 | * [Creating a fuzz target that expects a protobuf] instead of a byte stream as |
| 29 | input. |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 30 | |
| Max Moroz | 4a8415a | 2019-08-02 17:46:51 | [diff] [blame] | 31 | *** note |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 32 | **Note:** You can also fuzz code that needs multiple mutated |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 33 | inputs, or to generate inputs defined by a grammar. |
| Max Moroz | 4a8415a | 2019-08-02 17:46:51 | [diff] [blame] | 34 | *** |
| 35 | |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 36 | * [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz. |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 37 | |
| 38 | ## Further Reading |
| 39 | |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 40 | * [LibFuzzer integration] with Chromium and ClusterFuzz. |
| 41 | * [AFL integration] with Chromium and ClusterFuzz. |
| 42 | * [Detailed references] for other integration parts. |
| 43 | * Writing fuzzers for the [non-browser parts of Chrome OS]. |
| aizatsky | a6f8629 | 2016-03-18 00:22:24 | [diff] [blame] | 44 | |
| aizatsky | 9c8c5b0 | 2016-03-30 22:09:09 | [diff] [blame] | 45 | ## Trophies |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 46 | * [Issues automatically filed] by ClusterFuzz. |
| 47 | * [Issues filed manually] after running fuzz targets. |
| 48 | * [Bugs found in PDFium] by manual fuzzing. |
| 49 | * [Bugs found in open-source projects] with libFuzzer. |
| aizatsky | 9c8c5b0 | 2016-03-30 22:09:09 | [diff] [blame] | 50 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 51 | ## Other Links |
| 52 | * [Guided in-process fuzzing of Chrome components] blog post. |
| 53 | * [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and |
| 54 | libFuzzer. |
| aizatsky | 6855132 | 2016-08-06 00:21:18 | [diff] [blame] | 55 | |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 56 | [AFL]: http://lcamtuf.coredump.cx/afl/ |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 57 | [AFL integration]: AFL_integration.md |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 58 | [Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/ |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 59 | [Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies |
| 60 | [Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 61 | [ClusterFuzz]: https://clusterfuzz.com/ |
| Max Moroz | 13c2318 | 2018-11-17 00:23:22 | [diff] [blame] | 62 | [ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 63 | [Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md |
| 64 | [Detailed references]: reference.md |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 65 | [Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 66 | [Getting Started Guide]: getting_started.md |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 67 | [Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 68 | [Improving fuzz target efficiency]: efficient_fuzzing.md |
| 69 | [Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1 |
| 70 | [Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids |
| 71 | [non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md |
| 72 | [Reproducing bugs]: reproducing.md |
| Max Moroz | 13c2318 | 2018-11-17 00:23:22 | [diff] [blame] | 73 | [crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572 |
| Max Moroz | 74aad913 | 2019-07-26 21:11:57 | [diff] [blame] | 74 | [go/fuzzing-success]: https://goto.google.com/fuzzing-success |
| Max Moroz | 13c2318 | 2018-11-17 00:23:22 | [diff] [blame] | 75 | [libFuzzer]: http://llvm.org/docs/LibFuzzer.html |
| Kevin Plybon | 8824b2fa | 2019-08-30 21:42:46 | [diff] [blame] | 76 | [libFuzzer integration]: libFuzzer_integration.md |
