By Oliver Chang (Google), Navid Emamdoost (Google), Adam Korczynski (ADA Logics), and David Korczynski (ADA Logics)
Translator: Little Brother; Proofreader: Zhao Zhenhua
In recent years, many development workflows have come to rely on fuzz testing, an automated technique that discovers defects by feeding unexpected data into software to trigger crashes or other misbehaviour. Fuzz testing plays an important role in vulnerability discovery, and it supports one of OpenSSF's main goals: improving vulnerability detection and response in open source software. However, the effectiveness of fuzzing depends on how much code the fuzzers actually cover, and writing fuzz tests ("fuzzers") that achieve high coverage remains challenging. Today's fuzzers often run into coverage blockers ("blocking points") that prevent some parts of the code from being fuzzed effectively. Identifying and removing these blockers still requires manual analysis, and there is no simple or consistent way to do so. Recent vulnerabilities such as BigSig[1] and the NSO iMessage exploit[2] show that there is room for improvement in fuzzing, even in projects that already use conventional fuzzing methods.
To address these issues, we are pleased to announce the first release of Fuzz Introspector[3], a collaborative effort by OpenSSF members. Fuzz Introspector gives developers actionable insights by analysing functions, static call graphs and runtime coverage information to identify the blocking points that limit fuzz coverage. Removing these blocking points unlocks higher fuzz coverage, which can surface more vulnerabilities and give users more confidence in the reliability of their fuzzing. Two groups of developers use the tool:
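As an added illustration (not Fuzz Introspector's own code), the following Python sketch shows the core idea described above: combining a static call graph with runtime coverage to find and rank coverage blockers. The call graph, the covered-function set and all function names are constructed for the example; the entry point name follows the libFuzzer convention.

```python
"""Rank fuzz-coverage blockers from a static call graph plus runtime coverage."""
from collections import deque

# Constructed example: static call graph of a small parser (caller -> callees).
CALL_GRAPH = {
    "LLVMFuzzerTestOneInput": ["parse_header", "parse_body"],
    "parse_header": ["read_u32", "check_magic", "parse_optional_ext"],
    "read_u32": [],
    "check_magic": [],
    "parse_optional_ext": [],
    "parse_body": ["decode_chunk", "verify_crc"],
    "verify_crc": ["crc32"],
    "crc32": [],
    "decode_chunk": ["inflate", "handle_extension"],
    "inflate": ["inflate_block"],
    "inflate_block": [],
    "handle_extension": [],
    "unused_helper": [],  # dead code: never reachable from the entry point
}

# Constructed example: functions actually executed during a fuzzing run.
COVERED = {"LLVMFuzzerTestOneInput", "parse_header", "read_u32", "check_magic",
           "parse_body", "verify_crc", "crc32"}

def reachable(graph, start):
    """All functions statically reachable from `start`, including itself."""
    seen, todo = set(), deque([start])
    while todo:
        fn = todo.popleft()
        if fn not in seen:
            seen.add(fn)
            todo.extend(graph.get(fn, []))
    return seen

def find_blockers(graph, covered, entry):
    """Return [(covered_caller, uncovered_callee, functions_unlocked)], biggest first.
    A blocker is a covered function with a statically reachable callee the fuzzer
    never executed; its impact is the uncovered code behind that callee."""
    blockers = []
    for caller in reachable(graph, entry) & covered:
        for callee in graph.get(caller, []):
            if callee not in covered:
                unlocked = len(reachable(graph, callee) - covered)
                blockers.append((caller, callee, unlocked))
    return sorted(blockers, key=lambda b: (-b[2], b[0], b[1]))

if __name__ == "__main__":
    for caller, callee, n in find_blockers(CALL_GRAPH, COVERED, "LLVMFuzzerTestOneInput"):
        print(f"{caller} -> {callee}: {n} uncovered function(s) behind this call")
```

The ranking tells a fuzzer author which call edge to unblock first: here, getting the fuzzer past `parse_body` into `decode_chunk` unlocks four uncovered functions, while `parse_optional_ext` unlocks only one.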
Currently, Fuzz Introspector only supports C/C++ projects. For every project, Fuzz Introspector offers:
[Figure: overview page of a sample Fuzz Introspector report, using the libdwarf[4] project as an example]
An early milestone for Fuzz Introspector was its recent integration with the free OSS-Fuzz[5] service: reports can be accessed through the public index[6], and project maintainers can reach them through the OSS-Fuzz project homepage[7]. As part of this work, we used Fuzz Introspector's results to improve several OSS-Fuzz projects, including directly addressing a problem in the xpdf project[8], as detailed in Google Project Zero's blog[9]. You can find more sample reports, and how they were used to improve the projects concerned, in our case studies[10].
Fuzz Introspector is under active development. Future plans include support for more programming languages, improved accuracy in identifying blocking points, and automated interpretation of blocking points (and, beyond that, automated elimination of them). We welcome the community's contributions towards these goals and encourage anyone interested in getting involved to review the current reports, help improve the fuzz targets, and provide feedback through https://github.com/ossf/fuzz-introspector. Together, we hope Fuzz Introspector will give fuzzer developers an easier way to evaluate and improve their fuzzers, making this vulnerability detection technique more effective across the broader open source community.
BigSig: https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
NSO iMessage: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Fuzz Introspector: https://github.com/ossf/fuzz-introspector
libdwarf: https://github.com/google/oss-fuzz/tree/master/projects/libdwarf
OSS-Fuzz: https://github.com/google/oss-fuzz
Public index: https://oss-fuzz-introspector.storage.googleapis.com/index.html
OSS-Fuzz Project Home: https://oss-fuzz.com/
Solving an issue in the xpdf project: https://github.com/ossf/fuzz-introspector/blob/main/doc/CaseStudies.md#xpdf
Blog: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
Case studies: https://github.com/ossf/fuzz-introspector/blob/main/doc/CaseStudies.md
Founded in August 2020 by the Linux Foundation, the OpenSSF Open Source Security Foundation is a cross-industry international open source security partnership that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. It combines the Linux Foundation’s Core Infrastructure Initiative (CII) to address the 2014 Heartbleed Vulnerability and the Github-wide Open Source Security Alliance to build an open source security community to address open source security needs for decades to come. OpenSSF is committed to working together and with upstream and existing open source communities to advance open source security for all.
Anyone can contribute to the Open Source Security Foundation. You can get involved by visiting https://openssf.org/getinvolved/ and https://github.com/ossf.
This article is reproduced from OpenSSF Open Source Security.
The Linux Foundation is a non-profit organization that is an important part of the technology ecosystem.
The Linux Foundation supports the creation of a sustainable open source ecosystem by providing financial and intellectual resources, infrastructure, services, events, and training. Through the joint efforts that create shared technology, the Linux Foundation and its projects have become an exceptionally successful form of investment.