Google Git
Sign in
chromium / chromium / src / main / . / testing / libfuzzer / README.md
blob: 8db1c7ef2f0973d53807b7bbc3a008b9ec23b8cc [file] [log] [blame] [view]
Kevin Plyboncea94cf2019-09-12 18:18:37[diff] [blame]1# Fuzz testing in Chromium
aizatskya6f86292016-03-18 00:22:24[diff] [blame]2
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]3[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing)
aizatsky88a677d2016-03-18 23:18:24[diff] [blame]4
Kevin Plyboncea94cf2019-09-12 18:18:37[diff] [blame]5[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece
6of target code in an attempt to crash the code. It's one of the most effective
7methods we have for finding security and stability issues (see
8[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the
9benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz).
aizatskya6f86292016-03-18 00:22:24[diff] [blame]10
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]11This documentation covers the in-process guided fuzzing approach employed by
12different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
13out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
14ClusterFuzz documentation.
aizatskya6f86292016-03-18 00:22:24[diff] [blame]15
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]16[TOC]
aizatskya6f86292016-03-18 00:22:24[diff] [blame]17
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]18## Getting Started
aizatskya6f86292016-03-18 00:22:24[diff] [blame]19
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]20In Chromium, you can easily create and submit fuzz targets. The targets are
21automatically discovered by buildbots, built with different fuzzing engines,
22then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.
aizatskya6f86292016-03-18 00:22:24[diff] [blame]23
Adrian Taylor52578312023-10-25 07:49:23[diff] [blame]24You should fuzz any code which absorbs inputs from untrusted sources, such
25as the web. If the code parses, decodes, or otherwise manipulates that input,
26it's an especially good idea to fuzz it.
27
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]28Create your first fuzz target and submit it by stepping through our [Getting
29Started Guide].
aizatskya6f86292016-03-18 00:22:24[diff] [blame]30
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]31## Advanced Topics
32
Adrian Taylor6a886ec62023-10-25 23:45:27[diff] [blame]33* [Using libfuzzer instead of FuzzTest].
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]34* [Improving fuzz target efficiency].
35* [Creating a fuzz target that expects a protobuf] instead of a byte stream as
36 input.
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]37
Max Moroz4a8415a2019-08-02 17:46:51[diff] [blame]38 *** note
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]39 **Note:** You can also fuzz code that needs multiple mutated
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]40 inputs, or to generate inputs defined by a grammar.
Max Moroz4a8415a2019-08-02 17:46:51[diff] [blame]41 ***
42
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]43* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz.
Mark Brand453081ca2020-06-08 08:46:06[diff] [blame]44* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers.
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]45
46## Further Reading
47
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]48* [LibFuzzer integration] with Chromium and ClusterFuzz.
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]49* [Detailed references] for other integration parts.
50* Writing fuzzers for the [non-browser parts of Chrome OS].
Adrian Taylor41b18372023-03-22 18:34:14[diff] [blame]51* [Fuzzing browsertests] if you need to fuzz multiple Chrome subsystems.
aizatskya6f86292016-03-18 00:22:24[diff] [blame]52
aizatsky9c8c5b02016-03-30 22:09:09[diff] [blame]53## Trophies
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]54* [Issues automatically filed] by ClusterFuzz.
55* [Issues filed manually] after running fuzz targets.
56* [Bugs found in PDFium] by manual fuzzing.
57* [Bugs found in open-source projects] with libFuzzer.
aizatsky9c8c5b02016-03-30 22:09:09[diff] [blame]58
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]59## Other Links
60* [Guided in-process fuzzing of Chrome components] blog post.
61* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
62 libFuzzer.
aizatsky68551322016-08-06 00:21:18[diff] [blame]63
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]64[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]65[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies
66[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]67[ClusterFuzz]: https://clusterfuzz.com/
Max Moroz13c23182018-11-17 00:23:22[diff] [blame]68[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]69[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md
70[Detailed references]: reference.md
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]71[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
Adrian Taylor41b18372023-03-22 18:34:14[diff] [blame]72[Fuzzing browsertests]: fuzzing_browsertests.md
Max Moroz3aa30e92020-06-25 23:46:39[diff] [blame]73[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]74[Getting Started Guide]: getting_started.md
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]75[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]76[Improving fuzz target efficiency]: efficient_fuzzing.md
77[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
78[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
Glen Robertson57bd25b2021-03-19 03:05:27[diff] [blame]79[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/main/testing/fuzzing.md
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]80[Reproducing bugs]: reproducing.md
Max Moroz13c23182018-11-17 00:23:22[diff] [blame]81[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
Max Moroz74aad9132019-07-26 21:11:57[diff] [blame]82[go/fuzzing-success]: https://goto.google.com/fuzzing-success
Max Moroz13c23182018-11-17 00:23:22[diff] [blame]83[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
Kevin Plybon8824b2fa2019-08-30 21:42:46[diff] [blame]84[libFuzzer integration]: libFuzzer_integration.md
Adrian Taylor6a886ec62023-10-25 23:45:27[diff] [blame]85[Using libfuzzer instead of FuzzTest]: getting_started_with_libfuzzer.md