Hacker News
OSS-Fuzz – Continuous Fuzzing for Open Source Software (github.com/google)
74 points by based2 on March 1, 2018 | 5 comments



I'm a huge fan of this project - we're using it to fuzz TensorFlow [1]. (I wrote the initial fuzzers and Frank Chen got them running under OSS-Fuzz). It was surprisingly easy:

https://github.com/tensorflow/tensorflow/tree/master/tensorf...

and has, thus far, found bugs in the linkages to libpng, libjpeg, strtonum, the proto parser, and some of the internal utility types. I strongly recommend testing out one of the fuzzers on your own code -- libfuzzer and AFL are the most popular.

And -- shameless plug here -- if anyone's looking for ways to learn about fuzzing and contribute to an open-source project, we'd welcome more fuzzers being contributed to TensorFlow. *grins* (If you find any nasty bugs that seem exploitable, see the new SECURITY.md readme for how to tell us.)

[1] Links to some of the changes from the bugs we found are in a writeup I did based upon the experience: https://da-data.blogspot.com/2017/01/finding-bugs-in-tensorf...
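The comment above recommends trying libFuzzer or AFL on your own code. Below is an added example of what a libFuzzer-style target looks like in practice; it is not code from the commenter, from TensorFlow, or from OSS-Fuzz. The record format it parses, the file name `tlv_fuzzer.cpp`, and the `TLV_STANDALONE` macro are all constructed for this illustration. The only non-hypothetical piece is the `LLVMFuzzerTestOneInput` entry point, which is the signature libFuzzer calls for every generated input. The parser is written with explicit bounds checks so that a length byte claiming more payload than remains is rejected instead of read past the buffer, which is exactly the class of bug a fuzzer plus AddressSanitizer surfaces when the check is missing.

```cpp
// tlv_fuzzer.cpp (hypothetical file name; added example, not project code)
//
// Fuzzing build (libFuzzer + AddressSanitizer):
//   clang++ -g -O1 -fsanitize=fuzzer,address tlv_fuzzer.cpp -o tlv_fuzzer
//   ./tlv_fuzzer corpus/
// Replay build (no fuzzing engine; feed saved inputs by hand):
//   clang++ -g -fsanitize=address -DTLV_STANDALONE tlv_fuzzer.cpp -o tlv_replay
//   ./tlv_replay crash-*
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Toy record format (constructed for this example): a sequence of
// [type: 1 byte][len: 1 byte][payload: len bytes] records, back to back.
struct Record {
  uint8_t type;
  std::string payload;
};

// Parses all records in data[0..size). Returns the record count, or -1 if
// the input is malformed (a header or a payload runs past the end of the
// buffer). Every read is checked against what actually remains, so a length
// byte that lies about its payload is rejected rather than over-read.
int parse_records(const uint8_t *data, size_t size, std::vector<Record> *out) {
  size_t pos = 0;
  int count = 0;
  while (pos < size) {
    if (size - pos < 2) return -1;        // need both header bytes
    uint8_t type = data[pos];
    size_t len = data[pos + 1];
    pos += 2;
    if (len > size - pos) return -1;      // payload would overrun the buffer
    out->push_back({type, std::string(reinterpret_cast<const char *>(data + pos), len)});
    pos += len;
    ++count;
  }
  return count;
}

// The libFuzzer entry point: the engine calls this once per generated input.
// The return value is ignored; sanitizer reports and crashes are the signal.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  std::vector<Record> records;
  parse_records(Data, Size, &records);
  return 0;
}

// Helpers used by the replay driver and by tests: run a byte vector through
// the parser and report what it produced.
int parse_count(const std::vector<uint8_t> &input) {
  std::vector<Record> records;
  return parse_records(input.data(), input.size(), &records);
}

std::string payload_at(const std::vector<uint8_t> &input, size_t index) {
  std::vector<Record> records;
  if (parse_records(input.data(), input.size(), &records) < 0) return "";
  return index < records.size() ? records[index].payload : "";
}

// Runs one saved input (e.g. a crash file libFuzzer wrote) through the target,
// which is how a reported testcase is reproduced outside the fuzzing engine.
bool replay_file(const char *path) {
  FILE *f = std::fopen(path, "rb");
  if (!f) return false;
  std::vector<uint8_t> bytes;
  uint8_t buf[4096];
  size_t n;
  while ((n = std::fread(buf, 1, sizeof buf, f)) > 0) bytes.insert(bytes.end(), buf, buf + n);
  std::fclose(f);
  LLVMFuzzerTestOneInput(bytes.data(), bytes.size());
  return true;
}

#ifdef TLV_STANDALONE
int main(int argc, char **argv) {
  for (int i = 1; i < argc; ++i) {
    std::printf("%s: %s\n", argv[i], replay_file(argv[i]) ? "replayed" : "unreadable");
  }
  return 0;
}
#endif
```

The `main` is guarded because libFuzzer supplies its own when you build with `-fsanitize=fuzzer`; the standalone build is what you use to replay a saved crash input under ASan and confirm the report. The same target compiles unchanged for AFL's LLVM mode or for OSS-Fuzz, whose build scripts link the target against whichever engine `$LIB_FUZZING_ENGINE` points at.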


they really should have called this Biz Fuzz.


Or (American) Fuzzy Loop


There's already a fuzzer called "american fuzzy lop"¹, and in fact it's one of OSS-Fuzz's fuzzing engines.

¹ http://lcamtuf.coredump.cx/afl/


I believe that's why the parent called it "Loop". :)



