[dev] Fuzz testing tools

Christian Franke chris at opensourcerouting.org
Wed May 10 18:08:35 EDT 2017


Hello everyone,

as I mentioned during yesterday's call when we discussed fuzz testing, I
have had very positive experiences with using AFL. [1]

In contrast to more basic fuzzers, afl uses instrumentation on the code
that is added at compile time. The instrumentation is used to more
efficiently generate fuzz input that causes the use of new branches in
the code. An example to that effect is that when fuzzing libjpeg and
using an 'a' point for fuzzing, afl will quickly come up with various
broken and valid jpeg files, something most simple fuzzers wouldn't.

Also, afl can generate a minimized corpus of input files from the
fuzzing process that still has the maximum branch coverage achieved
during fuzzing, which is useful to test for regressions without running
the complete fuzzing process again.

I wrote a small tool called wuschl which wraps around afl and collects
the minimized corpus to use it for regression testing. [2]

To make use of wuschl one needs to install afl and wuschl and write one
test function that passes its input to the function to be fuzzed.

Having that, one can run fuzzing and then collect the minimal corpus.

After that, regression tests based on the corpus can be run without any
need for wuschl or afl.

Just wanted to point out the existence of AFL and also wuschl since I
think that they might be useful to implement fuzzing for FRR and get the
test coverage up.

-Christian

[1] http://lcamtuf.coredump.cx/afl/
[2] https://github.com/cfra/wuschl
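As an added example, not code from the mail, from AFL or from wuschl, this is what the two pieces described above look like in C: the single test function that hands fuzz input to the function under test, and a corpus replay that re-runs every file from a collected (minimized) corpus without the fuzzer. The function under test here is a constructed toy TLV parser standing in for whatever FRR code one would fuzz; the names `parse_tlv`, `fuzz_one` and `replay_corpus` are chosen for this example only. The `main` reads stdin, which is how an afl-fuzz target receives its input by default.

```c
/* Added example (not from the original mail, nor from AFL or wuschl):
 * an AFL-style fuzz harness around a toy TLV parser, plus a corpus
 * replay function for regression testing without the fuzzer. */
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy function under test (constructed for this example): parses a
 * sequence of Type(1)-Length(1)-Value records and sums the value bytes.
 * Returns the number of records parsed, or -1 on malformed input.
 * Every length is checked against the remaining buffer before any
 * value byte is read, which is exactly the kind of check a fuzzer
 * would catch if it were missing. */
int parse_tlv(const uint8_t *buf, size_t len, unsigned *sum_out)
{
    size_t off = 0;
    int records = 0;
    unsigned sum = 0;

    while (off < len) {
        if (len - off < 2)
            return -1;              /* truncated header */
        uint8_t type = buf[off];
        uint8_t vlen = buf[off + 1];
        off += 2;
        if (type == 0)
            return -1;              /* type 0 is reserved in this toy format */
        if (vlen > len - off)
            return -1;              /* length runs past the buffer: reject */
        for (size_t i = 0; i < vlen; i++)
            sum += buf[off + i];
        off += vlen;
        records++;
    }
    if (sum_out)
        *sum_out = sum;
    return records;
}

/* The one test function the mail talks about: pass the input to the
 * function to be fuzzed. AFL only cares whether this crashes or hangs;
 * the return value is used by the regression replay below. */
int fuzz_one(const uint8_t *buf, size_t len)
{
    return parse_tlv(buf, len, NULL);
}

/* Regression replay: feed every file in a corpus directory (for example
 * the minimized corpus collected after fuzzing) through fuzz_one. Returns
 * the number of files replayed, or -1 if the directory cannot be opened.
 * A crash or sanitizer report during the replay is a regression. */
int replay_corpus(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    struct dirent *ent;
    int n = 0;
    while ((ent = readdir(d)) != NULL) {
        if (ent->d_name[0] == '.')
            continue;               /* skip ".", ".." and hidden files */
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        FILE *f = fopen(path, "rb");
        if (!f)
            continue;
        static uint8_t buf[65536];
        size_t len = fread(buf, 1, sizeof buf, f);
        fclose(f);
        fuzz_one(buf, len);
        n++;
    }
    closedir(d);
    return n;
}

/* Entry point for the fuzzing build: compile with afl-gcc or afl-clang
 * and run under afl-fuzz, which delivers each test case on stdin. */
int main(void)
{
    static uint8_t buf[65536];
    size_t len = fread(buf, 1, sizeof buf, stdin);
    fuzz_one(buf, len);
    return 0;
}
```

For the fuzzing run the binary is built with the AFL compiler wrapper and started under afl-fuzz with a seed directory and an output directory; for the regression step only `replay_corpus` and the parser are needed, so the same file can be linked into a normal test binary (ideally with a sanitizer enabled) and pointed at the corpus directory.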
