LLVM's LibFuzzer Is Uncovering New Bugs With Fuzzing
LibFuzzer was recently added to LLVM as a library for in-process fuzzing. LibFuzzer, combined with other open-source fuzzing capabilities, makes it easy to uncover new bugs within LLVM and other projects.
LibFuzzer can provide a guided fuzzer for independent libraries by writing just one simple function. There's also the clang-format-fuzzer and clang-fuzzer utilities that have been built atop LibFuzzer.
In a new LLVM.org blog post about LLVM fuzzing, Kostya Serebryany explained, "We have implemented two fuzzers on top of LibFuzzer: clang-format-fuzzer and clang-fuzzer. Clang-format is mostly a lexical analyzer, so giving it random bytes to format worked perfectly and discovered over 20 bugs. Clang however is more than just a lexer and giving it random bytes barely scratches the surface, so in addition to testing with random bytes we also fuzzed Clang in token-aware mode. Both modes found bugs; some of them were previously detected by AFL, some others were not: we’ve run this fuzzer with AddressSanitizer and some of the bugs are not easily discoverable without it."
LibFuzzer is already being used to find bugs in other software projects and as a test it was able to find OpenSSL's Heartbleed bug in less than one minute. More details on LibFuzzer and LLVM fuzzing in general can be found via this blog post.
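The "one simple function" mentioned above is the target entry point, `LLVMFuzzerTestOneInput`. The following is an added example, not code from the LLVM blog post or the LibFuzzer sources: a minimal libFuzzer target around a hypothetical length-prefixed record parser that checks its declared length against the actual buffer, the kind of bounds check whose absence made Heartbleed findable by this fuzzer. The file name `record_fuzzer.cc` in the build comment is an assumption.

```cpp
// Added example (not from the LLVM blog post): a minimal libFuzzer target.
// libFuzzer calls LLVMFuzzerTestOneInput repeatedly with mutated inputs,
// guided by coverage; the target feeds each input to the code under test.
// Build with the fuzzer runtime and AddressSanitizer (file name assumed):
//   clang++ -g -O1 -fsanitize=fuzzer,address record_fuzzer.cc -o record_fuzzer
//   ./record_fuzzer corpus_dir   # corpus_dir holds seed inputs, may be empty
#include <cstddef>
#include <cstdint>
#include <string>

// Code under test (constructed for this example): parse a record of the form
// <1-byte len><len bytes of payload>. The declared length is checked against
// the bytes actually present, so a record that claims more payload than the
// buffer holds is rejected instead of being read past the end of the buffer.
// Returns true and fills `out` on success, false on malformed input.
bool ParseRecord(const uint8_t *data, size_t size, std::string *out) {
  if (data == nullptr || size < 1) return false;
  size_t len = data[0];
  if (len > size - 1) return false;  // declared length exceeds available bytes
  out->assign(reinterpret_cast<const char *>(data + 1), len);
  return true;
}

// The one function libFuzzer needs. It must accept any byte string without
// crashing, hanging or leaking. With AddressSanitizer linked in, an
// out-of-bounds read in ParseRecord would be reported with a stack trace and
// the offending input written to disk as a reproducer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  std::string payload;
  ParseRecord(Data, Size, &payload);
  return 0;  // non-zero return values are reserved by libFuzzer
}
```

Without `-fsanitize=fuzzer` the same file can be compiled with an ordinary `main` that replays saved inputs through `LLVMFuzzerTestOneInput`, which is how crash reproducers are usually triaged.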