| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| fuzzer_support_ios/ | 03-May-2024 | - | 316 | 270 |
| fuzzers/ | 03-May-2024 | - | 8,027 | 6,855 |
| proto/ | 03-May-2024 | - | 4,949 | 3,947 |
| tests/ | 03-May-2024 | - | 340 | 250 |
| AFL_integration.md | 03-May-2024 | 2.9 KiB | 56 | 44 |
| BUILD.gn | 03-May-2024 | 3.4 KiB | 104 | 92 |
| README.md | 03-May-2024 | 4.1 KiB | 83 | 66 |
| archive_corpus.py | 03-May-2024 | 1.8 KiB | 58 | 39 |
| dictionary_generator.py | 03-May-2024 | 7.8 KiB | 237 | 158 |
| efficient_fuzzing.md | 03-May-2024 | 11.1 KiB | 304 | 230 |
| expose_fuzzer_run_driver.cc | 03-May-2024 | 692 | 18 | 7 |
| fuzzer_test.gni | 03-May-2024 | 10.3 KiB | 307 | 267 |
| fuzzing_browsertests.md | 03-May-2024 | 2.3 KiB | 53 | 39 |
| gen_fuzzer_config.py | 03-May-2024 | 2.9 KiB | 96 | 67 |
| gen_fuzzer_owners.py | 03-May-2024 | 7.1 KiB | 226 | 154 |
| getting_started.md | 03-May-2024 | 13.6 KiB | 346 | 271 |
| libFuzzer_integration.md | 03-May-2024 | 2.3 KiB | 51 | 38 |
| libfuzzer_exports.h | 03-May-2024 | 2 KiB | 48 | 30 |
| libprotobuf-mutator.md | 03-May-2024 | 14.1 KiB | 370 | 295 |
| reference.md | 03-May-2024 | 7.3 KiB | 198 | 145 |
| reproducing.md | 03-May-2024 | 5.1 KiB | 134 | 95 |
| unittest_main.cc | 03-May-2024 | 1.6 KiB | 60 | 41 |
| zip_sources.py | 03-May-2024 | 1.9 KiB | 65 | 43 |

README.md

# Fuzz testing in Chromium

[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing)

[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece
of target code in an attempt to crash the code. It's one of the most effective
methods we have for finding security and stability issues (see
[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the
benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz).

This documentation covers the in-process guided fuzzing approach employed by
different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
ClusterFuzz documentation.

[TOC]

## Getting Started

In Chromium, you can easily create and submit fuzz targets. The targets are
automatically discovered by buildbots, built with different fuzzing engines,
then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.

Create your first fuzz target and submit it by stepping through our [Getting
Started Guide].
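
The following is an added example, not code from the Chromium fuzzing docs or
from the Chromium tree, showing the shape of an in-process fuzz target that
libFuzzer or AFL drive. The `LLVMFuzzerTestOneInput` entry point is the real
interface both engines use; `ParseRecord`, its record format, the
`ParseRecordStr`/`RunOneInput` wrappers and the sample corpus in `main()` are
constructed for this example only.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>

// Hypothetical code under test (constructed for this example): a tiny decoder
// for a length-prefixed record, "<1 byte length><length bytes of payload>".
// Returns the payload, or an empty string when the record is malformed.
std::string ParseRecord(const uint8_t* data, size_t size) {
  if (size == 0) return "";
  const size_t len = data[0];
  if (len > size - 1) return "";  // truncated record: reject, do not over-read
  return std::string(reinterpret_cast<const char*>(data + 1), len);
}

// The fuzz target. libFuzzer and AFL call it once per generated input; it must
// accept arbitrary bytes, be deterministic, keep no state between calls and
// return 0. A crash, sanitizer report or abort() is what the engine records
// and ClusterFuzz later files as a bug.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const std::string payload = ParseRecord(data, size);
  // Invariant the fuzzer checks for us: a non-empty payload must have exactly
  // the length the prefix declared. Violating it means the decoder is wrong.
  if (!payload.empty() && payload.size() != data[0]) abort();
  return 0;
}

// Convenience wrappers over std::string for the stand-alone driver and tests
// (constructed helpers, not part of the fuzzing interface).
std::string ParseRecordStr(const std::string& in) {
  return ParseRecord(reinterpret_cast<const uint8_t*>(in.data()), in.size());
}

int RunOneInput(const std::string& in) {
  return LLVMFuzzerTestOneInput(
      reinterpret_cast<const uint8_t*>(in.data()), in.size());
}

// Stand-alone driver so the file builds and runs without an engine. When the
// target is linked against libFuzzer (which supplies its own main), this
// driver must be left out; Chromium's fuzzer_test build template handles that.
int main() {
  const std::string corpus[] = {
      std::string("\003abc", 4),  // well-formed: length 3, payload "abc"
      std::string("\011ab", 3),   // truncated: declares 9 bytes, carries 2
      std::string(),              // empty input
      std::string("\000", 1),     // zero-length payload
  };
  for (const auto& in : corpus) RunOneInput(in);
  return 0;
}
```

The target does nothing but hand the bytes to the code under test and check an
invariant; the engine's coverage feedback and the sanitizers in the fuzzing
build do the rest. Keeping the target free of global state and of checks that
depend on earlier inputs is what makes a ClusterFuzz report reproducible from
the single test case it attaches.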

## Advanced Topics

* [Improving fuzz target efficiency].
* [Creating a fuzz target that expects a protobuf] instead of a byte stream as
  input.

  *** note
  **Note:** You can also fuzz code that needs multiple mutated
  inputs, or generate inputs defined by a grammar.
  ***

* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz.
* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers.

## Further Reading

* [LibFuzzer integration] with Chromium and ClusterFuzz.
* [AFL integration] with Chromium and ClusterFuzz.
* [Detailed references] for other integration parts.
* Writing fuzzers for the [non-browser parts of Chrome OS].
* [Fuzzing browsertests] if you need to fuzz multiple Chrome subsystems.

## Trophies
* [Issues automatically filed] by ClusterFuzz.
* [Issues filed manually] after running fuzz targets.
* [Bugs found in PDFium] by manual fuzzing.
* [Bugs found in open-source projects] with libFuzzer.

## Other Links
* [Guided in-process fuzzing of Chrome components] blog post.
* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
  libFuzzer.

[AFL]: http://lcamtuf.coredump.cx/afl/
[AFL integration]: AFL_integration.md
[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies
[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
[ClusterFuzz]: https://clusterfuzz.com/
[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md
[Detailed references]: reference.md
[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
[Fuzzing browsertests]: fuzzing_browsertests.md
[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md
[Getting Started Guide]: getting_started.md
[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
[Improving fuzz target efficiency]: efficient_fuzzing.md
[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/main/testing/fuzzing.md
[Reproducing bugs]: reproducing.md
[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
[go/fuzzing-success]: https://goto.google.com/fuzzing-success
[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
[libFuzzer integration]: libFuzzer_integration.md
