
The Chromium Projects

Fuzz testing in ChromeOS (dupe)

Fuzzing is a testing technique that feeds automatically generated inputs to a target piece of code in an attempt to make it crash. It is one of the most effective methods we have for finding security and non-security bugs (also see go/fuzzing-success). This guide introduces ChromeOS developers to fuzz testing.

You can learn more about the benefits of fuzzing at go/why-fuzz.

Getting Started

For more information about ChromeOS kernel fuzzing, see here. The rest of this page covers userspace fuzzing on ChromeOS.

In ChromeOS, you can easily create and submit fuzz targets. Once a target is checked in, buildbots build it automatically and upload it to ClusterFuzz, the distributed fuzzing system, which runs it at scale and reports the crashes it finds.
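To make concrete what a "fuzz target" is, here is an added example that is not code from the Chromium or ChromeOS tree: a libFuzzer-style target (the `LLVMFuzzerTestOneInput` entry point that ClusterFuzz drives) wrapped around a small, constructed TLV record parser. The record format, the `ParseRecords` function and the sample inputs are all invented for this illustration; the entry-point signature is libFuzzer's.

```cpp
// Added example: a minimal libFuzzer-style fuzz target around a constructed
// TLV parser. Not code from the Chromium/ChromeOS tree; the wire format,
// ParseRecords() and the sample inputs are made up for illustration.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed wire format: a sequence of records, each laid out as
//   [1 byte type][1 byte length][length bytes of value]
// Type 0x01 = name (text), type 0x02 = 32-bit big-endian counter.
struct Record {
  std::string name;
  uint32_t counter = 0;
  size_t records_seen = 0;
};

// Returns true if the buffer parsed cleanly, false on any malformed input.
// Every read is bounds-checked against `size`, so arbitrary bytes from the
// fuzzer can never cause an out-of-bounds read (which ASan would flag).
bool ParseRecords(const uint8_t* data, size_t size, Record* out) {
  size_t pos = 0;
  while (pos < size) {
    if (size - pos < 2) return false;          // truncated header
    const uint8_t type = data[pos];
    const uint8_t len = data[pos + 1];
    pos += 2;
    if (len > size - pos) return false;        // declared length runs past the buffer
    const uint8_t* value = data + pos;
    switch (type) {
      case 0x01:
        out->name.assign(reinterpret_cast<const char*>(value), len);
        break;
      case 0x02:
        if (len != 4) return false;            // counter must be exactly 4 bytes
        out->counter = (uint32_t{value[0]} << 24) | (uint32_t{value[1]} << 16) |
                       (uint32_t{value[2]} << 8) | uint32_t{value[3]};
        break;
      default:
        return false;                          // unknown record type
    }
    pos += len;
    ++out->records_seen;
  }
  return true;
}

// libFuzzer entry point. The fuzzing engine calls this repeatedly with mutated
// inputs; the target must be deterministic, must not exit(), and returns 0.
// The parse result is deliberately ignored: a rejected input is fine, only a
// crash, hang or sanitizer report counts as a finding.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  Record record;
  ParseRecords(data, size, &record);
  return 0;
}

// Stand-alone driver for running the target without libFuzzer (which supplies
// its own main). Feeds a few constructed inputs, including malformed ones.
int main() {
  const std::vector<std::vector<uint8_t>> samples = {
      {0x01, 0x03, 'a', 'b', 'c', 0x02, 0x04, 0x00, 0x00, 0x01, 0x00},  // valid
      {0x01, 0x10, 'a'},                                                // length too long
      {0x02},                                                           // truncated header
      {},                                                               // empty input
  };
  for (const auto& s : samples) LLVMFuzzerTestOneInput(s.data(), s.size());
  return 0;
}
```

Built with `clang++ -g -fsanitize=fuzzer,address target.cc -o target`, the same file becomes a libFuzzer binary (libFuzzer provides `main`, so the driver above is dropped) that mutates inputs until it trips the sanitizer or crashes; built without `-fsanitize=fuzzer` it runs the sample inputs once. Removing the `len > size - pos` check is a quick way to see the difference: the plain build may run clean, while the ASan build reports the heap-buffer-overflow within seconds.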

Create your first fuzz target and submit it by stepping through our Quickstart Guide.

Getting help

You can chat with us or send an email to chromeos-fuzzing@google.com if you get stuck or have questions.

Further Reading

Trophies