The two types of fuzzing supported on ClusterFuzz are coverage guided fuzzing (using libFuzzer and AFL) and blackbox fuzzing.
Coverage guided fuzzing
Coverage guided fuzzing (also known as greybox fuzzing) uses program instrumentation to trace the code coverage reached by each input fed to a fuzz target. Fuzzing engines use this information to make informed decisions about which inputs to mutate so as to maximize coverage.
For every target, the fuzzing engine builds a corpus of inputs. The corpus grows over time as the engine discovers, through mutation, inputs that reach new coverage and adds them to it.
The fuzzing engines supported on ClusterFuzz are libFuzzer (recommended) and AFL.
When should I use coverage guided fuzzing?
Coverage guided fuzzing is recommended as it is generally the most effective. It works best when:
For example, binary format (e.g. image format) parsers are very well suited to this.
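As an added example (not code from ClusterFuzz or its documentation), here is a libFuzzer fuzz target for a small binary image header format. The format ("IMG1" magic, width, height, bits per pixel, pixel data), the field layout, the parser and the sample inputs are all constructed for this illustration. The point to notice is that every early return in the parser is a separate edge: a random input almost never gets past the magic bytes, but a coverage guided engine treats each additional matched byte as progress, keeps the input that achieved it in the corpus, and so reaches the later checks quickly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical binary image format used for this example (constructed, not a
 * real format): "IMG1" magic, u16 LE width, u16 LE height, u8 bits-per-pixel,
 * then width*height*(bpp/8) bytes of pixel data. */
#define IMG_HEADER_LEN 9

typedef struct {
    uint16_t width, height;
    uint8_t bpp;
    const uint8_t *pixels;
    size_t pixel_len;
} image_t;

/* Returns 0 on success, a negative code on rejection. Each early return is a
 * distinct edge that the fuzzing engine can observe. */
static int parse_image(const uint8_t *data, size_t len, image_t *out) {
    static const uint8_t magic[4] = { 'I', 'M', 'G', '1' };
    if (len < IMG_HEADER_LEN) return -1;
    for (size_t i = 0; i < sizeof magic; i++)   /* byte-wise on purpose */
        if (data[i] != magic[i]) return -2;
    uint16_t w = (uint16_t)(data[4] | (data[5] << 8));
    uint16_t h = (uint16_t)(data[6] | (data[7] << 8));
    uint8_t bpp = data[8];
    if (bpp != 8 && bpp != 24 && bpp != 32) return -3;
    if (w == 0 || h == 0) return -4;
    /* Size the pixel buffer in 64 bits so w*h*bytes cannot wrap, then check
     * that the input really carries that many bytes before touching them. */
    uint64_t need = (uint64_t)w * h * (bpp / 8);
    if (need > (uint64_t)(len - IMG_HEADER_LEN)) return -5;
    out->width = w; out->height = h; out->bpp = bpp;
    out->pixels = data + IMG_HEADER_LEN;
    out->pixel_len = (size_t)need;
    return 0;
}

/* A consumer of the parsed data so the pixel region is exercised too. */
static uint32_t checksum_pixels(const image_t *img) {
    uint32_t sum = 0;
    for (size_t i = 0; i < img->pixel_len; i++) sum = sum * 31 + img->pixels[i];
    return sum;
}

/* libFuzzer entry point: called once per input; must tolerate any input and
 * return 0. Build: clang -g -O1 -fsanitize=fuzzer,address fuzz_image.c */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    image_t img;
    if (parse_image(data, size, &img) == 0) (void)checksum_pixels(&img);
    return 0;
}

/* Constructed sample inputs (not real corpus files). */
static const uint8_t kValid[]    = { 'I','M','G','1', 2,0, 1,0,  8, 0x10, 0x20 };
static const uint8_t kBadMagic[] = { 'I','M','G','2', 2,0, 1,0,  8, 0x10, 0x20 };
/* Claims 2x1 pixels at 32 bpp (8 bytes) but only carries 2 bytes of data. */
static const uint8_t kTooShort[] = { 'I','M','G','1', 2,0, 1,0, 32, 0x10, 0x20 };

static int parse_rc(const uint8_t *d, size_t n) {
    image_t img;
    return parse_image(d, n, &img);
}

static uint32_t sample_checksum(const uint8_t *d, size_t n) {
    image_t img;
    return parse_image(d, n, &img) == 0 ? checksum_pixels(&img) : 0;
}

#ifdef STANDALONE
/* Replay files (for example a testcase downloaded from ClusterFuzz) without
 * the libFuzzer runtime: cc -DSTANDALONE fuzz_image.c -o replay */
int main(int argc, char **argv) {
    static uint8_t buf[1 << 20];
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: %zu bytes, rc=%d\n", argv[i], n, parse_rc(buf, n));
    }
    return 0;
}
#endif
```

Run the instrumented binary with a corpus directory (`./fuzz_image corpus/`); libFuzzer writes each input that reaches new coverage back into that directory, which is the corpus growth described above. The sample arrays only exist so the parser can be checked outside the fuzzer.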
Blackbox fuzzing
A blackbox fuzzer generates inputs for a target program without knowledge of its internal behaviour or implementation.
A blackbox fuzzer may generate inputs from scratch, or rely on a static corpus of valid input files to base mutations on. Unlike coverage guided fuzzing, the corpus does not grow here.
When should I use blackbox fuzzing?
Blackbox fuzzing works well when:
For example, a browser DOM fuzzer may generate HTML inputs that are run against a target such as Chrome, without any coverage feedback to guide its mutations.
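To make the contrast with the coverage guided loop concrete, here is an added example (not ClusterFuzz's own code) of a minimal mutation-based blackbox fuzzer in C. The seed fragments, the mutation set and the stand-in `demo_target` function are constructed for the illustration; a real blackbox harness would launch the actual target (such as a browser) on each input and watch for crashes or hangs. The campaign reads from a fixed seed corpus and never writes back to it, because with no coverage signal there is nothing on which to decide that an input is worth keeping.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_INPUT 64
#define RNG_SEED  0x9E3779B97F4A7C15ULL

typedef struct { const uint8_t *data; size_t len; } seed_t;
typedef struct { size_t executed, accepted, corpus_size, min_len, max_len; } stats_t;

/* Constructed seed corpus: two small HTML fragments. It is read-only for the
 * whole campaign; nothing is ever added to it. */
static const seed_t kSeeds[] = {
    { (const uint8_t *)"<p>hello</p>", 12 },
    { (const uint8_t *)"<a href=\"x\">y</a>", 17 },
};

/* xorshift64 PRNG: deterministic, so a campaign can be replayed from its seed. */
static uint64_t rng_state = RNG_SEED;
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

/* One random mutation of `in` (1 <= in_len <= MAX_INPUT) into `out`.
 * Returns the new length, always within [1, MAX_INPUT]. */
static size_t mutate(const uint8_t *in, size_t in_len, uint8_t *out) {
    size_t len = in_len, pos;
    memcpy(out, in, in_len);
    switch (rng_next() % 3) {
    case 0:                                   /* flip one bit */
        out[rng_next() % len] ^= (uint8_t)(1u << (rng_next() % 8));
        break;
    case 1:                                   /* insert a random byte */
        if (len < MAX_INPUT) {
            pos = rng_next() % (len + 1);
            memmove(out + pos + 1, out + pos, len - pos);
            out[pos] = (uint8_t)rng_next();
            len++;
        }
        break;
    default:                                  /* delete one byte */
        if (len > 1) {
            pos = rng_next() % len;
            memmove(out + pos, out + pos + 1, len - pos - 1);
            len--;
        }
        break;
    }
    return len;
}

/* Stand-in for the program under test (hypothetical): accepts anything shaped
 * like a single element. The fuzzer only ever sees this yes/no result, never
 * which code the input reached. */
static int demo_target(const uint8_t *d, size_t n) {
    return n >= 2 && d[0] == '<' && d[n - 1] == '>';
}

static stats_t run_campaign(const seed_t *seeds, size_t nseeds, size_t iters,
                            int (*target)(const uint8_t *, size_t)) {
    stats_t st = { 0, 0, nseeds, SIZE_MAX, 0 };
    uint8_t buf[MAX_INPUT];
    rng_state = RNG_SEED;                     /* reproducible campaign */
    for (size_t i = 0; i < iters; i++) {
        const seed_t *s = &seeds[rng_next() % nseeds];
        size_t len = mutate(s->data, s->len, buf);
        st.executed++;
        if (target(buf, len)) st.accepted++;
        if (len < st.min_len) st.min_len = len;
        if (len > st.max_len) st.max_len = len;
        /* A coverage guided engine would add `buf` to the corpus here when it
         * reached new code. With no feedback there is nothing to decide on,
         * so the corpus stays exactly the seed set (st.corpus_size). */
    }
    return st;
}

static stats_t demo_campaign(size_t iters) {
    return run_campaign(kSeeds, sizeof kSeeds / sizeof kSeeds[0], iters, demo_target);
}

int main(void) {
    stats_t st = demo_campaign(10000);
    printf("executed=%zu accepted=%zu corpus=%zu len=[%zu,%zu]\n",
           st.executed, st.accepted, st.corpus_size, st.min_len, st.max_len);
    return 0;
}
```

Because each test case is derived from one seed by a single mutation, the generated inputs never drift far from the seed set; that is the practical cost of having no feedback, and the reason blackbox fuzzers that target complex inputs (such as DOM fuzzers) usually lean on generation from a grammar rather than on mutation alone.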