The Open Source Security Foundation (OpenSSF) has just released a tool to improve fuzzing coverage by providing actionable insights to developers and helping them identify coverage blockers.
Fuzz testing is a technique that can help find security exploits and vulnerabilities by reaching edge cases that are hard for human testers to encounter. While promising, fuzz testing has its own complexity:
The effectiveness of fuzzing depends on how much of the code is covered by it, and writing effective tools to implement fuzzing ("fuzzers") with good coverage is still challenging.
This is attested by the fact that two open source projects, Mozilla NSS and NSO iMessage, have recently been found vulnerable to attacks in spite of using fuzzing techniques, say Fuzz Introspector's authors.
To make it easier for developers to extend their projects' fuzz coverage, Fuzz Introspector can analyze functions, static call graphs, and runtime coverage information, with the aim of helping developers understand which blockers may be preventing fuzzers from reaching as much of their code as possible.
Fuzz Introspector has two main parts: compiler-based static analysis, which collects data about the code under analysis through an LLVM link-time optimization (LTO) pass; and post-processing, which is responsible for analyzing the data produced in the first step along with coverage reports generated by llvm-cov.
After this processing, Fuzz Introspector is able to show a number of interesting properties of each function in a project, such as its cyclomatic complexity, how many other functions it reaches, its function call-depth, the number of fuzzers that reach it, and more. Additionally, it can show which functions in a project are not reached by a given fuzzer and which ones should be targeted for fuzzing based on their potential to increase coverage.
Fuzz Introspector generates an HTML report including an overview of reachability by all fuzzers, a summary of the performance of each fuzzer, a call tree showing in red all functions that have not been covered yet, and more. The tool also attempts to suggest which new fuzzers could be added to the project, although this feature is still naive according to the authors.
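To make the per-function properties and the report contents described above concrete, here is an added example that is not part of the article or of Fuzz Introspector's own code. It assumes a constructed static call graph (caller to callees, as an LTO pass would extract it), made-up cyclomatic complexity numbers, two hypothetical fuzzer entry points, and a constructed set of functions that llvm-cov reported as executed. From those inputs it computes minimal call depth from each fuzzer, how many fuzzers reach each function, which functions no fuzzer reaches at all, which reachable functions were never executed at runtime (the signal that a coverage blocker sits in between), and a naive ranking of unreached functions by how much unfuzzed complexity a new fuzzer targeting them would pull in.

```python
from collections import deque

# --- Constructed sample inputs (not real Fuzz Introspector output) ---

# Static call graph: caller -> callees, as an LTO pass would extract it.
CALL_GRAPH = {
    "fuzz_parse_entry": ["parse_header", "parse_body"],   # hypothetical fuzzer entry
    "fuzz_crypto_entry": ["verify_sig"],                   # hypothetical fuzzer entry
    "parse_header": ["read_u32"],
    "parse_body": ["read_u32", "decode_chunk"],
    "decode_chunk": ["inflate"],
    "inflate": [],
    "read_u32": [],
    "verify_sig": ["hash_data", "read_u32"],
    "hash_data": [],
    "parse_legacy": ["read_u32", "decode_chunk"],
    "render_preview": ["parse_legacy", "inflate"],
}

# Per-function cyclomatic complexity (made-up values).
COMPLEXITY = {
    "fuzz_parse_entry": 1, "fuzz_crypto_entry": 1,
    "parse_header": 3, "parse_body": 5, "decode_chunk": 4, "inflate": 8,
    "read_u32": 1, "verify_sig": 4, "hash_data": 2,
    "parse_legacy": 6, "render_preview": 4,
}

# Fuzzer name -> its entry point in the call graph.
FUZZERS = {
    "parse_fuzzer": "fuzz_parse_entry",
    "crypto_fuzzer": "fuzz_crypto_entry",
}

# Functions each fuzzer actually executed at runtime (constructed stand-in
# for what an llvm-cov report would list).
RUNTIME_COVERED = {
    "parse_fuzzer": {"fuzz_parse_entry", "parse_header", "parse_body", "read_u32"},
    "crypto_fuzzer": {"fuzz_crypto_entry", "verify_sig", "hash_data", "read_u32"},
}


def reachable_with_depth(graph, entry):
    """Breadth-first walk from entry; returns {function: minimal call depth}."""
    depth = {entry: 0}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in depth:
                depth[callee] = depth[fn] + 1
                queue.append(callee)
    return depth


def all_functions(graph):
    """Every function that appears as a caller or a callee."""
    fns = set(graph)
    for callees in graph.values():
        fns.update(callees)
    return fns


def fuzzer_reach_counts(graph, fuzzers):
    """How many fuzzers statically reach each function (0 = never fuzzed)."""
    counts = {fn: 0 for fn in all_functions(graph)}
    for entry in fuzzers.values():
        for fn in reachable_with_depth(graph, entry):
            counts[fn] += 1
    return counts


def unreached_functions(graph, fuzzers):
    """Functions no fuzzer can reach even in theory (the red nodes of a call tree)."""
    counts = fuzzer_reach_counts(graph, fuzzers)
    return sorted(fn for fn, n in counts.items() if n == 0)


def coverage_blockers(graph, fuzzers, runtime_covered):
    """Per fuzzer: functions statically reachable but never executed at runtime.

    A non-empty list means something between the covered and uncovered
    functions (e.g. a checksum or magic-value check) stops the fuzzer.
    """
    blockers = {}
    for name, entry in fuzzers.items():
        static = set(reachable_with_depth(graph, entry))
        blockers[name] = sorted(static - runtime_covered.get(name, set()))
    return blockers


def rank_fuzz_targets(graph, complexity, fuzzers):
    """Naively rank unreached functions by the total complexity of the still
    unreached code a new fuzzer targeting them would reach (highest first)."""
    counts = fuzzer_reach_counts(graph, fuzzers)
    scores = []
    for fn in unreached_functions(graph, fuzzers):
        new_code = [g for g in reachable_with_depth(graph, fn) if counts[g] == 0]
        scores.append((fn, sum(complexity.get(g, 0) for g in new_code)))
    return sorted(scores, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for fuzzer, entry in FUZZERS.items():
        print(fuzzer, "depths:", reachable_with_depth(CALL_GRAPH, entry))
    print("unreached:", unreached_functions(CALL_GRAPH, FUZZERS))
    print("blockers:", coverage_blockers(CALL_GRAPH, FUZZERS, RUNTIME_COVERED))
    print("suggested targets:", rank_fuzz_targets(CALL_GRAPH, COMPLEXITY, FUZZERS))
```

On this input, `parse_fuzzer` statically reaches `decode_chunk` and `inflate` but never executes them, so the blocker lies in `parse_body`; `parse_legacy` and `render_preview` are reached by no fuzzer, and `render_preview` ranks first as a new target because it also pulls in `parse_legacy`. The ranking is deliberately as naive as the article describes the tool's fuzzer suggestions to be: it counts complexity, not how hard the functions' inputs are to construct.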
The primary output of the post-processing logic is an HTML report that can be interpreted by humans. However, development is currently taking place on extracting data that is useful to fuzzers themselves to improve the fuzzing, e.g. the analysis plugin fuzz_engine_input.py.
Fuzz Introspector currently works with C/C++ codebases, but support for additional languages is already on the roadmap.