[webkit-dev] Fuzzinator, a mutation based web fuzzer
Renáta Hodován
hodovan at inf.u-szeged.hu
Wed Jun 26 09:46:40 PDT 2013
On 06/25/2013 09:48 PM, Benjamin Poulain wrote:
> On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován
> <hodovan at inf.u-szeged.hu <mailto:hodovan at inf.u-szeged.hu>> wrote:
>
> as many of you know already I'm working on an universal web
> fuzzer, which is able to generate random test cases for both svg,
> html, css and js, and test them against any browser. With this
> method we can catch crashes, assertions, memory corruptions and
> all the funny things.
>
> A few words about it: Fuzzinator learns from existing test cases
> and based on this information it generates new tests that are
> syntactically correct. Beside this randomized step I also put some
> language specific knowledge into the tests too. Further details
> about the theoretical background will be shared in a blogpost soon.
>
> However the results are available in public already and they are
> collected under a metabug in bugzilla:
> https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of
> you feel like browsing or fixing them, don't hesitate to start
> with it ;)
>
>
> First, I would like to say welcome to our new fuzzing overlords. :)
>
Thanks :)
> What is your plan for the tool itself? Is it opensource? Will it be
> added to webkit.org <http://webkit.org>?
> Experience shows our tools are the most useful when they are
> completely automated behind maintained bots doing most of the jobs. Do
> you have any long term plans like that?
>
Ultimately the goal of this project is to have an automated tool that is
running all day long and is reporting the discovered bugs. Actually this
is working locally on a few computers already, however automatically
sharing the results has technical and security issues. Currently the
received failing tests are too large to post without minimization to
bugzilla. On the other hand, reporting every found bug automatically and
immediately, regardless of its type (security or not), might not be a
wise thing. However, what's sure for now is that all found bugs will be
reported: security issues tagged appropriately, and others as publicly
visible.
Further plans are:
* extension with WebGL support
* mixing the a current fuzzers and generating complex but still coherent
webpages
* adding automatism to rebuild the browser under testing regularly
(e.g., fetching a binary built by a build bot slave linked to
webkit.org on a daily (or whatever) basis.)
* implementing automatism to minimise the found bugous input
Cheers,
Reni
> Benjamin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20130626/141f9ed3/attachment.html>
More information about the webkit-dev
mailing list