[webkit-dev] Fuzzinator, a mutation based web fuzzer

Renáta Hodován hodovan at inf.u-szeged.hu
Wed Jun 26 09:46:40 PDT 2013

On 06/25/2013 09:48 PM, Benjamin Poulain wrote:
> On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován 
> <hodovan at inf.u-szeged.hu <mailto:hodovan at inf.u-szeged.hu>> wrote:
>     as many of you know already I'm working on an universal web
>     fuzzer, which is able to generate random test cases for both svg,
>     html, css and js, and test them against any browser. With this
>     method we can catch crashes, assertions, memory corruptions and
>     all the funny things.
>     A few words about it: Fuzzinator learns from existing test cases
>     and based on this information it generates new tests that are
>     syntactically correct. Beside this randomized step I also put some
>     language specific knowledge into the tests too. Further details
>     about the theoretical background will be shared in a blogpost soon.
>     However the results are available in public already and they are
>     collected under a metabug in bugzilla:
>     https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of
>     you feel like browsing or fixing them, don't hesitate to start
>     with it ;)
> First, I would like to say welcome to our new fuzzing overlords. :)
Thanks :)

> What is your plan for the tool itself? Is it opensource? Will it be 
> added to webkit.org <http://webkit.org>?
> Experience shows our tools are the most useful when they are 
> completely automated behind maintained bots doing most of the jobs. Do 
> you have any long term plans like that?
Ultimately the goal of this project is to have an automated tool that is 
running all day long and is reporting the discovered bugs. Actually this 
is working locally on a few computers already, however automatically 
sharing the results has technical and security issues. Currently the 
received failing tests are too large to post without minimization to 
bugzilla. On the other hand, reporting every found bug automatically and 
immediately, regardless of its type (security or not), might not be a 
wise thing. However, what's sure for now is that all found bugs will be 
reported: security issues tagged appropriately, and others as publicly 

Further plans are:
* extension with WebGL support
* mixing the a current fuzzers and generating complex but still coherent 
* adding automatism to rebuild the browser under testing regularly
    (e.g., fetching a binary built by a build bot slave linked to 
webkit.org on a daily (or whatever) basis.)
* implementing automatism to minimise the found bugous input


> Benjamin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20130626/141f9ed3/attachment.html>

More information about the webkit-dev mailing list