OpenSSF Releases Fuzz Introspector 

OpenSSF-Releases-Fuzz-Introspector-to-Improve-CC++-Fuzz-Testing-Coverage

Fuzz testing is a technique that can help find security exploits and vulnerabilities by reaching edge cases hard to encounter for human testers

The Open Source Security Foundation (OpenSSF) has released a tool to improve fuzzing coverage by providing actionable insights to developers and helping them identify coverage blockers. Fuzz testing is a technique that can help find security exploits and vulnerabilities by reaching edge cases hard to encounter for human testers.

While promising, fuzz testing has its complexity: The effectiveness of fuzzing depends on how much of the code is covered by it, and writing effective tools to implement fuzzing (“fuzzers”) with good coverage is still challenging.

This is attested by the fact that two open-source projects Mozilla NSS and NSO iMessage have been recently found vulnerable to attacks despite using fuzzing techniques, say Fuzz Introspector.

To make it easier for developers to extend their projects’ fuzz coverage, Fuzz Introspector can analyse functions, static call graphs, and runtime coverage information with the aim to help developers understand which blockers may be limiting fuzzing as much of their code as possible.

Fuzz Introspector has two main parts: compiler-based static analysis, aimed to collect data about the code under analysis through an LLVM link-time optimisations (LTO) pass; and post-processing, which is responsible for analysing the data produced in the first step along with coverage reports generated by llvm-cov.

After this processing, Fuzz Introspector is able to show a number of interesting properties of each function in a project, such as its cyclomatic complexity, how many other functions it reaches, its function call-depth, and the number of fuzzers that reach it, and more. Additionally, it can show which functions in a project are not reached by a given fuzzer and which ones should be targeted for fuzzing based on their potential to increase coverage.

Fuzz Introspector generates an HTML report including an overview of reachability by all fuzzers, a summary of the performance of each fuzzer, a call tree showing in red all functions that have not been covered yet, and more. The tool also attempts to suggest which new fuzzers could be added to the project, although this feature is still naive according to the authors.

The primary output of the post-processing logic is an HTML report that humans can interpret. However, there is currently development taking place in extracting data that is useful by fuzzers to improve the fuzzing, e.g. the analysis plugin fuzz_engine_input.py

Fuzz Introspector works at the moment with C/C++ codebases but support for additional languages is already in the roadmap.