2019-08-07 14:37:16 +00:00
|
|
|
---
|
|
|
|
layout: default
|
|
|
|
title: FAQ
|
|
|
|
has_children: true
|
|
|
|
nav_order: 7
|
|
|
|
permalink: /faq/
|
|
|
|
---
|
|
|
|
|
2016-10-24 20:42:53 +00:00
|
|
|
# Frequently Asked Questions
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
- TOC
|
|
|
|
{:toc}
|
|
|
|
---
|
|
|
|
|
2020-01-13 01:14:20 +00:00
|
|
|
## Where can I learn more about fuzzing?
|
|
|
|
|
|
|
|
We recommend reading [libFuzzer tutorial] and the other docs in [google/fuzzing]
|
|
|
|
repository. These and some other resources are listed on the
|
|
|
|
[useful links]({{ site.baseurl }}/reference/useful-links/#tutorials) page.
|
|
|
|
|
|
|
|
[google/fuzzing]: https://github.com/google/fuzzing/tree/master/docs
|
|
|
|
[libFuzzer tutorial]: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md
|
|
|
|
|
2016-12-30 06:35:40 +00:00
|
|
|
## What kind of projects are you accepting?
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
We accept established projects that have a critical impact on infrastructure and
|
|
|
|
user security. We will consider each request on a case-by-case basis, but some
|
|
|
|
things we keep in mind are:
|
2016-12-30 06:35:40 +00:00
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
- Exposure to remote attacks (e.g. libraries that are used to process
|
|
|
|
untrusted input).
|
2016-12-30 06:35:40 +00:00
|
|
|
- Number of users/other projects depending on this project.
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
We hope to relax this requirement in the future though, so keep an eye out even
|
|
|
|
if we are not able to accept your project at this time!
|
2016-12-30 06:35:40 +00:00
|
|
|
|
2018-03-09 05:30:58 +00:00
|
|
|
## How can I find potential fuzz targets in my open source project?
|
|
|
|
|
|
|
|
You should look for places in your code that:
|
|
|
|
|
|
|
|
- consume un-trusted data from users or from the network.
|
|
|
|
- consume complex data input or event if it's 'trusted'.
|
2019-08-07 14:37:16 +00:00
|
|
|
- use an algorithm that has two or more implementations
|
|
|
|
(to verify their equivalence).
|
|
|
|
- look for existing fuzz target [examples](https://github.com/google/oss-fuzz/tree/master/projects)
|
|
|
|
and find similarities.
|
2018-03-09 05:30:58 +00:00
|
|
|
|
2019-06-06 16:49:21 +00:00
|
|
|
## My project is not open source. Can I use OSS-Fuzz?
|
|
|
|
|
|
|
|
You cannot use OSS-Fuzz, but you can use [ClusterFuzz] which OSS-Fuzz is based
|
|
|
|
on. ClusterFuzz is an open-source fuzzing infrastructure that you can deploy in
|
|
|
|
your own environment and run continuously at scale.
|
|
|
|
|
|
|
|
OSS-Fuzz is a production instance of ClusterFuzz, plus the code living in
|
|
|
|
[OSS-Fuzz repository]: build scripts, `project.yaml` files with contacts, etc.
|
|
|
|
|
|
|
|
[OSS-Fuzz repository]: https://github.com/google/oss-fuzz
|
|
|
|
|
2016-11-29 19:41:37 +00:00
|
|
|
## Why do you use a [different issue tracker](https://bugs.chromium.org/p/oss-fuzz/issues/list) for reporting bugs in OSS projects?
|
2016-10-24 20:42:53 +00:00
|
|
|
|
2016-11-16 17:56:10 +00:00
|
|
|
Security access control is important for the kind of issues that OSS-Fuzz detects.
|
2018-04-30 02:04:09 +00:00
|
|
|
We will reconsider the GitHub issue tracker once the
|
2016-11-19 00:55:22 +00:00
|
|
|
[access control feature](https://github.com/isaacs/github/issues/37) is available.
|
2016-10-25 21:40:30 +00:00
|
|
|
|
2017-08-17 20:02:14 +00:00
|
|
|
## Why do you require a Google account for authentication?
|
2016-12-02 22:53:14 +00:00
|
|
|
|
2019-08-21 22:10:15 +00:00
|
|
|
Our [ClusterFuzz]({{ site.baseurl }}/further-reading/clusterfuzz) fuzzing
|
2019-08-07 14:37:16 +00:00
|
|
|
infrastructure and [issue tracker](https://bugs.chromium.org/p/oss-fuzz/issues/list)
|
|
|
|
require a Google account for authentication. Note that an alternate email
|
|
|
|
address associated with a Google account does not work due to appengine api
|
|
|
|
limitations.
|
2016-12-02 22:53:14 +00:00
|
|
|
|
2016-10-25 21:40:30 +00:00
|
|
|
## Why do you use Docker?
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
Building fuzzers requires building your project with a fresh Clang compiler and
|
|
|
|
special compiler flags. An easy-to-use Docker image is provided to simplify
|
|
|
|
toolchain distribution. This also simplifies our support for a variety of Linux
|
|
|
|
distributions and provides a reproducible and secure environment for fuzzer
|
2016-10-25 21:40:30 +00:00
|
|
|
building and execution.
|
2016-12-09 18:48:45 +00:00
|
|
|
|
2016-12-30 06:37:33 +00:00
|
|
|
## How do you handle timeouts and OOMs?
|
2016-12-25 04:46:16 +00:00
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
If a single input to a [fuzz target]({{ site.baseurl }}/reference/glossary/#fuzz-target)
|
2020-01-08 03:50:44 +00:00
|
|
|
requires more than **~25 seconds** or more than **2.5GB RAM** to process, we
|
2016-12-27 09:25:11 +00:00
|
|
|
report this as a timeout or an OOM (out-of-memory) bug
|
2016-12-25 04:46:16 +00:00
|
|
|
(examples: [timeouts](https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=%22Crash+Type%3A+Timeout%22),
|
|
|
|
[OOMs](https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q="Crash+Type%3A+Out-of-memory")).
|
|
|
|
This may or may not be considered as a real bug by the project owners,
|
|
|
|
but nevertheless we treat all timeouts and OOMs as bugs
|
|
|
|
since they significantly reduce the efficiency of fuzzing.
|
|
|
|
|
2016-12-25 04:52:24 +00:00
|
|
|
Remember that fuzzing is executed with AddressSanitizer or other
|
2016-12-30 06:13:10 +00:00
|
|
|
sanitizers which introduces a certain overhead in RAM and CPU.
|
2016-12-25 04:52:24 +00:00
|
|
|
|
2016-12-25 04:46:16 +00:00
|
|
|
We currently do not have a good way to deduplicate timeout or OOM bugs.
|
2016-12-30 06:13:10 +00:00
|
|
|
So, we report only one timeout and only one OOM bug per fuzz target.
|
|
|
|
Once that bug is fixed, we will file another one, and so on.
|
2016-12-25 04:52:24 +00:00
|
|
|
|
|
|
|
Currently we do not offer ways to change the memory and time limits.
|
2017-02-07 17:24:38 +00:00
|
|
|
|
|
|
|
## Can I launch an additional process (e.g. a daemon) from my fuzz target?
|
|
|
|
|
2017-02-08 03:15:53 +00:00
|
|
|
No. In order to get all the benefits of in-process, coverage-guided fuzz testing,
|
2019-08-07 14:37:16 +00:00
|
|
|
it is required to run everything inside a single process. Any child processes
|
|
|
|
created outside the main process introduces heavy launch overhead and is not
|
|
|
|
monitored for code coverage.
|
2017-02-07 17:24:38 +00:00
|
|
|
|
|
|
|
Another rule of thumb is: "the smaller fuzz target is, the better it is". It is
|
2019-08-07 14:37:16 +00:00
|
|
|
expected that your project will have many fuzz targets to test different
|
|
|
|
components, instead of a single fuzz target trying to cover everything.
|
|
|
|
Think of fuzz target as a unit test, though it is much more powerful since it
|
|
|
|
helps to test millions of data permutations rather than just one.
|
2017-02-08 17:17:50 +00:00
|
|
|
|
|
|
|
## What if my fuzz target finds a bug in another project (dependency) ?
|
|
|
|
|
|
|
|
Every bug report has a crash stack-trace that shows where the crash happened.
|
|
|
|
Using that, you can debug the root cause and see which category the bug falls in:
|
|
|
|
|
|
|
|
- If this is a bug is due to an incorrect usage of the dependent project's API
|
|
|
|
in your project, then you need to fix your usage to call the API correctly.
|
2019-08-07 14:37:16 +00:00
|
|
|
- If this is a real bug in the dependent project, then you should CC the
|
|
|
|
maintainers of that project on the bug. Once CCed, they will get automatic
|
|
|
|
access to all the information necessary to reproduce the issue. If this project
|
|
|
|
is maintained in OSS-Fuzz, you can search for contacts in the respective
|
|
|
|
project.yaml file.
|
2017-03-02 05:55:07 +00:00
|
|
|
|
|
|
|
## What if my fuzzer does not find anything?
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
If your fuzz target is running for many days and does not find bugs or new
|
|
|
|
coverage, it may mean several things:
|
|
|
|
- We've covered all reachable code. In order to cover more code we need more
|
|
|
|
fuzz targets.
|
|
|
|
- The [seed corpus]({{ site.baseurl }}/getting-started/new-project-guide#seed-corpus) is not good enough and the
|
|
|
|
fuzzing engine(s) are not able to go deeper based on the existing seeds.
|
|
|
|
Need to add more seeds.
|
|
|
|
- There is some crypto/crc stuff in the code that will prevent any fuzzing
|
|
|
|
engine from going deeper, in which case the crypto should be disabled in
|
|
|
|
[fuzzing mode](http://libfuzzer.info#fuzzer-friendly-build-mode).
|
|
|
|
Examples: [openssl](https://github.com/openssl/openssl/tree/master/fuzz#reproducing-issues),
|
|
|
|
[boringssl](https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md#Fuzzer-mode)
|
|
|
|
- It is also possible that the fuzzer is running too slow
|
|
|
|
(you may check the speed of your targets at https://oss-fuzz.com/)
|
|
|
|
|
|
|
|
In either case, look at the
|
2019-08-21 22:10:15 +00:00
|
|
|
[coverage reports]({{ site.baseurl }}/further-reading/clusterfuzz#coverage-reports)
|
2019-08-07 14:37:16 +00:00
|
|
|
for your target(s) and figure out why some parts of the code are not covered.
|
2018-04-22 06:02:24 +00:00
|
|
|
|
2018-08-20 13:42:45 +00:00
|
|
|
## Why are code coverage reports public?
|
|
|
|
|
|
|
|
We work with open source projects and try to keep as much information public as
|
|
|
|
possible. We believe that public code coverage reports do not put users at risk,
|
|
|
|
as they do not indicate the presence of bugs or lack thereof.
|
|
|
|
|
2018-04-22 06:02:24 +00:00
|
|
|
## What happens when I rename a fuzz target ?
|
2019-08-07 14:37:16 +00:00
|
|
|
If you rename your fuzz targets, the existing bugs for those targets will get
|
|
|
|
closed and fuzzing will start from scratch from a fresh corpora
|
|
|
|
(seed corpus only). Similar corpora will get accumulated over time depending on
|
|
|
|
the number of cpu cycles that original fuzz target has run. If this is not
|
|
|
|
desirable, make sure to copy the accumulated corpora from the original fuzz
|
|
|
|
target (instructions to download
|
|
|
|
[here]({{ site.baseurl }}/advanced-topics/corpora/#downloading-the-corpus)) and
|
|
|
|
restore it to the new GCS location later (instruction to find the
|
|
|
|
new location [here]({{ site.baseurl }}/advanced-topics/corpora/#viewing-the-corpus-for-a-fuzz-target)).
|
2018-04-22 06:02:24 +00:00
|
|
|
|
2020-02-19 23:27:58 +00:00
|
|
|
## Does OSS-Fuzz support AFL or honggfuzz?
|
2020-03-20 14:50:16 +00:00
|
|
|
OSS-Fuzz *uses* both [AFL](https://lcamtuf.coredump.cx/afl/) and
|
2020-02-19 23:27:58 +00:00
|
|
|
[honggfuzz](https://github.com/google/honggfuzz)
|
|
|
|
[fuzzing engines]({{ site.baseurl }}/reference/glossary/#fuzzing-engine).
|
|
|
|
Follow the
|
2019-08-07 14:37:16 +00:00
|
|
|
[ideal integration guide]({{ site.baseurl }}/advanced-topics/ideal-integration/)
|
|
|
|
and OSS-Fuzz will use all its fuzzing engines on your code.
|
2017-06-02 00:55:01 +00:00
|
|
|
|
2018-10-22 06:40:58 +00:00
|
|
|
## What are the specs on your machines?
|
|
|
|
OSS-Fuzz builders have 32CPU/28.8GB RAM.
|
|
|
|
|
2019-08-07 14:37:16 +00:00
|
|
|
Fuzzing machines only have a single core and fuzz targets should not use more
|
2020-01-08 03:50:44 +00:00
|
|
|
than 2.5GB of RAM.
|
2020-02-19 23:27:58 +00:00
|
|
|
|
|
|
|
## Are there any restrictions on using test cases / corpora generated by OSS-Fuzz?
|
|
|
|
|
|
|
|
No, you can freely use (i.e. share, add to your repo, etc.) the test cases and
|
|
|
|
corpora generated by OSS-Fuzz. OSS-Fuzz infrastructure is fully open source
|
|
|
|
(including [ClusterFuzz], various fuzzing engines, and other dependencies). We
|
|
|
|
have no intent to restrict the use of the artifacts produced by OSS-Fuzz.
|
|
|
|
|
|
|
|
[ClusterFuzz]: https://github.com/google/clusterfuzz
|