dergoegge/fuzzor
GitHub: dergoegge/fuzzor
Fuzzor is a continuous fuzzing infrastructure, built mainly to serve automated bug discovery and coverage analysis for blockchain projects such as Bitcoin Core.
Stars: 8 | Forks: 6
# Fuzzor
Continuous fuzzing infrastructure, currently under development. It is built and maintained primarily to
continuously fuzz [Bitcoin Core](https://github.com/bitcoin/bitcoin),
but adding and fuzzing other projects is supported as well (see `projects/`).
## Quick start
```
docker build --tag fuzzor-base:latest --file infra/Dockerfile.base .
cd projects/bitcoin
docker build --tag fuzzor-bitcoin:latest .
docker run -it fuzzor-bitcoin:latest
FUZZ=txgraph ./out/libfuzzer_asan/fuzz
```
## Features
- Automated bug reporting
- Automated coverage report generation
- Support for the major fuzzing engines
  ([`AFL++`](https://github.com/AFLplusplus/AFLplusplus),
  [`libFuzzer`](https://llvm.org/docs/LibFuzzer.html),
  [`honggfuzz`](https://github.com/google/honggfuzz),
  [`native Golang`](https://go.dev/doc/security/fuzz/))
- Crash deduplication
- Corpus minimization using all supported engines
- Live integration fuzzing
- Coverage-based scheduling
- Support for experimental fuzzing engines (e.g. fuzz-driven differential testing with [SemSan](https://github.com/dergoegge/semsan))
### Planned features
- Support for more fuzzing engines (e.g.
  [`Radamsa`](https://gitlab.com/akihe/radamsa),
  [`libafl_libfuzzer`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_libfuzzer),
  [`libafl-fuzz`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/forkserver/libafl-fuzz),
  ...)
- Snapshot fuzzing support (e.g. with full-system
  [`libafl_qemu`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_qemu)
  and/or [`nyx`](https://nyx-fuzz.com/))
- Concolic fuzzing engine support
- Automated bug triage
- Automated pull request fuzzing
## Bugs found by Fuzzor
- core-lightning: fuzz-connectd-handshake-act2: Assertion 'write_count == 1 && "too many calls to io_write()"' ([details]())
- core-lightning: fuzz-cryptomsg: Assertion 'cryptomsg_decrypt_body(buf, &cs_in, buf) == NULL' ([details]())
- core-lightning: fuzz-bolt12-bech32-decode: index 128 out of bounds for type 'const int8_t[128]' ([details](https://github.com/ElementsProject/lightning/pull/7322))
- lnd: FuzzProbability: normalization factor is zero ([details](https://github.com/lightningnetwork/lnd/issues/9085))
- lnd: FuzzReplyChannelRange: failed to encode message to buffer ([details](https://github.com/lightningnetwork/lnd/pull/9084))
- bitcoin: wallet_bdb_parser: BDB builtin encryption is not supported ([details](https://github.com/bitcoin/bitcoin/issues/30166))
- bitcoin: rpc: runtime error: reference binding to null pointer of type 'const value_type' ([details](https://github.com/bitcoin/bitcoin/pull/29855))
- bitcoin: script: Assertion '!extract_destination_ret' failed ([details](https://github.com/bitcoin/bitcoin/issues/30615))
- bitcoin: scriptpubkeyman: heap-buffer-overflow miniscript.cpp in CScript BuildScript ([details](https://github.com/bitcoin/bitcoin/issues/30864))
- bitcoin: p2p_headers_presync: Assertion 'total_work < chainman.MinimumChainWork()' failed ([details](https://github.com/bitcoin/bitcoin/pull/31213))
- bitcoin: connman: terminate called after throwing an instance of 'std::bad_alloc' ([details]())
- bitcoin #30243: mocked_descriptor_parse: Assertion '(leaf_version & ~TAPROOT_LEAF_MASK) == 0' failed ([details](https://github.com/bitcoin/bitcoin/pull/30243#issuecomment-2169240015))
- bitcoin #31244: various descriptor parsing crashes ([details](https://github.com/bitcoin/bitcoin/pull/31244#issuecomment-2527475671))
- bitcoin #28584: null-ptr deref ([details](https://github.com/bitcoin/bitcoin/pull/28584#issuecomment-2527495228))
- bitcoin #28584: use of uninitialized memory ([details](https://github.com/bitcoin/bitcoin/pull/28584#issuecomment-2531288821))