Cargo Fuzz

Cargo Fuzz is a community skill for fuzz testing Rust projects using cargo-fuzz and libFuzzer, covering fuzz target creation, corpus management, crash triage, coverage-guided fuzzing configuration, and integration into CI pipelines for automated Rust code security testing.

What Is This?

Overview

Cargo Fuzz provides patterns for setting up and running coverage-guided fuzz testing on Rust code. It covers fuzz target creation that writes harness functions exercising parsing, serialization, and input handling code, corpus management that maintains seed inputs and minimizes crash reproduction sets, crash triage that deduplicates and analyzes discovered crashes to identify root causes, coverage-guided configuration that tunes fuzzer parameters for maximum code path exploration, and CI integration that runs fuzz campaigns as part of continuous testing. The skill enables systematic discovery of memory safety and logic bugs in Rust code through automated fuzzing.

Who Should Use This

This skill serves Rust developers testing parsers, serializers, and input handling code for robustness, security teams running fuzz campaigns against Rust libraries, and open source maintainers adding continuous fuzzing to their projects. Teams working on cryptographic libraries or network-facing code will find fuzzing particularly valuable for uncovering subtle edge cases.

Why Use It?

Problems It Solves

Unit tests cover expected inputs but miss edge cases that trigger panics or logic errors. Manual testing cannot explore the full input space of complex parsers. Rust prevents memory unsafety in safe code but logic bugs and panics still cause crashes. Integrating fuzzing into existing Rust projects requires boilerplate setup. Discovering bugs in production parsers before attackers find them reduces security incident risk. Projects that accept untrusted external input are especially vulnerable to these classes of bugs.

Core Highlights

Target scaffolder generates fuzz harness boilerplate for Rust functions. Corpus builder seeds the fuzzer with meaningful initial inputs. Crash analyzer deduplicates findings and extracts minimal reproduction cases. CI runner executes time-boxed fuzz campaigns in pipelines.

How to Use It?

Basic Usage

// fuzz/fuzz_targets/parse.rs
#![no_main]
use libfuzzer_sys::fuzz_target;
use my_crate::parse_input;

fuzz_target!(|data: &[u8]| {
    if let Ok(s) =
        std::str::from_utf8(
            data)
    {
        let _ =
            parse_input(s);
    }
});

Real-World Examples

cargo install cargo-fuzz
cargo fuzz init

mkdir -p fuzz/corpus/parse
echo '{"key": "value"}' \
  > fuzz/corpus/parse/seed1
echo '<root>text</root>' \
  > fuzz/corpus/parse/seed2

cargo fuzz run parse \
  -- -max_total_time=300

cargo fuzz tmin parse \
  fuzz/artifacts/parse/crash1

cargo fuzz coverage parse

Advanced Tips

Use the arbitrary crate to generate structured inputs instead of raw byte slices for more effective fuzzing of typed APIs. Set max_len to limit input size and prevent the fuzzer from wasting cycles on unrealistically large inputs. Run multiple fuzz targets in parallel across different CPU cores to maximize coverage per hour. Add sanitizer flags like AddressSanitizer and UndefinedBehaviorSanitizer for detecting memory corruption in unsafe blocks during fuzz runs. When using AddressSanitizer, review the output carefully because it provides precise stack traces that significantly accelerate root cause analysis.

When to Use It?

Use Cases

Fuzz a JSON parser to discover panic-inducing edge cases in malformed input handling. Run continuous fuzzing on a network protocol library to catch deserialization bugs. Add cargo-fuzz targets to an open source project for integration with OSS-Fuzz, which provides free continuous fuzzing infrastructure for qualifying projects.

Related Topics

Fuzz testing, Rust testing, libFuzzer, coverage-guided fuzzing, and software security.

Important Notes

Requirements

Rust nightly toolchain for cargo-fuzz compilation. cargo-fuzz installed via cargo install. Linux or macOS environment as libFuzzer has limited Windows support. Sufficient disk space for corpus storage which can grow to several gigabytes during extended campaigns.

Usage Recommendations

Do: seed the corpus with valid and near-valid inputs to help the fuzzer reach deeper code paths faster. Minimize crash inputs before filing bug reports to isolate the trigger. Run fuzzing for extended periods as some bugs only surface after hours of exploration.

Don't: fuzz only with empty corpus as the fuzzer will spend excessive time on trivial input mutations. Ignore panics in fuzz targets assuming they are harmless since panics indicate unhandled error conditions. Run fuzzing in production environments where crashes could affect service availability.

Limitations

Coverage-guided fuzzing is most effective on input parsing code and less effective on stateful logic. Fuzz campaigns may run for hours without finding bugs giving no guarantee of completeness. Unsafe Rust blocks can still contain memory safety bugs that fuzzing may not reliably trigger. Fuzz targets testing async code require additional setup to run within a synchronous harness context.