Ossfuzz

Ossfuzz automation and integration for continuous fuzz testing of open source projects

Source: trailofbits/skills

OSS-Fuzz is a community skill for integrating open source projects with Google OSS-Fuzz continuous fuzzing infrastructure, covering fuzz target development, build integration, corpus management, crash triage, and coverage analysis for automated vulnerability discovery.

What Is This?

Overview

OSS-Fuzz provides tools for connecting open source software with continuous fuzzing services that automatically discover bugs and security vulnerabilities. It covers fuzz target development that writes test harnesses exercising specific code paths with generated inputs, build integration that configures project builds for fuzzing with sanitizer instrumentation, corpus management that maintains and evolves seed input collections for effective coverage growth, crash triage that processes discovered crashes into minimized reproducible test cases, and coverage analysis that measures which code paths fuzzing reaches to identify gaps. The skill enables maintainers to find bugs through automated testing.

Who Should Use This

This skill serves open source maintainers integrating projects with OSS-Fuzz, security researchers writing fuzz targets for vulnerability discovery, and software teams adding continuous fuzzing to their testing pipelines.

Why Use It?

Problems It Solves

Manual testing cannot explore the vast input space that fuzzing covers through automated generation. Memory safety bugs like buffer overflows and use-after-free errors hide in code paths that unit tests do not exercise. Setting up fuzzing infrastructure from scratch requires significant compute resources and operational effort. Crash reports from fuzzing need automated triage to deduplicate and prioritize findings.

Core Highlights

Target builder creates fuzz harnesses that exercise specific parsing and processing functions. Build configurator sets up sanitizer-instrumented builds for fuzzing. Corpus manager maintains seed inputs and tracks coverage growth. Crash processor triages findings into minimized reproducible reports.

How to Use It?

Basic Usage

// Fuzz target example
#include <stdint.h>
#include <stddef.h>
#include "parser.h"

extern "C" int
LLVMFuzzerTestOneInput(
  const uint8_t *data,
  size_t size) {

  // Skip tiny inputs
  if (size < 4) return 0;

  // Create parser
  Parser *p =
    parser_create();
  if (!p) return 0;

  // Feed fuzzed data
  parser_parse(
    p, data, size);

  // Get result
  ParseResult *r =
    parser_get_result(p);
  if (r) {
    // Exercise output
    parser_result_str(r);
    parser_result_free(r);
  }

  // Cleanup
  parser_destroy(p);
  return 0;
}

Real-World Examples

FROM gcr.io/oss-fuzz-base\
  /base-builder

RUN apt-get update && \
  apt-get install -y \
    make cmake \
    pkg-config

RUN git clone \
  --depth 1 \
  https://github.com\
  /example/project.git

COPY build.sh \
  $SRC/build.sh
COPY fuzz_*.cpp \
  $SRC/
WORKDIR $SRC/project
#!/bin/bash -eu

cd $SRC/project
mkdir build && cd build

cmake .. \
  -DCMAKE_C_COMPILER=\
    $CC \
  -DCMAKE_CXX_COMPILER=\
    $CXX \
  -DCMAKE_C_FLAGS=\
    "$CFLAGS" \
  -DCMAKE_CXX_FLAGS=\
    "$CXXFLAGS"

make -j$(nproc)

$CXX $CXXFLAGS \
  $SRC/fuzz_parser.cpp \
  -I$SRC/project/include \
  -o $OUT/fuzz_parser \
  $LIB_FUZZING_ENGINE \
  build/libproject.a

cp -r $SRC/project\
  /test/corpus \
  $OUT/fuzz_parser_seed\
    _corpus

Advanced Tips

Write fuzz targets that exercise one specific function or parser to keep coverage focused and crashes easy to diagnose. Include seed corpus files from existing test suites to give the fuzzer a starting point with valid input structure. Enable multiple sanitizers including address, memory, and undefined behavior for comprehensive bug detection.

When to Use It?

Use Cases

Integrate a parsing library with OSS-Fuzz to continuously test for memory safety issues. Write fuzz targets for a serialization format handler to discover edge cases in input processing. Set up coverage-guided fuzzing for a network protocol implementation to find security vulnerabilities.

Related Topics

Fuzzing, OSS-Fuzz, libFuzzer, security testing, vulnerability discovery, sanitizers, and continuous testing.

Important Notes

Requirements

C or C++ project with functions suitable for fuzz target wrapping. Docker build environment compatible with OSS-Fuzz base images. Seed corpus files providing initial valid inputs for the fuzzer.

Usage Recommendations

Do: keep fuzz targets simple with minimal setup to maximize the proportion of time spent fuzzing actual logic. Include dictionary files with tokens relevant to the input format to help the fuzzer generate structured inputs. Monitor coverage reports to identify code regions that fuzzing has not reached.

Don't: write fuzz targets that exit early for most inputs since this wastes fuzzing cycles without exercising code. Ignore timeout crashes since they may indicate algorithmic complexity vulnerabilities. Commit seed corpus files that contain sensitive data from production systems.

Limitations

OSS-Fuzz is available only for open source projects that meet the inclusion criteria. Fuzzing effectiveness depends on fuzz target quality and how well the harness exercises relevant code paths. Some bug classes like logic errors and race conditions are difficult for coverage-guided fuzzing to detect without specialized oracles.

More Skills You Might Like

Explore similar skills to enhance your workflow

imap-smtp-email

Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search

Gh Address Comments

Automate and integrate GitHub Address Comments workflows efficiently

Botpress Automation

Automate Botpress operations through Composio's Botpress toolkit via

Aryn Automation

Automate Aryn operations through Composio's Aryn toolkit via Rube MCP

Security Ownership Map

Automate and integrate Security Ownership Map tracking and management

Boost Prompt

Boost Prompt skill for enhancing AI and tech tools with smarter prompt engineering