# Fuzz testing in Chromium

[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing)

[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece
of target code in an attempt to crash the code. It's one of the most effective
methods we have for finding security and stability issues (see
[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the
benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz).

This documentation covers the in-process guided fuzzing approach employed by
different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
ClusterFuzz documentation.

[TOC]

## Getting Started

In Chromium, you can easily create and submit fuzz targets. The targets are
automatically discovered by buildbots, built with different fuzzing engines,
then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.

You should fuzz any code that consumes input from untrusted sources, such
as the web. If the code parses, decodes, or otherwise manipulates that input,
it's an especially good idea to fuzz it.

Create your first fuzz target and submit it by stepping through our [Getting
Started Guide].

## Advanced Topics

* [Using libfuzzer instead of FuzzTest].
* [Improving fuzz target efficiency].
* [Creating a fuzz target that expects a protobuf] instead of a byte stream as
  input.

  *** note
  **Note:** You can also fuzz code that needs multiple mutated
  inputs, or that needs inputs defined by a grammar.
  ***

* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz.
* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers.

## Further Reading

* [LibFuzzer integration] with Chromium and ClusterFuzz.
* [Detailed references] for other integration parts.
* Writing fuzzers for the [non-browser parts of Chrome OS].
* [Fuzzing browsertests] if you need to fuzz multiple Chrome subsystems.

## Trophies
* [Issues automatically filed] by ClusterFuzz.
* [Issues filed manually] after running fuzz targets.
* [Bugs found in PDFium] by manual fuzzing.
* [Bugs found in open-source projects] with libFuzzer.

## Other Links
* [Guided in-process fuzzing of Chrome components] blog post.
* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
  libFuzzer.
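As an added example (not Chromium's own code) of the kind of target the Getting Started section asks for, here is a minimal libFuzzer-style fuzz target for a hypothetical tag/length/value record parser, the sort of untrusted-input parsing code that is worth fuzzing; `ParseRecords` and `Record` are constructed for this illustration, and only `LLVMFuzzerTestOneInput` is the real libFuzzer entry point.

```cpp
// Added example, not Chromium code. Build with
//   clang++ -g -O1 -fsanitize=fuzzer,address fuzz_records.cc
// libFuzzer supplies main() and calls LLVMFuzzerTestOneInput with mutated
// inputs until a crash or sanitizer report is produced.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct Record {
  uint8_t tag = 0;
  std::string value;
};

// Hypothetical parser for a stream of [tag:1][len:1][value:len] records.
// Returns false on a truncated record instead of reading past the buffer;
// the bounds checks are exactly what a fuzzer exercises.
bool ParseRecords(const uint8_t* data, size_t size, std::vector<Record>* out) {
  size_t pos = 0;
  while (pos < size) {
    if (size - pos < 2) return false;     // need both tag and length bytes
    uint8_t tag = data[pos];
    size_t len = data[pos + 1];
    pos += 2;
    if (len > size - pos) return false;   // value would run off the end
    Record r;
    r.tag = tag;
    r.value.assign(reinterpret_cast<const char*>(data + pos), len);
    out->push_back(r);
    pos += len;
  }
  return true;
}

// libFuzzer entry point: must accept arbitrary bytes without crashing and
// always return 0 (non-zero return values are reserved by libFuzzer).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<Record> records;
  if (ParseRecords(data, size, &records)) {
    // Invariant: a successful parse consumed every input byte. Trapping on
    // violation turns a logic bug into a crash the fuzzer can report.
    size_t consumed = 0;
    for (const Record& r : records) consumed += 2 + r.value.size();
    if (consumed != size) __builtin_trap();
  }
  return 0;
}
```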

[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies
[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
[ClusterFuzz]: https://clusterfuzz.com/
[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md
[Detailed references]: reference.md
[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
[Fuzzing browsertests]: fuzzing_browsertests.md
[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md
[Getting Started Guide]: getting_started.md
[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
[Improving fuzz target efficiency]: efficient_fuzzing.md
[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/main/testing/fuzzing.md
[Reproducing bugs]: reproducing.md
[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
[go/fuzzing-success]: https://goto.google.com/fuzzing-success
[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
[libFuzzer integration]: libFuzzer_integration.md
[Using libfuzzer instead of FuzzTest]: getting_started_with_libfuzzer.md