by evmunro 2672 days ago
P.s. Know someone who maintains an open-source project, written in C, C++, Go or Python, that should be fuzzed? Please send an email to oss@fuzzbuzz.io. We’d love to fuzz your code for free on our platform and make the world’s open-source software more secure.
2 comments

Can't they do this w/oss-fuzz already?
They certainly could if their project is large enough! Every widely-used C/C++ project should use OSS-Fuzz, it's an awesome service.

We support a couple of languages that OSS-Fuzz doesn't (Go & Python as of now), which is why I thought this was worth mentioning :)

>We support a couple of languages that OSS-Fuzz doesn't (Go & Python as of now), which is why I thought this was worth mentioning :)

I thought the main benefit of fuzzing was finding memory security bugs. If your program is crashing or otherwise erroring out given crazy input that's something you want to fix because it is potentially exploitable. With Python/Go that's not really an attack vector. So what's the benefit from finding out that some crazy input crashes my Python program?

Memory security issues have been the main focus of fuzzing, but it's really useful for other use cases as well, such as: slowness/hangs, assert failures, panics, excessive resource consumption and DoS attacks. We've also done some work with Go to detect race conditions while fuzzing.

You can also do differential fuzzing to compare 2 different implementations that solve the same problem, or fuzz for invariant violations/assertion failures. I think the possibilities extend far beyond just memory safety, and I'm really looking forward to finding other areas in which fuzzing is applicable.
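The differential fuzzing mentioned in the comment above, as an added example that is not part of the original thread or of any project named in it: random inputs go to a reference decoder (Python's `urllib.parse.unquote_to_bytes`) and to a hand-rolled one, and any disagreement is shrunk to a minimal input. `candidate_unquote`, its deliberate off-by-one bug, and the helper names are constructed for illustration.

```python
import random
from urllib.parse import unquote_to_bytes  # reference implementation

HEX = b"0123456789abcdefABCDEF"

def candidate_unquote(data: bytes) -> bytes:
    """Constructed hand-rolled percent-decoder with a deliberate off-by-one."""
    out, i = bytearray(), 0
    while i < len(data):
        pair = data[i + 1:i + 3]
        # BUG (intentional): the bound should be `i + 2 < len(data)`, so an
        # escape that ends the input is copied through instead of decoded.
        if data[i] == 0x25 and i + 3 < len(data) and all(c in HEX for c in pair):
            out.append(int(pair.decode("ascii"), 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def disagree(reference, candidate, data: bytes) -> bool:
    """True if the candidate raises or its output differs from the reference."""
    try:
        return candidate(data) != reference(data)
    except Exception:
        return True

def shrink(reference, candidate, data: bytes) -> bytes:
    """Greedily delete single bytes while the two implementations still disagree."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            smaller = data[:i] + data[i + 1:]
            if disagree(reference, candidate, smaller):
                data, shrunk = smaller, True
                break
    return data

def differential_fuzz(reference, candidate, iterations=2000, seed=1234):
    """Return a minimized input on which the implementations differ, or None."""
    rng = random.Random(seed)
    alphabet = b"%4aZ"  # small alphabet so escapes and near-escapes are common
    for _ in range(iterations):
        data = bytes(rng.choice(alphabet) for _ in range(rng.randint(1, 6)))
        if disagree(reference, candidate, data):
            return shrink(reference, candidate, data)
    return None

if __name__ == "__main__":
    print(differential_fuzz(unquote_to_bytes, candidate_unquote))
```

Neither decoder crashes on the reported input; the bug shows up only because the two outputs are compared, which is why this technique is useful in memory-safe languages.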

Have you guys run FuzzBuzz against FuzzBuzz? If so, how many bugs did you find?
Crashes are exploitable too -- you definitely don't want someone to be able to take your website offline just by sending it a malformed packet. You might not leak user data, but being DoS'd is no fun either.
Debian Developer here.. I wonder how much of our core infrastructure this could cover given the Python support.
If you're interested in giving it a go, I could set you up with an OSS plan & some free CPU power - let me know!

everest@fuzzbuzz.io