Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On 07/02/2013 11:23 PM, Dean Jackson wrote: Is it out yet? Yes, you can find the first post of the series here: http://webkit.sed.hu/blog/20130710/fuzzinator-mutation-and-generation-based-browser-fuzzer Cheers, Reni ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On 27/06/2013, at 2:48 AM, Renáta Hodován hodo...@inf.u-szeged.hu wrote: On 06/26/2013 12:30 AM, Zoltan Horvath wrote: Hey Reni, This project sounds cool! I think you will answer some of my questions in your blog post, so I don't ask just one now... Do you know the date it's going to be published? Hopefully next week you can read it ;) Is it out yet? Dean ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Actually yes. If you wrote the language specific parts, you can extend it arbitrarily. Reni On 06/27/2013 11:28 AM, Balazs Kelemen wrote: On 06/27/2013 10:21 AM, Renáta Hodován wrote: Hi Dave, This is a good idea! What's more it seems it's not so hard to add MathML support to the fuzzer. Maybe in a few days (or in worst case next week) I can put it into it. I think the question was about whether your system is modularized well enough that it is easy for other people to extend it. Long term this is a very valid goal. Br, Balazs ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Hi Dave, This is a good idea! What's more it seems it's not so hard to add MathML support to the fuzzer. Maybe in a few days (or in worst case next week) I can put it into it. Cheers, Reni On 06/27/2013 01:01 AM, David Kilzer wrote: This is great! You mentioned in a follow-up that you were going to write an extension for WebGL. Is it easy to write extensions for Fuzzinator? I'm curious how much effort it would be to write a MathML extension as well. Thanks! Dave ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On 06/27/2013 10:21 AM, Renáta Hodován wrote: Hi Dave, This is a good idea! What's more it seems it's not so hard to add MathML support to the fuzzer. Maybe in a few days (or in worst case next week) I can put it into it. I think the question was about whether your system is modularized well enough that it is easy for other people to extend it. Long term this is a very valid goal. Br, Balazs ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On 06/25/2013 09:48 PM, Benjamin Poulain wrote: On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.hu mailto:hodo...@inf.u-szeged.hu wrote: as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) First, I would like to say welcome to our new fuzzing overlords. :) Thanks :) What is your plan for the tool itself? Is it opensource? Will it be added to webkit.org http://webkit.org? Experience shows our tools are the most useful when they are completely automated behind maintained bots doing most of the jobs. Do you have any long term plans like that? Ultimately the goal of this project is to have an automated tool that is running all day long and is reporting the discovered bugs. Actually this is working locally on a few computers already, however automatically sharing the results has technical and security issues. Currently the received failing tests are too large to post without minimization to bugzilla. On the other hand, reporting every found bug automatically and immediately, regardless of its type (security or not), might not be a wise thing. However, what's sure for now is that all found bugs will be reported: security issues tagged appropriately, and others as publicly visible. Further plans are: * extension with WebGL support * mixing the a current fuzzers and generating complex but still coherent webpages * adding automatism to rebuild the browser under testing regularly (e.g., fetching a binary built by a build bot slave linked to webkit.org on a daily (or whatever) basis.) * implementing automatism to minimise the found bugous input Cheers, Reni Benjamin ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Hi Renáta, Thanks for undertaking this effort. Is it possible for your fuzzer to run under guard malloc or ASAN(AddressSanitizer) and catch security problems? We could also improve our annotation in the codebase to use ASSERT_WITH_SECURITY_IMPLICATION if that helps. - R. Niwa On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.huwrote: Hi folks, as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) Cheers, Reni ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On 06/26/2013 12:30 AM, Zoltan Horvath wrote: Hey Reni, This project sounds cool! I think you will answer some of my questions in your blog post, so I don't ask just one now... Do you know the date it's going to be published? Hopefully next week you can read it ;) ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Hey, On 06/26/2013 06:51 PM, Ryosuke Niwa wrote: Hi Renáta, Thanks for undertaking this effort. Is it possible for your fuzzer to run under guard malloc or ASAN(AddressSanitizer) and catch security problems? ofc it's possible. You can run it with any browser and with any options. We could also improve our annotation in the codebase to use ASSERT_WITH_SECURITY_IMPLICATION if that helps. Yeah, it'd be great. I've already found a failure on such assertion and was much easier to identify the reason of the problem. Reni - R. Niwa On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.hu mailto:hodo...@inf.u-szeged.hu wrote: Hi folks, as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) Cheers, Reni ___ webkit-dev mailing list webkit-dev@lists.webkit.org mailto:webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On Jun 25, 2013, at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.hu wrote: Hi folks, as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. This is great! You mentioned in a follow-up that you were going to write an extension for WebGL. Is it easy to write extensions for Fuzzinator? I'm curious how much effort it would be to write a MathML extension as well. Thanks! Dave ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.huwrote: as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) First, I would like to say welcome to our new fuzzing overlords. :) What is your plan for the tool itself? Is it opensource? Will it be added to webkit.org? Experience shows our tools are the most useful when they are completely automated behind maintained bots doing most of the jobs. Do you have any long term plans like that? Benjamin ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Hey Reni, This project sounds cool! I think you will answer some of my questions in your blog post, so I don't ask just one now... Do you know the date it's going to be published? Cheers, Zoltan On Tue, Jun 25, 2013 at 1:14 PM, Philip Rogers p...@google.com wrote: +1 to fuzzing! If this could be setup as a continuously running bot, we could remove several fuzzer Layouttests which unnecessarily stress the testing infrastructure. Philip On Tue, Jun 25, 2013 at 12:48 PM, Benjamin Poulain benja...@webkit.orgwrote: On Tue, Jun 25, 2013 at 1:56 AM, Renáta Hodován hodo...@inf.u-szeged.huwrote: as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) First, I would like to say welcome to our new fuzzing overlords. :) What is your plan for the tool itself? Is it opensource? Will it be added to webkit.org? Experience shows our tools are the most useful when they are completely automated behind maintained bots doing most of the jobs. Do you have any long term plans like that? Benjamin ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] Fuzzinator, a mutation based web fuzzer
Renáta Hodován skrev 2013-06-25 11:56: Hi folks, as many of you know already I'm working on an universal web fuzzer, which is able to generate random test cases for both svg, html, css and js, and test them against any browser. With this method we can catch crashes, assertions, memory corruptions and all the funny things. A few words about it: Fuzzinator learns from existing test cases and based on this information it generates new tests that are syntactically correct. Beside this randomized step I also put some language specific knowledge into the tests too. Further details about the theoretical background will be shared in a blogpost soon. However the results are available in public already and they are collected under a metabug in bugzilla: https://bugs.webkit.org/show_bug.cgi?id=116980. So should any of you feel like browsing or fixing them, don't hesitate to start with it ;) Cheers, Reni ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev sounds all fuzzy;-) ___ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev