Comments (5)
Why do you want it? Adding it has a cost and there will be a cost to maintain it.
from clusterfuzzlite.
Well, simple reason for wanting it is to find more bugs faster.
Really?? What cost?? The AFL fuzzer was displayed in your DevSecCon 2022 talk, so I know you are definitely still using it internally, why not add it to ClusterFuzzLite then and let everyone use it?
from clusterfuzzlite.
> Well, simple reason for wanting it is to find more bugs faster.

I think libFuzzer is probably good enough at finding bugs. It finds most of our bugs in OSS-Fuzz so I tend to think it's a bit better.

> Really?? What cost?? The AFL fuzzer was displayed in your DevSecCon 2022 talk,

Well, if there is no cost to making this change, you would have been able to make it yourself, right? I would have to change our code to support this use case, and then fix it when it breaks etc.
Are you using ClusterFuzzLite somewhere and have found libFuzzer insufficient?

> so I know you are definitely still using it internally, why not add it to ClusterFuzzLite then and let everyone use it?

We do use AFL++ in ClusterFuzz but the idea behind ClusterFuzzLite is to be lightweight even at the expense of finding more bugs. If you want to find as many bugs as possible use ClusterFuzz. I want ClusterFuzzLite to be as easy to use as possible, and having multiple engines would confuse users and possibly burden them by having to support multiple builds (as in OSS-Fuzz there's sometimes effort required to support AFL++ in addition to libFuzzer for projects).
from clusterfuzzlite.
I just started exploring clusterfuzzlite, and a mere glance at the Lite tool showed a lot of promise (at scale) which made me ask for an addition of AFL++ thinking it is comparatively easier for the original repo owner to add fuzzers than for others to start from scratch.
Also the DevSecCon talk you presented clearly mentioned adding AFLGo in the “Future Work” slide.
Hence the Ask here.
Nevertheless, I completely understand the somewhat additional work involved and if it’s too cumbersome then please don’t add AFL++, AFLGo or any other AFL-variant in future.
from clusterfuzzlite.
> Also the DevSecCon talk you presented clearly mentioned adding AFLGo in the “Future Work” slide.

I think I meant more the idea behind AFLGo which can target changed code more effectively.

> Nevertheless, I completely understand the somewhat additional work involved and if it’s too cumbersome then please don’t add AFL++, AFLGo or any other AFL-variant in future.

Yeah, good to keep this issue open but I don't think it is likely to be added. Though we might change over to google/centipede (probably no sooner than a year from now) but this change probably won't even be visible to users.
from clusterfuzzlite.