Awesome

OSS-Sydr-Fuzz: Hybrid Fuzzing for Open Source Software

This repository is a fork of OSS-Fuzz project. OSS-Sydr-Fuzz contains open source software targets for sydr-fuzz that combines fuzzing (libFuzzer, AFL++) with the power of dynamic symbolic execution (Sydr).

Project Structure

Each open source target project provides:

• Fuzz target for libFuzzer
• Fuzz target for AFL++
• Fuzz target for Sydr
• Target built with llvm-cov
• Build script
• Dictionary
• Initial seed corpus
• Dockerfile that installs dependencies, builds targets, creates initial corpus, etc.
• Hybrid fuzzing configuration file for sydr-fuzz
• Instructions to start hybrid fuzzing

NOTE: Some listed above files may not be present or can be gathered from external repositories.

Supported Open Source Projects

Supported projects are located here. In addition to C/C++ projects Sydr-Fuzz currently supports:

• Rust: capstone-rs, image-rs, goblin, libhtp-rs, vector-rs, rust-regex, serde-json, gdb-command;
• Go: image-go;
• Python: crunch, h5py, msgspec, pillow, pytorch-py, ruamel-yaml, tensorflow-py, ultrajson, langchain;
• Java: hsqldb, json-sanitizer;
• JavaScript: fast-xml-parser, node-xml2js;
• С#: yamldotnet, cppsharp.

Contributing

Feel free to support new fuzz targets. The workflow is following:

1. Compose targets for libFuzzer and Sydr.
2. Prepare build script.
3. Build Dockerfile with all targets.
4. Provide sydr-fuzz configuration files.
5. Write README with commands to run fuzzing.

Trophies

The list of discovered bugs can be found here.

Cite Us

Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle [paper] [demo] [slides]

Vishnyakov A., Kuts D., Logunova V., Parygina D., Kobrin E., Savidov G., Fedotov A. Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle. 2022 Ivannikov ISPRAS Open Conference (ISPRAS), IEEE, 2022, pp. 111-123. DOI: 10.1109/ISPRAS57371.2022.10076861

@inproceedings{vishnyakov22-sydr-fuzz,
  title = {{{Sydr-Fuzz}}: Continuous Hybrid Fuzzing and Dynamic Analysis for
           Security Development Lifecycle},
  author = {Vishnyakov, Alexey and Kuts, Daniil and Logunova, Vlada and
            Parygina, Darya and Kobrin, Eli and Savidov, Georgy and Fedotov,
            Andrey},
  booktitle = {2022 Ivannikov ISPRAS Open Conference (ISPRAS)},
  pages = {111--123},
  year = {2022},
  publisher = {IEEE},
  doi = {10.1109/ISPRAS57371.2022.10076861},
}