[Automated Fuzz Driver Generation] GraphFuzz on JsonBox

Thoughts while Testing

Targetting a Function

• With 1 process of 6 hours of test, GraphFuzz only covered 50.9% line coverage.
• Some endpoint drivers are called a significantly smaller amount of times than others (due to randomness).
• I have experimented by removing other endpoint driver in schema in hopes of testing certain function more.
• By doing so, GraphFuzz was able to cover more lines in that specific function than when it was tested with all the other API functions written in schema.
• Maybe the downfall of GraphFuzz is that we cannot target a specific function to test.

 

Leakage

• Libfuzzer counts the amount of malloc and free calls when executing a mutation.
• When the numbers don't match, libfuzzer invokes leaksanitizer exitting the process.
• GraphFuzz creates graphs with mismatching count of malloc and free.
• Testing is restricted whenever such graphs are formed.
• I have changed settings of detect_leaks to 0.
• seems address sanitizer detect true leakage.

 

Input Dictionary

• Some conditions in JsonBox contain comparison with defined characters.
• through writing a dictionary in libfuzzer
• guide random selection to select inputs in given dictionary

 

More Process

• with 32 process of 1 hour 30 minute test, GraphFuzz covered 85.8% line coverage.

 

Things to consider in future testing

• Recording which kind of crash ocurrs
• How long it took to find first crash
• Knowing how many crashes it finds in given time costs
• Reasons to why some line or branch are not covered