QuickFuzz

An experimental grammar fuzzer in Haskell using QuickCheck

View project on GitHub

QuickFuzz

QuickFuzz, a tool written in Haskell designed for testing unexpected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers. Unlike other generational fuzzers, QuickFuzz does not require to write specifications for the file formats in question since it relies on existing file-format-handling libraries available on the Haskell code repository. QuickFuzz is open-source (GPL3) and it can use other bug detection tools like zzuf, radamsa, honggfuzz and valgrind.

News

  • We will be presenting QuickFuzz in C◦mp◦se 2017!
  • Our intern, Franco Costantini improved a lot the generation of random source code enforcing variable coherence. This feature is enabled in Javascript, Lua, Python and Bash, but it can easily extended for other languages.
  • QuickFuzz is now included in Gentoo!
  • An academic article on QuickFuzz will be presented at the Haskell Symposium 2016 (preprint)!

Bugs lost and found

Quick introduction to QuickFuzz

In this example, we uncover a null pointer dereference in gif2webp from libwebp 0.5:

$ QuickFuzz test gif "./gif2webp @@ -o /dev/null" -l 1 -u 10 -f radamsa
...
Test case number 4481 has failed. 
Moving to outdir/QuickFuzz.68419739009.4481.3692945303624111961.1.gif
...

We found a crash. We can inspect it manually to verify it is a null pointer issue:

$ ./gif2webp outdir/QuickFuzz.68419739009.4481.3692945303624111961.1.gif
==10953== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 
(pc 0x000000403ff9 sp 0x7fffffffd6e0 bp 0x7fffffffded0 T0)
AddressSanitizer can not provide additional info.
#0 0x403ff8 (examples/gif2webp+0x403ff8)
#1 0x7ffff437af44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
#2 0x401b18 (examples/gif2webp+0x401b18)
==10953== ABORTING

Finally, we can shrink the crashing input to obtain a smaller file:

$ QuickFuzz test gif "./gif2webp @@ -o /dev/null" -l 1 -s 3692945303624111961 -f radamsa -r
Test case number 1 has failed. 
Moving to outdir/QuickFuzz.68997856397.1.3692945303624111961.1.gif
Shrinking over bytes has begun...
Testing shrink of size 48
Testing shrink of size 47
...
Testing shrink of size 15
Shrinking finished
Reduced from 48 bytes to 16 bytes
After executing 554 shrinks with 33 failing shrinks. 
Saving to outdir/QuickFuzz.68997856397.1.3692945303624111961.1.gif.reduced
Finished!

List of file types to generate

Downloads

Pre-compiled and compressed (bzexe) binaries supporting all the file formats are available here:

Otherwise QuickFuzz can be easily compiled using stack.

CircleCI

Mailing list

You can join the QuickFuzz mailing group to get notifications of new features and releases. To join, you can send an empty email to QuickFuzz-users+subscribe@googlegroups.com.

Authors

The QuickFuzz team

Students

  • Franco Costantini
  • Lucas Salvatore

Former Members

Acknowledgements

  • ayberkt and NineFx for the bug reports and pull requests.
  • Sergei Trofimovich for adding QuickFuzz to the official Gentoo repository and porting it to GHC8!
  • Special thanks go to all the developers of the Hackage packages that make it possible for QuickFuzz to generate several complex file-formats.