fuzzing NTPsec with afl
royce at tycho.org
Mon Nov 21 23:34:58 UTC 2016
On Mon, Nov 21, 2016 at 2:18 PM, Kurt Roeckx <kurt at roeckx.be> wrote:
> On Mon, Nov 21, 2016 at 02:11:12PM -0900, Royce Williams wrote:
>> If those minimal changes are turned into a compile-time option, this
>> would enable adding fuzzing to the rolling test suite, perhaps using
>> some of Susan's resources.
> Google also provides resources via oss-fuzz. If you can read from
> stdin, it should also be easy to fuzz with other fuzzers like
Indeed. And my understanding is that stdin is often much faster than
equivalent network-level testing, which translates to a lot more
coverage per wall-clock hour (which is important for this kind of
Ideally, we could enable some kind of basic coverage for both methods
-- stdin and network-based. This would more closely model the actual
threat landscape and attackers' capabilities.
But between the two, stdin would be the best bang for the buck.
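
An added sketch of the compile-time switch discussed in this thread (not part of the original message and not NTPsec code): one packet handler fed from stdin when built with `-DFUZZ_STDIN` for afl, or from a UDP socket otherwise. The names `handle_packet`, `get_packet`, `FUZZ_STDIN` and port 12300 are hypothetical, and the handler checks only the first two header bytes.

```c
/* Added illustration; all names are hypothetical, not NTPsec's. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define NTP_MIN_LEN 48          /* fixed NTP header, no extensions or MAC */
struct ntp_hdr { uint8_t leap, version, mode, stratum; };

/* Shared packet handler: the code under test is identical in both builds. */
int handle_packet(const uint8_t *buf, size_t len, struct ntp_hdr *out)
{
    if (len < NTP_MIN_LEN) return -1;   /* reject short input before parsing */
    out->leap    = buf[0] >> 6;
    out->version = (buf[0] >> 3) & 0x7;
    out->mode    = buf[0] & 0x7;
    out->stratum = buf[1];
    if (out->version < 1 || out->version > 4) return -1;
    return 0;
}

/* Input source chosen at compile time: stdin for afl, UDP otherwise. */
static ssize_t get_packet(uint8_t *buf, size_t cap)
{
#ifdef FUZZ_STDIN
    return read(STDIN_FILENO, buf, cap);        /* one test case per run */
#else
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(12300),
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    ssize_t n = recv(s, buf, cap, 0);           /* blocks for one datagram */
    close(s);
    return n;
#endif
}

int main(void)
{
    uint8_t buf[1024];
    struct ntp_hdr h;
    ssize_t n = get_packet(buf, sizeof buf);
    if (n < 0) return 1;
    printf("%s\n", handle_packet(buf, (size_t)n, &h) == 0 ? "accepted" : "rejected");
    return 0;
}
```
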