My blog post about #fuzzing #go project golang/image: https://github.com/ispras/oss-sydr-fuzz/wiki/Fuzzing-golang-image-%28Go%29-project-with--sydr-fuzz-%28go-fuzz-backend%29
0. Changing existing fuzz target to find new bugs.
1. Creating target for symbolic execution.
2. Approach for code coverage collection after fuzzing with go-fuzz libFuzzer.
3. Go panic triage with #casr.
4. Fix: https://github.com/golang/image/pull/14

New casr 2.4.0 is available!
https://github.com/ispras/casr/releases/tag/v2.4.0
casr-cli now provides a joint statistics all over reports!
casr-afl now copies crashes next to reports, produces casr reports in parallel and prints casr-cli joint statistics!
#casr #AFLplusplus

Today is a good day! I decided to postpone my preparation for lectures and do more interesting things like #fuzzing. Several weeks ago, I finished the #go language crash course at #exercism. I couldn't say I'm a Go developer now, but LinkedIn has already offered some job vacancies (that's looks funny as for me🤣). But this story is about Go fuzzing. Before the new year, I succeeded in building libFuzzer target with go-fuzz for go-toml, but I failed in building target for symbolic executor. This target just needs to read raw file and feed it to FuzzToml function. I know, it sounds simple, but not for me, the person who only wrote Go code in browser:). But today, I have managed to build a target and start hybrid fuzzing with libFuzzer and Sydr! Now I want to find a victim: some some #go project that is not being fuzzed hard. I need to get some crashes to test our #casr crash triage tool. How it deals with Go projects. If you have an idea about such a project, please let me know:).

Just played a bit with Atheris. Looks very familiar, because I used libFuzzer before a lot. #casr was as always helpful (400+ crashes narrowed down to 8 clusters). Some details of my experiments could be found here: https://github.com/ispras/oss-sydr-fuzz/wiki/Fuzzing-ruamel-yaml-(Python)-project-with--sydr-fuzz-(Atheris-backend)
P.S. Do we have something similar to Atheris but based on @aflplusplus or #libafl?
#fuzzing #python

@insanitybit I use @aflplusplus as fuzzer, sometimes libfuzzer. We have Sydr - a dynamic symbolic execution tool, and we have sydr-fuzz that provides integration between AFL++ and Sydr, but Sydr isn't open source (we have some research papers about Sydr and sydr-fuzz). From open source DSE, I'll recommend Fuzzolic. It's fast and has integration with AFL++. For crash triaging, I use #casr https://github.com/ispras/casr. It also has integration with AFL++.

I found out that using ‐C panic=abort for #fuzzing #rust fuzz targets with @aflplusplus, for example, could produce more accurate and compact stacktraces for further triaging with #casr.

Checkout new #casr 2.3.0 release!!!
https://github.com/ispras/casr
- rust panic support in casr-san/casr-gdb
- c++ exceptions support in casr-san/casr-gdb
- casr-python for creating CASR reports from python crashes🔥​

P. S. Merry Christmas! ❄️​❄️​❄️​
#fuzzing #afl #aflplusplus #python

At last, new casr 2.2.0 release with casr-afl!!!
Triaging crashes found by @aflplusplus as simple as it could be:
$ cargo install casr
$ casr-afl -i afl-out -o casr-out
$ casr-cli casr-out/cl1/<report_name>

https://github.com/ispras/casr

#casr #fuzzing #afl #AFLplusplus

I just read #libafl paper. I'm so excited! @andreafioraldi @dmnk @aflplusplus @thc It's awesome! I also have already played with baby_fuzzers, so nice:)).
I definitely need to go deeper and build my own fuzzer! Also, I'm thinking about opportunities in integration #libafl with #casr (https://github.com/ispras/casr).

#fuzzing #rust

I've just finished my work on casr-afl! Now it's possible to create casr crash reports from @aflplusplus output directory! Awaiting review, @VishnyaSweet ;). Here are some pics!
https://github.com/ispras/casr/pull/17
#casr #fuzzing #afl

A little bit late for #Introduction, but anyway:).
Hi! I'm a computer scientist interested in developing software analysis tools, programming languages and algorithms, dynamic symbolic execution and fuzzing, crash analysis and severity estimation of software bugs.
I work for the Compiler Technology Department at ISP RAS as a research team lead. I with my incredible team work on dynamic analysis tools (Sydr, sydr-fuzz) and crash triage tool #casr https://github.com/ispras/casr . Also, we applying hybrid fuzzing approaches to open source software and found 80+ bugs already (https://github.com/ispras/oss-sydr-fuzz/blob/master/TROPHIES.md).
My Ph.D thesis is dedicated to automated exploit generation using dynamic symbolic execution, but now I focused on hybrid fuzzing:).
My first steps in computer science (it was at school) I made due to cracking tutorials by Ricardo Narvaja (they are awesome!).

About half a year ago we began our work in improving security for machine learning frameworks (TensorFlow, PyTorch) by applying static and dynamic analysis. We managed to fix some warnings generated by Svace static analyzer:
https://github.com/tensorflow/tensorflow/pull/57892
https://github.com/pytorch/pytorch/pull/85705
There are still a lot of warrings awaiting to be analyzed, but this work is going on step by step.
Applying dynamic analysis (fuzzing) to machine learning frameworks it is not an easy task. There are many nice fuzz targets in TensorFlow, and it is already well fuzzed by https://github.com/google/oss-fuzz. We applied successfully #sydr-fuzz to TensorFlow. It was very nice to see that DSE helps fuzzer on a such complex target. After several runs of fuzzing in our CI system, we managed to find an interesting infinite loop: https://github.com/tensorflow/tensorflow/pull/56455.
I couldn't say was it due to dynamic symbolic execution or we were just so highly motivated:).
Applying hybrid fuzzing to PyTorch, we had to develop fuzz targets from scratch. Of course, new fuzz targets produce lots of crashes. Thanks to #casr (https://github.com/ispras/casr) we managed to convert them into several bugs (https://github.com/ispras/oss-sydr-fuzz/blob/master/TROPHIES.md). Lot's of interesting parsing that could be fuzzed is located in torchvision. We focused on image parsing (https://github.com/pytorch/vision/pull/6456). All fuzz targets for PyTorch and TorchVision could be find here: https://github.com/ispras/oss-sydr-fuzz.
We are open for some new ideas about fuzzing TensorFlow and PyTorch!
#fuzzing #machinelearning #tensorflow #pytorch

Two years ago we started to develop our dynamic analysis tools: Sydr (Dynamic symbolic executor), sydr-fuzz (hybrid fuzzer), CASR (crash triage tool, open-sourced). At first we needed to answer an important question: which program language to choose?
Sydr is based on Triton (c++), and DynamoRIO (C), so the answer was easy, we chose C++ and a little bit C. But what is about sydr-fuzz & CASR? This tools are written from scratch.
My colleague and friend told me about Rust. He was very found of this language and already used it in his work. Rust attracted me from the beginning. And I decided that sydr-fuzz and CASR would be written in Rust. Although it was hard decision, because neither me nor my team haven't been familiar with this language. But it was the right choice!
Rust provide not only safety and performance, but very cool std and core libs, that have many useful APIs. Very powerful package manager : cargo, with linters (cargo clippy), formater (cargo fmt), or even fuzzers (cargo fuzz). When you write code in Rust, you spend less time for debugging it. As the result you get working tools faster and they are still safe and stable!
#rust #fuzzing #casr