[HN Gopher] Jazzer brings modern fuzz testing to the JVM
___________________________________________________________________
Author : lrngjcb
Score : 65 points
Date : 2021-02-10 15:09 UTC (7 hours ago)
(HTM) web link (blog.code-intelligence.com)
| asicsp wrote:
| I feel the current title "Jazzer brings modern fuzz testing to
| the JVM" should include "open source" as well, since the article's
| title is "Fuzz Testing for JVM is now Open Source".
| invokestatic wrote:
| Interesting. I had a project that I wanted to use libFuzzer with
| custom instruction instrumentation. I never quite figured out how
| to pass the custom instrumentation data back to libFuzzer.
|
| This project seems to do just that by calling
| __sanitizer_cov_trace_cmp4. In retrospect, this seems like the
| obvious solution, and quite brilliant of this project to do that!
| kodablah wrote:
| A little while back I wrote something similar[0]. Basically I
| applied AFL principles to the JVM by similarly implementing
| bytecode instrumentation in the lightest way I could and having
| "passes" of sorts that manipulated inputs using stages like AFL
| does. The readme explains the implementation details (I don't
| really maintain it or use it anymore and I never even published
| it to Maven, so it has old invalid jitpack links, but the code is
| quite solid).
|
| 0 - https://github.com/cretz/javan-warty-pig
| bArray wrote:
| I've not personally ever tried fuzzing - is there some nice
| introduction to the concept?
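The two posts above touch on the same idea from different sides: invokestatic notes that Jazzer feeds its own instrumentation back into libFuzzer through the `__sanitizer_cov_trace_cmp4` hook, and bArray asks what fuzzing is about in the first place. The following toy fuzzer is an added illustration, not code from the thread, from Jazzer or from libFuzzer. The target, the `CmpTrace.cmp4` stand-in for the sanitizer hook, the constants and the fuzz loop are all constructed for this example. It runs the same target twice: once with plain random byte mutation, and once where the recorded comparison operands are spliced back into the input, which is what comparison tracing buys a coverage-guided fuzzer.

```python
# Added example (not from the thread, Jazzer or libFuzzer): a toy mutation
# fuzzer showing why comparison-operand feedback matters.  Everything here
# (target, hook stand-in, constants, loop) is constructed for illustration.
import random
import struct

MAGIC = 0x4A415A5A          # constructed 4-byte guard ("JAZZ" in ASCII)
EXPECTED_LEN = 0xDEADBEEF   # constructed second 4-byte guard


class CmpTrace:
    """Stand-in for libFuzzer's __sanitizer_cov_trace_cmp4 hook.

    Instrumented code calls it on every 4-byte comparison, so the fuzzer
    learns which constants the target compares against without ever
    seeing the target's source.
    """

    def __init__(self):
        self.operands = set()

    def cmp4(self, a, b):
        self.operands.add(a & 0xFFFFFFFF)
        self.operands.add(b & 0xFFFFFFFF)
        return a == b


def target(data, trace):
    """Constructed target: returns how many guarded checks the input passed.

    Passing both checks (depth 2) stands in for the buggy path a real
    fuzzer would be hunting for.
    """
    if len(data) < 8:
        return 0
    magic, = struct.unpack_from("<I", data, 0)
    if not trace.cmp4(magic, MAGIC):
        return 0
    length, = struct.unpack_from("<I", data, 4)
    if not trace.cmp4(length, EXPECTED_LEN):
        return 1
    return 2


def mutate(rng, data, operands, guided):
    """One mutation step.

    The guided variant sometimes splices a recorded comparison operand
    (little-endian) into the input at a 4-byte-aligned offset; that turns
    a 2^32 search per guard into a handful of attempts.
    """
    buf = bytearray(data)
    if guided and operands and rng.random() < 0.5:
        value = rng.choice(sorted(operands))
        off = rng.randrange(0, len(buf) - 3, 4)
        buf[off:off + 4] = struct.pack("<I", value)
    else:
        pos = rng.randrange(len(buf))
        buf[pos] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed, guided, max_iters=5000):
    """Minimal fuzz loop.  Returns (crashing_input_or_None, iterations)."""
    rng = random.Random(seed)
    trace = CmpTrace()
    corpus = [bytes(8)]                  # starting seed input: all zeros
    best_depth = target(corpus[0], trace)
    for i in range(1, max_iters + 1):
        candidate = mutate(rng, rng.choice(corpus), trace.operands, guided)
        depth = target(candidate, trace)
        if depth == 2:
            return candidate, i
        if depth > best_depth:           # coverage-style feedback: keep progress
            best_depth = depth
            corpus.append(candidate)
    return None, max_iters


if __name__ == "__main__":
    for guided in (False, True):
        found, iters = fuzz(seed=1, guided=guided)
        status = "found " + found.hex() if found else "found nothing"
        print(f"guided={guided}: {status} after {iters} iterations")
```

Without the comparison feedback the loop can only change one byte at a time and never clears the first 32-bit guard; with it, the fuzzer reaches the guarded path within a few dozen iterations. Real libFuzzer additionally uses the traced operands to drive its built-in dictionary and value-profile heuristics, but the principle is the same one Jazzer relies on when it reports JVM comparisons through the sanitizer hook.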
| The_rationalist wrote:
| This talks about mutation testing; how does this compare to
| pitest? It would be nice to run Jazzer on core JVM projects such
| as GraalVM, Spring, Apache projects, etc.
| jgalt212 wrote:
| Does anyone have any fun stories about fuzzers they ran that
| broke production systems that were inadvertently connected to the
| system under test?
| khaledyakdan wrote:
| We've actually had a project where the customer had a testing
| environment for their web application. The fuzzer overwhelmed
| the system and we were asked to slow the fuzzer down so that
| the system could handle the load.
| fhenneke wrote:
| I'm one of the engineers behind Jazzer and happy to answer any
| questions about it.
|
| We also have a blog post that talks about the most interesting
| technical aspects of Jazzer:
| https://blog.code-intelligence.com/engineering-jazzer
| layer8 wrote:
| I couldn't find any information on what specific kinds of
| errors are recognized (except JNI memory handling), or how
| (mechanism) one specifies to the tool what constitutes an
| error. Can you shed some light on that, or give a pointer to
| relevant documentation?
| ekiwi wrote:
| If you are interested in fuzzing your Java code, you should also
| have a look at the JQF project, which directly integrates with
| JUnit tests: https://github.com/rohanpadhye/JQF