Bug detectors for Golang
https://github.com/codeintelligencetesting/gofuzz

bug-detection fuzzing golang security

## gofuzz

**gofuzz** is a CLI tool to add bug detection capabilities into your Go code.
It transforms the source code, replacing calls to functions/methods of interest with calls to the corresponding hooks in the `github.com/CodeIntelligenceTesting/gofuzz/sanitizers` module.
**gofuzz** does not change the code in-place, but generates the instrumented source code in a temporary directory.
It produces an [overlay file](https://go.dev/doc/go1.16) that can be used by Go's standard build tools.

## How to use

1. (Once) Install the **gofuzz** CLI

```shell
go install github.com/CodeIntelligenceTesting/gofuzz/cmd/gofuzz@latest
```

The minimum required Golang version is Go 1.18.

2. (Once) Add the **sanitizers** package as a dependency for the code base you want to test.
This package contains the implementation of the hooks inserted by **gofuzz** into your code,
and therefore must be available when the instrumented code is being compiled.

```shell
cd <path-to-your-module>  # placeholder: root of the code base you want to test
go get -u github.com/CodeIntelligenceTesting/gofuzz/sanitizers@latest
```

This command also adds the **sanitizers** package as a dependency in the `go.mod` file.

3. Instrument your code using the **sanitize** subcommand

```shell
gofuzz sanitize <package> -o <overlay-file>  # placeholders: package to instrument, overlay file to write
```

This instruments the specified package and writes the instrumented files into a temporary
directory. The corresponding file replacements are stored in the overlay file.
By default, **gofuzz** writes a file named `overlay.json` in the current directory.

4. Instrument your code for fuzzing using [go114-fuzz-build](https://github.com/kyakdan/go114-fuzz-build).
Note that we use a fork of the original [repo](https://github.com/mdempsky/go114-fuzz-build)
because we need a change that has not yet been merged upstream.

```shell
go114-fuzz-build -o target.a -func <fuzz-function> -overlay <overlay-file> <package>  # placeholders
```

This tool uses the host Go toolchain to instrument the code in libFuzzer mode. We recommend using
a Go version later than 1.19 as it contains [several improvements](https://www.code-intelligence.com/blog/golang-fuzzing-1.19) to make fuzzing considerably more effective.

5. Link the created archive with libFuzzer

```shell
clang -fsanitize=fuzzer target.a -o fuzzer
```

6. Run the fuzzer

```shell
./fuzzer [fuzzer args]
```
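
Before building the fuzzer it is worth confirming that the overlay from step 3 actually points at instrumented files. The following is an added example, not code from the gofuzz project: it parses the overlay in the `{"Replace": {...}}` format that `go build -overlay` reads and reports which replacement files import the sanitizers module. The name `auditOverlay`, the sample paths, and the assumption that instrumented files import the module by that path or a subpackage of it are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

const hooksModule = "github.com/CodeIntelligenceTesting/gofuzz/sanitizers" // from the README

// auditOverlay parses overlay JSON in the format `go build -overlay` reads
// ({"Replace": {original: replacement}}) and reports, per original file,
// whether its replacement imports the hooks module. read loads a replacement.
func auditOverlay(raw []byte, read func(string) ([]byte, error)) (map[string]bool, error) {
	var ov struct{ Replace map[string]string }
	if err := json.Unmarshal(raw, &ov); err != nil {
		return nil, fmt.Errorf("overlay: %w", err)
	}
	out := make(map[string]bool, len(ov.Replace))
	for orig, repl := range ov.Replace {
		src, err := read(repl)
		if err != nil {
			return nil, fmt.Errorf("replacement for %s: %w", orig, err)
		}
		f, err := parser.ParseFile(token.NewFileSet(), repl, src, parser.ImportsOnly)
		if err != nil {
			return nil, fmt.Errorf("replacement for %s: %w", orig, err)
		}
		out[orig] = false
		for _, imp := range f.Imports {
			p := strings.Trim(imp.Path.Value, "\"`")
			out[orig] = out[orig] || p == hooksModule || strings.HasPrefix(p, hooksModule+"/")
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: two overlay entries with in-memory replacement files.
	overlay := []byte(`{"Replace": {"/src/db.go": "/tmp/x/db.go", "/src/util.go": "/tmp/x/util.go"}}`)
	files := map[string]string{
		"/tmp/x/db.go":   "package db\nimport \"" + hooksModule + "\"\n",
		"/tmp/x/util.go": "package db\nimport \"strings\"\n",
	}
	read := func(p string) ([]byte, error) { return []byte(files[p]), nil }
	fmt.Println(auditOverlay(overlay, read)) // real run: bytes of overlay.json and os.ReadFile
}
```

A file reported as `false` contains no hook imports, so a fuzzer built from it would exercise that file without the bug detectors.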