AgentSkillsCN

fuzzer-generator

Builds fuzzing tools that discover program defects and security vulnerabilities by generating random inputs.

SKILL.md
--- frontmatter
name: fuzzer-generator
description: "Creates fuzzing tools that generate random inputs to find bugs and security vulnerabilities."
version: "1.0.0"
tags: [fuzzing, security, testing, bug-finding, random-generation]
difficulty: intermediate
languages: [python, rust, c, go]
dependencies: [property-based-tester, taint-analysis]

Fuzzer Generator

Creates fuzzing tools that automatically generate random inputs to discover bugs, crashes, and security vulnerabilities in programs.

When to Use This Skill

  • Finding crashes and memory safety issues
  • Discovering input validation bugs
  • Security vulnerability discovery
  • Compiler bug finding

What This Skill Does

  1. Input Generation: Creates random valid inputs for target programs
  2. Coverage Tracking: Monitors code coverage to guide fuzzing
  3. Mutation Strategies: Implements mutation and generation-based fuzzing
  4. Crash Analysis: Triages and minimizes crashing inputs

Key Concepts

Concept - Description

  • Coverage-guided fuzzing - Uses coverage feedback to prioritize inputs
  • Corpus - Set of interesting inputs
  • Mutation - Small changes to existing inputs
  • Crash minimization - Reducing crashing inputs to minimal forms
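A minimal coverage-guided mutation fuzzer that ties these four concepts together (corpus, mutation, coverage feedback, crash minimization). It is added here as an example and is not code from the skill or any of the tools it names; the `target` parser with its planted out-of-bounds read is constructed for the demonstration, and coverage is approximated with Python's line tracer instead of sanitizer instrumentation.

```python
import random
import sys
def target(data: bytes) -> int:
    # Constructed toy parser: magic "FZ", version byte, declared payload length, payload.
    if len(data) < 5 or data[:2] != b"FZ":
        return -1
    if data[2] < 2:                      # only version >= 2 frames carry a length field
        return -2
    declared, payload = data[3], data[4:]
    return payload[declared - 1]         # planted bug: trusts the declared length (over-read)
def run(data: bytes):
    # Execute target under a line tracer; return (crashed, set of executed line numbers).
    lines = set()
    def tracer(frame, event, arg):
        if frame.f_code is target.__code__ and event == "line":
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
    except Exception:                    # any uncaught exception counts as a crash
        return True, lines
    finally:
        sys.settrace(None)
    return False, lines
def mutate(data: bytes, rng: random.Random) -> bytes:
    # One random byte overwrite (real fuzzers also insert, delete and splice).
    b = bytearray(data)
    b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)
def fuzz(seed: bytes, iterations: int, rng_seed: int = 0):
    # Coverage-guided loop: a mutant joins the corpus only if it reaches new lines.
    rng, corpus, seen = random.Random(rng_seed), [seed], run(seed)[1]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        crashed, cov = run(candidate)
        if crashed:
            return candidate, corpus
        if cov - seen:                   # new line reached: keep it for further mutation
            seen, corpus = seen | cov, corpus + [candidate]
    return None, corpus
def minimize(crash: bytes) -> bytes:
    # Greedy delta removal: drop any single byte whose removal keeps the crash, then rescan.
    i = 0
    while i < len(crash):
        smaller = crash[:i] + crash[i + 1:]
        crash, i = (smaller, 0) if run(smaller)[0] else (crash, i + 1)
    return crash
```

The crash needs two separate byte changes (version, then declared length); the corpus keeps the intermediate input that reached the new lines, which is exactly what the coverage feedback buys you over blind mutation.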

Tips

  • Build with AddressSanitizer for memory safety bugs
  • Use libFuzzer for C/C++, Atheris for Python
  • Maintain corpus of interesting inputs
  • Minimize crashes to find root causes

Related Skills

  • property-based-tester - Structured property testing
  • taint-analysis - Track untrusted input
  • sandbox-builder - Safe fuzzing environment

Canonical References

Reference - Why It Matters

  • libFuzzer: in-process coverage-guided fuzzing - LLVM fuzzing engine
  • AFL: American Fuzzy Lop - Popular greybox fuzzer
  • Finding Bugs in JavaScript Engines - Fuzzing case study

Tradeoffs and Limitations

Approach - Pros / Cons

  • Coverage-guided - Pros: efficient, finds deep bugs. Cons: requires instrumentation.
  • Blackbox - Pros: no source needed. Cons: less effective.
  • Grammar-based - Pros: generates valid inputs. Cons: requires a grammar.

Assessment Criteria

Criterion - What to Look For

  • Coverage - Efficient code coverage
  • Bug finding - Discovers real bugs
  • Performance - High tests/second

Quality Indicators

  • Good: Good coverage, finds bugs, high throughput
  • ⚠️ Warning: Limited coverage, slow
  • ❌ Bad: No bugs found, crashes

Research Tools & Artifacts

Fuzzing tools and frameworks:

Tool - Language - What to Learn

  • libFuzzer - C/C++ - In-process coverage-guided fuzzing
  • AFL++ - C - Greybox fuzzing
  • Honggfuzz - C - Feedback-driven fuzzing
  • Fuzzilli - JavaScript - JavaScript engine fuzzing
  • Oathbreaker - Python - Grammar-based fuzzing

Fuzzing Infrastructure

  • OSS-Fuzz - Continuous fuzzing service
  • Fuzzbench - Fuzzer evaluation framework

Research Frontiers

1. Fuzzing with LLMs

  • Approach: Use language models for input generation
  • Papers: "Fuzzing with LLMs" (2023+)
  • Tools: ChatGPT-assisted fuzzing

2. Hybrid Fuzzing

  • Approach: Combine symbolic execution with fuzzing
  • Papers: "Driller" (Shoshitaishvili)
  • Tools: QSYM, Angora

Implementation Pitfalls

Pitfall - Real Consequence - Solution

  • Coverage plateau - Stops finding new paths - Add corpus entries and mutation strategies
  • Crash duplication - Too many similar crashes - Minimize inputs