The command line tool CI Fuzz CLI, which detects vulnerabilities via fuzzing, is intended to be as beginner-friendly as possible.
With CI Fuzz CLI, the German company Code Intelligence has released a tool that starts fuzz tests from the command line. The open source tool is said to be particularly easy to use and is therefore primarily aimed at those who have not yet used fuzzing to test their projects.
Simple and connected
The tool is intended to reduce the barrier to entry into fuzzing, since a few commands and small adjustments in the editor are sufficient for the first fuzz test. At the same time, the command line tool can be integrated into continuous integration processes, build tools and development environments.
The project page shows the integration into a simple project. Initializing via cifuzz init creates the cifuzz.yaml file with the test configuration. The command cifuzz create then creates the actual test, producing a stub file such as my_fuzz_test_1.cpp. Developers have to edit this file so that it calls the functions in the program that are to be tested, and they must also add the appropriate CMake directives. Finally, cifuzz run my_fuzz_test_1 runs the fuzz test. Anyone who needs a test coverage report can generate one with cifuzz coverage my_fuzz_test_1.
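What the generated stub has to be edited into is a harness that hands the fuzzer's bytes to the code under test. The following is an added example, not code from the CI Fuzz CLI project: it is written against libFuzzer's LLVMFuzzerTestOneInput entry point (which cifuzz drives for C/C++ targets) so that it compiles without the project's headers, and the length-prefixed record format and the parse_record function are constructed for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Constructed record layout for this example: 1 length byte N, then N bytes
// of name, then a 2-byte big-endian value. Returns false on malformed input.
struct Record {
    std::string name;
    uint16_t value = 0;
};

bool parse_record(const uint8_t *data, size_t size, Record &out) {
    if (size < 1) return false;
    size_t name_len = data[0];
    // This bounds check is the kind of line that is easy to forget. Without it,
    // a length byte larger than the remaining buffer would make memcpy read past
    // the end of `data`; a human tester feeding plausible records never hits
    // that, while a fuzzer under AddressSanitizer finds it quickly.
    if (size < 1 + name_len + 2) return false;
    char name_buf[256];              // name_len is at most 255
    std::memcpy(name_buf, data + 1, name_len);
    name_buf[name_len] = '\0';
    out.name.assign(name_buf, name_len);
    out.value = static_cast<uint16_t>((data[1 + name_len] << 8) | data[2 + name_len]);
    return true;
}

// libFuzzer entry point. The harness only exercises the parser; memory errors
// are reported by the sanitizers the fuzzer runs with, not by return values.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    Record r;
    parse_record(data, size, r);
    return 0;  // libFuzzer expects 0; non-zero return values are reserved
}

// Stand-alone smoke check with constructed inputs; under cifuzz the fuzzer
// supplies the bytes instead.
int main() {
    const uint8_t good[] = {2, 'a', 'b', 0x01, 0x02};
    const uint8_t bad[] = {200, 'a'};  // promises 200 name bytes that are absent
    Record r;
    return (parse_record(good, sizeof good, r) && !parse_record(bad, sizeof bad, r)) ? 0 : 1;
}
```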
Fuzzing as an alternative to classic code analysis
In contrast to static code analysis, fuzzing tools do not look at the source code but feed the software under test with input data that is randomly generated or deliberately malformed or incomplete. In this way, fuzz testing finds bugs such as buffer overflows that can slip through when human testers only use plausible data. Code Intelligence is a German start-up specializing in fuzzing.
Internationally, Google is a strong advocate of fuzzing. In 2016, the Internet giant presented OSS-Fuzz, a project for testing open source software with fuzzing. In addition, with ClusterFuzz it has a commercial fuzzing tool for integration into the CI/CD pipeline (Continuous Integration / Continuous Delivery) in its portfolio, of which a slimmed-down open source version was released in 2021.
Google’s programming language Go has included fuzzing in the toolchain since version 1.18, but according to the latest survey by the team responsible for the language, it has so far been little used.
For more details on CI Fuzz CLI, see the GitHub repository readme and the Code Intelligence project page.