Testing: Code Intelligence brings fuzzing to the command line


The command line tool CI Fuzz CLI for detecting vulnerabilities via fuzzing should be as beginner-friendly as possible.


With CI Fuzz CLI, the German company Code Intelligence has released a tool that starts fuzz tests from the command line. The open source tool is said to be particularly easy to use and is therefore primarily aimed at those who have not yet used fuzzing to test their projects.


Initially, CI Fuzz CLI examines C and C++ code in conjunction with CMake. In the medium term, the tool is also expected to examine code in Go, JavaScript and JVM languages. For the latter, the company released Jazzer, an open-source fuzzing tool, in early 2021.

The tool is intended to reduce the barrier to entry into fuzzing, since a few commands and small adjustments in the editor are sufficient for the first fuzz test. At the same time, the command line tool can be integrated into continuous integration processes, build tools and development environments.

The project page shows the integration into a simple project: Initializing via cifuzz init creates the cifuzz.yaml file with the test configuration. The command cifuzz create creates the actual test, producing a stub file such as my_fuzz_test_1.cpp.

Developers then have to adapt the file so that it exercises the appropriate functions in the program. They must also configure the CMake directives accordingly. Finally, cifuzz run my_fuzz_test_1 runs the fuzz test. Anyone who needs a test coverage report can generate one with cifuzz coverage my_fuzz_test_1.


In contrast to static code analysis, fuzzing tools do not look at the source code but feed the software under test with input data that is randomly or deliberately malformed or incomplete. In this way, fuzz testing finds bugs such as buffer overflows that can slip through when human testers only use plausible data. Code Intelligence is a German start-up specializing in fuzzing.

Internationally, Google is a strong advocate of fuzzing. In 2016, the Internet giant presented OSS-Fuzz, a project for testing open source software with fuzzing. In addition, with ClusterFuzz it has a commercial fuzzing tool for integration into the CI/CD pipeline (Continuous Integration / Continuous Delivery) in its portfolio, of which a slimmed-down open source version was released in 2021.

Google’s programming language Go has included fuzzing in the toolchain since version 1.18, but according to the latest survey by the team responsible for the language, it has so far been little used.

For more details on CI Fuzz CLI, see the GitHub repository readme and the Code Intelligence project page.