firefox/security/nss/fuzz
Daniel Baumann 5e9a113729
Adding upstream version 140.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00
Contents of this directory: config, options, targets, .clang-format, fuzz.gyp, README.md, warning.txt

Build

The fuzz targets can be built with ./build.sh --fuzz [--disable-tests]. They compile with ASan and UBSan by default; see coreconf/fuzz.sh.

OSS-Fuzz

All fuzz targets run continuously on OSS-Fuzz; the respective project.yaml can be found at https://github.com/google/oss-fuzz/blob/master/projects/nss/project.yaml. An overview with code coverage is available at https://introspector.oss-fuzz.com/project-profile?project=nss, along with a link to a more detailed Fuzz Introspector report.

MozillaSecurity/orion

We regularly run two services: one collects coverage information ourselves, and the other mirrors the public OSS-Fuzz corpora and populates the private bucket with new test cases. Code coverage reports can be found at https://fuzzmanager.fuzzing.mozilla.org/covmanager/reports/.

Adding a new fuzz target

The fuzz targets are located at fuzz/targets. Some additional things to keep in mind when adding a new fuzz target:

  • Every fuzz target needs a .options file in fuzz/options; other fuzz tooling depends on it.
  • For CI integration, schedule the corresponding fuzzing runs in automation/taskcluster/graph/src/extend.js.
  • Test cases can be extracted from the existing tests by adding hooks to fuzz/config/frida_corpus/hooks.js and fuzz/config/frida_corpus/cli.py.

Useful Links