Platform Overview
Fuzzing Terminology
Install the Fuzzbuzz CLI
Find your first C/C++ bug
Find your first Python bug
Find your first Rust bug
Find your first Go bug
Protocol Fuzzing
Seeding your fuzzer
Integrating with libFuzzer
Heartbleed in 5 Minutes
GitHub Integration
GitLab Integration
CLI Integration
fuzzbuzz.yaml reference
Fuzzer Reference
Bug Types
Self-Hosted Fuzzbuzz
Overview
Getting Started
Guides
Tutorials
Integrations
Reference
Fuzzing Terminology
Corpus
Fuzzers run millions of procedurally generated inputs in an attempt to try and find inputs that cause bugs. The corpus is the set of inputs that the fuzzer considers "interesting", because they cover some code or program state that was previously untested. The fuzzer saves these inputs as "checkpoints" that it can use for further generation of test cases in the future.
Fuzzbuzz saves the fuzz corpus as regression tests, and runs all old corpus values whenever a new job is started, to ensure no regressions are introduced.
Fuzz Test
Also known as: fuzz target, fuzz function.
A function or class that receives arbitrary input from a fuzzer, and uses it to execute & test code.
Fuzzer
Also known as: fuzzing engine.
A fuzzer is the test framework responsible for generating new inputs, executing the fuzz test with the generated input, reading code coverage instrumentation, managing the corpus, and reporting bugs.
Sanitizer
A form of instrumentation that reports specific bugs at runtime, usually injected into code at compile-time or runtime. Examples include: Address Sanitizer, Leak Sanitizer, Memory Sanitizer, Thread Sanitizer, Undefined Behavior Sanitizer.
Seed input
Seed inputs are a set of user-provided inputs to a fuzz test. Usually a set of hand-built inputs created by the developer to cover interesting parts of their code, to give the fuzzer a starting point from which to begin testing more of the program.