C++ Weekly - Ep 352 - Not Doing This Should Be Illegal! (Always Fuzz Your C++!)

I prefer the less clickbaity titles personally.

Coming from an FPGA background, constrained random verification, or fuzz testing, as you're calling it, is a known technique since the mid 2000s. When it gained popularity there was a push to integrate random tests into all designs, as can be read from some books at that time. But simply put, not every design stands to benefit much from fuzzing.
If you're testing a public API for a large popular project and you have the manpower to integrate, and, more importantly automate fuzz test handling, yes, this is an incredibly useful feature. But for a small project with well known and understood input/output limitations a few directed tests will bring much more immediate benefit. The main benefit of fuzzing is finding unusual input sequences. If your inputs are constrained, you will need to constrain the fuzzer and automatically discern false positives from real errors. This is a task that can cost a non trivial amount of manpower for small teams, and the potential benefit will simply not always be there, when compared to directed tests.
Anyway, this definetly shouldn't be illegal, not even the first recommended tool in many situations.

Sadly, also gonna agree. The clickbait title is terrible for ever finding this video again :(

Thanks Jason for the great video. I have to say, contrary to what you say at 7:20, there is (at least) one static tool that can detect this problem. It's Polyspace Code Prover from MathWorks (disclaimer : I am working for this company).

An empty string should also trip the fuzz testing instrumentation, since you check for the open brace without first checking that the string has a front() character.

Yes! Recently, CppCon video of Herb Sutter's cppfront talk was released. I said to myself "how hard could it be to fuzz it?" it turned out, not much. I'm only on Windows with Visual Studio, but I already managed to find a bug in his tool in hour or two thanks to fuzzing. It was not security vulnerability, it was infinite loop while parsing bad input. Now, when I'm thinking about it, it could be used to DoS/timeout/increase cost of CompilerExplorer virtual machines.

Excellent vid, thank you Jason.

From the legal perspective, it is somewhat defined what you need to do should your project be deployed in an environment where public safety/security is at risk.
The standards I know of that describe, among much much more, all the testing techniques you need to do to conform to this standard. For safety, the standard is IEC 61508 - it defines Safety Integrity Levels (SIL) where SIL4 (the highest level) requires you to do fuzzing. Then, for security, there is IEC 62443 - it defines Security Levels, where each level also mandates you to do certain kinds of tests (including fuzzing). In some applications, conformity to those two standards is required.

The description has zero information in it

I’d love to see you also cover property based testing in C++ with RapidCheck, which uses similar techniques but for correctness rather than vulnerabilities, (though it can also catch vulnerabilities, of course)

people know they should fuzz but everyone knows you also cant just go "open fuzzer, open exe, run" you have to manually go in and edit your code to tie the fuzzer into the input field. The sanitizers are not like this so they get more use.

How would you start fuzzing in a big legacy codebase (closed source code)?
I have limited resources so I would like to get the most out of this.

Most click-bait title you’ve ever had… like button immediately clicked.

One question about fuzzing: a lot of high-performance code is about contracts to omit unnecessary checks. How can this code be fuzz-tested? For example, an algorithm could have some documented (or even debug-asserted) conditions on the input. The fuzz-tester however does not care for those. Should I just write some code that does a check before calling the function and "discard" the fuzz input if necessary or are there other approaches?
I'd be glad for any hint on how these cases are handled, thanks!

I use AFL++ to fuzz C++ code. I'm planning to develop in Rust and Haskell as well. Can programs in them be set up so that AFL++ can fuzz them?

Any good tutorials on fuzz testing for self-taught programmers?

I don't think I have a project ready to be published that would require fuzz testing but I have no idea how to implement fuzz test. I understand the principle, heard about it since many years, I am already convinced but I never found good tutorial/resource to get fuzz testing right and nice (unit testing is also not fun/easy in C++ compared with other modern language, catch2 was actually bad when I used it compared to GTest). The boilerplate code doesn't look great to me, actually my main concern is code structure.
Still a very nice video, pushing me to be a better coder. I will take the time one day to get it right.

You have shown std apply, you used to have a much wilder example prior to apply showing being a thing where you would dispatch code with make tuple and eventually you showed how to do std apply instead

Compilers can't report this code can hidden assumption could be that `}` need to exists (like you check it before function call).
Recently I avoided checking if my algorithm exit working area by guarantying that data that it work with have encoded borders in it and processing end before I reach border. If I could not fully control this data then checking for borders would be required.

I may not fully understand fuzzing, but I find it hard to apply it in the projects I'm working on at present. Right now I'm writing a C function that takes a char* string. I could try to pass garbage to it, but I don't see the point because (1) my function expects a valid JSON string, (2) it's a private function and when I call it in other places of the code, I know for a fact that I pass a JSON-formatted string because the string comes from another library that returns a JSON string, (3) if it's not a JSON string, it's going to trip the call to a JSON parser (implemented in a third-party lib) at the beginning of the function and just return an error code. Overall, the only way to trip the rest of my function is to provide a valid JSON string (to pass the first couple of lines which are just parsing it) but with specific things that could trip it (such as having a JSON array instead of an object, having a key that I'm expecting not be present, or have the wrong type of value, etc.).
Overall if I wanted to fuzz-test this function I would need to write something that generates a JSON string that's invalid in some specific way, and this is exactly what I'm doing in my unit tests. How could fuzz-testing help in this case?

Using that nasty libpng code in modern C++ should be illegal too! 😂

Chill out with the clickbait

I know I should fuzz. I feel like it'd be easier if I was a linux native. Also my code doesn't compile on clang. So maybe I need to rewrite it.

It's not just open-source software. "Security researchers" constantly fuzz every aspect of commercial products that they can think of.

Oh no, why is Jason click baiting us :<
Still good video though, 5/7 would recommend.

Hmmmm...well your click bait is on base but your avatar needs a big smile to let the viewer know they're about to watch an awesome video also high contrast thumbnails with no more than 3 words

Fuzzing?
Nah, will not help..... we are using clang-tidy and some other checks and they are DISABLED on big chunks of the code-base cause it is "legacy"-code and has too many warnings/errors. I would be surprised if you couldn't find 10 ways of crashing the entire system and 4 ways of getting complete control in the time it would take you to write and compile a single test. (There are still 5 year old bug-tickets open about unsanitised user-input being added directly into SQL-statments or bash )

May be I've always worked in incorrect environments (badly managed teams, not so "smart" managers, etc), but I've never seen a project where the tests were included in the estimation of development cost (time). The only time there was automated tests, the tests themselves were never considered as part of the dev. And coding these tests takes time, doesn't it ?
In this case, they were "fuzzy tests" in a way, more something like very far away things, you know they exists, but you never see them ...
Don't worry, I never worked on open source software ! Nothing I/we made is public.
At least, I hope. It would bother me if some train begins to have random behaviors, or if some metal coils were cut in strange directions ...
Tel me, I'm not the only one who worked on projets that cut corners on testing ?
May be it really needs to be put in a criminal law ...

A fuzztesting crash is not necessarily a bug. For performant code, and sometimes as a method of catching bugs, you don't necessarily want to sanitize all the inputs coming into a function. For example, if you have some robot running on micro-controllers, and you need to squeeze every cycle out of the processor, you might not range check your array accesses. The fuzz tester will die, but that doesn't mean there is a bug. There will only be a bug if something in the program actually causes an out of bounds access. So yes, the fuzz tester found a set of inputs that will crash the program, but those inputs might not be possible in the full context of the program.
Also, just because the fuzz tester found a set of inputs to crash your program doesn't mean you want to address it, even if you aren't trying to squeeze out extra performance. At my job, we intentionally leave divide by zero risks and things like that in the code if it SHOULD be impossible for the divisor to be zero. That way, if a bug is introduced that sets the divisor to 0, the program crashes, which is a good thing, because it lets us know that some thing is very wrong. If you sanitize all division to make sure you never divide by zero, you could cause the introduced bug not to be noticed. No one checks every log statement after every test of every code change, so it is possible that sanitizing your division leads to a bug in the code that is only noticeable by a log statement that says "Error: division by zero", and then the program continues on, effectively treating the divisor as 1 instead of 0, which may lead to less noticeable, but still very serious, bugs. You wouldn't want to use this sort of intentional crash debugging technique on like a cpap machine, or an oxygen system on a space station, because you want those things to continue to try to run no matter what is going wrong in the software, but for something like a trading bot or accounting software, you DEFINITELY do want the program to crash rather than continue purring along silently in an error state.
So if you use fuzz testing, don't necessarily fix every single crash that the fuzz tester finds unless you have a well thought out policy to do so that has a method for detecting crashes avoided by sanitation.

You may not be being hyperbolic, but I'm certain that _some_ conic section is involved here.

I don't agree with calling it clickbait. While I don't believe it should be illegal as a blanket statement, certainly for high value targets to not perform fuzz testing on the software they use should be. Consider how many hospitals and small governmental entities such as city and county governments have had their security compromised and thusly compromised the security and sometimes safety of people who can't merely delete their data from someone else's database. It seems to happen more and more these days to the point where the utter negligence should be punished in some way. Although, obviously governments are going to exempt themselves, so it'll never happen that the most culpable will actually be punished.

I use your channel as a useful reference. The clickbait titles are really not appreciated.

c++ shud be illegal

std::uint32_t rot32(std::uint32_t x, std::uint8_t r){return (x > (32 - (r & 0x1f)))}