Launch HN: Fuzzbuzz (YC W19) – Fuzzing as a Service

171 points by evmunro over 6 years ago
Hey HN,

We’re Everest, Andrei and Sabera, the founders behind Fuzzbuzz (https://fuzzbuzz.io) - a fuzzing as a service platform that makes fuzzing your code as easy as writing a unit test, and pushing to GitHub.

Fuzzing is a type of software testing that generates & runs millions of tests per day on your code, and is great at finding edge cases & vulnerabilities that developers miss. It’s been used to find tens of thousands of critical bugs in open-source software (https://bugs.chromium.org/p/oss-fuzz/issues/list), and is a great way to generate tests that cover a lot of code, without requiring your developers to think of every possibility. It achieves such great results by applying genetic algorithms to generate new tests from some initial examples, and using code coverage to track and report interesting test cases. Combining these two techniques with a bit of randomness, and running tests thousands of times every second has proven to be an incredibly effective automated bug finding technique.

I was first introduced to fuzzing a couple years ago while working on the Clusterfuzz team at Google, where I built Clusterfuzz Tools v1 (https://github.com/google/clusterfuzz-tools). I later built Maxfuzz (https://github.com/coinbase/maxfuzz), a set of tools that makes it easier to fuzz code in Docker containers, while on the Coinbase security team.

As we learned more about fuzzing, we found ourselves wondering why very few teams outside of massive companies like Microsoft and Google were actively fuzzing their code - especially given the results (teams at Google that use fuzzing report that it finds 80% of their bugs, with the other 20% uncovered by normal tests, or in production).

It turns out that many teams don’t want to invest the time and money needed to set up automated fuzzing infrastructure, and using fuzzing tools in an ad-hoc way on your own computer isn’t nearly as effective as continuously fuzzing your code on multiple dedicated CPUs.

That’s where Fuzzbuzz comes in! We’ve built a platform that integrates with your existing GitHub workflow, and provide an open API for integrations with CI tools like Jenkins and TravisCI, so the latest version of your code is always being fuzzed. We manage the infrastructure, so you can fuzz your code on any number of CPUs with a single click. When bugs are found, we’ll notify you through Slack and create Jira tickets or GitHub Issues for you. We also solve many of the issues that crop up when fuzzing, such as bug deduplication, and elimination of false positives.

Fuzzbuzz currently supports C, C++, Go and Python, with more languages like Java and Javascript on the way. Anyone can sign up for Fuzzbuzz and fuzz their code on 1 dedicated CPU, for free.

We’ve noticed that the HN community has been increasingly interested in fuzzing, and we’re really looking forward to hearing your feedback! The entire purpose of Fuzzbuzz is to make fuzzing as easy as possible, so all criticism is welcome.

27 comments

tptacek over 6 years ago
Can you talk a bit about what you're fuzzing for in Python programs? I feel like I have a good understanding of what cluster fuzzing is accomplishing for C/C++ libraries, but less clarity about the goals for managed languages.

evmunro over 6 years ago
P.S. Know someone who maintains an open-source project, written in C, C++, Go or Python, that should be fuzzed? Please send an email to oss@fuzzbuzz.io. We’d love to fuzz your code for free on our platform and make the world’s open-source software more secure.

chubot over 6 years ago
FWIW I separated my Oil shell parser into a standalone stdin/stdout filter, which is ready to be fuzzed:

https://github.com/oilshell/oil/blob/master/bin/osh_parse.py

https://github.com/oilshell/oil/issues/171

I'm already testing it by running it on more than a million lines of shell [1], which I imagine should provide a very good starting point for the AFL algorithm. I've only fuzzed one thing before but that's my understanding.

If anyone is itching to try out Python fuzzing, this might be a nice and realistic intro.

I made note of Fuzzbuzz on the bug.

[1] http://www.oilshell.org/blog/2017/11/10.html

souprock over 6 years ago
I know of a company, called Security Innovation, that tried this in 2002. It went very badly at times. They added training and pen testing, and today they bring in just $20 million per year.

They opened an office in Seattle to fuzz for Microsoft. As soon as they proved that they could succeed, Microsoft hired away all the people, leaving the company with a lease for an empty office.

Generally, companies don't trust outsiders and/or don't see a need. You're up against internal politics too. People within the company don't want to compete with you and don't want to be embarrassed by you.

benatkin over 6 years ago
This is a great name, because at least 90% of your customers will find it funny. Some friends in Boulder made a company called RaffleCopter, and its meme-inspired name (based on ROFLcopter) seemed to help it get much more attention than it drove away. https://www.rafflecopter.com/ Another good thing about both names is they work even if you don't get the reference. I think that could be a must.

I don't know much about fuzzing but I'm inspired to give your tool a try if/when I get a chance.

lumengxi over 6 years ago
This looks great, congrats on the launch! All enterprise software companies should take notes, having a "Buy vs. Build" section on the website is incredibly useful and saves time on both sides.

js2 over 6 years ago
Some feedback going through the docs. For each of the languages you demonstrate a "BrokenMethod" but I don't understand what's broken about it. e.g.:

    func BrokenMethod(Data string) bool {
        return len(Data) >= 3 &&
            Data[0] == 'F' &&
            Data[1] == 'U' &&
            Data[2] == 'Z' &&
            Data[3] == 'Z'
    }

What's broken about this? It returns true for strings that start with "FUZZ", false otherwise, does it not? Python example:

    def BrokenMethod(strInput):
        if len(strInput) >= 2:
            return strInput[0] == 'F' and strInput[1] == 'U'

Other than not being idiomatic I don't see what's wrong with this method.

Next, it's not clear to me how you indicate success/failure of a test. Is success just any program that exits 0 and failure any program that exits non-zero? That would be my guess but the docs don't say.

Typo: https://github.com/fuzzbuzz/docs/pull/3

This page is missing a link to the find-your-first-bug-in-Python example:

https://github.com/fuzzbuzz/docs/blob/master/getting-started/introduction-to-fuzzbuzz.md

The docs site loads slowly for me on an older iPad, and there's even a slight delay on a recent Macbook. Looks like it's maybe a font loading issue? (Oh, it's gitbook. How awful. I guess there's nothing you can do about that other than use a different doc provider.)

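Added example, not part of the thread or the Fuzzbuzz docs: the Go BrokenMethod quoted in the comment above, run under a small mutation loop with coverage feedback of the kind the launch post describes. The 3-byte input "FUZ" passes the `len(Data) >= 3` check and then panics on the read of `Data[3]`. The `run`, `mutate` and `Fuzz` helpers, the hand-written coverage counter and the seed input "hello" are assumptions of this example.

```go
package main

import (
	"fmt"
	"math/rand"
)

// BrokenMethod is the Go snippet quoted in the comment above, behaviour unchanged.
func BrokenMethod(Data string) bool {
	return len(Data) >= 3 && Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z' && Data[3] == 'Z'
}

// run executes the target. cov is a hand-written stand-in for coverage
// instrumentation (assumption): how many leading comparisons the input passes.
func run(in string) (cov int, crashed bool) {
	defer func() { crashed = recover() != nil }()
	for len(in) >= 3 && cov < 3 && in[cov] == "FUZ"[cov] {
		cov++
	}
	BrokenMethod(in)
	return cov, false
}

// mutate stacks three edits: append a byte, overwrite a byte, truncate.
func mutate(in string, rng *rand.Rand) string {
	b := append([]byte(in), byte(rng.Intn(256)))
	b[rng.Intn(len(b))] = byte(rng.Intn(256))
	return string(b[:rng.Intn(len(b)+1)])
}

// Fuzz mutates corpus entries, keeps children that raise coverage, stops at a crash.
func Fuzz(seed string, rngSeed int64, budget int) (string, int, bool) {
	rng, corpus, best := rand.New(rand.NewSource(rngSeed)), []string{seed}, 0
	for execs := 1; execs <= budget; execs++ {
		child := mutate(corpus[rng.Intn(len(corpus))], rng)
		cov, crashed := run(child)
		if crashed {
			return child, execs, true
		}
		if cov > best {
			best, corpus = cov, append(corpus, child)
		}
	}
	return "", budget, false
}

func main() {
	in, execs, found := Fuzz("hello", 1, 5000000) // "hello" is a constructed seed input
	fmt.Printf("crash=%v input=%q execs=%d\n", found, in, execs)
}
```
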
aboutruby over 6 years ago
That's awesome! Would love to use it on popular ruby gems to make sure they are secure (including Rails). Also having a free plan is perfect for experimenting. I predict this company will be a huge success.

kbeckmann over 6 years ago
This is awesome! I wish you all the best and hope that this takes off.

I am curious about how you use AFL under the hood - how do you scale? Do you use a shared kernel and run a worker process for each physical core, or do you do some virtualization or perhaps run with a kernel patch such as https://github.com/sslab-gatech/perf-fuzz/ ? My experience is that you will hit a wall pretty quickly unless you start multiple kernels by using virtualization, or simply having a very slow binary so you don't get a high number of execs/s to start with.

rixrax over 6 years ago
Have you thought of integrating some form of exploitability analysis[0][1] for the crashes|etc. fuzzing locates?

So let's say I upload some FOSS project and end-up finding some crashes|potential vulnerabilities. Have you considered some sort of tie-in|integration to bug bounty programs so that I could get a small pay-out without having to go through the trouble of figuring out how exploitable a given crash might be, and more importantly to actually have to deal with trying to get the attention of the project?

[0] https://www.microsoft.com/security/blog/2013/06/13/exploitable-crash-analyzer-version-1-6/
[1] https://github.com/jfoote/exploitable

pests over 6 years ago
I thought someone had finally done it. Fizzbuzz as a service.

This is even better.

sk221 over 6 years ago
This looks awesome. Wish it integrated with Ruby projects.
tanin over 6 years ago
This is such an awesome service.

Congrats Everest (and team) for making it easier to make software more secure!

tofflos over 6 years ago
This looks very nice. I will definitely try it out once support for Java becomes available.
technics256 over 6 years ago
As a somewhat newbie, how would I use this on say my javascript web app and react native apps?

Thanks!

rixrax over 6 years ago
Godspeed!

I recall there is|was a company based out of Santa Cruz, CA called Fuzz Stati0n with a pretty similar concept. Might be a good idea to ‘compare’ experiences.

yingw787 over 6 years ago
A number of questions:

Do you guys support fuzzing by protocols? Syscalls, REST, or SQL? It might be faster to extend protocol fuzzing than fuzzing by language (I'm not sure though). It'd be cool to have a fuzzer for Apache Calcite; it's a library to slap on a SQL interface to your database.

Any plans to extend fuzzing to property-based testing?

Do you guys fuzz your fuzzer (dogfood)? Probably useful, but also funny :)

drwl over 6 years ago
A small nit: the video is set with these dimensions: width: 940px; height: 529px;

On scaled display it shows up fairly small and so it's hard to see what's going on without going to full screen. As a quick fix could you enable the full screen button. And as a longer term fix consider recording another version where the windows are smaller or there's some sort of magnification?

jawns over 6 years ago
I started learning about this type of testing by writing Hypothesis tests for Python code: https://hypothesis.readthedocs.io/en/latest/

One of the things that became a source of frustration is writing the specs that define the shape of the inputs.

Does FuzzBuzz make that any easier?

bhargav_ over 6 years ago
This looks really cool! Fuzzing is something I've been looking into more and more as I learn about it. I'll definitely keep this in mind for the future. Have you guys considered Rust support?

myroon5 over 6 years ago
Can you add support for social login like GitHub OAuth? Thanks!
webgoat over 6 years ago
Why do this in the cloud? Wouldn't it make more sense to make standalone software that does the fuzzing?

Kkoala over 6 years ago
Sounds interesting! At least I learned something new, fuzzing.
kdmedev over 6 years ago
Can this be done in Rust?
jimbo1167 over 6 years ago
Obligatory plug for the OG of Fuzz Testing, Barton Miller: http://pages.cs.wisc.edu/~bart/fuzz/

#OnWisconsin

maybeiambatman over 6 years ago
Fascinating!
prcobol over 6 years ago
wewlad!