[HN Gopher] Browser Fuzzing at Mozilla
___________________________________________________________________
Browser Fuzzing at Mozilla
Author : gbrown_
Score  : 145 points
Date   : 2021-02-09 18:01 UTC (4 hours ago)
(HTM) web link (hacks.mozilla.org)
(TXT) w3m dump (hacks.mozilla.org)

| eigenvalue wrote:
| They don't seem to be using a fuzzer that uses a "smart" way of
| creating new inputs based on previous inputs that revealed novel
| execution paths, as done in the AFL fuzzer
| (https://en.m.wikipedia.org/wiki/American_fuzzy_lop_(fuzzer)).
|
| I wonder why that is-- that always struck me as a particularly
| elegant approach, and I know AFL has been used to find tons of
| bugs in various popular open source projects. There was a popular
| article on HN a while back where AFL even "learned" how to
| generate valid jpg image file headers.
|
|   andrei wrote:
|   I believe they use libFuzzer to test isolated components [0],
|   but it seems like they wanted to specifically focus on browser
|   fuzzing for this post (it's probably more interesting, too).
|
|   [0]: https://firefox-source-docs.mozilla.org/tools/fuzzing/fuzzin...
|
|   _j3sse wrote:
|   The state space is too large for these algorithms to be
|   effective on Firefox as a whole, and there are many libraries
|   we just don't care about when browser fuzzing.
|
|   E.g. if AFL/libFuzzer manages to hit a path that makes an input
|   appear as gz encoded, the "novel" zlib coverage is very
|   attractive to the algorithm, but that's a very inefficient way
|   to fuzz zlib.
|
|   Most of these libraries are targeted specifically by OSS-Fuzz
|   [0] and their integration into Firefox is fuzzed with libFuzzer
|   using the fuzzing interface andrei mentioned.
|
|   0: https://google.github.io/oss-fuzz/
|
| butz wrote:
| Might be a bit off topic, but does building Firefox from source
| use your default profile, or is it separate?
|   cpeterso wrote:
|   A local build of Firefox can use any profile you like, but by
|   default, the "mach run" build script will create a separate new
|   profile for testing.
|
|   jwatt wrote:
|   It depends on which branch you checked out before you built. By
|   default you'll normally end up with a checkout of 'mozilla-central',
|   in which case it will use a separate profile.
|
| f430 wrote:
| Does Mozilla or Chrome have some sort of sandbox containership?
|
|   cjohansson wrote:
|   Yes, but only for Windows it seems.
|
|   saagarjha wrote:
|   Firefox uses seccomp-bpf on Linux and the platform sandbox on
|   macOS.
|
|   danlugo92 wrote:
|   "firefox containers"
|
|   sstangl wrote:
|   Yes, Firefox uses the same sandbox as Chromium.
|   https://wiki.mozilla.org/Security/Sandbox/Specifics
|
|     est31 wrote:
|     Note that there are some holes in the Firefox sandbox that
|     don't exist in the Chromium one:
|     https://bugzilla.mozilla.org/show_bug.cgi?id=1129492
___________________________________________________________________
(page generated 2021-02-09 23:00 UTC)
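Added example, not part of the thread above and not Mozilla's code: a minimal libFuzzer-style harness of the kind andrei and j3sse describe, which fuzzes one isolated component directly instead of driving the whole browser. The record format, parse_records() and sum_payloads() are constructed stand-ins for a real component; LLVMFuzzerTestOneInput is the real libFuzzer entry point. The early return on the gzip magic bytes illustrates j3sse's point: a library that is already fuzzed on its own (here, hypothetically, a decompressor) is kept out of the harness so its "novel" coverage does not pull the fuzzer away from the target. The STANDALONE_DRIVER macro is an assumption of this example, used only so the file can also be built and run without libFuzzer.

```c
/* Added example: a libFuzzer-style harness for one isolated component.
 * Not Mozilla code. The record format and parse_records() are constructed
 * for illustration; LLVMFuzzerTestOneInput is the real libFuzzer entry point.
 *
 * Fuzzer build:      clang -g -O1 -fsanitize=fuzzer,address harness.c
 * Stand-alone build: cc -DSTANDALONE_DRIVER harness.c && ./a.out
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RECORDS 8

/* Constructed wire format: 2-byte big-endian record count, then that many
 * records of [1-byte tag][1-byte length][length payload bytes], no trailer. */
typedef struct {
    uint8_t tag;
    uint8_t len;
    const uint8_t *payload; /* points into the caller's input buffer */
} record_t;

/* Parses data into out. Returns the record count on success, or -1 if the
 * input is truncated, has trailing bytes, or declares more than max_out
 * records. Every length is checked before the matching bytes are touched. */
int parse_records(const uint8_t *data, size_t size, record_t *out, size_t max_out)
{
    if (size < 2)
        return -1;
    size_t count = ((size_t)data[0] << 8) | data[1];
    if (count > max_out)
        return -1;

    size_t pos = 2;
    for (size_t i = 0; i < count; i++) {
        if (size - pos < 2)            /* tag + length header must fit */
            return -1;
        uint8_t tag = data[pos];
        uint8_t len = data[pos + 1];
        pos += 2;
        if (size - pos < len)          /* payload must fit */
            return -1;
        out[i].tag = tag;
        out[i].len = len;
        out[i].payload = data + pos;
        pos += len;
    }
    if (pos != size)                   /* reject trailing garbage */
        return -1;
    return (int)count;
}

/* A cheap consumer of the parsed data, so the harness reads every payload
 * byte (and sanitizers can see any bad pointer) instead of discarding it. */
uint32_t sum_payloads(const record_t *recs, int n)
{
    uint32_t sum = 0;
    for (int i = 0; i < n; i++)
        for (size_t j = 0; j < recs[i].len; j++) /* size_t: a uint8_t index would wrap at len 255 */
            sum += recs[i].payload[j];
    return sum;
}

/* libFuzzer calls this once per generated input; it should return 0
 * (other values are reserved by libFuzzer). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    /* Inputs that look gzip-compressed (magic 1f 8b) would belong to a
     * decompressor that is fuzzed on its own; bailing out early means they
     * produce no new coverage here, so the fuzzer is not drawn down that path. */
    if (size >= 2 && data[0] == 0x1f && data[1] == 0x8b)
        return 0;

    record_t recs[MAX_RECORDS];
    int n = parse_records(data, size, recs, MAX_RECORDS);
    if (n > 0)
        (void)sum_payloads(recs, n);
    return 0;
}

#ifdef STANDALONE_DRIVER
/* Runs the harness over a few constructed inputs without libFuzzer linked in
 * (libFuzzer supplies its own main, hence the guard). */
int main(void)
{
    static const uint8_t ok[]      = {0x00, 0x02, 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00};
    static const uint8_t trunc[]   = {0x00, 0x01, 0x01, 0x05, 'a'};
    static const uint8_t trailer[] = {0x00, 0x00, 0xff};
    const uint8_t *inputs[] = {ok, trunc, trailer};
    const size_t sizes[]    = {sizeof ok, sizeof trunc, sizeof trailer};

    for (size_t i = 0; i < 3; i++) {
        record_t recs[MAX_RECORDS];
        int n = parse_records(inputs[i], sizes[i], recs, MAX_RECORDS);
        printf("input %zu: %s (%d)\n", i, n < 0 ? "rejected" : "parsed", n);
        LLVMFuzzerTestOneInput(inputs[i], sizes[i]);
    }
    return 0;
}
#endif
```

The shape is what matters: one entry point, a bounded target, no browser start-up, and nothing in the harness that reaches a library someone else already fuzzes. Run under -fsanitize=fuzzer,address the target gets millions of executions per minute, which is the speed the in-browser fuzzing described in the thread cannot reach.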