[HN Gopher] Browser Fuzzing at Mozilla
       ___________________________________________________________________
        
       Browser Fuzzing at Mozilla
        
       Author : gbrown_
       Score  : 145 points
       Date   : 2021-02-09 18:01 UTC (4 hours ago)
        
 (HTM) web link (hacks.mozilla.org)
 (TXT) w3m dump (hacks.mozilla.org)
        
       | eigenvalue wrote:
       | They don't seem to be using a fuzzer that uses a "smart" way of
       | creating new inputs based on previous inputs that revealed novel
       | execution paths, as done in the AFL fuzzer (
       | https://en.m.wikipedia.org/wiki/American_fuzzy_lop_(fuzzer) ).
       | 
       | I wonder why that is-- that always struck me as a particularly
       | elegant approach, and I know AFL has been used to find tons of
       | bugs in various popular open source projects. There was a popular
       | article on HN a while back where AFL even "learned" how to
       | generate valid jpg image file headers.
        
         | andrei wrote:
         | I believe they use libfuzzer to test isolated components [0],
         | but seems like they wanted to specifically focus on browser
         | fuzzing for this post (it's probably more interesting, too).
         | 
         | [0]: https://firefox-source-
         | docs.mozilla.org/tools/fuzzing/fuzzin...
        
         | _j3sse wrote:
         | The state space is too large for these algorithms to be
         | effective on Firefox as a whole, and there are many libraries
         | we just don't care about when browser fuzzing.
         | 
         | e.g. if AFL/libFuzzer manages to hit a path that makes an input
         | appear as gz encoded, the "novel" zlib coverage is very
         | attractive to the algorithm, but that's a very inefficient way
         | to fuzz zlib.
         | 
         | Most of these libraries are targeted specifically by OSS-Fuzz
         | [0] and their integration into Firefox is fuzzed with libFuzzer
         | using the fuzzing interface andrei mentioned.
         | 
         | 0: https://google.github.io/oss-fuzz/
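
The exchange between eigenvalue and _j3sse above, as an added example that is not part of the thread and not code from Mozilla, AFL or libFuzzer: a toy coverage-guided loop in the AFL style, run against an invented target with a simulated "zlib" module (hundreds of cheap novel edges) and a simulated "html" module (the few structural edges a browser fuzzer actually cares about). The same loop is run twice, once with every edge counted and once with the "zlib" module dropped from the feedback, to show how an uninteresting library pulls the corpus toward itself and how excluding it from the coverage signal keeps the fuzzer on the browser-level target. All module names, edge ids, seeds and the mutator are constructed for this illustration.

```python
"""Toy coverage-guided fuzzer illustrating why browser fuzzers often drop
'don't care' libraries from their coverage feedback.

Constructed example for this thread; not Mozilla's, AFL's or libFuzzer's
code. The target, its modules and all edge ids are invented stand-ins."""
import random
from typing import Iterable, List, Set, Tuple

Edge = Tuple[str, int]      # (module name, edge id): hypothetical edge identity

GZ_MAGIC = b"\x1f\x8b"      # real gzip magic, used here only to route the toy target


def toy_target(data: bytes, cov: Set[Edge]) -> None:
    """Stand-in for a browser entry point that dispatches to a 'zlib' or an
    'html' module. Every executed block records an edge into `cov`, the way
    a coverage instrumentation map would."""
    cov.add(("dispatch", 0))
    if data.startswith(GZ_MAGIC):
        cov.add(("dispatch", 1))
        # Simulated decompressor: every distinct byte value after the header
        # is a fresh edge, so it offers the fuzzer hundreds of 'novel' paths.
        for b in data[len(GZ_MAGIC):]:
            cov.add(("zlib", b))
        return
    cov.add(("dispatch", 2))
    # Simulated markup parser: a handful of edges keyed on nesting structure,
    # which is what a browser fuzzer actually wants to explore.
    depth = 0
    for b in data:
        if b == ord("<"):
            depth += 1
            cov.add(("html", 1 + min(depth, 8)))
        elif b == ord(">"):
            depth = max(depth - 1, 0)
            cov.add(("html", 20 + min(depth, 8)))
        elif b == ord("/"):
            cov.add(("html", 40))


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Minimal AFL-style mutator: overwrite, insert or delete one byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seeds: Iterable[bytes], iterations: int, ignore_modules: Set[str],
         seed: int = 1) -> List[bytes]:
    """Coverage-guided loop. An input joins the corpus only when it reaches an
    edge not seen before in a module we care about. Edges from
    `ignore_modules` are discarded before the novelty check; that is the
    mitigation the thread describes (fuzz zlib on its own, not via the browser)."""
    rng = random.Random(seed)
    corpus: List[bytes] = []
    seen: Set[Edge] = set()

    def run(data: bytes) -> bool:
        cov: Set[Edge] = set()
        toy_target(data, cov)
        interesting = {e for e in cov if e[0] not in ignore_modules}
        if interesting - seen:
            seen.update(interesting)
            return True
        return False

    for s in seeds:
        if run(s):
            corpus.append(s)
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        if run(child):
            corpus.append(child)
    return corpus


def gz_entries(corpus: List[bytes]) -> int:
    """Count corpus entries the fuzzer kept because they looked gzip-encoded."""
    return sum(1 for c in corpus if c.startswith(GZ_MAGIC))


# Constructed seeds: one markup-like input and one that already hit the gz path.
SEEDS = [b"<a><b>/</b></a>", GZ_MAGIC + b"\x08\x00"]


def compare(iterations: int = 2000) -> Tuple[int, int]:
    """Returns (gz entries with all edges counted, gz entries with zlib ignored)."""
    unfiltered = fuzz(SEEDS, iterations, set())
    filtered = fuzz(SEEDS, iterations, {"zlib"})
    return gz_entries(unfiltered), gz_entries(filtered)


if __name__ == "__main__":
    print("gz-prefixed corpus entries (all edges, zlib ignored):", compare())
```

With "zlib" ignored, the only gzip-looking input that ever enters the corpus is the seed that first reached the dispatch branch, because no further zlib edge counts as progress; with all edges counted, every mutated byte after the header is a new "finding" and the corpus fills with inputs the browser fuzzer has no use for. Real harnesses get the same effect by instrumenting only the modules of interest or by handing those libraries to a dedicated libFuzzer/OSS-Fuzz target.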
        
       | butz wrote:
       | Might be a bit off topic, but does building Firefox from source
       | use your default profile, or is it separate?
        
         | cpeterso wrote:
         | A local build of Firefox can use any profile you like, but by
         | default, the "mach run" build script will create a separate new
         | profile for testing.
        
         | jwatt wrote:
         | It depends on which branch you checked out before you built. By
         | default you'll normally end up with a checkout of 'mozilla-
         | central', in which case it will use a separate profile.
        
       | f430 wrote:
       | Does Mozilla or Chrome have some sort of sandbox containership?
        
         | cjohansson wrote:
         | yes but only for Windows it seems
        
           | saagarjha wrote:
           | Firefox uses seccomp-bpf on Linux and the platform sandbox on
           | macOS.
        
         | danlugo92 wrote:
         | "firefox containers"
        
         | sstangl wrote:
         | Yes, Firefox uses the same sandbox as Chromium.
         | https://wiki.mozilla.org/Security/Sandbox/Specifics
        
           | est31 wrote:
           | Note that there are some holes in the Firefox sandbox that
           | don't exist in the Chromium one:
           | https://bugzilla.mozilla.org/show_bug.cgi?id=1129492
        
       ___________________________________________________________________
       (page generated 2021-02-09 23:00 UTC)