czz: Whole-Program Fuzzing

czz is a whole-program, scriptable, multi-language, coverage-guided fuzzer.

Whole-program: Instead of feeding input to the target program via a file or stdin, czz executes the target from main and provides it with manufactured data by intercepting calls to library functions like recv, fopen, and rand. This approach does not require users to write a fuzzing harness, and it can exercise effectful, non-deterministic code that is not amenable to traditional fuzzing techniques.

Scriptable: czz can be scripted in Scheme. Capabilities include overriding the behavior of functions in the target program, e.g., to make a checksum function always pass. Use-cases that we plan to support in the future include writing custom power schedules and mutations.

Multi-language: czz currently targets languages that compile to LLVM (e.g., C, C++, and Rust), but it is built on the language-agnostic Crucible library and also includes a proof-of-concept fuzzer for JVM code. WebAssembly support is planned.
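To make the whole-program and scriptable ideas above concrete, here is an added C model of the mechanism (illustration written for this page, not czz's own code or API): the target's request handler is unchanged and reads from recv and rand as it normally would, but those calls are intercepted so their bytes come from a fuzzer-supplied buffer, and the checksum check is a hook that can be overridden to always pass. The names fz_recv, fz_rand, fuzz_run and the sample inputs are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of whole-program fuzzing (added illustration, not czz code): the
 * target runs from its normal entry point, and the bytes it would obtain
 * from recv() and rand() are served from a fuzzer-owned buffer instead. */
static const uint8_t *fuzz_data = NULL;   /* manufactured input */
static size_t fuzz_len = 0, fuzz_pos = 0;

/* Intercepted recv(): hands out up to len manufactured bytes; 0 = peer closed. */
static long fz_recv(int fd, void *buf, size_t len) {
    (void)fd;
    size_t avail = fuzz_len - fuzz_pos;
    size_t n = len < avail ? len : avail;
    memcpy(buf, fuzz_data + fuzz_pos, n);
    fuzz_pos += n;
    return (long)n;
}

/* Intercepted rand(): one manufactured byte, so "random" paths replay exactly. */
static int fz_rand(void) {
    return fuzz_pos < fuzz_len ? fuzz_data[fuzz_pos++] : 0;
}

/* Checksum hook: the target's real check, and the override a script would install. */
static int real_checksum_ok(const uint8_t *m, size_t n, uint8_t want) {
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) sum ^= m[i];
    return sum == want;
}
int always_pass(const uint8_t *m, size_t n, uint8_t want) {
    (void)m; (void)n; (void)want; return 1;
}
int (*checksum_ok)(const uint8_t *, size_t, uint8_t) = real_checksum_ok;

/* The target's handler, untouched by any harness. Returns 0 for a valid
 * request, -1 on bad checksum, -2 on truncated input, 1 on the random retry path. */
int handle_request(void) {
    uint8_t hdr[4];
    if (fz_recv(0, hdr, sizeof hdr) != (long)sizeof hdr) return -2;
    if (!checksum_ok(hdr, 3, hdr[3])) return -1;
    if (fz_rand() % 2) return 1;          /* non-deterministic branch */
    return 0;
}

/* One fuzz iteration: install manufactured data, run the target from its entry. */
int fuzz_run(const uint8_t *data, size_t len) {
    fuzz_data = data; fuzz_len = len; fuzz_pos = 0;
    return handle_request();
}

/* Constructed sample inputs: 0x01^0x02^0x03 == 0x00 is the valid checksum. */
const uint8_t sample_ok[]    = {0x01, 0x02, 0x03, 0x00, 0x00};
const uint8_t sample_retry[] = {0x01, 0x02, 0x03, 0x00, 0x01};
const uint8_t sample_bad[]   = {0x01, 0x02, 0x03, 0x09, 0x00};
const uint8_t sample_short[] = {0x01, 0x02};
```

Because every byte the target consumes comes from the buffer, the same input always replays the same path, including the "random" retry branch; swapping checksum_ok for always_pass lets the fuzzer reach code behind the checksum without learning to satisfy it.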

Read more at the Overview.
