czz: Whole-Program Fuzzing
czz is a whole-program, scriptable, multi-language, coverage-guided fuzzer.
Whole-program: Instead of feeding input to the target program via a file or stdin, czz executes the target from `main` and provides it with manufactured data by intercepting calls to library functions like `recv`, `fopen`, and `rand`. This approach does not require users to write a fuzzing harness and can exercise effectful, non-deterministic code that is not amenable to traditional fuzzing techniques.
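The interception idea above, as an added illustration that is not czz code: a target whose `main` reads from a socket and consults `rand` is driven without a harness because the fuzzer supplies its own `recv` and `rand`. The link-time symbol shadowing used here only stands in for the interception czz performs in its own engine; the wire format, `handle_request` and `set_fuzz_input` are constructed for the demo.

```c
/* Added illustration (not czz code): a fuzzer driving an unmodified main()
 * by intercepting the library calls the target makes. Our definitions of
 * recv() and rand() shadow libc's at link time and serve fuzzer-chosen bytes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* ---- fuzzer side: the manufactured data source ---- */
static const unsigned char *pool;   /* bytes the fuzzer chose for this run */
static size_t pool_len, pool_pos;

void set_fuzz_input(const unsigned char *buf, size_t len) {
    pool = buf; pool_len = len; pool_pos = 0;
}

/* Interposed recv(): never touches a socket, just hands out pool bytes. */
ssize_t recv(int fd, void *buf, size_t len, int flags) {
    (void)fd; (void)flags;
    size_t n = pool_len - pool_pos;
    if (n > len) n = len;
    memcpy(buf, pool + pool_pos, n);
    pool_pos += n;
    return (ssize_t)n;              /* 0 means "peer closed", as with real recv */
}

/* Interposed rand(): a fixed value makes the non-deterministic path replayable. */
int rand(void) { return 7; }

/* ---- unmodified target, as a real service might be written ---- */
/* Constructed wire format: [nonce][len][payload]; nonce must equal rand(). */
int handle_request(int fd) {
    unsigned char hdr[2], payload[16];
    if (recv(fd, hdr, sizeof hdr, 0) != (ssize_t)sizeof hdr) return -1; /* short read */
    if (hdr[0] != (unsigned char)rand()) return -2;          /* nonce mismatch */
    if (hdr[1] == 0 || hdr[1] > sizeof payload) return -3;    /* length check */
    if (recv(fd, payload, hdr[1], 0) != (ssize_t)hdr[1]) return -1;
    return payload[0] == 'X' ? 1 : 0;  /* 1: reached the code behind all checks */
}

int main(void) {
    static const unsigned char sample[] = {7, 3, 'X', 'y', 'z'};  /* constructed */
    set_fuzz_input(sample, sizeof sample);
    printf("handle_request -> %d\n", handle_request(3));       /* prints 1 */
    return 0;
}
```

Each run re-seeds the pool, so a mutation loop only needs to call `set_fuzz_input` with the next candidate and observe which return code `handle_request` reaches.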
Scriptable: czz can be scripted in Scheme. Capabilities include overriding the behavior of functions in the target program, e.g., to make a checksum function always pass. Use-cases that we plan to support in the future include writing custom power schedules and mutations.
Multi-language: czz currently targets languages that compile to LLVM (C, C++, Rust, etc.), but is built on the language-agnostic Crucible library, and also includes a proof-of-concept fuzzer for JVM code. WebAssembly support is planned.
Read more at the Overview.