May 6, 2025
What is my fuzzer doing?
Fuzz testing is incredibly useful: it has caught many a bug during the development of NTP packet parsing and gzip/bzip2 (de)compression.
But I've always been unsatisfied with the fuzzer being a black box. When it runs for hours and reports no issues, what do we actually learn from that? In ntpd-rs we've previously had a bug fly under the radar because the fuzzer just did not reach a large chunk of code. So, does my fuzzer actually exercise the code paths that I think it should?