Blog
Tech blog on web, security & embedded
testing
The Dutch Electoral Council (known as the Kiesraad in Dutch) are developing Abacus: new open-source software for computing election results. We looked into how we can verify the correctness of the algorithm used for seat apportionment. In this blog post, we will discuss various ways of verifying software in Rust, from unit testing to model-based verification and fuzzing. In particular, property-based fuzzing turned out to be very useful for finding bugs in the seat apportionment algorithm.
May 6, 2025
What is my fuzzer doing?
Fuzz testing is incredibly useful: it has caught many a bug during the development of NTP packet parsing and gzip/bzip2 (de)compression.
But I've always been unsatisfied with the fuzzer being a black box. When it runs for hours and reports no issues, what do we actually learn from that? In ntpd-rs we've previously had a bug fly under the radar because the fuzzer just did not reach a large chunk of code. So, does my fuzzer actually exercise the code paths that I think it should?