

Releasing jsfunfuzz and DOMFuzz - dbaupp
https://www.squarefree.com/2015/07/28/releasing-jsfunfuzz-and-domfuzz/

======
Lazare
I was fascinated by the link[1] in this line "As a result, instead of being
hostile to fuzzing, Firefox developers actively help me fuzz their code."

It almost reads like a parody, but it's clearly quite serious; a detailed,
thoughtful discussion of how you can ensure your continued ability to ship
buggy products. (I know, that's not how the authors see it. But I know which
philosophy I hope the people developing the software I have to use have, and
it looks a lot more like Firefox than RIM.)

[1]: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/january/introduction-to-anti-fuzzing-a-defence-in-depth-aid/

~~~
WalterGR
And in the meantime:

    
        Over the last 11 years, these fuzzers have found 6450 Firefox bugs,
        including 790 bugs that were rated as security-critical.

------
nnethercote
Jesse's fuzzers are wonderful. When Mozilla developers make a big change to
SpiderMonkey they'll often ask the QA folks to run the change through
jsfunfuzz for a few hours, and very often it'll uncover real bugs.

------
detaro
Very interesting. Does anyone know if V8 and derived products are regularly
tested with similar tools?

~~~
Moral_
V8 gets tested on clusterfuzz

~~~
rectangletangle
Best name ever!

------
pvnick
I worked with Jesse a few years ago doing penetration testing on Firefox. He
always amazed me with his brilliance. I learned a lot from his work, and he's
a really nice person as well.

------
resc1440
Jesse's "stir DOM" fuzzer, which fits in a tweet & a bookmarklet:

    
        // pick a random entry from an array-like collection
        pick = a => a[a.length * Math.random() | 0];
        // every element in the document (a live HTMLAllCollection)
        elts = document.all;
        // move one random element under another random element
        stir = () => pick(elts).appendChild(pick(elts));
        // keep stirring once a millisecond
        setInterval(stir, 1);

Fun background information:
[https://twitter.com/jruderman/status/626381997850632192](https://twitter.com/jruderman/status/626381997850632192)
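
A practitioner's first complaint about the one-liner above is that Math.random() makes a crash unreproducible. The following is an added example (not code from the thread, from Jesse Ruderman or from the jsfunfuzz/DOMFuzz repositories) of the same stir loop driven by a seeded PRNG and logging every appendChild it attempts, so that a seed replays the exact sequence. The mulberry32 PRNG, the FakeNode class, makeTree, runStir and treeIsConsistent are all names and constructs assumed here; FakeNode is a constructed stand-in for real DOM elements so the code runs under Node without a browser. In a browser you would pass Array.from(document.all) as elts instead of the constructed tree.

```javascript
// Added example: reproducible "stir DOM" fuzzing with a seeded PRNG.
// Nothing here is from the original thread; FakeNode, makeTree, runStir and
// treeIsConsistent are assumed helper names for this illustration.

// mulberry32: small seeded PRNG returning floats in [0, 1) like Math.random().
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed stand-in for a DOM element. appendChild keeps the two DOM rules
// that matter for this fuzzer: the child is detached from its old parent
// first, and appending a node to itself or to one of its own descendants
// throws HierarchyRequestError (the edge the stir loop keeps hitting).
class FakeNode {
  constructor(name) { this.name = name; this.parent = null; this.children = []; }
  // true if `node` is this node or a descendant of it
  contains(node) {
    for (let n = node; n; n = n.parent) if (n === this) return true;
    return false;
  }
  appendChild(child) {
    if (child.contains(this)) throw new Error('HierarchyRequestError');
    if (child.parent) {
      const sib = child.parent.children;
      sib.splice(sib.indexOf(child), 1);
    }
    child.parent = this;
    this.children.push(child);
    return child;
  }
}

// Constructed sample tree so the example runs offline.
function makeTree() {
  const root = new FakeNode('html');
  const body = root.appendChild(new FakeNode('body'));
  const div = body.appendChild(new FakeNode('div'));
  div.appendChild(new FakeNode('p'));
  div.appendChild(new FakeNode('span'));
  body.appendChild(new FakeNode('ul')).appendChild(new FakeNode('li'));
  return root;
}

// Flatten the tree into an array: the equivalent of Array.from(document.all).
function allNodes(root) {
  const out = [];
  (function walk(n) { out.push(n); n.children.forEach(walk); })(root);
  return out;
}

// Run `steps` stir operations from `seed`. Returns a replayable log of
// [parentIndex, childIndex, outcome] entries, one per appendChild attempt.
function runStir(seed, steps, elts) {
  const rand = mulberry32(seed);
  const pick = a => a[(a.length * rand()) | 0];
  const log = [];
  for (let i = 0; i < steps; i++) {
    const parent = pick(elts), child = pick(elts);
    let outcome = 'ok';
    try { parent.appendChild(child); } catch (e) { outcome = e.message; }
    log.push([elts.indexOf(parent), elts.indexOf(child), outcome]);
  }
  return log;
}

// Post-run invariant check: parent/child links agree and there are no cycles.
function treeIsConsistent(elts) {
  for (const n of elts) {
    if (n.parent && !n.parent.children.includes(n)) return false;
    for (const c of n.children) if (c.parent !== n) return false;
    let depth = 0;
    for (let a = n.parent; a; a = a.parent) if (++depth > elts.length) return false;
  }
  return true;
}

// Usage: the same seed always yields the same log, so a crash found with one
// seed can be replayed by re-running runStir with that seed.
const demoElts = allNodes(makeTree());
const demoLog = runStir(1234, 200, demoElts);
```

Against a real browser the loop is the same; only the `elts` array and the node type change, and the log of indices into `Array.from(document.all)` (taken before stirring starts) is what you attach to the bug report.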

------
serve_yay
Honest q: what is meant by "modern Firefox"?

~~~
ndesaulniers
FF 39-42, as opposed to say, FF 4.

~~~
serve_yay
OK, thanks. And is that because of a large architectural difference starting
around v39, compared to earlier versions?

~~~
ehsanakhgari
Yes. Over the years we have worked on projects that would reduce the impact of
bugs found by this fuzzer. For example we have prevented whole classes of
security bugs that this fuzzer would find, which would reduce the priority of
fixing them compared to a benign crash.

