
Running LibFuzzer in a Browser, via WASM [pdf] - DyslexicAtheist
https://github.com/jonathanmetzman/wasm-fuzzing-demo/blob/master/meetup-Fuzzing-Native-Applications-in-Browsers-With-WASM.pdf
======
guidovranken
Nice!

One application could be distributed fuzzing, where anyone can partake in
fuzzing important software (e.g. OpenSSL) by just running a web page in their
browser. Native binaries are less suited for this because adequate sandboxing
is hard, but the security properties offered by WASM and browsers make this no
less secure than running any other web page. With this, anyone can contribute
to the quality of OSS without any technical skills, anonymously and
free/cheap. For vendors willing to pay bounties for (OSS) software bugs, their
current process can be automated and participation is incentivized. Offering
bounties (like Google does now for OSS-Fuzz integrations) for new bugs or code
coverage incentivizes development of superior fuzzing/static analysis/symbolic
execution tech and submission of custom-made inputs; without a centralized
tracking and verification system, this would be much more tedious to organize.
WebTorrent might be used for distribution of corpora/new inputs.

~~~
metzmanj
Right I think WASM offers some nice advantages over native for distributed
fuzzing.

It's also worth pointing out that Mozilla made a (non-WASM) distributed
fuzzing project, virgo:
[https://github.com/MozillaSecurity/virgo](https://github.com/MozillaSecurity/virgo)
but it appears to be inactive.

------
saagarjha
Are there any benefits of running the fuzzer in-browser rather than on a
native binary? Does the fuzzer exercise different code paths for each? Do
other bugs pop up?

~~~
roddux
The potential application is hinted at with the slide "OSS-Fuzz@Home". Akin to
the SETI@Home[1] mass-distributed computing project, this has the potential to
scale in a HUGE way. Anyone with a web browser could simply load the fuzzer
and contribute cycles... No need for any big downloads, any installs, special
software, configuration or anything! Just visit a page and you're golden.

I wonder if Google will actually build on this. It's a great idea.

[1]:
[https://en.wikipedia.org/wiki/SETI@home](https://en.wikipedia.org/wiki/SETI@home)

~~~
metzmanj
I don't think we have plans to build this for now.

I find it a really cool idea, but for now, running fuzzers natively on Google
Cloud with ClusterFuzz
([https://github.com/google/clusterfuzz](https://github.com/google/clusterfuzz))
suits our needs.

One challenge for the WASM approach is it will always be at least as hard to
build a project for WASM as it is for native.

