Getting started with fuzzing
This tutorial introduces the basics of fuzzing in Go. With fuzzing, random data is run against your test in an attempt to find vulnerabilities or crash-causing inputs. Some examples of vulnerabilities that can be found by fuzzing are SQL injection, buffer overflow, denial of service and cross-site scripting attacks.
In this tutorial, you'll write a fuzz test for a simple function, run the go command, and debug and fix issues in the code.
For help with terminology throughout this tutorial, see the Go Fuzzing glossary.
You'll progress through the following sections:
- Create a folder for your code.
- Add code to test.
- Add a unit test.
- Add a fuzz test.
- Fix two bugs.
- Explore additional resources.
Note: Go fuzzing currently supports a subset of built-in types, listed in the Go Fuzzing docs, with support for more built-in types to be added in the future.
Prerequisites
- An installation of Go 1.18 or later. For installation instructions, see Installing Go.
- A tool to edit your code. Any text editor you have will work fine.
- A command terminal. Go works well using any terminal on Linux and Mac, and on PowerShell or cmd in Windows.
- An environment that supports fuzzing. Go fuzzing with coverage instrumentation is only available on AMD64 and ARM64 architectures currently.
Create a folder for your code
To begin, create a folder for the code you’ll write.
-
Open a command prompt and change to your home directory.
On Linux or Mac:
On Windows:
The rest of the tutorial will show a $ as the prompt. The commands you use will work on Windows too.
-
From the command prompt, create a directory for your code called fuzz.
-
Create a module to hold your code.
Run the
go mod initcommand, giving it your new code’s module path.Note: For production code, you’d specify a module path that’s more specific to your own needs. For more, be sure to see Managing dependencies.
Next, you'll add some simple code to reverse a string, which we’ll fuzz later.
Add code to test
In this step, you’ll add a function to reverse a string.
Write the code
-
Using your text editor, create a file called main.go in the fuzz directory.
-
Into main.go, at the top of the file, paste the following package declaration.
A standalone program (as opposed to a library) is always in package
main. -
Beneath the package declaration, paste the following function declaration.
This function will accept a
string, loop over it abyteat a time, and return the reversed string at the end.Note: This code is based on the
stringutil.Reversefunction within golang.org/x/example. -
At the top of main.go, beneath the package declaration, paste the following
mainfunction to initialize a string, reverse it, print the output, and repeat.This function will run a few
Reverseoperations, then print the output to the command line. This can be helpful for seeing the code in action, and potentially for debugging. -
The
mainfunction uses the fmt package, so you will need to import it.The first lines of code should look like this:
Run the code
From the command line in the directory containing main.go, run the code.
You can see the original string, the result of reversing it, then the result of reversing it again, which is equivalent to the original.
Now that the code is running, it’s time to test it.
Add a unit test
In this step, you will write a basic unit test for the Reverse function.
Write the code
-
Using your text editor, create a file called reverse_test.go in the fuzz directory.
-
Paste the following code into reverse_test.go.
This simple test will assert that the listed input strings will be correctly reversed.
Run the code
Run the unit test using go test
Next, you will change the unit test into a fuzz test.
Add a fuzz test
The unit test has limitations, namely that each input must be added to the test by the developer. One benefit of fuzzing is that it comes up with inputs for your code, and may identify edge cases that the test cases you came up with didn’t reach.
In this section you will convert the unit test to a fuzz test so that you can generate more inputs with less work!
Note that you can keep unit tests, benchmarks, and fuzz tests in the same *_test.go file, but for this example you will convert the unit test to a fuzz test.
Write the code
In your text editor, replace the unit test in reverse_test.go with the following fuzz test.
Fuzzing has a few limitations as well. In your unit test, you could predict the
expected output of the Reverse function, and verify that the actual output met
those expectations.
For example, in the test case Reverse("Hello, world") the unit test specifies
the return as "dlrow ,olleH".
When fuzzing, you can't predict the expected output, since you don't have control over the inputs.
However, there are a few properties of the Reverse function that you can
verify in a fuzz test. The two properties being checked in this fuzz test are:
- Reversing a string twice preserves the original value
- The reversed string preserves its state as valid UTF-8.
Note the syntax differences between the unit test and the fuzz test:
- The function begins with FuzzXxx instead of TestXxx, and takes
*testing.Finstead of*testing.T - Where you would expect to see a
t.Runexecution, you instead seef.Fuzzwhich takes a fuzz target function whose parameters are*testing.Tand the types to be fuzzed. The inputs from your unit test are provided as seed corpus inputs usingf.Add.
Ensure the new package, unicode/utf8 has been imported.
With the unit test converted to a fuzz test, it’s time to run the test again.
Run the code
-
Run the fuzz test without fuzzing it to make sure the seed inputs pass.
You can also run
go test -run=FuzzReverseif you have other tests in that file, and you only wish to run the fuzz test. -
Run
FuzzReversewith fuzzing, to see if any randomly generated string inputs will cause a failure. This is executed usinggo testwith a new flag,-fuzz, set to the parameterFuzz. Copy the command below.Another useful flag is
-fuzztime, which restricts the time fuzzing takes. For example, specifying-fuzztime 10sin the test below would mean that, as long as no failures occurred earlier, the test would exit by default after 10 seconds had elapsed. See this section of the cmd/go documentation to see other testing flags.Now, run the command you just copied.
A failure occurred while fuzzing, and the input that caused the problem is written to a seed corpus file that will be run the next time
go testis called, even without the-fuzzflag. To view the input that caused the failure, open the corpus file written to the testdata/fuzz/FuzzReverse directory in a text editor. Your seed corpus file may contain a different string, but the format will be the same.The first line of the corpus file indicates the encoding version. Each following line represents the value of each type making up the corpus entry. Since the fuzz target only takes 1 input, there is only 1 value after the version.
-
Run
go testagain without the-fuzzflag; the new failing seed corpus entry will be used:Since our test has failed, it’s time to debug.
Fix the invalid string error
In this section, you will debug the failure, and fix the bug.
Feel free to spend some time thinking about this and trying to fix the issue yourself before moving on.
Diagnose the error
There are a few different ways you could debug this error. If you are using VS Code as your text editor, you can set up your debugger to investigate.
In this tutorial, we will log useful debugging info to your terminal.
First, consider the docs for
utf8.ValidString.
The current Reverse function reverses the string byte-by-byte, and therein
lies our problem. In order to preserve the UTF-8-encoded runes of the original
string, we must instead reverse the string rune-by-rune.
To examine why the input (in this case, the Chinese character 泃) is causing
Reverse to produce an invalid string when reversed, you can inspect the number
of runes in the reversed string.
Write the code
In your text editor, replace the fuzz target within FuzzReverse with the
following.
This t.Logf line will print to the command line if an error occurs, or if
executing the test with -v, which can help you debug this particular issue.
Run the code
Run the test using go test
The entire seed corpus used strings in which every character was a single byte. However, characters such as 泃 can require several bytes. Thus, reversing the string byte-by-byte will invalidate multi-byte characters.
Note: If you’re curious about how Go deals with strings, read the blog post Strings, bytes, runes and characters in Go for a deeper understanding.
With a better understanding of the bug, correct the error in the Reverse
function.
Fix the error
To correct the Reverse function, let’s traverse the string by runes, instead
of by bytes.
Write the code
In your text editor, replace the existing Reverse() function with the following.
The key difference is that Reverse is now iterating over each rune in the
string, rather than each byte. Note that this is just an example, and does not
handle combining characters correctly.
Run the code
-
Run the test using
go testThe test now passes!
-
Fuzz it again with
go test -fuzz, to see if there are any new bugs.We can see that the string is different from the original after being reversed twice. This time the input itself is invalid unicode. How is this possible if we’re fuzzing with strings?
Let’s debug again.
Fix the double reverse error
In this section, you will debug the double reverse failure and fix the bug.
Feel free to spend some time thinking about this and trying to fix the issue yourself before moving on.
Diagnose the error
Like before, there are several ways you could debug this failure. In this case, using a debugger would be a great approach.
In this tutorial, we will log useful debugging info in the Reverse function.
Look closely at the reversed string to spot the error. In Go, a string is a
read only slice of bytes, and can contain bytes
that aren’t valid UTF-8. The original string is a byte slice with one byte,
'\x91'. When the input string is set to []rune, Go encodes the byte slice to
UTF-8, and replaces the byte with the UTF-8 character �. When we compare the
replacement UTF-8 character to the input byte slice, they are clearly not equal.
Write the code
-
In your text editor, replace the
Reversefunction with the following.This will help us understand what is going wrong when converting the string to a slice of runes.
Run the code
This time, we only want to run the failing test in order to inspect the logs. To
do this, we will use go test -run.
To run a specific corpus entry within FuzzXxx/testdata, you can provide
{FuzzTestName}/{filename} to -run. This can be helpful when debugging.
In this case, set the -run flag equal to the exact hash of the failing test.
Copy and paste the unique hash from your terminal;
it will be different than the one below.
Knowing that the input is invalid unicode, let’s fix the error in our Reverse
function.
Fix the error
To fix this issue, let's return an error if the input to Reverse isn't valid
UTF-8.
Write the code
-
In your text editor, replace the existing
Reversefunction with the following.This change will return an error if the input string contains characters which are not valid UTF-8.
-
Since the Reverse function now returns an error, modify the
mainfunction to discard the extra error value. Replace the existingmainfunction with the following.These calls to
Reverseshould return a nil error, since the input string is valid UTF-8. -
You will need to import the errors and the unicode/utf8 packages. The import statement in main.go should look like the following.
-
Modify the reverse_test.go file to check for errors and skip the test if errors are generated by returning.
Rather than returning, you can also call
t.Skip()to stop the execution of that fuzz input.
Run the code
-
Run the test using go test
-
Fuzz it with
go test -fuzz=Fuzz, then after a few seconds has passed, stop fuzzing withctrl-C. The fuzz test will run until it encounters a failing input unless you pass the-fuzztimeflag. The default is to run forever if no failures occur, and the process can be interrupted withctrl-C.
-
Fuzz it with
go test -fuzz=Fuzz -fuzztime 30swhich will fuzz for 30 seconds before exiting if no failure was found.Fuzzing passed!
In addition to the
-fuzzflag, several new flags have been added togo testand can be viewed in the documentation.See Go Fuzzing for more information on terms used in fuzzing output. For example, "new interesting" refers to inputs that expand the code coverage of the existing fuzz test corpus. The number of "new interesting" inputs can be expected to increase sharply as fuzzing begins, spike several times as new code paths are discovered, then taper off over time.
Conclusion
Nicely done! You've just introduced yourself to fuzzing in Go.
The next step is to choose a function in your code that you'd like to fuzz, and try it out! If fuzzing finds a bug in your code, consider adding it to the trophy case.
If you experience any problems or have an idea for a feature, file an issue.
For discussion and general feedback about the feature, you can also participate in the #fuzzing channel in Gophers Slack.
Check out the documentation at go.dev/security/fuzz for further reading.
Completed code
--- main.go ---
--- reverse_test.go ---