
OpenSSF has released a tool to improve fuzzing by giving developers insights into their fuzzers and helping them identify coverage blockers.
Fuzz testing helps find security exploits and vulnerabilities by reaching edge cases that human testers rarely encounter. While promising, fuzz testing has its own complexity.
The effectiveness of fuzzing depends on how much of the code it covers, and writing effective tools to implement fuzzing (“fuzzers”) with good coverage is still challenging.
The two open source projects Mozilla NSS and NSO iMessage have recently been found vulnerable to attacks in spite of using fuzzing techniques, like Fuzz Introspector’s authors
Fuzz Introspector can analyze functions, static call graphs, and runtime coverage information, with the aim of helping developers understand which blockers may be preventing fuzzers from covering as much of their code as possible.
Fuzz Introspector has two main parts: compiler-based static analysis, which collects data about the code under analysis through an LLVM link-time optimization (LTO) pass; and post-processing, which analyzes the data produced in the first step along with coverage reports generated by llvm-cov.
Fuzz Introspector can show a number of interesting properties of each function in a project, such as its cyclomatic complexity. It can also show which functions in a project are not reached by a given fuzzer and which ones should be targeted for fuzzing based on their potential to increase coverage.
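As an added illustration of the post-processing step described above (example code written for this article, not Fuzz Introspector’s own implementation), the snippet below runs a toy reachability analysis over a constructed call graph and coverage map: it lists functions a fuzzer reaches statically but never executes at runtime, and ranks the functions it cannot reach at all by the cyclomatic complexity they would add. All function names, complexity values and hit counts are constructed for the example.

```python
from collections import deque

# Constructed static call graph (function -> callees), as an LTO pass might record it.
CALL_GRAPH = {
    "LLVMFuzzerTestOneInput": ["parse_header", "parse_body"],
    "parse_header": ["check_magic"],
    "parse_body": ["decode_chunk"],
    "decode_chunk": ["inflate", "verify_crc"],
    "inflate": [],
    "verify_crc": [],
    "check_magic": [],
    "render_image": ["decode_chunk", "apply_filters"],
    "apply_filters": [],
}
# Constructed per-function cyclomatic complexity (edges - nodes + 2 of each function's CFG).
COMPLEXITY = {"LLVMFuzzerTestOneInput": 2, "parse_header": 3, "check_magic": 1,
              "parse_body": 4, "decode_chunk": 8, "inflate": 12, "verify_crc": 3,
              "render_image": 6, "apply_filters": 9}
# Constructed runtime coverage (function -> lines executed), as llvm-cov would report it.
COVERED = {"LLVMFuzzerTestOneInput": 10, "parse_header": 5, "check_magic": 2,
           "parse_body": 3, "decode_chunk": 0, "inflate": 0, "verify_crc": 0,
           "render_image": 0, "apply_filters": 0}

def reachable(graph, entry):
    """Functions statically reachable from an entry point (BFS over the call graph)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def coverage_blockers(graph, coverage, entry):
    """Reachable but never executed: static analysis says the fuzzer *can* get there,
    the coverage report says it never did (e.g. an early check rejects every input)."""
    return sorted(f for f in reachable(graph, entry) if coverage.get(f, 0) == 0)

def fuzz_targets(graph, complexity, entry, top=3):
    """Functions the fuzzer cannot reach, ranked by the complexity a new fuzzer
    starting at each of them would add beyond what is already reachable."""
    reached = reachable(graph, entry)
    scores = {}
    for f in graph:
        if f not in reached:
            new_code = reachable(graph, f) - reached
            scores[f] = sum(complexity.get(g, 0) for g in new_code)
    return sorted(scores.items(), key=lambda kv: -kv[1])[:top]
```

With the constructed data, `coverage_blockers` reports `decode_chunk`, `inflate` and `verify_crc` as reachable-but-unexecuted, and `fuzz_targets` ranks `render_image` above `apply_filters` because fuzzing it would also pull in `apply_filters`.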
Fuzz Introspector generates an HTML report that includes an overview of reachability by all fuzzers, a summary of each fuzzer’s performance, a call tree showing in red all functions that have not been covered yet, and more.
The tool also attempts to suggest which new fuzzers could be added to the project, although this feature is still naive. Fuzz Introspector currently works with C/C++ codebases, but support for additional languages is already on the roadmap.