I already yell around 5-10 times a day at my computer

I love this type of videos where you show a useful tool and an example using this tool, and what's even cooler is the fact that using it you were able to detect a bug that wasn't intentional

Just for fun though, there's a footgun hidden in the example code, too. As the recv buffer has a hardcoded length limit of 1024 bytes, directly casting the input buffer into a struct that contains a user-controlled length field is not really a good idea. If somehow the codebase got updated in a certain way and the memcpy destination was a heap allocation, it may lead to information leak. E.g. ask the server to echo a 65535-byte data chunk from a 1024-byte input.

Why is fuzzing better than boundary tests?...after watching I withdraw my question.

Use -fsanitize=fuzzer,address and you should be able to find another bug in the parse code. If the input is less than the size of the struct you would read outside the memory. Does not always cause crash without address sanitizer. However not a bug in the program due to the receiving buffer size.

"like literally yelling at the code" proceeds not to yell at the code

That's why I used to use unsigned everywhere by default, until negative values are explicitly required by design. And yes, using e.g. -1 magic value to represent things like a non-existent index is a bad design. Don't do it.

Satisfied customer here, been doing this for the last 10 years 10/10 - my code has feared me ever since

Ah, there's a name for it. I do this regularly the manual way in my own projects, though granted those are all smaller projects where my scope of potential issues is "is there some way a user can force invalid data down this thing's throat". Useful to know if I ever manage to get a real job, lol(being a dev without a college degree is the dark souls of job hunting, I swear)

Amazing brother, you have the gift of communicate complex concepts into simple terms. Thanks! Glad to find your channel! ;)

I already do this every day

It would be really funny if he said "there's no more bugs in this code" and libfuzzer just crashed.

why did i think we might actually be yelling at code?

at first we code safely by yelling in time elaborate rituals involving chanting, holy oils and incense is necessary to please the machine spirit and banish demonic bugs

“Port 1337” that took me a second. Very funny

Well, because I am so good at messing up function calls by using function pointers and structs/unions, I need no help. The code would yell either way nevertheless.

Segmentation fault (Core dumped)

2:38 in, I expect your issue is that you didn't check the length argument in your payload. This should pop up with many static analyzers. But I get it, it's just an example. Fuzzing is more for discovering weird edge cases and undefined behaviors as I understand it. Or I'm totally wrong and length was not the issue :D

Also related but not the same: Property-based testing, those who haven't tried it will be amazed at it's usefulness.

I didn't quite catch why 7:45 is an issue. Would anyone mind please clarifying?

Interesting, I have no idea this type of testing exists. Thanks man

I was hoping for Torvalds kind of screaming at someone else code, but I guess this is fine.

As always chef's kiss!

This is so cool, does something like this also exist in the Java world?

id love a video of you describing your linux setup. i use wsl and customize very few things but would love more insight into your setup for vim and tmux/whatever multi shell youre using

oh it's basically baptising your code with fire

Instructions unclear I’ve been yelling at code this whole time

This was awesome. Fuzz all the things.

It reminds me some OOM error bug that got in project that was caused by using msgpack library (Java). The msgpack library deserializes byte stream into some objects - it was deserializing a base64 string to object. Apparently the library supports read a big array of bytes. Msgpack reads the message in sequence - does not know what data comes next - when the byte with flag for huge byte arrays comes in it pre-allocates array of 2^32-1 byte-elements. Found it because we had a malformed string that was not object we wanted to deserialize but rather random string. Later to confirm to architects that any idiot with msgpack documentation, paper and pencil can do it - prepared a base64 string on paper that mimic the good object to deserialize and then put the bytes of memory doom. They wanted to do some happy checking of first few bytes - after short demonstration - they changed their minds. With some java like fuzzer I would do that automatically (and probably the error could be found earlier), but fun of playing with bytes was awesome.

Flag '-g' makes stack traces of gdb or any sanitizer look pretty. Use it.

Those if statements are not very readable, but that is the prefered way, implementations details rather than intensions or requirements, if that is what people do then there is no alternative. Para pensar, señores.

I yell at code all day.

This seems great. I expect those eagle eyed developers saw the h- >len value, and thought to themselves about how user input is always evil :p but hey, the unsigned one did surprise me too! Luckily i like writing u32 u64 et al.

While this tool is awesome as is, is there any way to get it into an IDE? I think productivity would go up a lot of you can just select a function and some extension can do all the work for you returning only the result. Maybe I'm overlooking something that'd make you not want to use an extension like that but I think it'd be cool

I feel like everyone should pen test their code with many other techniques also

0:05 should have been the end lmao

This is cool af

My favorite part of testing is "cat /dev/urandom | ./a.out" But that's specifically for testing proper error handling.

This is how that belt makes your child stronger

I thought you were doing like me and really cursing while programming, well that will prevent me from cursing

What’s that you say? I’m not retarded I’m just left handed. This video just made me literally cry 😭

I'm partial to American Fuzzy Lop, which compiles C++ code so that it knows which branches were taken. Can Rust code be fuzzed the same way, and is there a way to fuzz Haskell code that does something similar?

Does it statically analyze the wrapped function to deduce how to do the fuzzing? I’m struck by how it got the magic word immediately.

6:41 shell users everywhere are screaming at you there's no need to use cat, just use the

Fuzzing is how Zenbleed was found!

I really like the terminal environment you're using, how can I get my setup to look like that?

Hi, sorry of the OT but I have a Rust/C question nobody was able to point me in the right direction. With redhook (unmaintained lib) I used LD_PRELOAD to override getenv which worked fine in NodeJs but Rust did not care about it at all. Do you know what is different or what should I read to understand how this all work? Thank you so much

1:09 I already can guess r will be less than REQ_SIZE because recv doesn't have WAIT_ALL flag.

Wow, sharp transitions should be smoothed out, otherwise this is an ultra-useful video

This guy: "Make your code safer by yelling at it. That's right, LITERALLY yelling at your code, in a very literal sense, can make your code, literally, safer. Legit stretch those vocal chords, open your mouth all the way, and just let out the biggest scream at the very top of your lungs, at your code, to make it safer!" This guy 20 seconds later: "So this process involves feeding random data into your program and..."

Even faster with a switch statement? You are already using a switch statement!

At 2:33 i see the bug. He copies data based on the user inputed length on a buffer that ia limited to 64 bytes. I will watch more to see if this is what the fuzzer finds

simple good video

How does this compare to concolic testing?

pretty cool.

how do i remove the path stuff inside my exe.. i see it exposes my directory in the exe.

can you share the code with the bug ? thanks

Although slightly off-topic, I was wondering if you could make a video explaining how cheat codes function in games like GTA San Andreas or Vice City. How they interact with the memory and what processes occur behind the scenes. I'd really appreciate a deep dive into this. Thank you!

I presume this fuzzer actually looks at the soruce code of the program, to predict how to best gain different outputs? It is not just random text generator?

I could see the bug even before the first test iteration...

Hi ! I don’t understand the unsigned problem. Could someone explain?

Limit the stack size to zero.😂

I'll use Zig

I love Rust

*Pauses video 29 seconds in* You can't say LITERALLY yelling at your code if you don't mean to actually YELL at it vocally. That's the opposite of what LITERALLY means. :/

i = 4; cout

8:27 Wrong. switch statements are not faster than switch statements.

You weren't yelling at the code wth

Rust is good, but confusing for me

go fuzz 🎉

goat

2:30 not validated user input

You need a pump gun to fix your code.😂

Rust is silly.

a

at 0:24 you said tha it's about "literally yelling at your code", but i didnt hear any yelling, though. Literally yelling means moving your face muscles to produce loud noise, yet during all your vide you were very calm. Why did you lie about this technique?

This is too powerful... people should just stick to Python

23h ago

0:24 two incorrect uses of "literally" in less than half a minute. Congrats

First..!!!!😁🤩😍💯💥✨💫🔥👍🏻👏🏻✊🏻🤜🏻🤛🏻🙌🏻🫶🏻🙏🏻👌🏻

third

first