Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications

To: Guus Sliepen <guus@debian.org>, 465204@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications
From: Pierre Chifflier <p.chifflier@inl.fr>
Date: Mon, 11 Feb 2008 14:18:05 +0100
Message-id: <[🔎] 20080211131804.GA14622@piche.inl.fr>
In-reply-to: <[🔎] 20080211120838.GE19663@sliepen.org>
References: <[🔎] 20080211084648.4334.82938.reportbug@piche.inl.fr> <[🔎] 20080211120838.GE19663@sliepen.org>

On Mon, Feb 11, 2008 at 01:08:38PM +0100, Guus Sliepen wrote:
> The description is very unclear to me. After looking at the Fusil
> website, I have some understanding of what fusil does.  It is not a
> stand-alone program like fuzz or zzuf that work directly with any
> program. It rather is a framework that allows you to write Python
> scripts that specifically target a certain program. You should mention
> that in the long description.
> 
> The part about the implementation being based on a multi-agent system
> architecture is not useful information. "multi-agent" is a bit of a
> buzzword that can mean many things. Furthermore, it is not useful for a
> user of a program to know whether it is implemented in C, with a
> multi-agent system or with bananas.
> 
> The list of programs and libraries that Fusil can crash will change over
> time, since the whole point of Fusil is to find bugs so one can fix
> them. If you want to mention it, change the sentence to the past or
> perfect tense, like "Fusil was able to..." or "Fusil has been used
> to...".
> 

Right, the previous description was not clear. I have reworded it, from
the README file, and from the author description:

 Fusil is a fuzzing framework designed to expose bugs in software by
 changing random bits of its input.
 It helps to start process with a prepared environment (limit memory,
 environment variables, redirect stdout, etc.), start network client or
 server, and create mangled files. Fusil has many probes to detect
 program crash: watch process exit code, watch process stdout and syslog
 for text patterns (eg. "segmentation fault"), watch session duration,
 watch cpu usage (process and system load), etc.
 .
 Fusil is based on a modular architecture. It computes a session score
 used to guess fuzzing parameters like number of injected errors to
 input files.
 .
 Available fuzzing projects: ClamAV, Firefox (contains an HTTP server),
 gettext, gstreamer, identify, libc_env, libc_printf, libexif, 
 linux_syscall, mplayer, php, poppler, vim, xterm.

Regards,
Pierre

Reply to:

Follow-Ups:
- Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications
  - From: Guus Sliepen <guus@debian.org>

References:
- Bug#465204: ITP: fusil -- Fuzzing program to test applications
  - From: Pierre Chifflier <pollux@debian.org>
- Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications
  - From: Guus Sliepen <guus@debian.org>

Prev by Date: Re: Re: dash bug which is affecting release goal
Next by Date: Re: dash bug which is affecting release goal
Previous by thread: Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications
Next by thread: Re: Bug#465204: ITP: fusil -- Fuzzing program to test applications
Index(es):
- Date
- Thread