Launching a new project on a Sunday night: lafleur, a CPython JIT fuzzer.
https://github.com/devdanzin/lafleur
It's a feedback-driven fuzzer (using JIT debug output) with corpus prioritization and JIT-targeted AST-based mutations. Calling it "evolutionary" may be a stretch, but it sounds good.
It's also a fuzzer that so far hasn't found any crashes or bugs. Still working on that ;)
If you want to understand how it works, there is a good amount of docs.
Trying real hard to build a fuzzer targeting the CPython JIT, lots of features implemented but not a single crash or bug discovered so far.
Such is life when hunting for crashes in robust code.
This weekend I'll be spinning off a new fuzzer that grew from fusil. Wish me luck!
How do you test LLM models and ML frameworks with the help of... other models? Kamil Frankowicz showed what modern fuzzing looks like in the era of GPT-4o, Gemini and AI tools, and also how to automate the testing of learning systems - offensively and effectively.
Watch the talk from #OMH 2024 and get ready for this year's edition: https://www.youtube.com/watch?v=rrCzXoTQ7E0
Registration for #OhMyHack 2025 is open
https://bit.ly/OMHbilet
I'm happy to announce the release of a new open-source library we've been working on: a Go library for structure-aware fuzzing, designed as an analogue to libprotobuf-mutator. Fuzz your gRPC APIs and integrate it into your SSDLC.
A new @OpenSecurityTraining2 course just dropped!
#Fuzzing 1001: Introductory white-box fuzzing with AFL++
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Fuzz1001_Intro_AFL+2025_v1/about
AFL++ v4.33c released! Instrumentation of hidden edges (+5% edges), better syncing, corner case features, bug fixes :-) https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.33c #afl #fuzzer #fuzzing
Want to learn how to build your own #libafl components, but never had the right project? Try working through the interactive exercises that I released today: https://github.com/addisoncrump/parking-game-fuzzer
You'll work through building your own LibAFL components with templates, allowing you to understand them progressively through the context of trying to solve "Tokyo Parking" (AKA Thinkfun's "Rush Hour") puzzles with fuzzing.
#fuzzing #aflplusplus #puzzles #rust #rustlang
For more software security: FANDANGO, a new open-source fuzzer, uses an evolutionary algorithm to automatically generate high-quality test inputs that satisfy defined constraints. Available on GitHub and developed by CISPA researchers! #cispa #fuzzing
https://nachrichten.idw-online.de/2025/06/26/survival-of-the-fuzziest-open-source-fuzzer-uses-evolutionary-algorithm-to-produce-customized-test-inputs
For more software security: FANDANGO, a new open-source fuzzer, uses an evolutionary algorithm to produce customized test inputs. FANDANGO was developed by CISPA researchers and is available on GitHub! #cispa #fuzzing
https://nachrichten.idw-online.de/2025/06/26/der-staerkere-input-ueberlebt-open-source-fuzzer-mit-evolutionaerem-algorithmus-generiert-individualisierte-inputs
Attacking #EDRs Part 4: #Fuzzing Defender's Scanning and Emulation Engine (mpengine.dll)
https://labs.infoguard.ch/posts/attacking_edr_part4_fuzzing_defender_scanning_and_emulation_engine/
So, what's next for fuzzing CPython with fusil?
The results point to interesting future ideas, including expanding fuzzing to new environments like subinterpreters, using more tools like Thread Sanitizer, and developing more advanced fuzzing techniques.
A huge thank you to everyone who contributed!
And thank you for reading!
P.S.: if you have a C/Rust extension, we can fuzz it too: https://mastodon.social/@danzin/114383188014599269
(5/5)
One finding I really like is the bug discovery pattern.
There wasn't a steady stream of bugs, but spikes of findings: first, a huge number of crashes as I started testing a CPython that hadn't been fuzzed by fusil in a decade.
Later, a new wave of issues tied to the addition of new features to the fuzzer, like support for "weird classes" and typing objects.
So periodic campaigns may have better cost-benefit than continuous fuzzing.
(4/5)
The credit for fusil's effective design goes all to Victor Stinner (@vstinner), who created it nearly two decades ago. It was responsible for finding release blockers way back in 2008. I just contributed a little to revive and enhance it.
Some enhancements included running generated code in threads and adopting new "interesting" objects and values as inputs, helping to discover more crashes.
(3/5)
All this was only possible due to the great response from the Python community.
Thanks to the developers' efforts to triage, diagnose, and fix the problems, the campaign became a collaborative effort to improve Python.
The impact was considerable, mobilizing Core Devs and contributors to create 98 PRs to fix these bugs. The average time to fix an issue was about 20 days, with a median of just five days.
(2/5)
Happy to share the results of a fuzzing campaign targeting CPython that ran from Oct 2024 to May 2025. Using the fusil fuzzer, the goal was to find crashes and improve CPython's robustness.
I really like the results we got: the effort uncovered 52 unique crash-related issues. These reports approached 30% of all "type-crash" issues filed during that period. One of the crashes was classified as a Release Blocker; that was a nice result! :)
(1/5)
So, my technical report on fuzzing CPython with fusil is almost done.
I'd really appreciate some help categorizing the found issues by relevance/severity/importance or any other name for impact.
Do you have the chops to help with that? And do you have time and interest? Please get in touch if so! And please boost if you can :)
A plot, some tables, links to the report and some discussion are available in this thread:
https://discuss.python.org/t/feedback-on-the-recent-fusil-fuzzing-campaign-of-cpython/91737