Skip to content
Close
SEARCH
Login
Login

Uncovering Hidden Bugs and Vulnerabilities in C/C++

How to Fuzz Your Code With 3 Commands

What to Expect

CI Fuzz is an open-source solution that lets you run feedback-based fuzz tests from your command line. Every developer can use it to find bugs and vulnerabilities with three simple commands.

In this live stream, our expert Jochen will:

  • Cover the current state of fuzz testing
  • Set up CLI fuzzing within 3 commands
  • Uncover multiple bugs and severe memory corruption vulnerabilities

All code examples and tools used are open-source.

# Initialize fuzzing

$ cifuzz init

# Create your first fuzz test

$ cifuzz create my_fuzz_test

# Run fuzz test and find bugs

$ cifuzz run my_fuzz_test

Jochen Hilgers

Speaker Profile

Your host Jochen Hilgers is one of the maintainers of CI Fuzz. In his work as a Senior Software Engineer at Code Intelligence, he specializes in CLI-integrated software testing solutions. Jochen also holds a master's in Computer Science from Hochschule Trier and has a background in Backend and Web Development with a strong focus on software quality.

  README.md

See README.md on GitHub

cifuzz

makes fuzz tests as easy as unit tests

   

Docs | Glossary | Examples | Website | Blog | Twitter | YouTube

IMPORTANT: This project is under active development. Be aware that the behavior of the commands or the configuration can change.

What is cifuzz

cifuzz is a CLI tool that helps you to integrate and run fuzzing based tests into your project.

Features

  • Easily set up, create and run fuzz tests
  • Generate coverage reports that can be integrated in your IDE
  • Supports multiple programming languages and build systems

Integrations

Coming Soon

Getting started

If you are new to the world of fuzzing, we recommend you to take a look at our Glossary and our example projects.

Read the getting started guide if you just want to learn how to fuzz your applications with cifuzz.

Installation

You can get the latest release from GitHub or by running our install script:

sh -c "$(curl -fsSL https://raw.githubusercontent.com/CodeIntelligenceTesting/cifuzz/main/install.sh)"

If you are using Windows, you can download the latest release and execute it.

By default, CI Fuzz gets installed in your home directory under cifuzz. You can customize the installation directory with ./cifuzz_installer -i /target/dir.

Do not forget to add the installation's bin directory to your PATH.

Prerequisites

C/C++ (with CMake) Installation Prerequisites

Ubuntu / Debian

sudo apt install cmake clang llvm

Arch

sudo pacman -S cmake clang llvm

macOS

brew install cmake llvm

Windows

At least Visual Studio 2022 version 17 is required.

choco install cmake llvm
C/C++ (With Bazle) Installation Prerequisites

Ubuntu / Debian

sudo curl -L https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 -o /usr/local/bin/bazel
sudo chmod +x /usr/local/bin/bazel
sudo apt install clang llvm lcov default-jdk

Arch

sudo pacman -S clang llvm lcov python jdk-openjdk
sudo curl -L https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 -o /usr/local/bin/bazel
sudo chmod +x /usr/local/bin/bazel

macOS

brew install llvm lcov openjdk bazelisk

Windows

At least Visual Studio 2022 version 17 is required.

choco install cmake llvm microsoft-openjdk bazelisk
Java (with Maven)

Installation Prerequisites

Ubuntu / Debian

sudo apt install openjdk maven

Arch

sudo pacman -S jdk-openjdk maven

macOS

brew install openjdk maven

Windows

choco install microsoft-openjdk maven
Java (with Gradle) Installation Prerequisites

Ubuntu / Debian

sudo apt install openjdk gradle

Arch

sudo pacman -S jdk-openjdk gradle

macOS

brew install openjdk gradle

Windows

choco install microsoft-openjdk gradle

Contributing

Want to help improve cifuzz? Check out our contributing documentation. There you will find instructions for building the tool locally.

If you find an issue, please report it on the issue tracker.

Use Case_CARIAD
"Thanks to Code Intelligence fuzzing approaches, our security testing became significantly more effective. All our developers are now able to fix business critical bugs early in the development process, without false-positives."
Andreas Weichselgartner_Rund-1 (1)
Andreas WeichslgartnerDeveloper, Security Professional