Fuzz or lose: why and how to make fuzzing a standard practice for C++
Fuzzing is a family of testing techniques in which test inputs are generated semi-randomly. The memory unsafety of C++ has made fuzzing a popular tool among security researchers. Fuzzing also helps with stability, performance, and equivalence testing; and it’s a great addition to everyone’s CI. Our team has launched OSS-Fuzz, the Google's continuous fuzzing service for open source software, and a similar service for our internal C++ developers. Over 1000 C++ APIs are being fuzzed automatically 24/7, and thousands of bugs have been found and fixed. Now we want to share this experience with the wider C++ community and make fuzzing a part of everyone’s toolbox, alongside unit tests. We will demonstrate how you can fuzz your C++ library with minimal effort, discuss fuzzing of highly structured inputs, and speculate on potential fuzzing-related improvements to C++.