Fuzzing Qt with libFuzzer
November 29, 2016
Disclaimer: I have had this blog post in the drawer for several weeks now; I held back on publishing it to give the Qt security team time to fix the reported issues (see below under 4.).
Inspired by the great talk by Hanno Böck about American Fuzzy Lop and Address Sanitizer at QtCon, trying to fuzz Qt itself seemed like an interesting thing to do. For fuzzing different parts of a library like Qt, libFuzzer is a good choice: in contrast to e.g. American Fuzzy Lop, libFuzzer runs the test cases in the same process and does not need to spawn a new process for each test, which makes it very fast.
These are the steps to set up libFuzzer and test it on Qt:
1. Compile Qt with address sanitizer and code coverage information:
To get proper output when something goes wrong (e.g. "heap-use-after-free"), Qt needs to be built with address sanitizer; in addition, libFuzzer needs coverage instrumentation so it can record which code paths each input has reached. To enable those two settings with clang on Linux, the following patch has been applied:
This repository contains tests for QImage, QJsonDocument, QtNetwork and QXmlStreamReader, among others.
4. Run and report results:
The test cases can be run on all available cores, e.g. via "./QSvgRenderer -jobs=4 -workers=4 testcases". The GitHub repository above also contains an initial set of test cases the fuzzer can start with. For instance, when fuzzing SVG images it makes sense to start with a valid SVG file as initial input.
The tests from the repository uncovered some issues in Qt, which have been reported to the Qt security mailing list or the Qt bug tracker (for stack traces and information on how to reproduce, see the links):
A good way to improve results seems to be user-supplied mutators, which give more control over which input is fed into the test cases. Flipping bits is a reasonable default for binary data such as images, but for JSON or XML there are probably smarter ways to produce faulty input.
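One way to build such a user-supplied mutator, as an added example that is not code from this post or its GitHub repository: it hooks into libFuzzer through the LLVMFuzzerCustomMutator entry point and targets JSON-style inputs of the kind a QJsonDocument harness consumes. The token set, the boundary numbers and the four-way operation mix are my assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <random>
#include <string>
#include <vector>
// Structural JSON tokens: duplicating or dropping one steers the parser into error paths that
// plain bit-flips rarely reach. The token set and the boundary numbers below are assumptions.
static const char kStructural[] = "{}[]:,\"";
static const char* const kNumbers[] = {"0", "-0", "1e308", "-1e309", "9223372036854775808", "0.1e-400"};
enum class Op { DuplicateToken, DropToken, SwapNumber, FlipByte };
static bool InSet(const char* set, char c) { return c != '\0' && std::strchr(set, c) != nullptr; }

// One structure-aware mutation. 'pos' selects the token/number/byte (wrapping around), 'choice'
// the replacement number or the bit to flip. Deterministic on purpose, so it is unit-testable.
std::string MutateJson(const std::string& in, Op op, size_t pos, size_t choice) {
    if (in.empty()) return "{}";                      // give an empty corpus something to grow from
    std::string out = in;
    if (op == Op::FlipByte) {                         // byte-level fallback, like the default mutator
        out[pos % out.size()] ^= static_cast<char>(1u << (choice % 8));
        return out;
    }
    if (op == Op::SwapNumber) {                       // replace a numeric run with a boundary value
        std::vector<std::pair<size_t, size_t>> runs;  // (start, length) of each digit run
        for (size_t i = 0; i < out.size();) {
            if (out[i] < '0' || out[i] > '9') { ++i; continue; }
            size_t j = i + 1;
            while (j < out.size() && InSet("0123456789.eE+-", out[j])) ++j;
            runs.push_back({i, j - i});
            i = j;
        }
        if (runs.empty()) return out;
        auto r = runs[pos % runs.size()];
        return out.replace(r.first, r.second, kNumbers[choice % (sizeof(kNumbers) / sizeof(*kNumbers))]);
    }
    std::vector<size_t> idx;                          // positions of structural tokens
    for (size_t i = 0; i < out.size(); ++i)
        if (InSet(kStructural, out[i])) idx.push_back(i);
    if (idx.empty()) return out;
    size_t at = idx[pos % idx.size()];
    if (op == Op::DuplicateToken) out.insert(at, 1, out[at]);
    else out.erase(at, 1);
    return out;
}

// libFuzzer hook: when this symbol is linked into the fuzzer binary, libFuzzer calls it instead of
// its built-in mutator. Contract: mutate Data in place and never return more than MaxSize bytes.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* Data, size_t Size, size_t MaxSize, unsigned int Seed) {
    std::mt19937 rng(Seed);
    std::string in(reinterpret_cast<const char*>(Data), Size);
    std::string out = MutateJson(in, static_cast<Op>(rng() % 4), rng(), rng());
    if (out.size() > MaxSize) out.resize(MaxSize);
    std::memcpy(Data, out.data(), out.size());
    return out.size();
}
```

Once this is linked into the same binary as the harness, libFuzzer routes every mutation through the hook, which is why it keeps a byte-flip branch of its own.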