Subject: Re: [boost] Boost multiprecision differential fuzzer running on Google's oss-fuzz
From: John Maddock (jz.maddock_at_[hidden])
Date: 2018-05-28 12:03:20
On 25/05/2018 16:55, Guido Vranken via Boost wrote:
> Dear list,
> I built a bignum differential fuzzer  that has been running on
> Google's oss-fuzz service  for a while. It performs the same
> mathematical operations (addition, subtraction, multiplication,
> modular exponentation, etc) across multiple bignum libraries (eg.
> OpenSSL + Boost multiprecision), compares their results and crashes if
> they don't match. This effort has so far found a couple of (minor)
> bugs in OpenSSL and Go.
> As soon as a mismatch is found, oss-fuzz will send a notification
> e-mail to the developers of the various bignum libraries so the bug
> can be examined and resolved. At which e-mail address(es) do the
> developers of Boost wish to receive these notifications?
You can send those to me at jz.maddock_at_[hidden]
> Please bear
> in mind that the notifications will contain potentially
> security-sensitive information so the recipient may not be a public
> mailing list. Currently, a potential bug is found only every couple of
> weeks, so recipients do not have to worry about a lot of incoming
> If you wish to write comments to the fuzzer's private bug tracker, the
> e-mail you specify must be linked to a Google account.
> To all others who are reading this, please feel welcome to submit pull
> requests to the Boost multiprecision module of my fuzzer  if these
> modifications increase the scope (code coverage) and probability of
> finding bugs.
>  https://github.com/guidovranken/bignum-fuzzer
>  https://github.com/google/oss-fuzz
>  https://github.com/guidovranken/bignum-fuzzer/tree/master/modules/cpp_boost
> Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
--- This email has been checked for viruses by AVG. https://www.avg.com
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk