As interest in fuzzing as a software testing approach increases, Google decided to ride that wave and has open-sourced its Python fuzzing engine Atheris.
The tool is said to follow a coverage-guided approach as opposed to blackbox fuzzing, which mostly generates random inputs for a system to see how it behaves and to uncover bugs. Atheris meanwhile traces how an input influenced the code coverage of a fuzz target and uses this information to decide on which input to mutate next to improve coverage.
According to a blog entry introducing Atheris, it is best used to find discrepancies between libraries that are supposed to do the same thing, acting as a so-called differential fuzzer. Apart from that it is meant to help in all cases where devs can express what sort of behaviour isn’t correct, so that they have a chance of finding unexpected exceptions which can lead a programme to crash.
Atheris’s main interface provides users with one function to configure the fuzzer and one to start the testing process. Source files have to be fitted with a fuzzer entry point function that needs to be passed to atheris.Setup() along with some fuzzer arguments. Optional arguments let users prevent the tool from collecting opcode trace events or coverage information on Python code, which can be helpful if a native extension only contains small bits of Python code.
Currently, Atheris works with Python code in version 2.7 and 3.3+, although using 3.8+ is strongly recommended by Google, and native extensions written for CPython. Windows isn’t amongst the supported operating systems yet, so the engine is only of interest for Linux and Mac OS X users for now.
To employ it on those platforms, developers need to have a current version of compiler frontend Clang installed. Apple Clang, however, doesn’t include the libFuzzer component needed by Atheris, which means Mac aficionados have to install a new version of LLVM from head. Instructions for that can be found in the project’s readme.
Open source projects looking to use Atheris are meant to do so soon via Google’s free OSS-Fuzz service, as the company currently works on adding support for the new engine.
While Google isn’t exactly the first building such a tool, fuzzing instruments for Python code aren’t that common, so it might indeed spark some interest in the associated community, which – given its steady growth – seems like a good place to invest in. End of year reports from organisations such as GitHub and Tiobe keep highlighting the language’s consistent draw, which sees the almost 30 year old Python stably coming in amongst the most popular programming languages.
Python was initially created by Guido van Rossum in the late 1980s, followed by an official first in release in 1991, and is especially known for its easy to read code. Nowadays it is especially popular amongst developers and researchers in the field of scientific computing, and can be found in several web applications such as Reddit, Instagram, and Spotify.