On Mon, Nov 21, 2016 at 2:18 PM, Kurt Roeckx <k...@roeckx.be> wrote: > On Mon, Nov 21, 2016 at 02:11:12PM -0900, Royce Williams wrote: >> >> If those minimal changes are turned into a compile-time option, this >> would enable adding fuzzing to the rolling test suite, perhaps using >> some of Susan's resources. > > Google also provides resources via oss-fuzz. If you can read from > stdin, it should also be easy to fuzz with other fuzzers like > libfuzzer.
Indeed. And my understanding is that stdin is often much faster than equivalent network-level testing, which translates to a lot more coverage per wall-clock hour (which is important for this kind of fuzzing). Ideally, we could enable some kind of basic coverage for both methods -- stdin and network-based. This would more closely model the actual threat landscape and attackers' capabilities. But between the two, stdin would be the best bang for the buck. Royce _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel