libgmp differential fuzzer running on Google's oss-fuzz
guidovranken at gmail.com
Wed Jul 11 03:53:41 UTC 2018
I built a bignum differential fuzzer  that has been running on
Google's oss-fuzz service  for a while. It performs the same
mathematical operations (addition, subtraction, multiplication,
modular exponentation, etc) across multiple bignum libraries (
currently OpenSSL, Go, Rust, C++ Boost, libgmp), compares their
results and crashes if they don't match. This effort has so far
found a couple of (minor) bugs in OpenSSL and Go.
As soon as a mismatch is found, oss-fuzz will send a notification
e-mail to the developers of the various bignum libraries so the bug
can be examined and resolved.
At which e-mail address(es) do the
developers of libgmp wish to receive these notifications?
Please bear in mind that the notifications will contain potentially
security-sensitive information so the recipient may not be a public
mailing list. Currently, a potential bug is found only every couple of
weeks, so recipients do not have to worry about a lot of incoming
If you wish to write comments to the fuzzer's private bug tracker, the
e-mail you specify must be linked to a Google account.
See my libgmp module for bignum-fuzzer here .
More information about the gmp-devel