fuzzing-obstacles

SKILL.md

Patch code to bypass checksums, global state, and validation barriers that block fuzzer progress.

Use conditional compilation (FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION in C/C++, cfg!(fuzzing) in Rust) to skip obstacles during fuzzing builds while preserving production behavior

Common obstacles include checksum verification, non-deterministic PRNGs, time-based seeds, and complex validation that prevents the fuzzer from exploring deeper code paths

Apply incrementally by identifying unreachable code via coverage analysis, patching one obstacle at a time, and measuring coverage improvement

Assess false positive risk by checking whether downstream code depends on assumptions made by skipped validation; use defensive defaults when necessary

Overcoming Fuzzing Obstacles

Codebases often contain anti-fuzzing patterns that prevent effective coverage. Checksums, global state (like time-seeded PRNGs), and validation checks can block the fuzzer from exploring deeper code paths. This technique shows how to patch your System Under Test (SUT) to bypass these obstacles during fuzzing while preserving production behavior.

Overview

Many real-world programs were not designed with fuzzing in mind. They may:

Verify checksums or cryptographic hashes before processing input

Rely on global state (e.g., system time, environment variables)

Use non-deterministic random number generators

Perform complex validation that makes it difficult for the fuzzer to generate valid inputs

These patterns make fuzzing difficult because:

Checksums: The fuzzer must guess correct hash values (astronomically unlikely)

Global state: Same input produces different behavior across runs (breaks determinism)

Complex validation: The fuzzer spends effort hitting validation failures instead of exploring deeper code

The solution is conditional compilation: modify code behavior during fuzzing builds while keeping production code unchanged.