A secure web server must be capable of receiving mass amount of malicious input without misbehaving or performing illegal actions, such as stepping outside of a memory block or otherwise spilling the beans.
Continuous fuzzing under various sanitizers is done as part of the Google OSS-Fuzz project:
- UndefinedBehaviorSanitizer
- AddressSanitizer
- MemorySanitizer
- WebSocket handshake generator
- WebSocket message parser
- WebSocket extensions parser & negotiator
- WebSocket permessage-deflate compression/inflation helper
- Http parser
- Http method/url router
- HelloWorld
- EchoServer
No defects or issues are left unfixed, covered up or otherwise neglected. In fact we cannot cover up security issues as OSS-Fuzz automatically and publicly reports security issues as they happen.
Currently we are at ~80% total fuzz coverage and OSS-Fuzz is reporting zero issues whatsoever. The goal is to approach 90% total coverage.