Protofuzz brings the power of fuzzing to Google’s Protocol Buffers format (protobuf), a common method of serializing data in distributed applications.
Protobufs simplify the error-prone task of parsing binary data by letting developers define the type of data, and by generating all the serialization and deserialization code automatically with a protobuf compiler. As useful as this platform is, it stymies normal fuzzers. Because their data aren’t structured correctly they just bounce out.
So, we created valid protobuf-encoded structures composed of malicious values: protofuzz. The program allows you to apply your testing tools to apps using protobuf in less time. Instead of defining a new fuzzer generator for custom binary formats or mutating randomly, protofuzz automatically creates a fuzzer based on the same format definition that the program already uses.
As a generic protobuf message generator, protofuzz allows for quick tests of message-handling code with minimal ramp up. As a Python3 library with a simple interface, it just needs a protobuf definition to create Python generators for various permutations of all defined messages.
We were careful to implement protofuzz with minimal dependencies so it would work with continuous integration (CI) and testing tools. We’re big fans of CI; we use it extensively for all of our apps. Whenever you make a change to your app, we recommend you re-fuzz it with protofuzz.