
Go fuzzing was missing half the toolkit. We forked the toolchain to fix it.

Trail of Bits has released gosentry, an enhanced fork of the Go toolchain designed to significantly improve native Go fuzzing capabilities by integrating LibAFL and Nautilus. The tool allows security researchers and developers to perform struct-aware and grammar-based fuzzing, successfully identifying complex vulnerabilities such as integer overflows, data races, and goroutine leaks that standard Go fuzzing often misses.

Confidence: high | Analyzed: 2026-05-12

Authors: Trail of Bits

Source: Trail of Bits

Category: Detection / Hunter

What Happened

Trail of Bits has released gosentry, a fork of the Go toolchain built to find bugs that the standard Go fuzzer misses. Native Go fuzzing only reports an input when the harness panics or fails, so bugs that leave the program running, such as silent integer overflows, data races and goroutines that never exit, go unreported. gosentry adds runtime checks for these conditions and smarter input generation (struct-aware and grammar-based mutation) so that they surface as fuzz findings. This matters because such bugs can lead to crashes, resource exhaustion or exploitable logic errors if left unfixed. Teams shipping Go applications should consider running gosentry over their existing fuzz harnesses before those flaws are found by someone else.

Key Takeaways

  • Trail of Bits released 'gosentry', a fuzzing-oriented fork of the Go toolchain that integrates LibAFL and Nautilus.
  • The tool enables struct-aware and grammar-based fuzzing natively without requiring developers to rewrite existing Go fuzz harnesses.
  • gosentry detects complex bug classes missed by native Go fuzzing, including integer overflows, goroutine leaks, data races, and execution timeouts.
  • Differential fuzzing campaigns using gosentry have already uncovered denial-of-service and state mismatch vulnerabilities in Optimism and Revm projects.

Affected Systems

  • Go applications
  • Go toolchain

Attack Chain

As a defensive vulnerability discovery tool, gosentry takes a standard Go fuzzing harness and runs it through an in-process, Rust-based LibAFL runner. It mutates inputs using struct-aware or grammar-based (Nautilus) techniques to reach execution paths that byte-level mutation rarely finds. During execution it instruments the target for crashes, integer overflows, data races and goroutine leaks, so that conditions which would otherwise pass silently are reported as findings, and it produces coverage reports showing which code the campaign actually exercised.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

N/A

Detection Engineering Assessment

  • EDR Visibility: None. This is a developer tool for fuzzing and vulnerability discovery, not malware or an attack framework.
  • Network Visibility: None. Fuzzing occurs locally during the software development and testing lifecycle.
  • Detection Difficulty: N/A. Not applicable, as this is a defensive security tool.

Hunting Hypotheses

  • Hypothesis: Monitor for unexpected application panics, rapid resource consumption, or goroutine leaks that may indicate an exploited edge case or denial-of-service vulnerability in Go-based services.
    • Telemetry: Application performance monitoring (APM), crash dumps, application logs
    • ATT&CK Stage: Impact
    • FP Risk: Medium

Control Gaps

  • Native Go fuzzing limitations regarding struct-aware inputs, grammar generation, and detection of integer overflows or goroutine leaks.

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • N/A

Infrastructure Hardening

  • N/A

User Protection

  • N/A

Security Awareness

  • Integrate gosentry into the CI/CD pipeline for Go projects to enhance vulnerability discovery.
  • Utilize grammar-based fuzzing for Go applications that parse complex structured data like JSON.
  • Enable the toolchain's panic-on flags together with race and goroutine-leak detection during fuzzing, so that non-crashing insecure behaviors such as silent integer overflows are turned into reportable failures instead of passing unnoticed.
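The following is an added example, not gosentry's code and not from the Trail of Bits post. It shows, for the mechanism described under Attack Chain and the recommendation above, what a "non-crashing insecure behavior" looks like in a Go target and how a harness-side oracle turns it into a fuzz finding: a toy allocation-budget check with an unchecked uint32 multiply (wraps to 0, so an oversized request passes), and an async handler that parks a goroutine forever. Native go test -fuzz sees both runs as clean; the two oracles (widened-multiply overflow check, runtime.NumGoroutine delta) are the harness-level equivalent of what a panic-on-overflow mode and --catch-leaks do in the toolchain. The 9-byte wire format, the function names and the sample inputs are all constructed for this illustration.

```go
// Added example: toy target with two silent bug classes plus harness oracles.
// Wire format (constructed for this example, not any real protocol):
//   count (u32 BE) | size (u32 BE) | mode (u8: 0 = sync, 1 = async)
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"runtime"
)

// maxBudget caps how many bytes one request may ask the server to reserve.
const maxBudget uint32 = 1 << 20

// Request is the decoded form of the 9-byte input.
type Request struct {
	Count, Size uint32
	Mode        byte
}

func decode(data []byte) (Request, error) {
	if len(data) < 9 {
		return Request{}, errors.New("short input")
	}
	return Request{
		Count: binary.BigEndian.Uint32(data[0:4]),
		Size:  binary.BigEndian.Uint32(data[4:8]),
		Mode:  data[8],
	}, nil
}

// reserve enforces the budget with a uint32 multiply. Go wraps silently, so
// count=0x10000, size=0x10000 gives total=0 and the check passes: a budget
// bypass that never panics and therefore never shows up as a native fuzz
// failure. The bug is deliberate.
func reserve(r Request) (uint32, error) {
	total := r.Count * r.Size // BUG: unchecked multiply wraps on overflow
	if total > maxBudget {
		return 0, fmt.Errorf("budget exceeded: %d", total)
	}
	return total, nil
}

// handle runs the budget check and, in async mode, starts a worker that waits
// for a completion signal nobody ever sends. The goroutine is parked, not
// crashed, so a crash-only fuzzer reports nothing. Also deliberate.
func handle(r Request) error {
	if _, err := reserve(r); err != nil {
		return err
	}
	if r.Mode == 1 {
		done := make(chan struct{})
		started := make(chan struct{})
		go func() {
			close(started)
			<-done // BUG: done is never closed; this goroutine leaks
		}()
		<-started // make sure the worker exists before we return
	}
	return nil
}

// mulOverflows is the overflow oracle: widen to uint64 and compare. A
// toolchain-level panic-on-overflow mode applies this at every arithmetic
// site; a hand-written harness can only apply it where it knows to look.
func mulOverflows(a, b uint32) bool {
	return uint64(a)*uint64(b) > math.MaxUint32
}

// Oracle runs one input through the target under both oracles and returns the
// bug classes it triggered. In a native harness the f.Fuzz callback would call
// this and t.Fatal on a non-empty result, so the silent bugs become findings.
func Oracle(data []byte) []string {
	r, err := decode(data)
	if err != nil {
		return nil // malformed input: not a bug in the target
	}
	var findings []string
	if mulOverflows(r.Count, r.Size) {
		findings = append(findings, "integer-overflow")
	}
	before := runtime.NumGoroutine()
	_ = handle(r)
	if runtime.NumGoroutine() > before { // leak oracle: goroutine count grew
		findings = append(findings, "goroutine-leak")
	}
	return findings
}

// encode builds a wire-format input; used for the constructed samples below.
func encode(count, size uint32, mode byte) []byte {
	buf := make([]byte, 9)
	binary.BigEndian.PutUint32(buf[0:4], count)
	binary.BigEndian.PutUint32(buf[4:8], size)
	buf[8] = mode
	return buf
}

func main() {
	samples := []struct {
		name string
		in   []byte
	}{
		{"benign", encode(16, 64, 0)},
		{"budget-bypass", encode(0x10000, 0x10000, 0)},
		{"leaky-async", encode(1, 1, 1)},
	}
	for _, s := range samples {
		fmt.Printf("%-14s findings=%v\n", s.name, Oracle(s.in))
	}
}
```

The leak oracle compares a goroutine count taken immediately before and after the call, which is enough for a single-threaded harness; in a real campaign the runner has to settle in-flight goroutines first or it will report workers that are merely slow. The overflow oracle only covers the one multiply it wraps, which is exactly why instrumenting the toolchain, rather than the harness, is the scalable approach.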

Additional IOCs

  • Command Lines:
    • Purpose: Run a fuzzing campaign using gosentry with race and leak detection enabled.
      Tools: go, gosentry
      Stage: Testing/Vulnerability Discovery
      Command: ./bin/go test -fuzz=FuzzHarness --catch-races=true --catch-leaks=true