Go fuzzing was missing half the toolkit. We forked the toolc... #2227

Open

carlospolop wants to merge 1 commit into master from update_Go_fuzzing_was_missing_half_the_toolkit__We_forked_20260513_084308

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Trail of Bits introduces gosentry, a fuzzing-oriented fork of the Go toolchain that preserves the standard Go testing.F fuzzing workflow while replacing and extending the fuzzing backend with a stronger stack based on LibAFL and Nautilus. The goal is to keep existing go test -fuzz harnesses usable while adding capabilities common in Rust, C, and C++ fuzzing ecosystems, such as better coverage-guided scheduling, gramm...

🔧 Technical Details

Drop-in stronger Go fuzzing: replace the Go binary with gosentry's fork and run existing testing.F harnesses with the familiar ./bin/go test -fuzz=Target workflow. The harness still uses f.Add for seed corpus entries and f.Fuzz for the callback, but gosentry captures that callback, builds a Go archive with libFuzzer-style entry points, and executes it in-process through a Rust LibAFL runner. This allows existing Go fuzz targets to benefit from a stronger coverage-guided engine without rewriting harnesses.

Convert silent or non-crashing bad behavior into fuzzing findings. gosentry inserts integer overflow checks by default, can enable truncation checks through go-panikint, can run Go's native race detector with --catch-races, can detect goroutine leaks with goleak using --catch-leaks, and can treat execution timeouts as fuzzing failures to expose infinite loops or denial-of-service conditions. The <co...

🤖 Agent Actions

Updated src/generic-methodologies-and-resources/fuzzing.md.

Added a new Go fuzzing methodology section covering:

  • drop-in use of gosentry with existing testing.F harnesses
  • converting silent failures into findings with --panic-on, race/leak catching, and hang detection
  • struct-aware fuzzing for typed Go APIs
  • Nautilus grammar fuzzing for parser/protocol targets
  • grammar-based differential fuzzing patterns
  • coverage report replay from the saved fuzz corpus

Also updated the file’s ## References section with:

  • the Trail of Bits blog post
  • the trailofbits/gosentry repo

Validation:

  • reviewed the diff
  • checked basic markdown structure invariants
  • mdbook build could not be run because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
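The "silent or non-crashing bad behavior" the summary refers to, as an added example that is not part of this PR, of gosentry, or of the blog post: a constructed int32 size-budget check that wraps without panicking, the int64 fix beside it, and a stock testing.F harness of the kind the summary says gosentry runs unchanged. The wire format, `maxTotalPayload` and all function names are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"testing"
)

// Constructed format: msg is a table of 4-byte big-endian record lengths.
const maxTotalPayload int32 = 1 << 20 // policy: buffer at most 1 MiB in total

// lengths decodes the table; trailing bytes that do not fill an entry are ignored.
func lengths(msg []byte) []uint32 {
	lens := make([]uint32, len(msg)/4)
	for i := range lens {
		lens[i] = binary.BigEndian.Uint32(msg[4*i:])
	}
	return lens
}

// withinBudget is the vulnerable gate: the int32 conversion truncates and the add
// wraps, both silently, so two 0x7fffffff entries sum to -2 and pass the limit.
func withinBudget(msg []byte) bool {
	var total int32
	for _, n := range lengths(msg) {
		total += int32(n) // BUG: no panic under stock Go, just a wrong sum
	}
	return total <= maxTotalPayload
}

// withinBudgetSafe is the fix: accumulate in int64 and reject as soon as the
// running sum exceeds the budget, so the sum can never wrap.
func withinBudgetSafe(msg []byte) bool {
	var total int64
	for _, n := range lengths(msg) {
		if total += int64(n); total > int64(maxTotalPayload) {
			return false
		}
	}
	return true
}

// FuzzBudget is an unchanged testing.F harness; stock go test -fuzz learns of the
// bug only through this oracle, while the summary says gosentry's default
// integer-overflow check would flag the wrapped add itself.
func FuzzBudget(f *testing.F) {
	f.Add([]byte{0, 0, 0, 16}) // seed: one 16-byte record
	f.Fuzz(func(t *testing.T, msg []byte) {
		if withinBudget(msg) && !withinBudgetSafe(msg) {
			t.Fatalf("oversized table %x slipped past the budget gate", msg)
		}
	})
}
```

Place the block in a `_test.go` file to run it with `go test -fuzz=FuzzBudget`; the oracle comparison exists only to make the wrap visible to a stock fuzzer.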

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://blog.trailofbits.com/2026/05/12/go-fuzzing-was-missing-half-the-toolkit.-we-forked-the-toolchain-to-fix-it./

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Fuzzing Methodology, possibly as a subsection/page for Go fuzzing with gosentry, LibAFL, Nautilus grammar fuzzing, and differential fuzzing".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
