How does it work?

• NodeBee is a feedback-driven, directed graybox fuzzer. It monitors the execution of the target application and uses an optimization algorithm to iteratively generate test cases that get closer to reaching a vulnerability. NodeBee only reports vulnerabilities with valid testcases, virtually eliminating false positives.

• The analysis begins with instrumenting the target application. This allows NodeBee to track for every testcase what code paths are executed, the distance between any two points in the code and how the data flows inside the application.

• NodeBee then iteratively generates new testcases from existing ones, runs the target application on them, and optimizes for increased code coverage. This optimization can be biased towards “interesting” locations (e.g. to include recently changed code or manually specified locations).

• During testing, NodeBee constructs a probabilistic model of the application state, allowing it to navigate complex, multi-step workflows.

• NodeBee includes customizable detection rules (sanitizers) for common vulnerability classes. These are similar to unit tests but they specify conditions that shouldn’t happen (e.g. an extra apostrophe in an SQL statement or creating an order without payment), so that the optimization engine can attempt to falsify them. Sanitizers are written in the same language as the application itself, making it easier for security engineers to create custom rules and facilitates collaboration between security and development teams.

• NodeBee can be used both to run quick one-off checks or as a Github check for pull requests.