gosentry: A Fuzzing-Oriented Fork of the Go Toolchain with LibAFL Integration
Go's native fuzzing has limitations: it struggles with path constraints, lacks grammar-based fuzzing, and fails to detect several bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. To address these gaps, the authors developed gosentry, a fork of the Go toolchain that replaces the native fuzzing engine with LibAFL. Gosentry keeps the standard testing.F workflow, so existing fuzz harnesses run without modification. It adds structure-aware fuzzing for composite types, grammar-based fuzzing via Nautilus, and additional detectors for bugs such as integer overflows (via go-panikint), data races (using Go's race detector), goroutine leaks (via goleak), and timeouts. Gosentry also simplifies coverage report generation. The tool has already found real bugs in projects like Optimism and Revm, including denial-of-service vulnerabilities and state root mismatches. Gosentry is available on GitHub and aims to bring Go fuzzing closer to the capabilities of state-of-the-art tools in the Rust, C, and C++ ecosystems.
Key facts
- Gosentry replaces Go's native fuzzing engine with LibAFL while keeping the testing.F API
- Adds structure-aware fuzzing for structs, slices, arrays, and pointers
- Supports grammar-based fuzzing via Nautilus for structured inputs
- Detects integer overflows, data races, goroutine leaks, and timeouts
- Found real bugs in Optimism and Revm, including denial-of-service and state root mismatches
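The integer-overflow gap and the unchanged testing.F workflow described above, illustrated with an added example that is not part of the summary or of the gosentry project: a constructed byte-budget check whose uint32 product wraps silently, its hardened form, and a standard fuzz harness that runs unmodified under either engine (the function names, the budget value and the request shape are this example's own assumptions).

```go
package main

import (
	"fmt"
	"math/bits"
	"testing"
)

// Constructed scenario: a request asks for count items of size bytes each, and a
// server enforces a byte budget before allocating. The unchecked form multiplies
// in uint32, which wraps silently in Go: count=1<<30, size=8 gives 2^33 mod 2^32 = 0,
// so the request slips past a 1 MiB budget. Nothing panics, so Go's native fuzzer
// gets no signal from the overflow itself; the differential harness below turns
// the disagreement into a reported failure, and an overflow detector such as the
// go-panikint one mentioned above would flag the wrapping multiply directly.
func withinBudgetUnchecked(count, size, maxBytes uint32) bool {
	total := count * size // wraps on overflow, no error or panic
	return total <= maxBytes
}

// Hardened form: bits.Mul32 returns the full 64-bit product as (hi, lo); any
// non-zero hi word means the true product does not fit in uint32 and must be rejected.
func withinBudgetChecked(count, size, maxBytes uint32) bool {
	hi, lo := bits.Mul32(count, size)
	return hi == 0 && lo <= maxBytes
}

// FuzzBudget is an ordinary testing.F harness, the workflow gosentry keeps unchanged:
// it runs under `go test -fuzz=FuzzBudget` and under gosentry without edits.
func FuzzBudget(f *testing.F) {
	f.Add(uint32(100), uint32(8)) // benign seed; the fuzzer must find the wrapping pair
	f.Fuzz(func(t *testing.T, count, size uint32) {
		const budget = 1 << 20 // assumed 1 MiB budget
		if withinBudgetUnchecked(count, size, budget) != withinBudgetChecked(count, size, budget) {
			t.Fatalf("overflow bypass: count=%d size=%d", count, size)
		}
	})
}

func main() {
	// Shows the wrapped product being accepted by the unchecked form and rejected by the checked one.
	fmt.Println(withinBudgetUnchecked(1<<30, 8, 1<<20), withinBudgetChecked(1<<30, 8, 1<<20))
}
```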