-
Notifications
You must be signed in to change notification settings - Fork 686
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proof-of-concept for using oss-fuzz as a part of testing #7142
Comments
Hi @adaFPF! We definitely want to add fuzzing to our security tooling, would it make sense to start with local fuzzing first before working on OSS-Fuzz?
I think redwood is probably the easiest place to hook into things just because it's relatively self-contained, but as far as value, I'm not sure how much we'll gain. redwood is a small bridge (~550 LOC) between PyO3 and Sequoia. Sequoia already has their own fuzzing setup (see https://gitlab.com/sequoia-pgp/sequoia/-/tree/main/openpgp/fuzz?ref_type=heads) so I'm skeptical on how much we'd find or value we'd get (would love to be wrong on this!) Other potential fuzzing targets:
Tangentially related, there's also stuff like freedomofpress/securedrop-workstation#614 pending - I don't think we'd be fuzzing webp libraries ourself but might be part of our overall solution. |
re: why oss-fuzzI know very little about how SD does testing, and figuring that out adds time and complexity for me. My thoughts were that OSS-Fuzz would let us get some automated fuzzing while dodging that burden by not requiring changes to our test infra or processes. I figured it struck a good balance between how immediately useful it might be and how much time I'd need with someone explaining stuff to me to make it work. If y'all are hesitant on OSS-Fuzz, I'd like to leave automation a separate concern. Besides the aforementioned knowledge lift I'd need, folks keep talking about moving our CI to GHA and if we do want to automate in our own pipeline the lazy mathematician in me would like to minimize the chance we'd have to implement it twice. Either way, if folks are up for rescoping such that PoC means "proving this is doable and valuable with manual testing," I'm down. If that's the preferred path, any objections to using Atheris? If we do end up wanting to integrate with OSS-Fuzz, that's what they use for testing against python code and would thus make that path smoother. re: good test candidatesRedwood was @zenmonkeykstop 's suggestion when I chatted with him about it. I think the self-contained aspect was part of why he thought it'd make a good use case for a proof-of-concept regardless of whether it would be likely to surface bugs. I'm not wedded to it if you prefer some other options. I'd like our test targets to ideally be:
In other words, if we're de-scoping to manual testing, picking a handful of candidate functions that I can write some harnesses for and try them out within a local dev env would be ideal. |
Reading between the lines of your suggested candidates, I'm guessing you're interested in revisiting #6617. I'm not strictly opposed to it, but given what I already articulated, I'm betting it'd be a pretty heavy lift for now-me on my own. ZAP does lots of stuff besides input fuzzing, so moving forward here wouldn't preclude us from getting value out of it down the line. |
IMO the originally-suggested approach is still sound. Redwood is pretty small LOC-wise but that's what makes it a good option for testing the waters. I'm also thinking in terms of future development - it's very likely that we'll be using Rust for any next-gen SD development, so having experience with fuzzing and oss-fuzz will be of benefit there. I'm also not convinced that we won't get much benefit from it bug-hunt-wise. We (and other folks) got burned by a recent GPG key handling issue in rpm, which is also now wrapping Sequioa iirc. They're out there. |
I had the chance to catch up with @adaFPF today - starting with redwood sounds like a good plan to me. |
Hi @zenmonkeykstop , I'm the author of sequoia and rpm-sequoia. Could you tell me what issue you are talking about. Thanks! |
Oh, sorry @nwalfield, I missed the comment - I was referring to rpm-software-management/rpm#2577, which I believe was recently fixed. |
OSS-fuzz looks like a lightweight avenue for adding some fuzzing into our automated testing. We're going to focus on Redwood as a source of test cases.
We will be creating use-case-specific build configs that will be committed to the linked repo upon project acceptance. Resulting build artifacts will be created by and tested in an OSS-fuzz-managed instance of ClusterFuzz, and findings will be reported there confidentially for up to 90 days, or upon earlier confirmation of closure on our end.
I'll be looking for time with a SecureDrop developer to:
Relevant project docs:
The text was updated successfully, but these errors were encountered: