Posted to dev@logging.apache.org by Volkan Yazıcı <vo...@yazi.ci> on 2022/01/10 11:27:43 UTC

Google OSS-Fuzz

I think fuzzing is a really promising practice we should integrate into our
CI pipeline to figure out certain defects. Here is my elevator pitch:

   1. Fuzzing or fuzz testing <https://en.wikipedia.org/wiki/Fuzzing> is an
   automated software testing technique that involves providing invalid,
   unexpected, or random data as inputs to a computer program.
   2. Jazzer <https://github.com/CodeIntelligenceTesting/jazzer> is a
   fuzzer for JVM applications and open-sourced by Code Intelligence.
   3. OSS-Fuzz <https://github.com/google/oss-fuzz> is Google's automated
   platform (including Google-provided build nodes!) to fuzz some noteworthy
   F/OSS projects.
   4. [2021-04-10] OSS-Fuzz adds Jazzer support
   <https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html>.
   5. [2021-12-13] Fabian Meumertzheim of Code Intelligence detects Log4j
   CVE-2021-44228 in ~5 min with a one-line fuzz target
   <https://twitter.com/fhenneke/status/1470377931230875650?s=20>.
   6. [2021-12-15] OSS-Fuzz adds Log4j to their suite
   <https://github.com/google/oss-fuzz/pull/7016>.

Though this is just the beginning. Somebody needs to spend some serious
amount of time to enrich the fuzz tests and cover as many Log4j entry
points as possible.

I am tinkering with the idea of a Kickstarter-like initiative to sign up
for this. Maybe as a 2-months-long gig?

Thoughts?
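As an added illustration of what a Jazzer fuzz target for Log4j entry points could look like (example code written for this thread, not Log4j's, Jazzer's or OSS-Fuzz's own code): it feeds fuzzer-generated input into two entry points, ParameterizedMessage formatting and PatternLayout rendering, and turns an unexpected exception into a finding with the offending input attached. It assumes log4j-api/log4j-core 2.x and the jazzer-api jar on the classpath; the `fuzzerTestOneInput` signature is Jazzer's convention, the class name, size limits and the choice of entry points are illustrative.

```java
// Added example: a Jazzer fuzz target for two Log4j entry points.
// Assumes log4j-api 2.x, log4j-core 2.x and jazzer-api on the classpath.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.ParameterizedMessage;

public class Log4jMessageFuzzer {

    // Cap input sizes so the fuzzer spends its budget on structure
    // (placeholders, braces, conversion specifiers), not on sheer length.
    private static final int MAX_PATTERN_LEN = 256;
    private static final int MAX_ARGS = 8;

    // Jazzer calls this once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Entry point 1: parameterised message formatting ("{}" placeholders,
        // escaped braces, more or fewer arguments than placeholders, nulls).
        String messagePattern = data.consumeString(MAX_PATTERN_LEN);
        int argCount = data.consumeInt(0, MAX_ARGS);
        Object[] args = new Object[argCount];
        for (int i = 0; i < argCount; i++) {
            // Mix nulls, numbers and strings so the formatter sees every branch.
            switch (data.consumeInt(0, 2)) {
                case 0:  args[i] = null; break;
                case 1:  args[i] = data.consumeInt(); break;
                default: args[i] = data.consumeString(32);
            }
        }
        ParameterizedMessage msg;
        try {
            msg = new ParameterizedMessage(messagePattern, args);
            msg.getFormattedMessage(); // formatting is lazy; force it here
        } catch (RuntimeException e) {
            // A message pattern must never crash the logger. Rethrow with the
            // input attached so Jazzer records and minimises the crashing case.
            throw new AssertionError(
                    "ParameterizedMessage failed on pattern: " + messagePattern, e);
        }

        // Entry point 2: a PatternLayout built from a fuzzed conversion
        // pattern, rendering an event that carries the fuzzed message.
        String layoutPattern = data.consumeRemainingAsString();
        if (layoutPattern.isEmpty()) {
            return;
        }
        PatternLayout layout;
        try {
            layout = PatternLayout.newBuilder().withPattern(layoutPattern).build();
        } catch (IndexOutOfBoundsException e) {
            // An invalid conversion pattern is a legitimate user error, but it
            // should surface as a descriptive exception, not a bare IOOBE/AIOOBE
            // (the point raised later in the thread). Treat the bare one as a bug.
            throw new AssertionError(
                    "bare IndexOutOfBounds while building layout: " + layoutPattern, e);
        } catch (RuntimeException e) {
            return; // a clearly reported invalid pattern is acceptable behaviour
        }
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("fuzz")
                .setLevel(Level.INFO)
                .setMessage(msg)
                .build();
        try {
            layout.toSerializable(event);
        } catch (RuntimeException e) {
            throw new AssertionError(
                    "PatternLayout failed on pattern: " + layoutPattern, e);
        }
    }
}
```

Compiled against the three jars, the class is run with Jazzer's launcher by pointing `--cp` at the classpath and `--target_class` at `Log4jMessageFuzzer`; Jazzer treats any uncaught throwable as a finding and writes the minimised input to a crash file, which is exactly the artefact one would attach to a bug report. Wrapping the exception only adds the offending pattern to the report; distinguishing a bare index error from a descriptive one is what turns the "mysterious IOOB" class of problems into something the fuzzer flags on its own.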

Re: Google OSS-Fuzz

Posted by Robert Middleton <rm...@apache.org>.
> I am tinkering with the idea of a Kickstarter-like initiative to sign up
> for this. Maybe as a 2-months-long gig?
>

That sounds like it could be a GSoC thing (if nobody else is
interested).  The ASF has participated a number of times before.

-Robert Middleton

Re: Google OSS-Fuzz

Posted by Matt Sicker <bo...@gmail.com>.
OSS-Fuzz would be very interesting to try out. We've tried using it in
Commons, and so far, it's helped discover some bugs in commons-imaging
(several binary file formats) and commons-compress (also several
binary file formats). I'm the current contact point in Commons for our
fuzzing setup, though not much is going on there since the initial
issues were addressed.

On Mon, Jan 10, 2022 at 10:38 AM Gary Gregory <ga...@gmail.com> wrote:
>
> This all sounds great.
>
> On top of real issues, I am sure this will present exceptions being thrown
> here and there where we can make at the very least said exceptions carry
> meaningful messages instead of a mysterious IOOB or AIOBE.
>
> I guess it all depends what I want to do with my nights and weekends :-p
>
> Gary

Re: Google OSS-Fuzz

Posted by Gary Gregory <ga...@gmail.com>.
This all sounds great.

On top of real issues, I am sure this will present exceptions being thrown
here and there where we can make at the very least said exceptions carry
meaningful messages instead of a mysterious IOOB or AIOBE.

I guess it all depends what I want to do with my nights and weekends :-p

Gary
