On Tue, 27 Jul 2021 at 18:12, Paul Querna <p...@querna.org> wrote:

> Years ago I started hacking on an "mpm fuzz":
> https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz
>
> The idea was to make a "fake" MPM, which could feed data from AFL directly
> into the network filter stack, in a super efficient way.
>
> I don't know if it is really a great idea, since TLS and h2 are maybe hard
> to get right in the stack, but it's a different approach that could lead to
> high coverage of critical remote network paths.
>
> Not sure it's the right way to go about it, but thought I'd mention it as
> a potential approach to deep fuzzing.

Full disclosure: I work for Google, I work with the OSSFuzz team. I like this plan - attack from anywhere in the stack reveals bugs. Adding a new vector does not block anything, so why not? The only reason why not, I'd say, is if there's an existing fuzzing target that trivially exercises the same code - even then it's fine, it's just wasted effort.

> On Fri, Jul 16, 2021 at 4:02 AM david korczynski <da...@adalogics.com>
> wrote:
>
>> Hi all,
>>
>> I have been working on getting fuzzing into Apache httpd and it would be
>> great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
>> Google that will continuously run fuzzers and the service is
>> administered on github (https://github.com/google/oss-fuzz).
>> Apache-commons is already integrated into OSS-Fuzz (see here:
>> https://github.com/google/oss-fuzz/pull/5633)
>>
>> I have done initial work on fuzzing httpd which can be found in this PR:
>> https://github.com/google/oss-fuzz/pull/6044
>>
>> I am happy to continue working more on improving the fuzzing so we can
>> get a high code coverage of httpd, but I would prefer to do this only if
>> the developers of httpd are happy to receive bug reports from the
>> fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
>> set of email addresses that will receive the bug reports, and these
>> emails need to be affiliated with a Google account (for login purposes).
>>
>> Let me know if you are happy to integrate httpd into OSS-Fuzz.
>>
>> Kind regards,
>> David
>>
>> ADA Logics Ltd is registered in England. No: 11624074.
>> Registered office: 266 Banbury Road, Post Box 292,
>> OX2 7DL, Oxford, Oxfordshire, United Kingdom