The OSS-Fuzz PR is now ready and should be merged in soon 
https://github.com/google/oss-fuzz/pull/6044

Following this I will look to put more efforts into it to get better coverage. 
If anyone wants their email attached to the project as well to see bug reports 
then please let me know and I will fix it up.

Thanks for the link Paul, I skimmed over it quickly and it looks good. I will 
look to integrate this in the oss-fuzz set up in the near future.

Thanks Ben. This is also what we do for a lot of the other projects on 
OSS-Fuzz, i.e. we have some fuzzers that are more end-to-end style and some 
that are closer to unit-test style. An important aspect to watch out for when 
you attack deeper in the code is to comply with the contracts/threat model of 
the code as otherwise you may end up with tons of false positives which can 
consequently end up taking a lot of time for triaging.
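As an added example (not code from the thread, httpd or OSS-Fuzz): a unit-style libFuzzer harness for a hypothetical header-line splitter, showing the contract check David describes, where inputs that violate the target's documented preconditions are filtered in the harness rather than reported as crashes. The parser, its 8192-byte line limit and the `harness_accept` helper are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser standing in for a deeper httpd routine. Contract: `line`
 * is NUL-terminated and holds no CR/LF. Returns 1 on "Name: value", else 0. */
static int split_header_line(const char *line, char *name, size_t name_cap,
                             const char **value_out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return 0;
    size_t name_len = (size_t)(colon - line);
    if (name_len >= name_cap)
        return 0;                        /* name would not fit the caller's buffer */
    memcpy(name, line, name_len);
    name[name_len] = '\0';
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')      /* skip optional leading whitespace */
        v++;
    *value_out = v;
    return 1;
}

/* Unit-style harness body. Inputs outside the parser's contract (embedded NUL,
 * CR/LF, or over an assumed 8192-byte limit) are rejected here rather than passed
 * in, so a reported crash is a real bug. Returns -1 if rejected, else the parser's 0/1. */
int harness_accept(const uint8_t *data, size_t size)
{
    if (size > 8192 || memchr(data, '\0', size) ||
        memchr(data, '\r', size) || memchr(data, '\n', size))
        return -1;
    char *line = malloc(size + 1);       /* fuzz input is not NUL-terminated */
    if (line == NULL)
        return -1;
    memcpy(line, data, size);
    line[size] = '\0';
    char name[64];
    const char *value = NULL;
    int rc = split_header_line(line, name, sizeof name, &value);
    free(line);
    return rc;
}

/* libFuzzer entry point, which OSS-Fuzz drives with mutated inputs. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    harness_accept(data, size);
    return 0;
}
```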

On 27/07/2021 20:29, Ben Laurie wrote:
On Tue, 27 Jul 2021 at 18:12, Paul Querna 
<p...@querna.org> wrote:
Years ago I started hacking on an "mpm fuzz":
https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz

The idea was to make a "fake" MPM, which could feed data from AFL directly into 
the network filter stack, in a super efficient way.

I don't know if it is really a great idea, since TLS and h2 are maybe hard to 
get right in the stack, but it's a different approach that could lead to high 
coverage of critical remote network paths.

Not sure it's the right way to go about it, but thought I'd mention it as a 
potential approach to deep fuzzing.

Full disclosure: I work for Google, I work with the OSSFuzz team.

I like this plan - attack from anywhere in the stack reveals bugs. Adding a new 
vector does not block anything, so why not? The only reason why not, I'd say, 
is if there's an existing fuzzing target that trivially exercises the same code 
- even then it's fine, it's just wasted effort.
On Fri, Jul 16, 2021 at 4:02 AM david korczynski 
<da...@adalogics.com> wrote:
Hi all,

I have been working on getting fuzzing into Apache httpd and it would be
great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
Google that will continuously run fuzzers and the service is
administered on GitHub (https://github.com/google/oss-fuzz).
Apache-commons is already integrated into OSS-Fuzz (see here:
https://github.com/google/oss-fuzz/pull/5633)

I have done initial work on fuzzing httpd which can be found in this PR:
https://github.com/google/oss-fuzz/pull/6044

I am happy to continue working more on improving the fuzzing so we can
get a high code coverage of httpd, but I would prefer to do this only if
the developers of httpd are happy to receive bug reports from the
fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
set of email addresses that will receive the bug reports, and these
emails need to be affiliated with a Google account (for login purposes).

Let me know if you are happy to integrate httpd into OSS-Fuzz.

Kind regards,
David

ADA Logics Ltd is registered in England. No: 11624074.
Registered office: 266 Banbury Road, Post Box 292,
OX2 7DL, Oxford, Oxfordshire, United Kingdom
