The OSS-Fuzz PR is now ready and should be merged in soon https://github.com/google/oss-fuzz/pull/6044
Following this I will look to put more efforts into it to get better coverage. If anyone wants their email attached to the project as well to see bug reports then please let me know and I will fix it up.

Thanks for the link, Paul, I skimmed over it quickly and it looks good. I will look to integrate this in the oss-fuzz set up in the near future.

Thanks Ben. This is also what we do for a lot of the other projects on OSS-Fuzz, i.e. we have some fuzzers that are more end-to-end style and some that are closer to unit-test style. An important aspect to watch out for when you attack deeper in the code is to comply with the contracts/threat model of the code as otherwise you may end up with tons of false positives which can consequently end up taking a lot of time for triaging.

On 27/07/2021 20:29, Ben Laurie wrote:

On Tue, 27 Jul 2021 at 18:12, Paul Querna <p...@querna.org> wrote:

Years ago I started hacking on an "mpm fuzz": https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz

The idea was to make a "fake" MPM, which could feed data from AFL directly into the network filter stack, in a super efficient way. I don't know if it is really a great idea, since TLS and h2 are maybe hard to get right in the stack, but it's a different approach that could lead to high coverage of critical remote network paths. Not sure it's the right way to go about it, but thought I'd mention it as a potential approach to deep fuzzing.

Full disclosure: I work for Google, I work with the OSSFuzz team.

I like this plan - attack from anywhere in the stack reveals bugs. Adding a new vector does not block anything, so why not? The only reason why not, I'd say, is if there's an existing fuzzing target that trivially exercises the same code - even then it's fine, it's just wasted effort.
On Fri, Jul 16, 2021 at 4:02 AM david korczynski <da...@adalogics.com> wrote:

Hi all,

I have been working on getting fuzzing into Apache httpd and it would be great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by Google that will continuously run fuzzers and the service is administered on github (https://github.com/google/oss-fuzz). Apache-commons is already integrated into OSS-Fuzz (see here: https://github.com/google/oss-fuzz/pull/5633)

I have done initial work on fuzzing httpd which can be found in this PR: https://github.com/google/oss-fuzz/pull/6044

I am happy to continue working more on improving the fuzzing so we can get a high code coverage of httpd, but I would prefer to do this only if the developers of httpd are happy to receive bug reports from the fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a set of email addresses that will receive the bug reports, and these emails need to be affiliated with a Google account (for login purposes).

Let me know if you are happy to integrate httpd into OSS-Fuzz.

Kind regards,
David

ADA Logics Ltd is registered in England. No: 11624074. Registered office: 266 Banbury Road, Post Box 292, OX2 7DL, Oxford, Oxfordshire, United Kingdom
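The thread makes two technical points: a harness can be end-to-end (feed bytes into the network filter stack, as in the "mpm fuzz" idea) or unit-test style (call an internal function directly), and a unit-style harness that goes deep must establish the callee's contract itself, otherwise the fuzzer reports crashes that no real request could trigger. The following is an added illustration of that second point; it is not code from the OSS-Fuzz PR or from httpd. `parse_header_line`, `header_t`, and the contract "line is NUL-terminated and contains no CR, LF or NUL" are hypothetical stand-ins for an internal parser whose preconditions are normally guaranteed by the layer above it. The harness is written against the libFuzzer entry point `LLVMFuzzerTestOneInput` (the interface OSS-Fuzz uses), and the contract check is factored into `satisfies_contract` so it can be exercised without a fuzzing engine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical deep target. Contract (assumed for this example): `line` is
 * NUL-terminated and holds a single header line with no CR/LF, because the
 * request-line/header splitter above it has already done that work. */
typedef struct {
    char name[64];
    char value[256];
} header_t;

/* Returns 0 on success, -1 when the line is not a well-formed "Name: value". */
int parse_header_line(const char *line, header_t *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line)
        return -1;                        /* no field name */
    size_t nlen = (size_t)(colon - line);
    if (nlen >= sizeof out->name)
        return -1;                        /* field name too long */
    memcpy(out->name, line, nlen);
    out->name[nlen] = '\0';

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')       /* skip optional whitespace */
        v++;
    size_t vlen = strlen(v);
    if (vlen >= sizeof out->value)
        return -1;                        /* value too long */
    memcpy(out->value, v, vlen + 1);
    return 0;
}

#define MAX_LINE 4096

/* The contract the harness must enforce before calling the deep target.
 * Bytes that violate it (embedded CR, LF or NUL, or an oversized line)
 * could never reach parse_header_line through the real entry points, so a
 * crash on such input would be a false positive costing triage time. */
int satisfies_contract(const uint8_t *data, size_t size)
{
    if (size > MAX_LINE)
        return 0;
    if (memchr(data, '\r', size) || memchr(data, '\n', size) ||
        memchr(data, '\0', size))
        return 0;
    return 1;
}

/* Runs one fuzz input through the contract check and the parser.
 * Returns 1 if the parser was reached, 0 if the input was filtered. */
int fuzz_one(const uint8_t *data, size_t size)
{
    if (!satisfies_contract(data, size))
        return 0;
    /* Establish NUL termination, which the raw fuzz buffer does not give. */
    char *line = malloc(size + 1);
    if (line == NULL)
        return 0;
    memcpy(line, data, size);
    line[size] = '\0';

    header_t h;
    (void)parse_header_line(line, &h);    /* -1 is a valid outcome, not a bug */
    free(line);
    return 1;
}

/* libFuzzer entry point; OSS-Fuzz links this against its engine. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)fuzz_one(data, size);
    return 0;
}

#ifdef STANDALONE_DRIVER
/* Stand-alone driver over constructed inputs, for running without libFuzzer. */
int main(void)
{
    const char *samples[] = { "Host: example.com", "X-Bad\r\nInjected: 1", ":novalue" };
    for (size_t i = 0; i < 3; i++) {
        int reached = fuzz_one((const uint8_t *)samples[i], strlen(samples[i]));
        printf("sample %zu reached parser: %d\n", i, reached);
    }
    return 0;
}
#endif
```

Build for fuzzing with `clang -fsanitize=fuzzer,address harness.c`, or with `-DSTANDALONE_DRIVER` for the plain driver. The filter in `satisfies_contract` is the difference between a report that maps to a reachable bug and one that only reflects a precondition the harness failed to honour; keeping the filter minimal matters too, since over-filtering silently removes coverage.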