On Thu, Aug 31, 2017 at 12:24 PM, Bhargava Shastry <[email protected]> wrote:
> Dear dev@OVS, KCC@google,
>
> Konstantin Serebryany (KCC) in CC is part of the OSS-Fuzz project that I
> mentioned before. I think he will be happy to see openvswitch use
> OSS-Fuzz services.
>

Yes, openvswitch is more than welcome to OSS-Fuzz.
https://github.com/google/oss-fuzz

>
> An update from my side. I have written a small test case for catching
> CVE-2016-2074 here [1]. KCC strongly encourages me to get rid of file
> I/O based APIs such as ovs_pcap_read() and so on.

Correct. The speed of executing a single input is very important and so not
having any real IO in the fuzz target is important too.
At the very least, I suggest to replace real file IO with a fake one
(fmemopen), but it would be even better to use a real memory-based API, if
there is such (e.g. instead of "ovs_pcap_read" call something like
"ovs_pcap_read_from_buffer");
[disclaimer: I know almost nothing about openvswitch]

Question: do you have a corpus of inputs of this 'pcap' type?
If so, the fuzz target should consume these inputs as is, with the 5-byte
header, so that the existing corpus can be reused.
There is no harm in letting the fuzzing engine mutate the first 5 bytes
occasionally.

BTW, does wireshark deal with the 'pcap' inputs?
If so, OSS-Fuzz already has a huge set of inputs of this exact type, and we
will be able to feed them to the openvswitch target, but this target needs to
consume vanilla pcap, not header-less pcap.
FTR, we've reported ~50 bugs to wireshark and all were fixed:
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=proj-wireshark+-status%3Dwontfix

--kcc

> So, my question to
> dev@OVS is: Any suggestions how I can do this? Right now, the test runs
> but is relatively slow. I haven't really benchmarked it so I can't
> provide hard numbers.
>
> [1]:
> https://github.com/bshastry/fuzzer-test-suite/blob/master/openvswitch-2.3.2/target.c
>
> Regards,
> Bhargava
>
> On 08/18/2017 07:53 PM, Ben Pfaff wrote:
> > I also support this idea. Thanks!
> >
> > On Wed, Aug 16, 2017 at 07:55:51PM -0700, Bhargava Shastry wrote:
> >> Hi Justin,
> >>
> >> Nice to hear. I have CC'ed Dev ml.
> >>
> >> Regards
> >> Bhargava
> >>
> >>
> >> On August 16, 2017 5:18:58 PM PDT, Justin Pettit <[email protected]> wrote:
> >>> Hi, Bhargava. This seems like a great idea to me. Unless there's
> >>> something sensitive, I'd suggest we discuss it on the
> >>> [email protected] mailing list. The security mailing list is good
> >>> for discussing potential OVS vulnerabilities, but this seems like a
> >>> good topic for the general community. And thanks for all your
> >>> contributions to making OVS more secure!
> >>>
> >>> --Justin
> >>>
> >>>
> >>>> On Aug 16, 2017, at 4:17 PM, Bhargava Shastry <[email protected]> wrote:
> >>>>
> >>>> Dear Ben, Sec@OvS,
> >>>>
> >>>> We have had reasonable success fuzzing OvS so far. It turns out there is
> >>>> a security initiative led by Google that enables open-source projects to
> >>>> benefit from continuous fuzzing [1]. I was wondering if you'd be
> >>>> interested. If you are, I can help integrate OvS into their framework
> >>>> over a two-staged effort.
> >>>>
> >>>> First, I write a test case for the remote code execution bug and
> >>>> integrate it into the fuzzer test suite [2] which is basically a
> >>>> framework for fuzzer evaluation.
> >>>>
> >>>> Second, I try to integrate OvS into OSS-fuzz, Google's initiative. Let
> >>>> me know what you think.
> >>>>
> >>>> [1]: https://github.com/google/oss-fuzz
> >>>> [2]: https://github.com/google/fuzzer-test-suite
> >>>>
> >>>> Regards,
> >>>> Bhargava
> >>>>
> >>>> --
> >>>> Bhargava Shastry <[email protected]>
> >>>> Security in Telecommunications
> >>>> TU Berlin / Telekom Innovation Laboratories
> >>>> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> >>>> phone: +49 30 8353 58235
> >>>> Keybase: https://keybase.io/bshastry
> >>>> _______________________________________________
> >>>> security mailing list
> >>>> [email protected]
> >>>> https://mail.openvswitch.org/mailman/listinfo/ovs-security
> >>
> >> --
> >> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> >
> >> _______________________________________________
> >> security mailing list
> >> [email protected]
> >> https://mail.openvswitch.org/mailman/listinfo/ovs-security
> >
>
> --
> Bhargava Shastry <[email protected]>
> Security in Telecommunications
> TU Berlin / Telekom Innovation Laboratories
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> phone: +49 30 8353 58235
> Keybase: https://keybase.io/bshastry
>
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
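
The fmemopen suggestion from the reply above, as an added example that is not part of the original thread or of the Open vSwitch code base: a libFuzzer target hands its input buffer to a FILE*-based reader through an in-memory stream, so no file is written or read per execution. `count_pcap_records` and `parse_from_memory` are hypothetical names standing in for a reader such as ovs_pcap_read(); the layout assumed is the classic pcap file (24-byte global header, 16-byte record headers) in host byte order.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u    /* classic pcap magic, host byte order assumed */
#define MAX_RECORD 65535u         /* cap so a hostile length cannot overrun the buffer */

/* Hypothetical stand-in for a FILE*-based reader such as ovs_pcap_read():
 * returns the number of complete records, or -1 on a bad global header. */
static int count_pcap_records(FILE *f)
{
    uint8_t hdr[24], rec[16], payload[MAX_RECORD];
    uint32_t magic, incl_len;
    int n = 0;

    if (fread(hdr, 1, sizeof hdr, f) != sizeof hdr) return -1;
    memcpy(&magic, hdr, sizeof magic);
    if (magic != PCAP_MAGIC) return -1;

    while (fread(rec, 1, sizeof rec, f) == sizeof rec) {
        memcpy(&incl_len, rec + 8, sizeof incl_len);    /* captured length field */
        if (incl_len > MAX_RECORD) break;               /* oversize record: stop */
        if (fread(payload, 1, incl_len, f) != incl_len) break;  /* truncated */
        n++;                      /* a real target would parse payload here */
    }
    return n;
}

/* Wrap the fuzzer's buffer in a read-only stream: no temp file, no disk IO. */
static int parse_from_memory(const uint8_t *data, size_t size)
{
    if (size == 0) return -1;     /* some libcs reject a zero-length fmemopen */
    FILE *f = fmemopen((void *)data, size, "r");
    if (!f) return -1;
    int n = count_pcap_records(f);
    fclose(f);
    return n;
}

/* libFuzzer entry point; the input is consumed as an unmodified pcap file. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    parse_from_memory(data, size);
    return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, the target can be pointed at a directory of ordinary pcap files as its seed corpus.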
