Re: [Openvpn-devel] fuzz testing by google ?

2017-01-04 Thread Hubert Kario
On Wednesday, 7 December 2016 13:04:30 CET Gert Doering wrote:
> Hi,
> 
> On Wed, Dec 07, 2016 at 04:51:36PM +0500, Илья Шипицин wrote:
> > it used to crash on simple tcp connect (after immediate disconnect), it
> > was reproducible when running login/password authentication mode
> > 
> > it might have been caught by fuzz testing.
> 
> I should point out that this was not a "crash" but an "openvpn detects
> invalid input and ASSERT()s out -> well-defined program exit".
> 
> Not exactly *friendly* behaviour (and stupid, in this case), but not
> a *crash*.
> 
> But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and
> in doubt, we ASSERT() - which is well-defined behaviour, not "crashing
> randomly, possibly in a way that can be exploited to get access to
> security critical bits"

It still results in a denial of service. Yes, far less severe than private key 
leak or remote code execution, but a severe vulnerability nonetheless.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] fuzz testing by google ?

2016-12-07 Thread Gert Doering
Hi,

On Wed, Dec 07, 2016 at 04:51:36PM +0500, Илья Шипицин wrote:
> at least, I recall this commit
> https://github.com/OpenVPN/openvpn/commit/0d8da22ae36d5efd03fba36c1d783b907589e321

*That* commit is "the 2.3.6 release", but I see what you mean.

> it used to crash on simple tcp connect (after immediate disconnect), it was
> reproducible when running login/password authentication mode
> 
> it might have been caught by fuzz testing.

I should point out that this was not a "crash" but an "openvpn detects
invalid input and ASSERT()s out -> well-defined program exit".

Not exactly *friendly* behaviour (and stupid, in this case), but not 
a *crash*.

But that's exactly why fuzzing openvpn is hard: we detect bad stuff, and
in doubt, we ASSERT() - which is well-defined behaviour, not "crashing
randomly, possibly in a way that can be exploited to get access to
security critical bits"

> > Anyway - so what's necessary to make this google fuzz testing work?  Do
> > we instrument our code, or just tell them "hey, here's a useful piece
> > of software, go figure it out yourself"?
> 
> we can start with a PR to
> https://github.com/google/oss-fuzz/tree/master/projects
> it must be done by someone from the "OpenVPN" github organization.

OK, that would then be Samuli, David or me, I think.  We'll investigate...

> if google machinery does not figure out anything, it might be a long way with
> libfuzz helpers (if we implement such helpers, we can add them to cmocka and
> travis-ci)

Indeed, but that would be "we have to do it", for which nobody seems to have
time right now.

gert


-- 
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] fuzz testing by google ?

2016-12-07 Thread Илья Шипицин
2016-12-07 2:18 GMT+05:00 Gert Doering :

> Hi,
>
> On Fri, Dec 02, 2016 at 08:48:29AM +0500, Илья Шипицин wrote:
> > https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html
>
> This is generally interesting, of course.
>
> Fuzzing openvpn "as a whole" is quite complicated, though - we do check
> our input very well, so the last time someone tried to fuzz TLS packets
> to make openvpn "do bad things", all he got was "go away, you stink,
> session destroyed" :-)
>

at least, I recall this commit
https://github.com/OpenVPN/openvpn/commit/0d8da22ae36d5efd03fba36c1d783b907589e321
it used to crash on simple tcp connect (after immediate disconnect), it was
reproducible when running login/password authentication mode

it might have been caught by fuzz testing.



>
> Anyway - so what's necessary to make this google fuzz testing work?  Do
> we instrument our code, or just tell them "hey, here's a useful piece
> of software, go figure it out yourself"?
>

we can start with a PR to
https://github.com/google/oss-fuzz/tree/master/projects
it must be done by someone from the "OpenVPN" github organization.

if google machinery does not figure out anything, it might be a long way with
libfuzz helpers (if we implement such helpers, we can add them to cmocka and
travis-ci)


>
> gert
> --
> USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> Gert Doering - Munich, Germany   g...@greenie.muc.de
> fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de
>
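The three technical points in this thread, Gert's "detect invalid input and ASSERT() out" behaviour, Hubert's objection that an abort on remote input is still a denial of service, and Ilya's suggestion of libFuzzer helpers for OSS-Fuzz, can be seen side by side in a small C example. This is an added illustration, not code from the thread or from OpenVPN: the two-byte header packet format is a constructed toy, HARD_ASSERT() is a stand-in for the visible effect of asserting out (not OpenVPN's own macro), and the sample inputs are constructed here.

```c
/*
 * Added example, not OpenVPN code.  Contrasts "detect and ASSERT() out"
 * with "detect and reject" on a constructed toy packet format:
 *   byte 0       opcode
 *   byte 1       payload length N (at most MAX_PAYLOAD)
 *   bytes 2..N+1 payload
 * HARD_ASSERT() only mimics the effect described in the thread (log and
 * terminate); it is an assumption, not OpenVPN's macro.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAYLOAD 64

#define HARD_ASSERT(cond) do { if (!(cond)) { \
        fprintf(stderr, "assertion failed: %s\n", #cond); abort(); } } while (0)

struct packet {
    uint8_t opcode;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Style 1: detect and ASSERT() out.  Nothing here is memory-unsafe, but one
 * malformed packet from one peer terminates the whole daemon and every other
 * client loses its tunnel: a remote denial of service. */
void parse_packet_assert(const uint8_t *buf, size_t buflen, struct packet *out)
{
    HARD_ASSERT(buflen >= 2);                   /* truncated header  */
    HARD_ASSERT(buf[1] <= MAX_PAYLOAD);         /* oversized payload */
    HARD_ASSERT(buflen == (size_t)buf[1] + 2);  /* length must match */
    out->opcode = buf[0];
    out->len = buf[1];
    memcpy(out->payload, buf + 2, out->len);
}

/* Style 2: detect and reject.  Same checks, but the verdict goes back to the
 * caller, who drops that one session and keeps serving the others. */
bool parse_packet_reject(const uint8_t *buf, size_t buflen, struct packet *out)
{
    if (buflen < 2 || buf[1] > MAX_PAYLOAD || buflen != (size_t)buf[1] + 2) {
        return false;
    }
    out->opcode = buf[0];
    out->len = buf[1];
    memcpy(out->payload, buf + 2, out->len);
    return true;
}

/* libFuzzer entry point, the kind of "libfuzz helper" the thread mentions.
 * Built with clang -fsanitize=fuzzer,address, libFuzzer supplies main() and
 * calls this with mutated inputs.  Wired to parse_packet_reject it returns
 * cleanly (ASan still catches any memory error inside the parser); wired to
 * parse_packet_assert, the first malformed input aborts the process and the
 * fuzzer reports a crash.  That is how the "well-defined exit" shows up on
 * OSS-Fuzz: as the denial of service Hubert describes. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct packet pkt;
    (void)parse_packet_reject(data, size, &pkt);
    return 0;
}

/* Constructed sample inputs: one well-formed packet, three malformed ones. */
static const uint8_t sample_good[]        = { 0x01, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_truncated[]   = { 0x01 };
static const uint8_t sample_lenmismatch[] = { 0x01, 0x05, 'a', 'b' };
static const uint8_t sample_oversized[]   = { 0x01, 0xFF, 'a' };

/* Runs the reject-style parser over the samples and returns how many it
 * accepted.  The same loop over parse_packet_assert would never get past the
 * second sample. */
int count_accepted(void)
{
    const struct { const uint8_t *data; size_t len; } samples[] = {
        { sample_good, sizeof sample_good },
        { sample_truncated, sizeof sample_truncated },
        { sample_lenmismatch, sizeof sample_lenmismatch },
        { sample_oversized, sizeof sample_oversized },
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct packet pkt;
        if (parse_packet_reject(samples[i].data, samples[i].len, &pkt)) {
            accepted++;
        }
    }
    return accepted;
}

/* Stand-alone driver (drop it when linking with -fsanitize=fuzzer, which
 * brings its own main): feeds one packet from stdin through the harness. */
int main(void)
{
    uint8_t buf[2 + MAX_PAYLOAD + 16];
    size_t n = fread(buf, 1, sizeof buf, stdin);
    printf("samples accepted: %d of 4\n", count_accepted());
    printf("stdin packet: %s\n",
           parse_packet_reject(buf, n, &(struct packet){0}) ? "accepted" : "rejected");
    return LLVMFuzzerTestOneInput(buf, n);
}
```

The design point is that both parsers perform identical validation; the only difference is who decides what happens on failure. With the reject variant the fuzzer's job narrows to finding real memory-safety defects under ASan, while every abort() reachable from network input in the assert variant is a finding in its own right, even when the code is otherwise correct.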


Re: [Openvpn-devel] fuzz testing by google ?

2016-12-06 Thread Gert Doering
Hi,

On Fri, Dec 02, 2016 at 08:48:29AM +0500, Илья Шипицин wrote:
> https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html

This is generally interesting, of course.

Fuzzing openvpn "as a whole" is quite complicated, though - we do check
our input very well, so the last time someone tried to fuzz TLS packets
to make openvpn "do bad things", all he got was "go away, you stink,
session destroyed" :-)

Anyway - so what's necessary to make this google fuzz testing work?  Do
we instrument our code, or just tell them "hey, here's a useful piece
of software, go figure it out yourself"?

gert
-- 
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de




[Openvpn-devel] fuzz testing by google ?

2016-12-01 Thread Илья Шипицин
Hello,

https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html

Cheers,
Ilya Shipitsin