Hi Fabian,
Thanks for posting this and your interest in helping to test and improve
the quality of the Java core libraries. One comment/request below:
On 5/17/21 9:09 AM, Fabian Meumertzheim wrote:
(Crosspost from core-libs-dev@:
https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html)
I'm one of the maintainers of Jazzer
(https://github.com/CodeIntelligenceTesting/jazzer), a new
open-source fuzzer for the JVM platform. Jazzer has recently been
integrated into Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) to allow for free continuous
fuzzing of important open-source Java projects. Jazzer has already
found over a hundred bugs and eight security issues in libraries such
as Apache Commons, PDFBox and the OWASP json-sanitizer.
Jazzer finds unexpected exceptions and infinite loops by default, but
can also be used to check domain-specific properties such as
decrypt(encrypt(data)) == data. Since it tracks the coverage it
achieves using instrumentation applied by a Java agent, it can
synthesize interesting test data from scratch.
If there is interest from your side, I could set up the Java core
libraries themselves for fuzzing in OSS-Fuzz. Especially the parts
that are frequently applied to untrusted input, such as
java.security.* and javax.imageio.*, would benefit from fuzz tests. I
have prepared basic fuzz tests for some of the classes in these
packages at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
which has already resulted in a few bug reports by running it locally
(JDK-8267086 is one of them affecting java.security.*).
All I would need from you is:
* a list of email addresses to which the fuzzer findings should be
sent (ideally associated with Google accounts for authentication to
full reports on oss-fuzz.com),
All fuzzer findings with security implications should be sent to the
OpenJDK Vulnerability Group. See
https://openjdk.java.net/groups/vulnerability/report for more
information. Please send the detailed information (description, impacted
release, and PoC) to vuln-rep...@openjdk.java.net.
Thanks,
Sean
* ideas for additional fuzz tests, in particular those where there are
interesting properties to verify.
The technical questions about setting up the OpenJDK in OSS-Fuzz have
already been resolved (see also
https://github.com/google/oss-fuzz/issues/5757).
If you need more information on OSS-Fuzz or fuzzing in general, I am
happy to help.
Fabian (@fmeum on GitHub)
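To illustrate the two modes Fabian describes above (the default reporting of unexpected exceptions and timeouts, and a domain-specific property such as decrypt(encrypt(data)) == data), here is an added example of a Jazzer fuzz target for the java.security.* and javax.crypto.* surface. It is not code from this thread, from the Jazzer repository or from the linked oss-fuzz openjdk project; the class name CoreLibsFuzzer, the choice of AES-GCM and X.509 parsing as targets, and the split between the two checks are assumptions made for the example. It uses Jazzer's FuzzedDataProvider API and standard JDK classes only.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical Jazzer target written for this example (not from the OSS-Fuzz
// openjdk project). Jazzer calls fuzzerTestOneInput once per generated input;
// any Throwable that escapes it, or a run exceeding the timeout, is a finding.
public class CoreLibsFuzzer {

  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Let the fuzzer decide which of the two checks an input exercises.
    if (data.consumeBoolean()) {
      checkAesGcmRoundTrip(data);
    } else {
      checkCertificateParsing(data.consumeRemainingAsBytes());
    }
  }

  // Property check: decrypt(encrypt(plaintext)) must equal plaintext for every
  // key, nonce, AAD and plaintext, and a modified ciphertext must be rejected.
  static void checkAesGcmRoundTrip(FuzzedDataProvider data) {
    byte[] key = data.consumeBytes(16);   // AES-128 key
    byte[] nonce = data.consumeBytes(12); // 96-bit GCM nonce
    byte[] aad = data.consumeBytes(data.consumeInt(0, 64));
    byte[] plaintext = data.consumeRemainingAsBytes();
    if (key.length != 16 || nonce.length != 12) {
      return; // input too short to build valid parameters; not a bug
    }
    try {
      SecretKeySpec k = new SecretKeySpec(key, "AES");
      GCMParameterSpec params = new GCMParameterSpec(128, nonce);

      Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
      enc.init(Cipher.ENCRYPT_MODE, k, params);
      enc.updateAAD(aad);
      byte[] ciphertext = enc.doFinal(plaintext);

      Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
      dec.init(Cipher.DECRYPT_MODE, k, params);
      dec.updateAAD(aad);
      byte[] recovered = dec.doFinal(ciphertext);
      if (!Arrays.equals(plaintext, recovered)) {
        throw new AssertionError("AES-GCM round trip did not return the plaintext");
      }

      // Flip one bit of the 16-byte authentication tag: decryption must now
      // fail with AEADBadTagException and with nothing else.
      ciphertext[ciphertext.length - 1] ^= 0x01;
      Cipher tampered = Cipher.getInstance("AES/GCM/NoPadding");
      tampered.init(Cipher.DECRYPT_MODE, k, params);
      tampered.updateAAD(aad);
      try {
        tampered.doFinal(ciphertext);
        throw new AssertionError("tampered AES-GCM ciphertext was accepted");
      } catch (AEADBadTagException expected) {
        // correct behaviour: authentication failure
      }
    } catch (GeneralSecurityException e) {
      // Parameters were valid, so no checked exception is acceptable here.
      throw new AssertionError("unexpected exception from javax.crypto", e);
    }
  }

  // Robustness check: parsing attacker-controlled DER/PEM must fail only with
  // the documented CertificateException. Any unchecked exception (for example
  // an out-of-bounds read in the ASN.1 decoder) propagates and becomes a finding.
  static void checkCertificateParsing(byte[] input) {
    try {
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
      cf.generateCertificate(new ByteArrayInputStream(input));
    } catch (CertificateException expected) {
      // malformed input; the documented failure mode, not a finding
    }
  }
}
```

Compile the class against the jazzer-api jar and run it with `jazzer --cp=<classes dir> --target_class=CoreLibsFuzzer`. The point of the two catch clauses is to encode what the API contract promises: the documented checked exception is swallowed, so the only things Jazzer reports are unchecked exceptions, hangs, and violations of the round-trip and tamper-rejection properties.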