Add blogpost for etcd fuzzing audit #566
Conversation
| --- | ||
|
|
||
| In the last few months the team at [Ada Logics](https://adalogics.com) has worked on integrating continuous fuzzing into the etcd project. This was an effort focused on improving the security posture of etcd and ensuring a continued good experience for etcds users. The fuzzing integration involved enrolling etcd in the OSS-Fuzz project and writing a set of fuzzers that would bring the test coverage of etcd up to a mature level. In total, 18 fuzzers were written and 8 bugs were found, demonstrating the value the work has had for etcd both short term and long term. All fuzzers were implemented by way of go-fuzz and when running in OSS-Fuzz instrumented by way of libFuzzer, and as such, etcd uses state-of-the-art open source fuzzing capabilities. | ||
| The full report of the engagement can be found [here](https://github.com/etcd-io/etcd/blob/main/security/audit_fuzzer_adalogics_2022.pdf). |
There was a problem hiding this comment.
I assume it should also land in website, probably: https://github.com/etcd-io/website/tree/main/content/en/community or just blog
There was a problem hiding this comment.
@ptabor thanks so much for the quick review. It was planned to add as a blog only. The community page seems to focus on community-wide ongoing collaborative events. It has a Twitter handler under Join the conversation, and we will tweet blog and report.
| --- | ||
|
|
||
| In the last few months the team at [Ada Logics](https://adalogics.com) has worked on integrating continuous fuzzing into the etcd project. This was an effort focused on improving the security posture of etcd and ensuring a continued good experience for etcds users. The fuzzing integration involved enrolling etcd in the OSS-Fuzz project and writing a set of fuzzers that would bring the test coverage of etcd up to a mature level. In total, 18 fuzzers were written and 8 bugs were found, demonstrating the value the work has had for etcd both short term and long term. All fuzzers were implemented by way of go-fuzz and when running in OSS-Fuzz instrumented by way of libFuzzer, and as such, etcd uses state-of-the-art open source fuzzing capabilities. | ||
| The full report of the engagement can be found [here](https://github.com/etcd-io/etcd/blob/main/security/audit_fuzzer_adalogics_2022.pdf). |
There was a problem hiding this comment.
@ptabor thanks so much for the quick review. It was planned to add as a blog only. The community page seems to focus on community-wide ongoing collaborative events. It has a Twitter handler under Join the conversation, and we will tweet blog and report.
| @@ -0,0 +1,31 @@ | |||
| --- | |||
| title: etcd Integrates Continuous Fuzzing | |||
| spelling: cSpell:ignore Gyuho | |||
There was a problem hiding this comment.
I don't think we need spelling: but it's okay, will remove it later if needed.
|
We will merge it after the report gets merged. |
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
Thank you for the thorough read-through. |
Co-authored-by: Nate W. <[email protected]>
Co-authored-by: Nate W. <[email protected]>
|
@nate-double-u thanks for the review and valuable comments. @AdamKorcz thank you for quickly addressing Nate's comments. |
Adds the blogpost for the fuzzing audit performed by Ada Logics.
Hold this PR until the report has been merged here: etcd-io/etcd#13788
@spzala @DavidKorczynski @caniszczyk