-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New fuzz drivers for a series of integrated C projects #9523
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
CLA signed |
I wonder it those drivers were generated automatically?
Those projects keep their fuzz targets upstream. Could you please send your fuzz drivers to https://github.com/libbpf/libbpf/ and https://lore.kernel.org/selinux/ accordingly to get them reviewed properly? cc @cgzones since the selinux project is involved.
That's great but given that all the developers receive notifications from Monorail and also sometimes CVEs are automatically assigned based on OSS-Fuzz bug reports it would be great if the bar was a bit higher from the start. |
Thanks for the feedback, we will refine the submission according to the suggestions.
Yes, we are trying to automate the whole thing and it is still working in progress. |
Looking at the new selinux fuzz targets I think it's far from being ready to be honest. |
Thanks for the notice, we just noticed that we forget to remove the Currently, these drivers are targeting the untested APIs, and covering more diverse usage is our next target. |
I think https://fuzz-introspector.readthedocs.io/en/latest/ can come in handy here. It can show what's already covered and whether anything has been improved or not.
It's true that |
Thanks, will try the |
FWIW FI kind of started supporting diffs recently: https://fuzz-introspector.readthedocs.io/en/latest/user-guides/comparing-introspector-reports.html and ossf/fuzz-introspector#734 so in theory it could be used to evaluate auto-generated fuzz targets automatically. Then again personally I think that before automating anything it would probably make sense to improve projects one by one manually (or semi-automatically) by looking at how they are integrated and try contacting projects in the process (to make sure they are fine with adding external contributors to CC for example). |
Exciting with the auto generation! I don't think the PR is ready for various reasons. Technically, it's not ready due to:
Logistically it's not ready due to:
I would also prefer if it's auto-generated that the algorithms were public. This makes it more easy to "review" as what we really want to review in that case is the auto-generation approach. Can you reveal this? I know UTopia has a fuzzer on OSS-Fuzz (libwebsockets trophy) https://github.com/Samsung/UTopia/blob/main/Trophy.md and was wonering if the fuzzers are from this project? |
Thanks for the explanation and discussion today, we've learnt a lot from it.
Agreed and thanks! We'll try it first! |
@DavidKorczynski I think it's an understatement because FI already has enough data to generate fuzz targets (and there was an experimental analysis plugin doing exactly that as far as I can remember). If it could extract global coverage it would be even better. I'm not sure how to infer whether code is reachable through world-writable sockets by using only FI yet but it could be a separate research project :-) Anyway I think if that algorithm turns out to be good enough in practice I think it would great if it could be integrated into FI as a plugin or something like that. This way those fuzz targets could be copy-pasted easily and turned into something suitable for integrating into actual projects. |
@evverx -- I totally agree. I think I didn't want to be too pushy given my involvement with FI as in a sense I'm quite biased. However, FI has a ton of potential in this domain. It has a of mechanics that can be extended for the purpose of auto-generation. I'm actually working on this at the moment and will let you know when I make it public! |
Hi, we have recently created 320 fuzz drivers for 31 oss-fuzz C projects and would like to submit them for practical cluster fuzzing. These drivers target untested APIs within the projects, selected based on their names (an API is considered if it looks like parsing the input data). The drivers have passed our local fuzz testing for a duration of one minute, and we plan to further improve them in both quality and quantity.
Here lists the statistics of the fuzz drivers:
Finished projects (23/31):
bluez
: 7 fuzz driverscoturn
: 37 fuzz driversgdbm
: 2 fuzz driversgdk-pixbuf
: 11 fuzz driversgpac
: 43 fuzz driversinchi
: 2 fuzz driverskamailio
: 25 fuzz driverslibdwarf
: 5 fuzz driverslibjpeg-turbo
: 6 fuzz driverslibpg_query
: 3 fuzz driverslibssh
: 1 fuzz driverslibucl
: 22 fuzz driverslibwebsockets
: 10 fuzz driverslua
: 2 fuzz driversoniguruma
: 2 fuzz driversopusfile
: 1 fuzz driversostree
: 7 fuzz driversspdk
: 8 fuzz driversselinux
: 1 fuzz driverspjsip
: 17 fuzz driverspostfix
: 2 fuzz driversproftpd
: 7 fuzz driversutf8proc
: 5 fuzz driversOngoing projects (8/31) which require the fix of the
build.sh
in projectbind9
: 32 fuzz driverscivetweb
: 13 fuzz driversfribidi
: 1 fuzz driverskrb5
: 4 fuzz driverspidgin
: 3 fuzz driversminiz
: 28 fuzz driversigraph
: 6 fuzz driverslibbpf
: 9 fuzz drivers (not the build issue, failed to executegit clone git://sourceware.org/git/elfutils.git
, too slow)