Fuzzing integration with oss-fuzz
Hi all,

I have been working on getting fuzzing into Apache httpd and it would be
great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
Google that will continuously run fuzzers and the service is
administered on github (https://github.com/google/oss-fuzz).
Apache-commons is already integrated into OSS-Fuzz (see here:
https://github.com/google/oss-fuzz/pull/5633)

I have done initial work on fuzzing httpd which can be found in this PR:
https://github.com/google/oss-fuzz/pull/6044

I am happy to continue working more on improving the fuzzing so we can
get a high code coverage of httpd, but I would prefer to do this only if
the developers of httpd are happy to receive bug reports from the
fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
set of email addresses that will receive the bug reports, and these
emails need to be affiliated with a Google account (for login purposes).

Let me know if you are happy to integrate httpd into OSS-Fuzz.

Kind regards,
David

ADA Logics Ltd is registered in England. No: 11624074.
Registered office: 266 Banbury Road, Post Box 292,
OX2 7DL, Oxford, Oxfordshire, United Kingdom
Re: Fuzzing integration with oss-fuzz
David,

> Am 16.07.2021 um 12:57 schrieb david korczynski <david@adalogics.com>:
>
> Hi all,
>
> I have been working on getting fuzzing into Apache httpd and it would be
> great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
> Google that will continuously run fuzzers and the service is
> administered on github (https://github.com/google/oss-fuzz).
> Apache-commons is already integrated into OSS-Fuzz (see here:
> https://github.com/google/oss-fuzz/pull/5633)
>
> I have done initial work on fuzzing httpd which can be found in this PR:
> https://github.com/google/oss-fuzz/pull/6044
>
> I am happy to continue working more on improving the fuzzing so we can
> get a high code coverage of httpd, but I would prefer to do this only if
> the developers of httpd are happy to receive bug reports from the
> fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
> set of email addresses that will receive the bug reports, and these
> emails need to be affiliated with a Google account (for login purposes).
>
> Let me know if you are happy to integrate httpd into OSS-Fuzz.

I am in favour of getting our server into a regular fuzzing setup
and would subscribe to such reports with my google mail. Thanks for
bringing this to the team and your efforts.

Perhaps other people here can voice their opinion as well? It would
not work as well, if I am the only one willing to listen to findings.

Cheers,

Stefan

> Kind regards,
> David
>
Re: Fuzzing integration with oss-fuzz
> I am in favour of getting our server into a regular fuzzing setup
> and would subscribe to such reports with my google mail. Thanks for
> bringing this to the team and your efforts.
>
> Perhaps other people here can voice their opinion as well? It would
> not work as well, if I am the only one willing to listen to findings.

I would subscribe, but I am a bit pessimistic about the coverage with
this approach in our codebase.
Re: Fuzzing integration with oss-fuzz
I am happy to put in efforts in getting the coverage up. If I do not
succeed in getting coverage up to a decent amount then I am okay with
that personally.

On 19/07/2021 15:27, Eric Covener wrote:
>> I am in favour of getting our server into a regular fuzzing setup
>> and would subscribe to such reports with my google mail. Thanks for
>> bringing this to the team and your efforts.
>>
>> Perhaps other people here can voice their opinion as well? It would
>> not work as well, if I am the only one willing to listen to findings.
> I would subscribe, but I am a bit pessimistic about the coverage with
> this approach in our codebase.
Re: Fuzzing integration with oss-fuzz
Eric and Stefan, are you okay with me proceeding with the fuzzing
integration (https://github.com/google/oss-fuzz/pull/6044) and putting
your emails in as recipients of bug reports? I will also put my own
email in and we can add more contacts at any point too. We could then
get the fuzzing initiated and get some insights as to whether the
results are of interest.

On 19/07/2021 16:26, david korczynski wrote:
> I am happy to put in efforts in getting the coverage up. If I do not
> succeed in getting coverage up to a decent amount then I am okay with
> that personally.
>
> On 19/07/2021 15:27, Eric Covener wrote:
>>> I am in favour of getting our server into a regular fuzzing setup
>>> and would subscribe to such reports with my google mail. Thanks for
>>> bringing this to the team and your efforts.
>>>
>>> Perhaps other people here can voice their opinion as well? It would
>>> not work as well, if I am the only one willing to listen to findings.
>> I would subscribe, but I am a bit pessimistic about the coverage with
>> this approach in our codebase.
Re: Fuzzing integration with oss-fuzz
Hi David,

Please subscribe me too.

Regards;
Yann.

On Monday, July 26, 2021, david korczynski <david@adalogics.com> wrote:

> Eric and Stefan, are you okay with me proceeding with the fuzzing
> integration (https://github.com/google/oss-fuzz/pull/6044) and putting
> your emails in as recipients of bug reports? I will also put my own
> email in and we can add more contacts at any point too. We could then
> get the fuzzing initiated and get some insights as to whether the
> results are of interest.
>
> On 19/07/2021 16:26, david korczynski wrote:
>
>> I am happy to put in efforts in getting the coverage up. If I do not
>> succeed in getting coverage up to a decent amount then I am okay with
>> that personally.
>>
>> On 19/07/2021 15:27, Eric Covener wrote:
>>
>>>> I am in favour of getting our server into a regular fuzzing setup
>>>> and would subscribe to such reports with my google mail. Thanks for
>>>> bringing this to the team and your efforts.
>>>>
>>>> Perhaps other people here can voice their opinion as well? It would
>>>> not work as well, if I am the only one willing to listen to findings.
>>>>
>>> I would subscribe, but I am a bit pessimistic about the coverage with
>>> this approach in our codebase.
Re: Fuzzing integration with oss-fuzz
works for me

On Mon, Jul 26, 2021 at 9:04 AM david korczynski <david@adalogics.com> wrote:
>
> Eric and Stefan, are you okay with me proceeding with the fuzzing
> integration (https://github.com/google/oss-fuzz/pull/6044) and putting
> your emails in as recipients of bug reports? I will also put my own
> email in and we can add more contacts at any point too. We could then
> get the fuzzing initiated and get some insights as to whether the
> results are of interest.
>
> On 19/07/2021 16:26, david korczynski wrote:
> > I am happy to put in efforts in getting the coverage up. If I do not
> > succeed in getting coverage up to a decent amount then I am okay with
> > that personally.
> >
> > On 19/07/2021 15:27, Eric Covener wrote:
> >>> I am in favour of getting our server into a regular fuzzing setup
> >>> and would subscribe to such reports with my google mail. Thanks for
> >>> bringing this to the team and your efforts.
> >>>
> >>> Perhaps other people here can voice their opinion as well? It would
> >>> not work as well, if I am the only one willing to listen to findings.
> >> I would subscribe, but I am a bit pessimistic about the coverage with
> >> this approach in our codebase.



--
Eric Covener
covener@gmail.com
Re: Fuzzing integration with oss-fuzz
Sure!

> Am 26.07.2021 um 15:03 schrieb david korczynski <david@adalogics.com>:
>
> Eric and Stefan, are you okay with me proceeding with the fuzzing
> integration (https://github.com/google/oss-fuzz/pull/6044) and putting
> your emails in as recipients of bug reports? I will also put my own
> email in and we can add more contacts at any point too. We could then
> get the fuzzing initiated and get some insights as to whether the
> results are of interest.
>
> On 19/07/2021 16:26, david korczynski wrote:
>> I am happy to put in efforts in getting the coverage up. If I do not
>> succeed in getting coverage up to a decent amount then I am okay with
>> that personally.
>>
>> On 19/07/2021 15:27, Eric Covener wrote:
>>>> I am in favour of getting our server into a regular fuzzing setup
>>>> and would subscribe to such reports with my google mail. Thanks for
>>>> bringing this to the team and your efforts.
>>>>
>>>> Perhaps other people here can voice their opinion as well? It would
>>>> not work as well, if I am the only one willing to listen to findings.
>>> I would subscribe, but I am a bit pessimistic about the coverage with
>>> this approach in our codebase.
Re: Fuzzing integration with oss-fuzz
Years ago I started hacking on an "mpm fuzz":
https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz

The idea was to make a "fake" MPM, which could feed data from AFL directly
into the network filter stack, in a super efficient way.

I don't know if it is really a great idea, since TLS and h2 are maybe hard
to get right in the stack, but it's a different approach that could lead to
high coverage of critical remote network paths.

Not sure it's the right way to go about it, but thought I'd mention it as a
potential approach to deep fuzzing.


On Fri, Jul 16, 2021 at 4:02 AM david korczynski <david@adalogics.com>
wrote:

> Hi all,
>
> I have been working on getting fuzzing into Apache httpd and it would be
> great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
> Google that will continuously run fuzzers and the service is
> administered on github (https://github.com/google/oss-fuzz).
> Apache-commons is already integrated into OSS-Fuzz (see here:
> https://github.com/google/oss-fuzz/pull/5633)
>
> I have done initial work on fuzzing httpd which can be found in this PR:
> https://github.com/google/oss-fuzz/pull/6044
>
> I am happy to continue working more on improving the fuzzing so we can
> get a high code coverage of httpd, but I would prefer to do this only if
> the developers of httpd are happy to receive bug reports from the
> fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
> set of email addresses that will receive the bug reports, and these
> emails need to be affiliated with a Google account (for login purposes).
>
> Let me know if you are happy to integrate httpd into OSS-Fuzz.
>
> Kind regards,
> David
>
Re: Fuzzing integration with oss-fuzz
On Tue, 27 Jul 2021 at 18:12, Paul Querna <paul@querna.org> wrote:

> Years ago I started hacking on an "mpm fuzz":
> https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz
>
> The idea was to make a "fake" MPM, which could feed data from AFL directly
> into the network filter stack, in a super efficient way.
>
> I don't know if it is really a great idea, since TLS and h2 are maybe hard
> to get right in the stack, but it's a different approach that could lead to
> high coverage of critical remote network paths.
>
> Not sure it's the right way to go about it, but thought I'd mention it as
> a potential approach to deep fuzzing.
>

Full disclosure: I work for Google, I work with the OSSFuzz team.

I like this plan - attack from anywhere in the stack reveals bugs. Adding a
new vector does not block anything, so why not? The only reason why not,
I'd say, is if there's an existing fuzzing target that trivially exercises
the same code - even then it's fine, it's just wasted effort.


>
> On Fri, Jul 16, 2021 at 4:02 AM david korczynski <david@adalogics.com>
> wrote:
>
>> Hi all,
>>
>> I have been working on getting fuzzing into Apache httpd and it would be
>> great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
>> Google that will continuously run fuzzers and the service is
>> administered on github (https://github.com/google/oss-fuzz).
>> Apache-commons is already integrated into OSS-Fuzz (see here:
>> https://github.com/google/oss-fuzz/pull/5633)
>>
>> I have done initial work on fuzzing httpd which can be found in this PR:
>> https://github.com/google/oss-fuzz/pull/6044
>>
>> I am happy to continue working more on improving the fuzzing so we can
>> get a high code coverage of httpd, but I would prefer to do this only if
>> the developers of httpd are happy to receive bug reports from the
>> fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
>> set of email addresses that will receive the bug reports, and these
>> emails need to be affiliated with a Google account (for login purposes).
>>
>> Let me know if you are happy to integrate httpd into OSS-Fuzz.
>>
>> Kind regards,
>> David
>>
Re: Fuzzing integration with oss-fuzz
The OSS-Fuzz PR is now ready and should be merged in soon https://github.com/google/oss-fuzz/pull/6044

Following this I will look to put more efforts into it to get better coverage. If anyone wants their email attached to the project as well to see bug reports then please let me know and I will fix it up.

Thanks for the link Paul, I skimmed over it quickly and it looks good. I will look to integrate this in the OSS-Fuzz setup in the near future.

Thanks Ben. This is also what we do for a lot of the other projects on OSS-Fuzz, i.e. we have some fuzzers that are more end-to-end style and some that are closer to unit-test style. An important aspect to watch out for when you attack deeper in the code is to comply with the contracts/threat model of the code, as otherwise you may end up with tons of false positives, which can consequently end up taking a lot of time for triaging.

On 27/07/2021 20:29, Ben Laurie wrote:
> On Tue, 27 Jul 2021 at 18:12, Paul Querna <paul@querna.org> wrote:
>> Years ago I started hacking on an "mpm fuzz":
>> https://github.com/pquerna/httpd/compare/trunk...pquerna:mpm_fuzz
>>
>> The idea was to make a "fake" MPM, which could feed data from AFL directly into the network filter stack, in a super efficient way.
>>
>> I don't know if it is really a great idea, since TLS and h2 are maybe hard to get right in the stack, but it's a different approach that could lead to high coverage of critical remote network paths.
>>
>> Not sure it's the right way to go about it, but thought I'd mention it as a potential approach to deep fuzzing.
>
> Full disclosure: I work for Google, I work with the OSSFuzz team.
>
> I like this plan - attack from anywhere in the stack reveals bugs. Adding a new vector does not block anything, so why not? The only reason why not, I'd say, is if there's an existing fuzzing target that trivially exercises the same code - even then it's fine, it's just wasted effort.
>
>> On Fri, Jul 16, 2021 at 4:02 AM david korczynski <david@adalogics.com> wrote:
>>> Hi all,
>>>
>>> I have been working on getting fuzzing into Apache httpd and it would be
>>> great to have it set up with OSS-Fuzz. OSS-Fuzz is a free service run by
>>> Google that will continuously run fuzzers and the service is
>>> administered on github (https://github.com/google/oss-fuzz).
>>> Apache-commons is already integrated into OSS-Fuzz (see here:
>>> https://github.com/google/oss-fuzz/pull/5633)
>>>
>>> I have done initial work on fuzzing httpd which can be found in this PR:
>>> https://github.com/google/oss-fuzz/pull/6044
>>>
>>> I am happy to continue working more on improving the fuzzing so we can
>>> get a high code coverage of httpd, but I would prefer to do this only if
>>> the developers of httpd are happy to receive bug reports from the
>>> fuzzers. In order to integrate with OSS-Fuzz the only thing needed is a
>>> set of email addresses that will receive the bug reports, and these
>>> emails need to be affiliated with a Google account (for login purposes).
>>>
>>> Let me know if you are happy to integrate httpd into OSS-Fuzz.
>>>
>>> Kind regards,
>>> David
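Paul's fake-MPM idea (feeding fuzzer bytes straight into the filter stack) and David's caution about complying with the contracts of the code you attack meet in the harness itself: a libFuzzer entry point receives raw bytes with no NUL terminator and no size bound, while most C string-handling code assumes both. The harness below is an added example, not code from httpd, OSS-Fuzz or PR 6044. The request-line parser is a constructed stand-in for an httpd-internal function whose contract is "NUL-terminated line, bounded length"; the names `parse_request_line`, `request_line`, `MAX_LINE` and the `STANDALONE_DRIVER` macro are assumptions. Passing `(const char *)data` straight into such a parser would make every run an out-of-contract call, and every sanitizer report from it a harness false positive of exactly the kind David describes.

```c
/* Added example, not code from httpd, OSS-Fuzz or PR 6044. A libFuzzer-style
 * harness around a constructed stand-in for an httpd request-line parser.
 * The parser's contract: `line` is NUL-terminated and at most MAX_LINE bytes.
 * The harness enforces that contract before calling in, so a sanitizer
 * report points at a real parser bug rather than at the harness. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 8190 /* assumed cap, in the spirit of httpd's LimitRequestLine default */

typedef struct {
    const char *method; size_t method_len;
    const char *uri;    size_t uri_len;
    int major, minor;
} request_line;

/* Contract: `line` is NUL-terminated. Returns 0 on success, -1 if malformed.
 * Scans with strchr/strncmp, so an unterminated buffer would be undefined
 * behaviour here; preventing that is the harness's job, not the parser's. */
static int parse_request_line(const char *line, request_line *out)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line) return -1;        /* empty method */
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL || sp2 == sp1 + 1) return -1;     /* empty URI */
    const char *ver = sp2 + 1;
    if (strncmp(ver, "HTTP/", 5) != 0) return -1;
    ver += 5;
    /* Each index is read only after the previous one proved non-NUL. */
    if (ver[0] < '0' || ver[0] > '9' || ver[1] != '.' ||
        ver[2] < '0' || ver[2] > '9' || ver[3] != '\0') return -1;
    out->method = line;  out->method_len = (size_t)(sp1 - line);
    out->uri = sp1 + 1;  out->uri_len = (size_t)(sp2 - sp1 - 1);
    out->major = ver[0] - '0';
    out->minor = ver[2] - '0';
    return 0;
}

/* libFuzzer entry point. The fuzzer hands over raw bytes with no NUL and no
 * size bound; both are outside the parser's contract, so the harness adds the
 * terminator and applies the same length limit the server would enforce
 * before the parser ever sees the line. Returning 0 is the libFuzzer
 * convention regardless of what the parser decided. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size > MAX_LINE) return 0;  /* the server would reject the line first */
    char *buf = malloc(size + 1);
    if (buf == NULL) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    request_line rl;
    (void)parse_request_line(buf, &rl);  /* -1 is a valid outcome, not a bug */
    free(buf);
    return 0;
}

#ifdef STANDALONE_DRIVER /* assumed macro: plain binary instead of libFuzzer's main */
int main(void)
{
    /* Constructed sample inputs: one well-formed line, one truncated version. */
    const char *samples[] = { "GET /index.html HTTP/1.1", "GET /index.html HTTP/1" };
    for (size_t i = 0; i < 2; i++) {
        request_line rl;
        int rc = parse_request_line(samples[i], &rl);
        printf("%-28s -> %s\n", samples[i], rc == 0 ? "parsed" : "rejected");
    }
    return 0;
}
#endif
```

Built with `clang -fsanitize=fuzzer,address`, libFuzzer supplies `main` and calls `LLVMFuzzerTestOneInput` in a loop; with `-DSTANDALONE_DRIVER` instead, the file compiles to an ordinary binary that runs the two constructed samples. The design point is the two lines between `malloc` and the parser call: they are the entire difference between fuzzing the parser and fuzzing the harness.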