Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fuzz testing with oss-fuzz #2738

Open
naveensrinivasan opened this issue Sep 7, 2021 · 3 comments
Open

Fuzz testing with oss-fuzz #2738

naveensrinivasan opened this issue Sep 7, 2021 · 3 comments
Labels
test coverage Discussion and pull requests for improving test coverage.

Comments

@naveensrinivasan
Copy link
Contributor

Enable Fuzz testing with oss-fuzz https://github.com/google/oss-fuzz , the oss-fuzz helped to identify with ethereum DoS https://adalogics.com/blog/the-importance-of-continuity-in-fuzzing-cve-2020-28362

@degeri
Copy link
Member

degeri commented Sep 7, 2021

I have some moral/privacy issues with using a google server to find vulns. But if you want to take it up for it DM me on matrix we can try to come up with something.

https://github.com/degeri/dcrd-continuous-fuzz for current fuzzing work (I am working on moving this to LibFuzzer).

@davecgh davecgh added the test coverage Discussion and pull requests for improving test coverage. label Sep 15, 2021
@naveensrinivasan
Copy link
Contributor Author

I have some moral/privacy issues with using a google server to find vulns. But if you want to take it up for it DM me on matrix we can try to come up with something.

https://github.com/degeri/dcrd-continuous-fuzz for current fuzzing work (I am working on moving this to LibFuzzer).

OK, I understand your concerns. What about the risk of something like this not being discovered ?https://twitter.com/peter_szilagyi/status/1332047468004077569?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1332047468004077569%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fadalogics.com%2Fblog%2Fthe-importance-of-continuity-in-fuzzing-cve-2020-28362

@degeri
Copy link
Member

degeri commented Sep 18, 2021

Not against fuzzing.

But very against using a centralized google service (And the accepting their rules) for fuzzing.

Not sure you have actually read the google rules. They have some restrictive policies.

eg:

Once a project is signed up for OSS-Fuzz, it is automatically subject to the 90-day disclosure deadline for newly reported bugs in our tracker. This matches industry’s best practices and improves end-user security and stability by getting patches to users faster.

While 90 day disclosure period is fine for normal software if something requires a consensus change we cant get it done in 90 days.. So then it would require some patch work and multiple fixes. We will be working on their timeline instead of our own.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
test coverage Discussion and pull requests for improving test coverage.
Projects
None yet
Development

No branches or pull requests

3 participants