[gdal-dev] Google OSS Fuzz


[gdal-dev] Google OSS Fuzz

Kurt Schwehr-2
The Google security team is interested in having GDAL join the OSS-Fuzz - Continuous Fuzzing for Open Source Software project:


I've been doing this a bit for GDAL internally at Google, but it's not at head and the bugs generated are not available until I take action to push them out.

If folks are interested, I've got a few fuzzers that we can start with that we can copy from gdal-autotest2.

-kurt

_______________________________________________
gdal-dev mailing list
[hidden email]
https://lists.osgeo.org/mailman/listinfo/gdal-dev

Re: Google OSS Fuzz

Mateusz Loskot
On 21 April 2017 at 02:06, Kurt Schwehr <[hidden email]> wrote:
> The Google security team is interested in having GDAL join the OSS-Fuzz -
> Continuous Fuzzing for Open Source Software project:
>
> https://github.com/google/oss-fuzz
>
> If folks are interested, I've got a few fuzzers that we can start with that
> we can copy from gdal-autotest2.

I think it's an interesting project GDAL should be part of.

I'm interested. What is your plan, where help is needed?

p.s. I see OSS-Fuzz is going to add new fuzzing engines in future.
Perhaps Dr Memory/Dr Fuzz, already used by Chromium AFAIK,
will be considered too. AFAIU it comes with built-in fuzzer
and supports Windows.

Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net

Re: Google OSS Fuzz

Even Rouault-2

On Friday 21 April 2017 09:23:50 CEST Mateusz Loskot wrote:
> On 21 April 2017 at 02:06, Kurt Schwehr <[hidden email]> wrote:
> > The Google security team is interested in having GDAL join the OSS-Fuzz -
> > Continuous Fuzzing for Open Source Software project:
> >
> > https://github.com/google/oss-fuzz
> >
> > If folks are interested, I've got a few fuzzers that we can start with
> > that we can copy from gdal-autotest2.
>
> I think it's an interesting project GDAL should be part of.

+1

> I'm interested. What is your plan, where help is needed?
>
> p.s. I see OSS-Fuzz is going to add new fuzzing engines in future.
> Perhaps Dr Memory/Dr Fuzz, already used by Chromium AFAIK,
> will be considered too. AFAIU it comes with built-in fuzzer
> and supports Windows.
>
> Best regards,

--
Spatialys - Geospatial professional services
http://www.spatialys.com



Re: Google OSS Fuzz

Kurt Schwehr-2
> I'm interested. What is your plan, where help is needed?

I don't actually have a plan :) 

I've been using an internal to Google interface to drive fuzzing so far and have yet to look at what it takes to drive OSS-Fuzz.  So someone looking at what we need to do to trigger the fuzzing would be great.

The actual writing of fuzzers is pretty easy...  e.g. https://gist.github.com/schwehr/d4d48b60ed99986ce18703262fe98758

We just need to get a local version of WrapUnique and autotest2::VsiMemTempWrapper, or something equivalent, or be explicit about the cleanup.

Agreed that more fuzzing engines would be nice, but I think we are still at the point where we can find bugs faster than we can fix them.  I've got a stack of HFA issues and I hit my first GeoJSON bug with the first couple minutes of fuzzing starting with an empty corpus on a single core.  A comparison data point... kakadu was 43 issues found in approx a week of fuzzing with 1k cores.

On Sat, Apr 22, 2017 at 7:58 AM, Even Rouault <[hidden email]> wrote:
> On Friday 21 April 2017 09:23:50 CEST Mateusz Loskot wrote:
> > On 21 April 2017 at 02:06, Kurt Schwehr <[hidden email]> wrote:
> > > The Google security team is interested in having GDAL join the OSS-Fuzz -
> > > Continuous Fuzzing for Open Source Software project:
> > >
> > > https://github.com/google/oss-fuzz
> > >
> > > If folks are interested, I've got a few fuzzers that we can start with
> > > that we can copy from gdal-autotest2.
> >
> > I think it's an interesting project GDAL should be part of.
>
> +1
>
> > I'm interested. What is your plan, where help is needed?
> >
> > p.s. I see OSS-Fuzz is going to add new fuzzing engines in future.
> > Perhaps Dr Memory/Dr Fuzz, already used by Chromium AFAIK,
> > will be considered too. AFAIU it comes with built-in fuzzer
> > and supports Windows.
> >
> > Best regards,
>
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com
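
Added example, not part of the original thread and not code from GDAL, gdal-autotest2 or the linked gist: a stand-alone sketch of the cleanup pattern the last message asks for, with a libFuzzer entry point whose in-memory input file and dataset handle are released on every return path. `ToyOpen`, `ToyClose`, `MemFileGuard` and the `/toymem/` name are hypothetical stand-ins for `GDALOpen`, `GDALClose`, the VsiMemTempWrapper helper and a `/vsimem/` path.

```cpp
// Added example (assumption-labelled): ToyOpen/ToyClose and g_memfs are hypothetical
// stand-ins for GDALOpen/GDALClose and GDAL's /vsimem/ files; this is not GDAL code.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

static std::map<std::string, std::vector<uint8_t>> g_memfs;  // toy /vsimem/
static int g_open_handles = 0;
struct ToyDataset { size_t payload_len; };

// Toy format: magic 'T', declared length n, then at least n payload bytes.
ToyDataset *ToyOpen(const std::string &name) {
  auto it = g_memfs.find(name);
  if (it == g_memfs.end()) return nullptr;
  const std::vector<uint8_t> &b = it->second;
  if (b.size() < 2 || b[0] != 'T' || b[1] > b.size() - 2) return nullptr;
  ++g_open_handles;
  return new ToyDataset{b[1]};
}
void ToyClose(ToyDataset *ds) { --g_open_handles; delete ds; }

// Role of VsiMemTempWrapper: publish the input as a named file, always unlink it.
class MemFileGuard {
 public:
  MemFileGuard(std::string name, const uint8_t *data, size_t size)
      : name_(std::move(name)) { g_memfs[name_].assign(data, data + size); }
  ~MemFileGuard() { g_memfs.erase(name_); }
  MemFileGuard(const MemFileGuard &) = delete;
  MemFileGuard &operator=(const MemFileGuard &) = delete;
 private:
  std::string name_;
};

// Role of WrapUnique: own the raw handle so ToyClose runs on every path.
using DatasetPtr = std::unique_ptr<ToyDataset, decltype(&ToyClose)>;

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  MemFileGuard file("/toymem/fuzz_input", data, size);
  DatasetPtr ds(ToyOpen("/toymem/fuzz_input"), &ToyClose);
  if (!ds) return 0;                   // rejected input: guard still unlinks
  if (ds->payload_len == 0) return 0;  // early return: handle still closed
  return 0;
}

size_t LiveFiles() { return g_memfs.size(); }
int OpenHandles() { return g_open_handles; }
```

Because the fuzzing engine calls the entry point repeatedly in one process, anything left behind by one input accumulates across inputs and shows up as a leak report rather than a parser bug.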




