-
Notifications
You must be signed in to change notification settings - Fork 437
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add fuzzing testing #1215
Comments
I'd like to suggest and champion an effort integrating liboqs with google/oss-fuzz. If you aren't familiar with it, Google offers a free (for open source) continuous fuzzing service called OSS-fuzz. I've opened up a draft pull request to add a super basic fuzz-testing harness here #1905. It needs a little bit of tidying before it's ready to go but I thought I'd guage interest before polishing it up. The general process would look something like this.
Let me know what your thoughts are on this :) |
This would be very welcome, @silvergasp ! Thanks a million for the suggestion and apparent commitment!! As you seem to be an Independent Contributor like me (trying to establish that notion towards the corporate/LF folks :) I shall provide any possibly needed assistance with this, e.g., helping #1905 move to merge-ability, so please be sure to tag me when needed.
In a nutshell: LGTM :) Details to follow once this moves forward, I guess. |
Cheers mate. Yeah I'm an independent contributor. I've gone ahead and opened up a draft pull request over at oss-fuzz google/oss-fuzz#12408 that will function as both the integration and the "application" process. Everything seems to be working well locally and the CI is passing. A few things I'll need to move that PR forward (in the order that they need to happen);
I've gone ahead and polished up #1905 and I think it's ready for review. It's just a super-basic fuzzer that's mostly adapted from one of the examples. But the goal was just to get all the infrastructure in place so that more complex/useful fuzzer's are possible and worth the effort. |
Ideally you'd use [email protected] (listed at https://openquantumsafe.org/liboqs/security.html#reporting-security-bugs) that different people read. Please let us know if it must be a gmail account (not really ideal, though). |
We can also set up a dedicated fuzz-related alias if it's helpful. |
It doesn't need to be a gmail account you just won't have access to the dashboard and will only receive email updates. The dashboard has a bunch of useful features for analysing fuzzing performance and also automatically bisecting bugs to see when they where introduced. So I'd recommend adding at least one gmail account that someone on the core team has access to. I can add as many email accounts as you like, but only the gmail ones will have full access. I know some projects will setup a specific separate gmail account for this purpose so that it's separate from their personal accounts e.g. rhai.
This might be worthwhile as oss-fuzz will send off an email everytime a fuzzer crashes this includes both security and non-security related bugs. In some projects this can be a lot of emails and it's often hard to triage them all without the filtering tools on the dashboard. If you use a gmail account you can configure your notifications to only receive security updates rather than every crash report. I'll leave that up to you to decide :) |
@ryjones Do you have a preferred way to handle setting up a Gmail account for project use? As you can see in the comment above there is apparently a benefit to using a Gmail account for this fuzzing dashboard rather than just a generic email address. |
Let me ask around. I don't think I can set up a gmail/google apps account for any of the domains PQCA controls. |
Follow the approach taken by OpenSSL or another one: Suggestions welcome below.
The text was updated successfully, but these errors were encountered: