Open guidovranken opened 1 year ago
Pratyush
commented
1 year ago Hi @guidovranken!
Thanks a lot for this! We're happy to integrate the harness either into this repo or into the curves repo, and maintain it thereafter.
Regarding the email, we can initially put down my email (pratyush795@gmail.com).
Please let us know any next steps.
guidovranken
commented
1 year ago Thanks.
It currently builds the 0.3.0 version of everything. Should we test the latest code in the repository instead?
Can we change these dependencies so that they use the latest development code for everything?
https://github.com/guidovranken/cryptofuzz/blob/master/modules/arkworks-algebra/Cargo.toml
guidovranken
commented
1 year ago You should have receive bug reports from OSS-Fuzz. I think they are false positives and I'll fix them one of these days. You can log in at http://oss-fuzz.com/ to see all bugs along with stack traces and other details.
I run a project which has found hundreds of bugs in cryptographic libraries. I have written a harness for arkworks crates. It can now be integrated into Google's OSS-Fuzz where it will be fuzzed 24/7. If it finds a bug, you receive an e-mail notification. I propose to integrate this harness into the existing bls-signatures project (this is a bit of a misnomer because it is intended for all pairing libraries, not just BLS curves), where it will be tested against libraries like blst and mcl. You initially don't need to do anything other than supplying a list of e-mail address linked to a Google account (note: these addresses will be public in the project.yaml file). Preferably you will maintain the harness so I personally don't need to stay on top of breaking API changes. There are no costs associated with any of this. Is there any interest in a Google OSS-Fuzz integration?