cisco / libsrtp

Library for SRTP (Secure Realtime Transport Protocol)

Offering my libsrtp fuzzer #393

Closed guidovranken closed 5 years ago

guidovranken commented 6 years ago

I've written an extensive libsrtp fuzzer with a focus on dynamic configuration generation (e.g. policy chains of arbitrary length extracted from the fuzzer input, EKT yes/no, dynamic window size, dynamic SSRC type and value and so on). It is libFuzzer-based and supports ASAN+UBSAN and MSAN sanitization. If you are keen to include it in your project, I will make a PR. I will sign a CLA if necessary. I mean to submit it for inclusion in Google's OSS-Fuzz.
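The comment above describes a libFuzzer harness that derives its libsrtp configuration (policy chain length, SSRC type and value, replay window size, EKT on/off) from the fuzzer input itself. The block below is an added example written for this page; it is not Guido's fuzzer and not libsrtp code. It shows the input-to-configuration step in a self-contained way: every field is read through a bounds-checked cursor so a short input never causes an out-of-bounds read, and the remaining bytes become the packet payload. `struct fuzz_policy`, `MAX_POLICIES`, the 64..16384 window range and the 30-byte key (16-byte key plus 14-byte salt, as for the default AES-128-ICM policy) are this example's assumptions. The libsrtp calls that would consume the decoded chain (`srtp_policy_t`, `srtp_create`, `srtp_protect`/`srtp_unprotect`) are left out so the file compiles without the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Example-local mirror of the choices a libsrtp policy exposes; this is
 * NOT libsrtp's srtp_policy_t, which the real harness would fill from it. */
enum ssrc_kind { SSRC_SPECIFIC = 0, SSRC_ANY_INBOUND = 1, SSRC_ANY_OUTBOUND = 2 };

#define MAX_POLICIES 8   /* assumed upper bound on the policy chain */
#define KEY_LEN 30       /* assumed: 16-byte key + 14-byte salt, AES-128-ICM */

struct fuzz_policy {
    enum ssrc_kind kind;
    uint32_t ssrc;         /* only meaningful for SSRC_SPECIFIC */
    uint32_t window_size;  /* replay window, power of two in 64..16384 */
    int use_ekt;           /* EKT yes/no */
    uint8_t key[KEY_LEN];
};

struct fuzz_config {
    size_t n_policies;
    struct fuzz_policy policies[MAX_POLICIES];
};

/* Cursor over the fuzzer input. A read past the end yields 0 instead of
 * touching memory outside the buffer, so decoding is total. */
struct reader { const uint8_t *p; size_t left; };

static uint8_t take_u8(struct reader *r) {
    if (r->left == 0) return 0;
    r->left--;
    return *r->p++;
}

static uint32_t take_u32(struct reader *r) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v = (v << 8) | take_u8(r);
    return v;
}

/* Decode a bounded policy chain from the front of the input. Whatever is
 * left over is reported as the packet payload. Returns the chain length. */
size_t decode_config(const uint8_t *data, size_t size, struct fuzz_config *cfg,
                     const uint8_t **payload, size_t *payload_len) {
    struct reader r = { data, size };
    memset(cfg, 0, sizeof(*cfg));
    cfg->n_policies = 1 + (take_u8(&r) % MAX_POLICIES);
    for (size_t i = 0; i < cfg->n_policies; i++) {
        struct fuzz_policy *pol = &cfg->policies[i];
        pol->kind = (enum ssrc_kind)(take_u8(&r) % 3);
        pol->ssrc = (pol->kind == SSRC_SPECIFIC) ? take_u32(&r) : 0;
        pol->window_size = 64u << (take_u8(&r) % 9);   /* 64 .. 16384 */
        pol->use_ekt = take_u8(&r) & 1;
        for (size_t k = 0; k < KEY_LEN; k++) pol->key[k] = take_u8(&r);
    }
    *payload = r.p;
    *payload_len = r.left;
    return cfg->n_policies;
}

/* libFuzzer entry point. In the real harness the decoded chain would be
 * turned into srtp_policy_t structs, passed to srtp_create(), and the
 * payload pushed through srtp_protect()/srtp_unprotect(). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct fuzz_config cfg;
    const uint8_t *payload;
    size_t payload_len;
    decode_config(data, size, &cfg, &payload, &payload_len);
    return 0;
}

/* Constructed sample input (not a real corpus entry): two policies, the
 * first SSRC-specific with EKT on, the second any-outbound, then two
 * payload bytes. Returns 1 if decoding yields exactly that. */
int self_check(void) {
    uint8_t in[2 + 4 + 2 + KEY_LEN + 3 + KEY_LEN + 2];
    size_t off = 0;
    in[off++] = 0x01;                               /* 1 + (1 % 8) = 2 policies */
    in[off++] = 0x00;                               /* policy 0: SSRC_SPECIFIC */
    in[off++] = 0xDE; in[off++] = 0xAD; in[off++] = 0xBE; in[off++] = 0xEF;
    in[off++] = 0x02;                               /* window 64 << 2 = 256 */
    in[off++] = 0x01;                               /* EKT on */
    memset(in + off, 0x11, KEY_LEN); off += KEY_LEN;
    in[off++] = 0x02;                               /* policy 1: SSRC_ANY_OUTBOUND */
    in[off++] = 0x09;                               /* 9 % 9 = 0 -> window 64 */
    in[off++] = 0x00;                               /* EKT off */
    memset(in + off, 0x22, KEY_LEN); off += KEY_LEN;
    in[off++] = 0xAA; in[off++] = 0xBB;             /* payload */

    struct fuzz_config cfg;
    const uint8_t *pl;
    size_t pln;
    size_t n = decode_config(in, off, &cfg, &pl, &pln);
    return n == 2
        && cfg.policies[0].kind == SSRC_SPECIFIC && cfg.policies[0].ssrc == 0xDEADBEEFu
        && cfg.policies[0].window_size == 256 && cfg.policies[0].use_ekt == 1
        && cfg.policies[0].key[0] == 0x11
        && cfg.policies[1].kind == SSRC_ANY_OUTBOUND && cfg.policies[1].ssrc == 0
        && cfg.policies[1].window_size == 64 && cfg.policies[1].use_ekt == 0
        && cfg.policies[1].key[KEY_LEN - 1] == 0x22
        && pln == 2 && pl[0] == 0xAA && pl[1] == 0xBB;
}
```

Build with `clang -g -fsanitize=fuzzer,address,undefined` (libFuzzer supplies `main`). Decoding one byte per decision, rather than hashing the whole input, matters for coverage-guided fuzzing: a single-byte mutation then flips exactly one configuration choice, so libFuzzer can attribute new coverage to it.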

fluffy commented 6 years ago

Hi Guido, sorry no one ever got back to you on this - I don't think anyone knew who should respond. It seems like everyone is in favor of improving security and thinks fuzzing is a good idea. What do we need to do to run your stuff against this project? Thoughts on the best way to proceed?

guidovranken commented 6 years ago

I can integrate it into Google oss-fuzz if you want? Let me know which e-mail addresses should receive notifications if a crash is found, and I'll set it up.

fluffy commented 6 years ago

Great - I'll get an email list set up.

guidovranken commented 5 years ago

Merging into oss-fuzz: https://github.com/google/oss-fuzz/pull/2183

Please specify one or more e-mail addresses that will deal with the crashes oss-fuzz might find, thanks.

fluffy commented 5 years ago

Add richbarn@cisco.com - thanks

guidovranken commented 5 years ago

It's running. richbarn can login to https://oss-fuzz.com/ to see progress/build status. Note that he must have a Google account linked to his e-mail address. If oss-fuzz finds a bug, richbarn will get an e-mail.

guidovranken commented 5 years ago

Are you interested in merging my fuzzing tree into the main tree, so that the fuzzer can be built against the latest libsrtp code?

pabuhler commented 5 years ago

Hi @guidovranken, great that it is up and running. Maybe we should also add libsrtp-security@lists.packetizer.com to the cc list?

Is the tree basically the same one that you shared with me last year? I have no problem merging it in if the change is not too obtrusive. Is that the norm when it comes to oss-fuzz, that the individual projects include the fuzzer code?

Will it mean that the fuzzer will be automatically run against the latest libsrtp code, or is the version on oss-fuzz fixed?

guidovranken commented 5 years ago

I will add that e-mail to the CC's.

I'll make sure that my fuzzing tree of libsrtp can be merged without making changes to the existing library code. Currently it runs against my fuzzing tree, but yes, it would be ideal if it constantly ran against the latest master branch, so that any bugs can be found before they enter production/official releases. I'm a bit busy right now, but I will try to do a PR within a few days.

Google-Autofuzz commented 5 years ago

Having your own fuzzer is the preferred way to integrate with OSS-Fuzz, yes.

Let us know if we can help in any way :)

pabuhler commented 5 years ago

@guidovranken now that your fuzzer is integrated into master, will you switch to using this branch?

pabuhler commented 5 years ago

Will close this now as it is complete. Thank you for all the effort @guidovranken !