common-workflow-language / cwltool

Common Workflow Language reference implementation
https://cwltool.readthedocs.io/
Apache License 2.0

Fuzzing cwltool #1170

Open mr-c opened 5 years ago

mr-c commented 5 years ago

https://alexgaynor.net/2015/apr/13/introduction-to-fuzzing-in-python-with-afl/

Fuzzing is a technique in computer testing and security where you generate a bunch of random inputs, and see how some program handles it. For example, if you had a JPEG parser, you might create a bunch of valid images and broken images, and make sure it either parses them or errors out cleanly. In C (and other memory unsafe languages) fuzzing can often be used to discover segfaults, invalid reads, and other potential security issues. Fuzzing is also useful in Python, where it can discover uncaught exceptions, and other API contract violations.

Goal: No interaction with cwltool should run forever, produce a segfault, or quit with just a plain Python exception traceback.

Another resource is https://www.fuzzingbook.org/

https://github.com/DRMacIver/structureshrink/commits/master might be useful for reducing CWL test cases

Adding property based testing may also be useful https://hypothesis.readthedocs.io/en/latest/

https://pypi.org/project/pythonfuzz/
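The goal stated above, turned into a pass/fail check, as an added example that is not part of the original issue or of cwltool. The function names are hypothetical, the harness assumes the target takes the document path as its last argument, and `STAND_IN` is a constructed target that takes the place of cwltool so the code runs offline.

```python
import os, random, subprocess, sys, tempfile

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte flips, deletions or duplications to a seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        if not buf:
            break
        pos = rng.randrange(len(buf))
        op = rng.choice(("flip", "delete", "dup"))
        if op == "flip":
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del buf[pos]
        else:
            buf.insert(pos, buf[pos])
    return bytes(buf)

def classify(cmd, doc: bytes, timeout: float = 5.0) -> str:
    """Run cmd + [path to doc] and judge the outcome against the issue's goal."""
    with tempfile.NamedTemporaryFile(suffix=".cwl", delete=False) as fh:
        fh.write(doc)
    try:
        proc = subprocess.run(cmd + [fh.name], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"        # "run forever"
    finally:
        os.unlink(fh.name)
    if proc.returncode < 0:
        return "signal"      # killed by a signal such as SIGSEGV (POSIX)
    if b"Traceback (most recent call last)" in proc.stderr:
        return "traceback"   # plain Python exception traceback
    return "ok"              # accepted, or rejected with a clean error

def fuzz(cmd, seed: bytes, rounds: int, rng_seed: int = 0, timeout: float = 5.0):
    """Return (verdict, document) for every mutated input that violates the goal."""
    rng = random.Random(rng_seed)
    docs = [mutate(seed, rng) for _ in range(rounds)]
    verdicts = [(classify(cmd, d, timeout), d) for d in docs]
    return [(v, d) for v, d in verdicts if v != "ok"]

# Constructed stand-in target so the example runs without cwltool installed.
STAND_IN = [sys.executable, "-c", (
    "import os, sys, time\n"
    "d = open(sys.argv[1], 'rb').read()\n"
    "if b'hang' in d: time.sleep(60)\n"
    "if b'abort' in d: os.abort()\n"
    "if b'bug' in d: raise KeyError('class')\n"
    "if b'bad' in d: sys.exit('error: invalid document')\n")]
```

To run it against the real tool, replace `STAND_IN` with a cwltool command prefix (for instance `["cwltool", "--validate"]`, which is an assumption about how the project would choose to drive it) and use a valid CWL document from the user guide as the seed.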

kunal12298 commented 4 years ago

Hey, looking forward to contributing to this project for GSoC. Can you let me know how to get started?

mr-c commented 4 years ago

Welcome @kunal12298 ! Do you have any experience with fuzzing and/or Python? Did you read the blog post link above?

kunal12298 commented 4 years ago

Thank you, and yes, I have read the blog post linked above. I know Python but have no experience with fuzzing. If guided, then I will surely prove myself.

mr-c commented 4 years ago

@kunal12298 I recommend working through the CWL User Guide so that you get experience with how to use cwltool https://www.commonwl.org/user_guide/ Then, based upon that experience, we should be able to work together to create a plan for fuzzing cwltool. We are also new to fuzzing! :-)

Shubhamlmp commented 4 years ago

Hello sir, I am interested in contributing to this project for GSoC, and I am currently reading about this project. I would appreciate some help for a better and quicker understanding. Thank you!

mr-c commented 4 years ago

Hello @Shubhupatel, thanks for your interest. As I suggested to @kunal12298 , please work through the CWL user guide and the other linked resources. I've also updated the first post above as well.

Shubhamlmp commented 4 years ago

Sir, can I know about the project proposal format? Like, you can suggest me any specific proposal format, or I will make my own.

chhavi18387 commented 4 years ago

Hey! I am really interested in contributing to this project as a part of GSoC'20. Please guide me further.

mr-c commented 4 years ago

@Shubhupatel Please follow the advice at https://www.open-bio.org/events/gsoc/gsoc-project-ideas/#fuzz-cwl under "how to apply" and https://developers.google.com/open-source/gsoc/help/student-advice

dark00infinity commented 4 years ago

Hi, my name is Deepak Singh and I am a second-year Electronics and Communication Engineering student at University Institute of Engineering and Technology, Panjab University. I can code in Python, C++ and C. I am a resident of India. Yes, I have knowledge about fuzzing. I have also made a generation-based Python fuzzer in one of my hackathons and also have experience with the PyFuzz module in Python. I am new to CWL but have started learning it. I want to participate in GSoC 2020. Therefore I want some more insight into what kind of fuzzer is the requirement here (any specifications), and one more question: where to send the proposals for review.

Shubhamlmp commented 4 years ago

> Hello @Shubhupatel, thanks for your interest. As I suggested to @kunal12298 , please work through the CWL user guide and the other linked resources. I've also updated the first post above as well.

Sir, what do we do next after reading and doing some work on the CWL user guide?

utkarsh1148 commented 4 years ago

Hi, my name is Utkarsh Mishra, a second-year student at Thapar Institute, Patiala, India. I have worked with CWL and fuzzing before and am excited to contribute to this project. I liked the project idea and started to work on this. I wanted to ask if there is any Slack or Discord group for this, or should I post my progress here?

muhammadusman93 commented 4 years ago

Hi Michael,

I am Usman and a third year PhD student at the University of Texas at Austin, USA. I am doing research in automated software testing and want to contribute to the Fuzzing Project for CWL.

I have drafted a proposal and wanted to share it with you for feedback. Kindly guide me about how I can discuss it with you.

Thanks,

M. Usman

mr-c commented 4 years ago

Hello all. Please share your draft proposals with us via mrc@commonwl.org & peter.amstutz@curii.com