eliben / pyelftools

Parsing ELF and DWARF in Python
Other
2.03k stars 512 forks source link

OSSFuzz Integration #529

Closed capuanob closed 11 months ago

capuanob commented 11 months ago

Good evening,

I am looking to integrate pyelftools into OSSFuzz. If you are not familiar with OSSFuzz, it is Google's platform for continuous fuzzing of open-source software. In order to get the most out of this program, it would be greatly beneficial to be able to merge in my fuzz harness and build scripts into the upstream repository and contribute bug fixes if they come up. Is this something that you would support me putting the effort into?

Thank you in advance!

eliben commented 11 months ago

Can you elaborate what you mean? You have patches you want to contribute to pyelftools for this purpose? Please describe them in detail

capuanob commented 11 months ago

@eliben Hi Eli,

I have not yet integrated pyelftools into OSSFuzz, as I wanted to get your permission first.

The contribution would be the inclusion of an atheris fuzzing harness to test the library's entrypoints. Additionally, a build.sh and a cifuzz.yml would be contributed. The build.sh is executed nightly by Google's ClusterFuzz server to perform continuous testing of the library and the cifuzz.yml allows for brief fuzz-testing to be integrated into the pull request pipeline (to ensure that changes do not introduce bugs/vulnerabilities into the library's codebase).

For more information on the OSSFuzz program, please see here

eliben commented 11 months ago

So the idea is to fuzz pyelftools?

I have to think more about it, but overall I'm negative on this topic. pyelftools is for tools, it's not supposed to be on security boundaries and its input surface is enormous given the support for large, complex formats. It's also in low-maintenance mode. I'm not sure what benefit will be gained from fuzzing in this case.

sevaa commented 11 months ago

I don't see a lot of value, either. First, making the input format of pyelftools (ELF) fuzzable will take about the same amount of time as putting together pyelftools itself. Second, the Pythonic nature of pyelftools negates the possibility of the kind of bugs that become security vulnerabilities (buffer overruns and such), and "the library threw an exception on bogus input" is functioning as designed.

If anything, pyelftools would benefit from a corpus testing - amass a pile of binaries (preferably with DWARF), sic pyelftools on them - but that's not what is being proposed.

capuanob commented 11 months ago

@eliben @sevaa I appreciate your inputs, thank you for the consideration regardless!