eliben / pyelftools

Parsing ELF and DWARF in Python

OSSFuzz Integration #529

Closed capuanob closed 8 months ago

capuanob commented 8 months ago

Good evening,

I am looking to integrate pyelftools into OSSFuzz. If you are not familiar with OSSFuzz, it is Google's platform for continuous fuzzing of open-source software. In order to get the most out of this program, it would be greatly beneficial to be able to merge my fuzz harness and build scripts into the upstream repository and contribute bug fixes if they come up. Is this something that you would support me putting the effort into?

Thank you in advance!

eliben commented 8 months ago

Can you elaborate on what you mean? You have patches you want to contribute to pyelftools for this purpose? Please describe them in detail.

capuanob commented 8 months ago

@eliben Hi Eli,

I have not yet integrated pyelftools into OSSFuzz, as I wanted to get your permission first.

The contribution would be the inclusion of an Atheris fuzzing harness to test the library's entrypoints. Additionally, a build.sh and a cifuzz.yml would be contributed. The build.sh is executed nightly by Google's ClusterFuzz server to perform continuous testing of the library, and the cifuzz.yml allows for brief fuzz-testing to be integrated into the pull request pipeline (to ensure that changes do not introduce bugs/vulnerabilities into the library's codebase).

For more information on the OSSFuzz program, please see here

eliben commented 8 months ago

So the idea is to fuzz pyelftools?

I have to think more about it, but overall I'm negative on this topic. pyelftools is for tools, it's not supposed to be on security boundaries and its input surface is enormous given the support for large, complex formats. It's also in low-maintenance mode. I'm not sure what benefit will be gained from fuzzing in this case.

sevaa commented 8 months ago

I don't see a lot of value, either. First, making the input format of pyelftools (ELF) fuzzable will take about the same amount of time as putting together pyelftools itself. Second, the Pythonic nature of pyelftools negates the possibility of the kind of bugs that become security vulnerabilities (buffer overruns and such), and "the library threw an exception on bogus input" is functioning as designed.

If anything, pyelftools would benefit from corpus testing - amass a pile of binaries (preferably with DWARF), sic pyelftools on them - but that's not what is being proposed.

capuanob commented 8 months ago

@eliben @sevaa I appreciate your input, thank you for the consideration regardless!