Closed capuanob closed 11 months ago
Can you elaborate what you mean? You have patches you want to contribute to pyelftools for this purpose? Please describe them in detail.
@eliben Hi Eli,
I have not yet integrated pyelftools into OSSFuzz, as I wanted to get your permission first.
The contribution would be the inclusion of an atheris fuzzing harness to test the library's entrypoints. Additionally, a build.sh and a cifuzz.yml would be contributed. The build.sh is executed nightly by Google's ClusterFuzz server to perform continuous testing of the library, and the cifuzz.yml allows for brief fuzz-testing to be integrated into the pull request pipeline (to ensure that changes do not introduce bugs/vulnerabilities into the library's codebase).
For more information on the OSSFuzz program, please see here
So the idea is to fuzz pyelftools?
I have to think more about it, but overall I'm negative on this topic. pyelftools is for tools, it's not supposed to be on security boundaries and its input surface is enormous given the support for large, complex formats. It's also in low-maintenance mode. I'm not sure what benefit will be gained from fuzzing in this case.
I don't see a lot of value, either. First, making the input format of pyelftools (ELF) fuzzable will take about the same amount of time as putting together pyelftools itself. Second, the Pythonic nature of pyelftools negates the possibility of the kind of bugs that become security vulnerabilities (buffer overruns and such), and "the library threw an exception on bogus input" is functioning as designed.
If anything, pyelftools would benefit from a corpus testing - amass a pile of binaries (preferably with DWARF), sic pyelftools on them - but that's not what is being proposed.
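Added example, not code from the pyelftools project or from anyone in this thread, sketching both approaches discussed above: an atheris harness of the kind capuanob describes (one entry point that walks the library's main parsing paths) and a corpus runner of the kind sevaa suggests (the same checks over a directory of real binaries). It also shows the point sevaa makes about exceptions: ELFError and DWARFError are what pyelftools raises on purpose for bogus input and are filtered out as "rejected", so only unexpected exceptions (IndexError, KeyError, RecursionError and the like) surface as findings. It assumes pyelftools (the elftools package) and atheris are installed; the file name, function names and the constructed minimal ELF header are the example's own.

```python
# fuzz_pyelftools.py: atheris harness plus a corpus runner for pyelftools.
# Added example for this thread, not code from the pyelftools project or the
# issue author. Assumes pyelftools (package `elftools`) and atheris are
# installed; all names here are the example's own.
import io
import struct
import sys

MAX_INPUT = 1 << 20  # skip inputs above 1 MiB so each fuzz iteration stays cheap


def _elftools():
    # Imported lazily so this module can be imported (and unit-tested) without
    # pyelftools or atheris on the path.
    from elftools.common.exceptions import DWARFError, ELFError
    from elftools.elf.elffile import ELFFile
    from elftools.elf.sections import SymbolTableSection
    # ELFError/DWARFError are what pyelftools raises *on purpose* for malformed
    # input; anything else escaping is the kind of bug worth reporting.
    return ELFFile, SymbolTableSection, (ELFError, DWARFError)


def exercise(data: bytes) -> int:
    """Walk the main pyelftools entrypoints over one input; return how many
    objects (sections, symbols, segments, DIEs) were touched."""
    ELFFile, SymbolTableSection, _ = _elftools()
    elf = ELFFile(io.BytesIO(data))
    touched = 0
    for section in elf.iter_sections():
        touched += 1
        section.name                      # forces string-table lookups
        if isinstance(section, SymbolTableSection):
            for sym in section.iter_symbols():
                touched += 1
                sym.name
    for segment in elf.iter_segments():
        touched += 1
        segment.header["p_type"]
    if elf.has_dwarf_info():
        dwarf = elf.get_dwarf_info()
        for cu in dwarf.iter_CUs():
            for die in cu.iter_DIEs():
                touched += 1
                die.tag
    return touched


def run_one(data: bytes) -> str:
    """'ok' if the input parsed, 'rejected' if pyelftools refused it by design.
    Any other exception propagates: that is the signal a fuzzer records."""
    _, _, expected = _elftools()
    try:
        exercise(data)
    except expected:
        return "rejected"
    return "ok"


def run_corpus(paths) -> dict:
    """The 'corpus testing' alternative: the same checks over real binaries,
    continuing past failures and collecting what crashed."""
    results = {"ok": 0, "rejected": 0, "crashed": []}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        try:
            results[run_one(data)] += 1
        except Exception as exc:  # unexpected: IndexError, KeyError, RecursionError, ...
            results["crashed"].append((path, type(exc).__name__, str(exc)))
    return results


def TestOneInput(data: bytes) -> None:
    # Entry point atheris calls once per generated input.
    if len(data) > MAX_INPUT:
        return
    run_one(data)


def minimal_elf64() -> bytes:
    """Constructed 64-byte ELF64 header (x86-64, little-endian) with no sections
    or segments; a seed for the fuzz corpus and a smoke test for run_one."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    return struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 0x3E, 1, 0, 0, 0, 0,
                       64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--corpus":
        print(run_corpus(sys.argv[2:]))  # python fuzz_pyelftools.py --corpus /path/to/*.so
    else:
        import atheris
        with atheris.instrument_imports():
            _elftools()  # import pyelftools here so atheris instruments it
        atheris.Setup(sys.argv, TestOneInput)
        atheris.Fuzz()
```

Run without arguments it behaves as an OSS-Fuzz style harness (atheris takes the usual libFuzzer flags from argv); with --corpus and a list of files it is the "sic pyelftools on a pile of binaries" mode, and its crashed list is the output worth reading. Keeping the by-design exceptions out of that list is what makes either mode report something other than "the library threw an exception on bogus input".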
@eliben @sevaa I appreciate your inputs, thank you for the consideration regardless!
Good evening,
I am looking to integrate pyelftools into OSSFuzz. If you are not familiar with OSSFuzz, it is Google's platform for continuous fuzzing of open-source software. In order to get the most out of this program, it would be greatly beneficial to be able to merge in my fuzz harness and build scripts into the upstream repository and contribute bug fixes if they come up. Is this something that you would support me putting the effort into?
Thank you in advance!