Improve automated security unit testing

[jentfoo]

I would like to make sure our testing covers security cases, notably bugs which could result in denial of service conditions. As part of onboarding to the code I will look for opportunities for fuzzing and other testing to make sure these types of bugs are not going undiscovered.

Sub Tasks

• Core
• SDK
  • [ ] https://github.com/opentdf/platform/issues/1390
  • [ ] https://github.com/opentdf/platform/issues/1389
    • [x] https://github.com/opentdf/platform/issues/1391

[dmihalcik-virtru]

We should probably have a table of what we want to fuzz and how. We can focus on the obvious ugc, notably the SDK but really this could be:

• core:
  • any protocol buffer sent to the services
  • any rest content sent to the gateway
  • decrypted content (unwrapped values)
• sdk
  • TDF content
  • Decrypted content
  • Plain text content
  • any value passed into the system for configuration
  • any response from KAS
  • any response decrypted from KAS

We should probably break these down into priority chunks and do a brief threat analysis to assign priority. Then we will have a breakdown like

Epic: Add fuzz testing to sdk and core Tasks: Fuzz service x/ input y from the list above Bugs: issues found from the above fuzz tests

I'll add a few issues for the most obvious of the above related to the SDK and one for the issue you found recently.

[jentfoo]

@dmihalcik-virtru, thank you for the additional details! I am working on a branch which will include some of the most sensitive areas I am discovering. However I would love some feedback from the team afterwords on what I have missed.

In short, I feel like fuzzing is the best way to create automated tests around any protocol parsing we need to do. I am trying to target areas where our protocol work is most complicated first.