Closed fuzzy-boiii23a closed 1 year ago
alex
commented
1 year ago You're welcome to use my email address (alex.gaynor@gmail.com), however I doubt there's much value to be had here -- rust-openssl is a wrapper around OpenSSL. OpenSSL contains all the parsers and such, and is already fuzzed.
My experience having pyca/cryptography (an analogous python library) fuzzed is that it was similarly low value.
fuzzy-boiii23a
commented
1 year ago Thanks Alex much appreciated, understood however I think it would be relatively easy to set up in addition to adding CI fuzzing in order to fuzz any future pull requests automatically and would be nice to have in any case and so i'm happy to get this cracking, i hope you have a great rest of your day :)
Hi all,
Currently this project is not being fuzzed constantly and i believe integrating it with OSS-Fuzz is a great idea to have new and old code constantly tested for potential issues and although Rust is for the most part memory safe integer overflows are common and typical memory corruption may still occur when using unsafe.
Proposed Solution If there is interest with regards to integrating this project into OSS-Fuzz, this would allow continuous testing of this project in order to identify vulnerabilities using google's infrastructure with no monetary cost to this project. Google's OSS-Fuzz has identified 10,000 vulnerabilities and 36,000 bugs in 1000 open source projects as per https://google.github.io/oss-fuzz/#trophies. The process can be seen at https://google.github.io/oss-fuzz/architecture/ and I'm willing to integrate this project into OSS-Fuzz and write harnesses to test key functionalities of this project.
If this is something that everyone would like to see could you please let me know and provide me with an email or two in order to receive new issues found via fuzzing? I'm also happy to support with writing patches for any issues found.