Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add fuzzer to Debian Parser #3858

Open
joydeep049 opened this issue Feb 24, 2024 · 1 comment
Open

feat: Add fuzzer to Debian Parser #3858

joydeep049 opened this issue Feb 24, 2024 · 1 comment
Assignees
@joydeep049

Comments

@joydeep049
Copy link
Contributor

joydeep049 commented Feb 24, 2024
edited
Loading

Description

cve-bin-tool has an existing fuzz testing setup which is based on Google Atheris. One of the areas it doesn't yet cover is the files used by the language list parsers. These are typically lists of 3rd party components/requirements written in a format to a specific packaging tool for a specific programming language. These may be lists of requirements generated by a human, or they could be generated by a tool.

This particular request is to fuzz the Debian parser which uses control files, but requests will be filed for the other parsers as well. You can see which ones are listed under the security tag.

Why?

Regular fuzz testing can help us find bugs and potential security issues in parsing . While we hope users aren't going to be regularly scanning malicious control files we'd still like to be able to handle things correctly if a file is really malformed.

How should I do this?

  1. Set up your own environment for fuzzing cve-bin-tool using Atheris. We recommend you use a container or vm for this for safety (a misconfigured fuzzer can potentially make a big mess).
  2. Be aware that Atheris and its requirements can be a bit finicky to set up and last time we ran a big fuzzing campaign only some versions of Python in some environments actually worked easily. If you find any issues with following the setup docs, or manage to find good workarounds for an environment we haven't mentioned, please file issues or make a PR to add them to our docs.
  3. Create a new proto file (or files) to generate fuzzed control files and add them to our proto files directory: https://github.com/intel/cve-bin-tool/tree/main/fuzz/proto_files. It's ok to have tests against files that are completely garbage, but probably the most interesting bugs will come from files that mostly look correct, and the proto setup will help you do that. If you're not sure how any of this works, you may find it useful to read this primer on structure-aware fuzzing
  4. Make a python file to call your fuzzer. Here's what the cyclonedx fuzzer looks like, as an example. Yours may be considerably different -- feel free to search for other examples and read the Atheris/libfuzzer/protobuf-mutator docs to help you figure out what you need.
@joydeep049
Copy link
Contributor Author

joydeep049 commented Feb 24, 2024
edited
Loading

Filing this to so that i can work on it after this is merged.
@terriko

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joydeep049 joydeep049

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@joydeep049