On 13/05/2021 09:14, Fabian Meumertzheim wrote:
I'm one of the maintainers of Jazzer (
https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for the JVM platform. Jazzer has recently been integrated into
Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) to allow for free
continuous fuzzing of important open-source Java projects. Jazzer has
already found over a hundred bugs and eight security issues in libraries
such as Apache Commons, PDFBox and the OWASP json-sanitizer.

Jazzer finds unexpected exceptions and infinite loops by default, but can
also be used to check domain-specific properties such as
decrypt(encrypt(data)) == data. Since it tracks the coverage it achieves
using instrumentation applied by a Java agent, it can synthesize
interesting test data from scratch.

If there is interest from your side, I could set up the Java core libraries
themselves for fuzzing in OSS-Fuzz. Especially the parts that are
frequently applied to untrusted input, such as java.security.* and
javax.imageio.*, would benefit from fuzz tests. I have prepared basic fuzz
tests for some of the classes in these packages at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
which has already resulted in the first bug report (JDK-8267086).

All I would need from you is:

* a list of email addresses to which the fuzzer findings should be sent
(ideally associated with Google accounts for authentication to full reports
on oss-fuzz.com),
* ideas for additional fuzz tests, in particular those where there are
interesting properties to verify.

The technical questions about setting up the OpenJDK in OSS-Fuzz have
already been resolved (see also
https://github.com/google/oss-fuzz/issues/5757).

If you need more information on OSS-Fuzz or fuzzing in general, I am happy
to help.

I have one ask. As you mention, sometimes fuzzing will report issues that may be security issues. It often requires experts in particular areas to look at an issue and decide if it is a functional or a security issue. If there is any question mark over an issue then the assumption is that it is a security issue until determined otherwise. In that context it may not be possible to engage on the mailing lists here about these issues. Oracle engineers are strictly prohibited from engaging in any discussions on mailing lists about potential vulnerability issues. I suspect many other contributors are somewhat restricted too, but I think everyone is very responsible and knows not to discuss sensitive issues that may need patching.

So all I ask is that if the fuzzer finds issues that may be security issues, they should be reported to the vuln-report list [1] and not discussed on the mailing list. I'm not suggesting signing up the vuln-report list for notifications, of course, but whoever is triaging these issues should know how to report issues.

-Alan

[1] https://openjdk.java.net/groups/vulnerability/report
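
The two modes Fabian describes, a domain-specific property such as decrypt(encrypt(data)) == data and the default "any unexpected exception is a finding" mode applied to a java.security.* parser, as an added example written for this page; it is not code from the original message, from the Jazzer project, or from the OpenJDK fuzz targets linked above. It assumes Jazzer's `FuzzedDataProvider` API, uses an all-zero AES key constructed for the example, and the class names are chosen here.

```java
// Added example, not from the original post or the Jazzer project.
// Target 1: property check decrypt(encrypt(data)) == data on the JDK's AES/GCM,
//           plus a check that a tampered ciphertext is rejected.
// Target 2: default mode on an X.509 parser fed untrusted bytes, where only the
//           parser's declared exception is tolerated.
// Assumptions: Jazzer's FuzzedDataProvider API; fixed all-zero test key (constructed).
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesGcmRoundTripFuzzer {
    // Fixed key constructed for the example; the property holds for any key,
    // so the fuzzer's bytes are better spent on IV, AAD and plaintext.
    private static final byte[] KEY = new byte[16];

    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Let the fuzzer choose the IV length (GCM accepts any non-empty IV),
        // some associated data, and the plaintext.
        byte[] iv = data.consumeBytes(data.consumeInt(1, 32));
        byte[] aad = data.consumeBytes(data.consumeInt(0, 64));
        byte[] plaintext = data.consumeRemainingAsBytes();
        if (iv.length == 0) {
            return; // provider ran out of bytes; an empty IV is rejected by design
        }
        SecretKeySpec key = new SecretKeySpec(KEY, "AES");
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
        try {
            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
            enc.init(Cipher.ENCRYPT_MODE, key, spec);
            enc.updateAAD(aad);
            byte[] ciphertext = enc.doFinal(plaintext);

            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, key, spec);
            dec.updateAAD(aad);
            byte[] recovered = dec.doFinal(ciphertext);

            // The property under test: throwing is how a Jazzer target reports a finding.
            if (!Arrays.equals(plaintext, recovered)) {
                throw new IllegalStateException("decrypt(encrypt(data)) != data");
            }

            // Second property: flipping a bit in the authentication tag must fail.
            byte[] tampered = ciphertext.clone();
            tampered[tampered.length - 1] ^= 1;
            Cipher dec2 = Cipher.getInstance("AES/GCM/NoPadding");
            dec2.init(Cipher.DECRYPT_MODE, key, spec);
            dec2.updateAAD(aad);
            try {
                dec2.doFinal(tampered);
                throw new IllegalStateException("tampered ciphertext was accepted");
            } catch (AEADBadTagException expected) {
                // correct behaviour
            }
        } catch (GeneralSecurityException e) {
            // Valid key and parameters should never fail; surface it as a finding.
            throw new IllegalStateException(e);
        }
    }
}

// Default mode: no property, only "does the parser throw anything other than
// what it declares?" Jazzer reports any other exception or error as a finding.
class X509ParseFuzzer {
    public static void fuzzerTestOneInput(byte[] input) {
        try {
            CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(input));
        } catch (CertificateException expected) {
            // Declared failure mode for malformed input; deliberately swallowed.
        }
    }
}
```

Run one target at a time with `jazzer --cp=<classpath> --target_class=AesGcmRoundTripFuzzer`. The point of the narrow `catch (CertificateException)` in the second target is that it is the only outcome the API contract allows for bad input; a `RuntimeException` or `OutOfMemoryError` escaping the parser is exactly what the fuzzer is there to find, so the catch must not be widened to `Exception`.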
