Hi everyone,

Thank you for the opportunity. Currently I'm very busy at work, but I'm sure I'll be able to set up some fuzzers in the next few weeks.

Of course I can stop/pause the processes when the regression tests are on, that's no problem. You are also allowed to just kill the processes whenever necessary.

Just so there is no miscommunication, fuzzers usually use 100% CPU (that's the bottleneck) but can also get a little greedy with memory and other resources such as disc space. In the end we are trying to trigger edge cases and due to the nature of instrumented fuzzers, they tend to "like" situations that are strange (e.g. deep nested structures, etc.). Of course it is possible to kill the processes, clean the disc space, etc. but there is always a slight chance that the fuzzer is going to do something unexpected.

A little example (that is unlikely though in the Java area): A fuzzer once filled up an output directory with several thousand files with arbitrary (full byte range) file names, because it figured out how to use a memory corruption to overwrite the memory area that was storing the output file name. This is not likely to happen with Java targets, but you can imagine what would have happened once it would have figured out what ../ is for.

If you want to read a little more about the AFL fuzzer that is the basis for the JQF fuzzer I'm going to use, I recommend this:
https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html

So my questions are:

1. Is it OK that 100% CPU is used when no regression tests are taking place?
2. Is there any data on the VM that is not backed up somewhere else?
3. Is there any other sort of "cost" involved (CPU usage, disc space, etc.) for you?
4. Can you do snapshots of the VM? That would probably be a very convenient way to restore if anything goes wrong (unlikely but cannot be ruled out completely).

I'll send you a username privately.

Best regards,
Tobi

Tobias Ospelt <tob...@modzero.ch>
modzero AG

On 28.09.18 13:04, Tim Allison wrote:
> Tobias,
> I'm sorry for my delay. We welcome you to use our regression vm
> hosted by Rackspace for fuzzing work to identify vulnerabilities. Our
> one request: we ask that you pause/stop your processes when we need to
> run regression tests before a release.
> Email me privately with your desired username. Welcome and thank you!
>
> Cheers,
> Tim