Dear dev@OVS, KCC@google,

Konstantin Serebryany (KCC) in CC is part of the OSS-Fuzz project that I mentioned before. I think he will be happy to see openvswitch use OSS-Fuzz services.

An update from my side. I have written a small test case for catching CVE-2016-2074 here [1].

KCC strongly encourages me to get rid of file I/O based APIs such as ovs_pcap_read() and so on. So, my question to dev@OVS is: Any suggestions how I can do this?

Right now, the test runs but is relatively slow. I haven't really benchmarked it so I can't provide hard numbers.

[1]: https://github.com/bshastry/fuzzer-test-suite/blob/master/openvswitch-2.3.2/target.c

Regards,
Bhargava

On 08/18/2017 07:53 PM, Ben Pfaff wrote:
> I also support this idea. Thanks!
>
> On Wed, Aug 16, 2017 at 07:55:51PM -0700, Bhargava Shastry wrote:
>> Hi Justin,
>>
>> Nice to hear. I have CC ed Dev ml.
>>
>> Regards
>> Bhargava
>>
>>
>> On August 16, 2017 5:18:58 PM PDT, Justin Pettit <jpet...@ovn.org> wrote:
>>> Hi, Bhargava. This seems like a great idea to me. Unless there's
>>> something sensitive, I'd suggest we discuss it on the
>>> d...@openvswitch.org mailing list. The security mailing list is good
>>> for discussing potential OVS vulnerabilities, but this seems like a
>>> good topic for the general community. And thanks for all your
>>> contributions to making OVS more secure!
>>>
>>> --Justin
>>>
>>>
>>>> On Aug 16, 2017, at 4:17 PM, Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de> wrote:
>>>>
>>>> Dear Ben, Sec@OvS,
>>>>
>>>> We have had reasonable success fuzzing OvS so far. It turns out there is
>>>> a security initiative led by Google that enables open-source projects to
>>>> benefit from continuous fuzzing [1]. I was wondering if you'd be
>>>> interested. If you are, I can help integrate OvS into their framework
>>>> over a two-staged effort.
>>>>
>>>> First, I write a test case for the remote code execution bug and
>>>> integrate it into the fuzzer test suite [2] which is basically a
>>>> framework for fuzzer evaluation.
>>>>
>>>> Second, I try to integrate OvS into OSS-fuzz, Google's initiative. Let
>>>> me know what you think.
>>>>
>>>> [1]: https://github.com/google/oss-fuzz
>>>> [2]: https://github.com/google/fuzzer-test-suite
>>>>
>>>> Regards,
>>>> Bhargava
>>>>
>>>> --
>>>> Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de>
>>>> Security in Telecommunications
>>>> TU Berlin / Telekom Innovation Laboratories
>>>> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
>>>> phone: +49 30 8353 58235
>>>> Keybase: https://keybase.io/bshastry
>>>> _______________________________________________
>>>> security mailing list
>>>> secur...@openvswitch.org
>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-security
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>> _______________________________________________
>> security mailing list
>> secur...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-security
>

--
Bhargava Shastry <bshas...@sec.t-labs.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235
Keybase: https://keybase.io/bshastry
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev