1:44 a.m.
Google announced OSS-Fuzz project [1]. It's aim is to test projects with
significant user base and/or critical projects to the global
infrastructure. I like to think that libvirt falls in both categories :-)
You can find a list of already accepted projects here [2]. Once accepted
to the project we would have to provide some scripts that build libvirt
and run some tests.
One of the disadvantages is that we have to provide a docker(!) image
where the scripts would run from.
What are your thoughts on this? Should we apply?
Michal
1:
https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-...
2: https://github.com/google/oss-fuzz
3:14 a.m.
On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
Google announced OSS-Fuzz project [1]. It's aim is to test
projects with
significant user base and/or critical projects to the global
infrastructure. I like to think that libvirt falls in both categories :-)
You can find a list of already accepted projects here [2]. Once accepted
to the project we would have to provide some scripts that build libvirt
and run some tests.
I was thinking about that too. And danpb would like that as well, I
guess, since he came up with the fuzzing idea for GSoC.
One of the disadvantages is that we have to provide a docker(!) image
where the scripts would run from.
But it's not like the whole libvirt has to be installed and running
there, right? It's unit-test fuzzing, it will just link against
libvirt.la and run random APIs (mostly public ones, I guess).
What are your thoughts on this? Should we apply?
I was already reading up on it when you sent the mail, so I'd say yes.
Michal
1:
https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-...
2: https://github.com/google/oss-fuzz
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:16 a.m.
On Fri, Dec 02, 2016 at 10:14:22AM +0100, Martin Kletzander wrote:
On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
> Google announced OSS-Fuzz project [1]. It's aim is to test projects with
> significant user base and/or critical projects to the global
> infrastructure. I like to think that libvirt falls in both categories :-)
> You can find a list of already accepted projects here [2]. Once accepted
> to the project we would have to provide some scripts that build libvirt
> and run some tests.
>
I was thinking about that too. And danpb would like that as well, I
guess, since he came up with the fuzzing idea for GSoC.
> One of the disadvantages is that we have to provide a docker(!) image
> where the scripts would run from.
>
But it's not like the whole libvirt has to be installed and running
there, right? It's unit-test fuzzing, it will just link against
libvirt.la and run random APIs (mostly public ones, I guess).
You have to write test harnesses for the fuzzer, so it'll fuzz whatever
APIs you call from your test harnesses.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
4:08 a.m.
On Fri, Dec 02, 2016 at 09:16:26AM +0000, Daniel P. Berrange wrote:
On Fri, Dec 02, 2016 at 10:14:22AM +0100, Martin Kletzander wrote:
> On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
> > Google announced OSS-Fuzz project [1]. It's aim is to test projects with
> > significant user base and/or critical projects to the global
> > infrastructure. I like to think that libvirt falls in both categories :-)
> > You can find a list of already accepted projects here [2]. Once accepted
> > to the project we would have to provide some scripts that build libvirt
> > and run some tests.
> >
>
> I was thinking about that too. And danpb would like that as well, I
> guess, since he came up with the fuzzing idea for GSoC.
>
> > One of the disadvantages is that we have to provide a docker(!) image
> > where the scripts would run from.
> >
>
> But it's not like the whole libvirt has to be installed and running
> there, right? It's unit-test fuzzing, it will just link against
> libvirt.la and run random APIs (mostly public ones, I guess).
You have to write test harnesses for the fuzzer, so it'll fuzz whatever
APIs you call from your test harnesses.
Yeah, we choose what to do. I was elaborating on what we are going to
choose. So I take it as you like the idea?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
4:21 a.m.
On Fri, Dec 02, 2016 at 11:08:14AM +0100, Martin Kletzander wrote:
On Fri, Dec 02, 2016 at 09:16:26AM +0000, Daniel P. Berrange wrote:
> On Fri, Dec 02, 2016 at 10:14:22AM +0100, Martin Kletzander wrote:
> > On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
> > > Google announced OSS-Fuzz project [1]. It's aim is to test projects
with
> > > significant user base and/or critical projects to the global
> > > infrastructure. I like to think that libvirt falls in both categories :-)
> > > You can find a list of already accepted projects here [2]. Once accepted
> > > to the project we would have to provide some scripts that build libvirt
> > > and run some tests.
> > >
> >
> > I was thinking about that too. And danpb would like that as well, I
> > guess, since he came up with the fuzzing idea for GSoC.
> >
> > > One of the disadvantages is that we have to provide a docker(!) image
> > > where the scripts would run from.
> > >
> >
> > But it's not like the whole libvirt has to be installed and running
> > there, right? It's unit-test fuzzing, it will just link against
> > libvirt.la and run random APIs (mostly public ones, I guess).
>
> You have to write test harnesses for the fuzzer, so it'll fuzz whatever
> APIs you call from your test harnesses.
>
Yeah, we choose what to do. I was elaborating on what we are going to
choose. So I take it as you like the idea?
I'm totally supportive of fuzzing of libvirt in general. I'm ambivalent
on where we actually run the fuzzers we create. Whether its on Google
or our Jenkins CI, or both doesn't matter as long as we have something
running somewhere. Since our Jenkins CI is already maxing out CPU
capacity quite often, it makes sense to try Google for now - we can
easily move later if needed, since their framework is built around
opensource fuzzing libraries/tools.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
3:15 a.m.
On Fri, Dec 02, 2016 at 08:44:48AM +0100, Michal Privoznik wrote:
Google announced OSS-Fuzz project [1]. It's aim is to test
projects with
significant user base and/or critical projects to the global
infrastructure. I like to think that libvirt falls in both categories :-)
You can find a list of already accepted projects here [2]. Once accepted
to the project we would have to provide some scripts that build libvirt
and run some tests.
One of the disadvantages is that we have to provide a docker(!) image
where the scripts would run from.
What are your thoughts on this? Should we apply?
I think we'd certainly benefit from some fuzzing of libvirt / libvirtd.
I was a little unclear on exactly how they're doing the fuzzing from those
docs, but looking at some of the project's they're already got it seems they
rely on providing some custom test programs that call the APIs.
eg
https://github.com/google/oss-fuzz/blob/master/projects/libyaml/libyaml_f...
https://github.com/google/oss-fuzz/blob/master/projects/libxml2/libxml2_x...
https://github.com/google/oss-fuzz/blob/master/projects/libxml2/libxml2_x...
OpenSSL is a little different as it seems they've natively integrated
support for libfuzz in their code base, so google merely turns that
on at configure stage
https://github.com/google/oss-fuzz/blob/master/projects/openssl/build.sh
So someone is going to need to write the test harness to actually
exercise libvirt via the fuzzer still, which is work we've long had
an outstanding todo for - its even a GSoC suggestion
https://wiki.libvirt.org/page/Google_Summer_of_Code_2017#QEMU_command_lin...
Once that's done we could leverage google's infra to actually run it.
The XML parser is only half the story though - it'd be nice to get
fuzzing on the main public APIs too (and thus the remote RPC protocol
handling and QEMU driver code). Writing fuzzer test harnesses for all
the public APIs is an even bigger bit of work
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
2912
days inactive
2912
days old
5 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Martin Kletzander -
Michal Privoznik