[ovs-dev] [ovs-security] RFC: Adding OvS to fuzzer test suite

Bhargava Shastry bshastry at sec.t-labs.tu-berlin.de
Thu Aug 31 19:24:29 UTC 2017


Dear dev at OVS, KCC at google,

Konstantin Serebryany (KCC) in CC is part of the OSS-Fuzz project that I
mentioned before. I think he will be happy to see openvswitch use
OSS-Fuzz services.

An update from my side. I have written a small test case for catching
CVE-2016-2074 here [1]. KCC strongly encourages me to get rid of file
I/O based APIs such as ovs_pcap_read() and so on. So, my question to
dev at OVS is: Any suggestions how I can do this? Right now, the test runs
but is relatively slow. I haven't really benchmarked it so I can't
provide hard numbers.

[1]: https://github.com/bshastry/fuzzer-test-suite/blob/master/openvswitch-2.3.2/target.c

Regards,
Bhargava

On 08/18/2017 07:53 PM, Ben Pfaff wrote:
> I also support this idea.  Thanks!
> 
> On Wed, Aug 16, 2017 at 07:55:51PM -0700, Bhargava Shastry wrote:
>> Hi Justin,
>>
>> Nice to hear. I have CC'ed Dev ml.
>>
>> Regards
>> Bhargava
>>
>>
>> On August 16, 2017 5:18:58 PM PDT, Justin Pettit <jpettit at ovn.org> wrote:
>>> Hi, Bhargava.  This seems like a great idea to me.  Unless there's
>>> something sensitive, I'd suggest we discuss it on the
>>> dev at openvswitch.org mailing list.  The security mailing list is good
>>> for discussing potential OVS vulnerabilities, but this seems like a
>>> good topic for the general community.  And thanks for all your
>>> contributions to making OVS more secure!
>>>
>>> --Justin
>>>
>>>
>>>> On Aug 16, 2017, at 4:17 PM, Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> wrote:
>>>>
>>>> Dear Ben, Sec at OvS,
>>>>
>>>> We have had reasonable success fuzzing OvS so far. It turns out there is
>>>> a security initiative led by Google that enables open-source projects to
>>>> benefit from continuous fuzzing [1]. I was wondering if you'd be
>>>> interested. If you are, I can help integrate OvS into their framework
>>>> over a two-staged effort.
>>>>
>>>> First, I write a test case for the remote code execution bug and
>>>> integrate it into the fuzzer test suite [2] which is basically a
>>>> framework for fuzzer evaluation.
>>>>
>>>> Second, I try to integrate OvS into OSS-fuzz, Google's initiative. Let
>>>> me know what you think.
>>>>
>>>> [1]: https://github.com/google/oss-fuzz
>>>> [2]: https://github.com/google/fuzzer-test-suite
>>>>
>>>> Regards,
>>>> Bhargava
>>>>
>>>> -- 
>>>> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
>>>> Security in Telecommunications
>>>> TU Berlin / Telekom Innovation Laboratories
>>>> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
>>>> phone: +49 30 8353 58235
>>>> Keybase: https://keybase.io/bshastry
>>>> _______________________________________________
>>>> security mailing list
>>>> security at openvswitch.org
>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-security
>>
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> 
> 

-- 
Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235
Keybase: https://keybase.io/bshastry
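
Added example, not part of the original thread and not code from OVS or the linked target.c: one way to drop file I/O from a fuzz target is to walk pcap records directly in the buffer libFuzzer supplies. It assumes the classic pcap layout (24-byte global header, 16-byte record headers); `handle_packet` and `pcap_walk_mem` are hypothetical names, with `handle_packet` standing in for the OVS parsing code under test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u  /* classic pcap, microsecond timestamps */
#define PCAP_GLOBAL_LEN 24           /* global file header */
#define PCAP_REC_LEN    16           /* per-record header */

static size_t bytes_seen;            /* lets a test observe what was delivered */

/* Hypothetical stand-in for the parser under test. */
static void handle_packet(const uint8_t *pkt, size_t len)
{
    (void) pkt;
    bytes_seen += len;
}

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

static uint32_t rd32(const uint8_t *p, int swap)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);         /* no unaligned loads from fuzz data */
    return swap ? bswap32(v) : v;
}

/* Returns the number of packets delivered, or -1 if the input is not pcap. */
int pcap_walk_mem(const uint8_t *data, size_t size)
{
    if (size < PCAP_GLOBAL_LEN) return -1;
    uint32_t magic = rd32(data, 0);
    int swap = (magic != PCAP_MAGIC);         /* file written in other byte order? */
    if (swap && bswap32(magic) != PCAP_MAGIC) return -1;

    size_t off = PCAP_GLOBAL_LEN;
    int n = 0;
    while (size - off >= PCAP_REC_LEN) {
        uint32_t incl_len = rd32(data + off + 8, swap);  /* captured length */
        off += PCAP_REC_LEN;
        if (incl_len > size - off) break;     /* truncated record: stop cleanly */
        handle_packet(data + off, incl_len);
        off += incl_len;
        n++;
    }
    return n;
}

/* libFuzzer entry point: receives bytes in memory, never a file name. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ pcap_walk_mem(data, size); return 0; }
```

Existing pcap captures can seed the corpus unchanged, since the harness accepts the same bytes a pcap file would contain.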


