[ovs-dev] ossfuzz: Regression testing with fuzzer generated corpus

Bhargava Shastry bshastry at sect.tu-berlin.de
Fri Nov 30 12:17:39 UTC 2018


Hi all,

The oss-fuzz corpus (test inputs synthesized by the fuzzer) comprises two
classes of inputs: crashing and non-crashing-but-new-coverage-yielding.

At the moment, Open vSwitch performs regression testing using
**crashing** test inputs only [1].

[1]: https://github.com/openvswitch/ovs/tree/master/tests/fuzz-regression

However, adding non-crashing test inputs generated by the fuzzer to this
set may be useful to catch bugs that are not necessarily regressions of
known bugs but bugs in program paths that have already been covered
during fuzz testing.

If you like this idea, I have an initial proposal. What we could do is
use this "driver" [2] for each of the fuzzer targets to drive regression
testing on the entire fuzzer corpus.

[2]: https://github.com/llvm-mirror/compiler-rt/blob/master/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c

The fuzzer corpus may be downloaded by oss-fuzz contact points (e.g.,
Ben Pfaff, Justin Pettit etc.) from Google Cloud via a program called
gsutil that is shipped with Google Cloud SDK. This would need to be
updated from time to time, but this is very easy (`gsutil sync` is
sufficient).

The plan is to have a PR that includes the corpus obtained via Google
Cloud, standalone drivers, and some sort of regression test automation
for all the fuzzer targets.

I am interested in contributing to this effort, should you decide to go
forward with it. Looking forward to feedback.

Best,
Bhargava


-- 
Bhargava Shastry <bshastry at sect.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235
Keybase: https://keybase.io/bshastry
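As an added example (not part of this post or of the OVS tree), a minimal C driver in the spirit of the StandaloneFuzzTargetMain.c approach described above: every file named on the command line is read whole and replayed through the fuzz target, and any unreadable file fails the run. The fuzz target here is a hypothetical stand-in for an OVS target, and the sample corpus entry is constructed for the example.

```c
/* Minimal standalone corpus driver modelled on LLVM's StandaloneFuzzTargetMain.c: each
 * argument is a corpus file, read whole and handed to LLVMFuzzerTestOneInput(). Build with
 * -fsanitize=address,undefined so a replayed input that trips a memory error aborts the run. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fuzz target standing in for an OVS one: walks length-prefixed
 * records without over-reading a truncated tail. Returns 0 (libFuzzer convention). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    for (size_t off = 0; off < size;) {
        size_t len = data[off++];
        if (len > size - off) { break; }  /* truncated record: stop cleanly */
        off += len;
    }
    return 0;
}

/* Replay one corpus file: 0 on success, -1 if it cannot be read. An unreadable
 * file must fail the regression run rather than be skipped silently. */
int run_corpus_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    long n = f && fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    uint8_t *buf = n < 0 ? NULL : malloc((size_t)n + 1);   /* +1: never malloc(0) */
    int ok = buf && fseek(f, 0, SEEK_SET) == 0 && fread(buf, 1, (size_t)n, f) == (size_t)n;
    if (ok) { LLVMFuzzerTestOneInput(buf, (size_t)n); }
    free(buf);
    if (f) { fclose(f); }
    return ok ? 0 : -1;
}

/* Constructed sample corpus entry: records "ab" and "xyz", then a tail claiming 9 bytes
 * with only 1 present; run_sample_corpus() writes and replays it without a real corpus. */
const uint8_t kSampleInput[] = { 2, 'a', 'b', 3, 'x', 'y', 'z', 9, 'q' };
int run_sample_corpus(const char *path)
{
    FILE *f = fopen(path, "wb");
    size_t w = f ? fwrite(kSampleInput, 1, sizeof kSampleInput, f) : 0;
    if (f) { fclose(f); }
    return w == sizeof kSampleInput ? run_corpus_file(path) : -1;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (run_corpus_file(argv[i]) != 0) { return 1; }  /* fail the whole run */
    }
    return 0;
}
```

Run it as `./driver corpus/*` under a sanitizer build; a non-zero exit or a sanitizer report on any replayed input is the regression signal.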


More information about the dev mailing list