Fuzzing for java.security.* (and other libraries)

Fabian Meumertzheim meumertzheim at code-intelligence.com
Mon May 17 13:09:38 UTC 2021


(Crosspost from core-libs-dev@:
https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html)

I'm one of the maintainers of Jazzer (
https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for the JVM platform. Jazzer has recently been integrated into
Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) to allow for free
continuous fuzzing of important open-source Java projects. Jazzer has
already found over a hundred bugs and eight security issues in libraries
such as Apache Commons, PDFBox and the OWASP json-sanitizer.

Jazzer finds unexpected exceptions and infinite loops by default, but can
also be used to check domain-specific properties such as
decrypt(encrypt(data)) == data. Since it tracks the coverage it achieves
using instrumentation applied by a Java agent, it can synthesize
interesting test data from scratch.

If there is interest from your side, I could set up the Java core libraries
themselves for fuzzing in OSS-Fuzz. Especially the parts that are
frequently applied to untrusted input, such as java.security.* and
javax.imageio.*, would benefit from fuzz tests. I have prepared basic fuzz
tests for some of the classes in these packages at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
which has already resulted in a few bug reports by running it locally
(JDK-8267086 is one of them affecting java.security.*).

All I would need from you is:

* a list of email addresses to which the fuzzer findings should be sent
(ideally associated with Google accounts for authentication to full reports
on oss-fuzz.com),
* ideas for additional fuzz tests, in particular those where there are
interesting properties to verify.

The technical questions about setting up the OpenJDK in OSS-Fuzz have
already been resolved (see also
https://github.com/google/oss-fuzz/issues/5757).

If you need more information on OSS-Fuzz or fuzzing in general, I am happy
to help.

Fabian (@fmeum on GitHub)
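A fuzz target of the kind the post describes, written here as an added illustration (it is not from the message or from the linked repository). It assumes Jazzer's FuzzedDataProvider API and uses a round-trip through java.security.KeyFactory as the domain-specific property to verify: input that is rejected must fail only with the checked InvalidKeySpecException, and any key that does parse must re-encode and re-parse to the same key.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

// Hypothetical Jazzer fuzz target for java.security.KeyFactory (added example).
// Jazzer calls fuzzerTestOneInput repeatedly with coverage-guided, mutated input;
// any uncaught exception other than the expected one is reported as a finding.
public class PublicKeyParseFuzzer {
  // Algorithms the fuzzer chooses between; the choice is derived from the input
  // so the fuzzer can steer it like any other byte.
  private static final String[] ALGORITHMS = {"RSA", "EC", "DSA"};

  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    String algorithm = data.pickValue(ALGORITHMS);
    byte[] encoded = data.consumeRemainingAsBytes();

    KeyFactory factory;
    try {
      factory = KeyFactory.getInstance(algorithm);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("algorithm missing from this JDK", e);
    }

    PublicKey key;
    try {
      key = factory.generatePublic(new X509EncodedKeySpec(encoded));
    } catch (InvalidKeySpecException expected) {
      // Malformed input is rejected with the documented checked exception: not a bug.
      // A RuntimeException (e.g. from a DER parser) escapes and becomes a finding.
      return;
    }

    // Property: a key that parsed must survive encode -> parse -> encode unchanged.
    byte[] reencoded = key.getEncoded();
    if (reencoded == null) {
      throw new AssertionError("parsed " + algorithm + " key has no encoding");
    }
    try {
      PublicKey again = factory.generatePublic(new X509EncodedKeySpec(reencoded));
      if (!Arrays.equals(reencoded, again.getEncoded())) {
        throw new AssertionError("re-encoding of " + algorithm + " key is not stable");
      }
    } catch (InvalidKeySpecException e) {
      // The JDK's own canonical encoding must be accepted by the same factory.
      throw new AssertionError("JDK-produced " + algorithm + " encoding was rejected", e);
    }
  }
}
```

Run with Jazzer's autofuzz-less entry point (`--target_class=PublicKeyParseFuzzer`); the name and flag are Jazzer's, the target class is the constructed one above.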