Fuzzing for java.security.* (and other libraries)
Sean Mullan
sean.mullan at oracle.com
Thu May 27 12:35:01 UTC 2021
Hi Fabian,
Thanks for posting this and your interest in helping to test and improve
the quality of the Java core libraries. One comment/request below:
On 5/17/21 9:09 AM, Fabian Meumertzheim wrote:
> (Crosspost from core-libs-dev@:
> https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html)
>
> I'm one of the maintainers of Jazzer
> (https://github.com/CodeIntelligenceTesting/jazzer), a new
> open-source fuzzer for the JVM platform. Jazzer has recently been
> integrated into Google's OSS-Fuzz (https://google.github.io/oss-fuzz/)
> to allow for free continuous
> fuzzing of important open-source Java projects. Jazzer has already
> found over a hundred bugs and eight security issues in libraries such
> as Apache Commons, PDFBox and the OWASP json-sanitizer.
>
> Jazzer finds unexpected exceptions and infinite loops by default, but
> can also be used to check domain-specific properties such as
> decrypt(encrypt(data)) == data. Since it tracks the coverage it
> achieves using instrumentation applied by a Java agent, it can
> synthesize interesting test data from scratch.
>
> If there is interest from your side, I could set up the Java core
> libraries themselves for fuzzing in OSS-Fuzz. Especially the parts
> that are frequently applied to untrusted input, such as
> java.security.* and javax.imageio.*, would benefit from fuzz tests. I
> have prepared basic fuzz tests for some of the classes in these
> packages at
> https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
> which has already resulted in a few bug reports by running it locally
> (JDK-8267086 is one of them affecting java.security.*).
>
> All I would need from you is:
>
> * a list of email addresses to which the fuzzer findings should be
> sent (ideally associated with Google accounts for authentication to
> full reports on oss-fuzz.com),
All fuzzer findings with security implications should be sent to the
OpenJDK Vulnerability Group. See
https://openjdk.java.net/groups/vulnerability/report for more
information. Please send the detailed information (description, impacted
release, and PoC) to vuln-report at openjdk.java.net.
Thanks,
Sean
> * ideas for additional fuzz tests, in particular those where there are
> interesting properties to verify.
>
> The technical questions about setting up the OpenJDK in OSS-Fuzz have
> already been resolved (see also
> https://github.com/google/oss-fuzz/issues/5757).
>
> If you need more information on OSS-Fuzz or fuzzing in general, I am
> happy to help.
>
> Fabian (@fmeum on GitHub)
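The following is an added example of what a Jazzer fuzz target for java.security.* and javax.crypto.* in the style Fabian describes looks like. It is not code from the linked oss-fuzz branch or from the JDK; the class name SecurityFuzzer and the split between a parser target and a round-trip property target are this example's own choices. The fuzz-target entry points (fuzzerInitialize, fuzzerTestOneInput taking a FuzzedDataProvider) are Jazzer's documented API.

```java
// Added example: a Jazzer fuzz target covering the two kinds of test
// mentioned in the thread: (1) feeding attacker-controlled bytes to a
// java.security parser and (2) checking a domain property,
// decrypt(encrypt(data)) == data, on javax.crypto. Not from the JDK or
// from the oss-fuzz branch linked above.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SecurityFuzzer {
    private static CertificateFactory x509;

    // Jazzer calls this once before the fuzzing loop starts.
    public static void fuzzerInitialize() throws CertificateException {
        x509 = CertificateFactory.getInstance("X.509");
    }

    // Jazzer calls this once per generated input. One leading bit selects
    // which target the rest of the input is spent on.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        if (data.consumeBoolean()) {
            fuzzCertificateParsing(data.consumeRemainingAsBytes());
        } else {
            checkAesGcmRoundTrip(data);
        }
    }

    // Parser target: arbitrary DER/PEM bytes go into CertificateFactory.
    // CertificateException is the documented failure for malformed input;
    // any other exception (NPE, ArrayIndexOutOfBounds, NegativeArraySize,
    // OutOfMemory) or a hang is a finding the fuzzer will report.
    static void fuzzCertificateParsing(byte[] input) {
        try {
            x509.generateCertificate(new ByteArrayInputStream(input));
        } catch (CertificateException expected) {
            // malformed certificate: expected outcome, not a bug
        }
    }

    // Property target: AES/GCM must round-trip any plaintext under a
    // fuzzer-chosen key and nonce, and must reject a tampered tag.
    static void checkAesGcmRoundTrip(FuzzedDataProvider data) {
        byte[] key = data.consumeBytes(16); // AES-128 key
        byte[] iv = data.consumeBytes(12);  // 96-bit GCM nonce
        byte[] plaintext = data.consumeRemainingAsBytes();
        if (key.length != 16 || iv.length != 12) {
            return; // input too short to build key and nonce; skip
        }
        try {
            SecretKeySpec k = new SecretKeySpec(key, "AES");
            GCMParameterSpec p = new GCMParameterSpec(128, iv);

            Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
            enc.init(Cipher.ENCRYPT_MODE, k, p);
            byte[] ct = enc.doFinal(plaintext);

            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, k, p);
            byte[] pt = dec.doFinal(ct);
            if (!Arrays.equals(plaintext, pt)) {
                throw new IllegalStateException("AES/GCM round trip mismatch");
            }

            // Flip one bit of the 16-byte authentication tag at the end of
            // the ciphertext: decryption must now fail with AEADBadTagException.
            ct[ct.length - 1] ^= 0x01;
            dec.init(Cipher.DECRYPT_MODE, k, p);
            boolean rejected = false;
            try {
                dec.doFinal(ct);
            } catch (AEADBadTagException expected) {
                rejected = true;
            }
            if (!rejected) {
                throw new IllegalStateException("tampered GCM ciphertext accepted");
            }
        } catch (GeneralSecurityException e) {
            // Provider refused a well-formed key/nonce/plaintext: report it.
            throw new IllegalStateException(e);
        }
    }
}
```

Run it with the Jazzer driver and `--target_class=SecurityFuzzer`; uncaught exceptions thrown from either target are reported as crashes with a reproducer input. Two caveats a practitioner will hit: Jazzer's default instrumentation excludes the JDK's own packages, so coverage-guided exploration of java.security internals requires the instrumentation scope to include them (the OSS-Fuzz setup in the linked issue is where that is handled), and since the nonce here is fuzzer-chosen, repeated key/nonce pairs are a property of the test harness, not of the code under test.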