Fuzzing for java.security.* (and other libraries)

Fabian Meumertzheim meumertzheim at code-intelligence.com
Thu May 27 13:12:35 UTC 2021

Hi Sean,

On Thu, May 27, 2021 at 2:35 PM Sean Mullan <sean.mullan at oracle.com> wrote:

> Hi Fabian,
> Thanks for posting this and your interest in helping to test and improve
> the quality of the Java core libraries. One comment/request below:
> On 5/17/21 9:09 AM, Fabian Meumertzheim wrote:
> (Crosspost from core-libs-dev@:
> https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html
> )
> I'm one of the maintainers of Jazzer (
> https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
> fuzzer for the JVM platform. Jazzer has recently been integrated into
> Google's OSS-Fuzz (https://google.github.io/oss-fuzz/) to allow for free
> continuous fuzzing of important open-source Java projects. Jazzer has
> already found over a hundred bugs and eight security issues in libraries
> such as Apache Commons, PDFBox and the OWASP json-sanitizer.
> Jazzer finds unexpected exceptions and infinite loops by default, but can
> also be used to check domain-specific properties such as
> decrypt(encrypt(data)) == data. Since it tracks the coverage it achieves
> using instrumentation applied by a Java agent, it can synthesize
> interesting test data from scratch.
> If there is interest from your side, I could set up the Java core
> libraries themselves for fuzzing in OSS-Fuzz. Especially the parts that are
> frequently applied to untrusted input, such as java.security.* and
> javax.imageio.*, would benefit from fuzz tests. I have prepared basic fuzz
> tests for some of the classes in these packages at
> https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk,
> which has already resulted in a few bug reports by running it locally
> (JDK-8267086 is one of them affecting java.security.*).
> All I would need from you is:
> * a list of email addresses to which the fuzzer findings should be sent
> (ideally associated with Google accounts for authentication to full reports
> on oss-fuzz.com),
> All fuzzer findings with security implications should be sent to the
> OpenJDK Vulnerability Group. See
> https://openjdk.java.net/groups/vulnerability/report for more
> information. Please send the detailed information (description, impacted
> release, and PoC) to *vuln-report at openjdk.java.net
> <vuln-report at openjdk.java.net>*.

Just to clarify the role of OSS-Fuzz: The fuzzing and report filing would
be performed automatically. Since not every finding will necessarily have
security implications (but all will be actual bugs), I'm hesitant to have
these reports submitted to vuln-report at . Ideally, we would find two or
three humans that agree to receive the findings reports and forward those
deemed security issues to that list.


> Thanks,
> Sean
> * ideas for additional fuzz tests, in particular those where there are
> interesting properties to verify.
> The technical questions about setting up the OpenJDK in OSS-Fuzz have
> already been resolved (see also
> https://github.com/google/oss-fuzz/issues/5757).
> If you need more information on OSS-Fuzz or fuzzing in general, I am happy
> to help.
> Fabian (@fmeum on GitHub)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20210527/dddbb88d/attachment-0001.htm>

More information about the security-dev mailing list