<div dir="ltr"><div dir="ltr">Hi Sean,<div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 27, 2021 at 2:35 PM Sean Mullan <<a href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Hi Fabian,<br>
<br>
Thanks for posting this and your interest in helping to test and
improve the quality of the Java core libraries. One comment/request
below:<br>
<br>
<div>On 5/17/21 9:09 AM, Fabian Meumertzheim
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>(Crosspost from core-libs-dev@: <a href="https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html" target="_blank">https://mail.openjdk.java.net/pipermail/core-libs-dev/2021-May/077483.html</a>)</div>
<div><br>
</div>
I'm one of the maintainers of Jazzer (<a href="https://github.com/CodeIntelligenceTesting/jazzer" rel="noreferrer" target="_blank">https://github.com/CodeIntelligenceTesting/jazzer</a>),
a new open-source fuzzer for the JVM platform. Jazzer has
recently been integrated into Google's OSS-Fuzz (<a href="https://google.github.io/oss-fuzz/" rel="noreferrer" target="_blank">https://google.github.io/oss-fuzz/</a>)
to allow for free continuous fuzzing of important open-source
Java projects. Jazzer has already found over a hundred bugs and
eight security issues in libraries such as Apache Commons,
PDFBox and the OWASP json-sanitizer.
<div dir="auto"><br>
</div>
<div dir="auto">Jazzer finds unexpected exceptions and infinite
loops by default, but can also be used to check
domain-specific properties such as decrypt(encrypt(data)) ==
data. Since it tracks the coverage it achieves using
instrumentation applied by a Java agent, it can synthesize
interesting test data from scratch.
<div dir="auto"><br>
</div>
<div dir="auto">If there is interest from your side, I could
set up the Java core libraries themselves for fuzzing in
OSS-Fuzz. Especially the parts that are frequently applied
to untrusted input, such as java.security.* and
javax.imageio.*, would benefit from fuzz tests. I have
prepared basic fuzz tests for some of the classes in these
packages at <a href="https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk" target="_blank">https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/openjdk/projects/openjdk</a>,
which has already resulted in a few bug reports by running
it locally (JDK-8267086 is one of them affecting
java.security.*).</div>
<div dir="auto"><br>
</div>
<div dir="auto">All I would need from you is:</div>
<div dir="auto"><br>
</div>
<div dir="auto">* a list of email addresses to which the
fuzzer findings should be sent (ideally associated with
Google accounts for authentication to full reports on <a href="http://oss-fuzz.com/" target="_blank">oss-fuzz.com</a>),</div>
</div>
</div>
</blockquote>
All fuzzer findings with security implications should be sent to the
OpenJDK Vulnerability Group. See <a href="https://openjdk.java.net/groups/vulnerability/report" target="_blank">https://openjdk.java.net/groups/vulnerability/report</a>
for more information. Please send the detailed information
(description, impacted release, and PoC) to <em><a href="mailto:vuln-report@openjdk.java.net" target="_blank">vuln-report@openjdk.java.net</a></em><span>.<br></span></div></blockquote><div><br></div><div>Just to clarify the role of OSS-Fuzz: The fuzzing and report filing would be performed automatically. Since not every finding will necessarily have security implications (but all will be actual bugs), I'm hesitant to have these reports submitted to vuln-report@.
Ideally, we would find two or three humans that agree to receive the findings reports and forward those deemed security issues to that list.</div><div><br></div><div>Best,</div><div>Fabian</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><span>
<br>
Thanks,<br>
Sean</span>
<blockquote type="cite">
<div dir="ltr">
<div dir="auto">
<div>* ideas for additional fuzz tests, in particular those
where there are interesting properties to verify.</div>
<div><br>
</div>
<div>The technical questions about setting up the OpenJDK in
OSS-Fuzz have already been resolved (see also <a href="https://github.com/google/oss-fuzz/issues/5757" target="_blank">https://github.com/google/oss-fuzz/issues/5757</a>).</div>
<div><br>
</div>
<div>If you need more information on OSS-Fuzz or fuzzing in
general, I am happy to help.</div>
<div dir="auto"><br>
<div dir="auto">Fabian (@fmeum on GitHub)</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote></div></div>
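The two modes Fabian describes in the quoted mail, catching unexpected exceptions by default and checking a domain-specific property such as decrypt(encrypt(data)) == data, look like this in a Jazzer fuzz target aimed at java.security.* and javax.crypto.*. This is an added illustration, not code from the thread, from the Jazzer project or from the linked oss-fuzz branch; the class name JavaSecurityFuzzer is hypothetical, and it assumes Jazzer's FuzzedDataProvider API and its fuzzerTestOneInput entry point as documented at the time of the thread. Malformed certificates are expected to fail with CertificateException, so only other exception types are left to surface as findings; the AES-GCM check verifies both the round trip and that a tampered ciphertext is rejected.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical fuzz target (not from the thread or the Jazzer repository).
// Entry point name and FuzzedDataProvider calls follow Jazzer's conventions.
public class JavaSecurityFuzzer {

    // One fixed AES-128 key for the whole fuzzing session; the key is not
    // what is under test, the round trip through the provider is.
    private static final SecretKey KEY;

    static {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);
            KEY = kg.generateKey();
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Jazzer calls this once per generated input.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) throws Exception {
        if (data.consumeBoolean()) {
            fuzzCertificateParsing(data.consumeRemainingAsBytes());
        } else {
            // GCM wants a 96-bit nonce; pad whatever the fuzzer produced to 12 bytes.
            byte[] iv = Arrays.copyOf(data.consumeBytes(12), 12);
            checkAesGcmRoundTrip(iv, data.consumeRemainingAsBytes());
        }
    }

    // Mode 1: "unexpected exceptions". CertificateException is the documented
    // failure for malformed input and is swallowed; anything else (for example
    // an ArrayIndexOutOfBoundsException or NegativeArraySizeException from the
    // parser) propagates and is reported by Jazzer as a finding.
    static void fuzzCertificateParsing(byte[] input) throws Exception {
        try {
            CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(input));
        } catch (CertificateException expected) {
            // malformed input, not a bug
        }
    }

    // Mode 2: the property decrypt(encrypt(data)) == data, plus the
    // authentication property that a modified ciphertext is rejected.
    static void checkAesGcmRoundTrip(byte[] iv, byte[] plaintext) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);

        // Fresh Cipher objects each time: SunJCE refuses to reuse a key/IV pair
        // for encryption on the same instance, which is correct but not what we test.
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, KEY, spec);
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, KEY, spec);
        byte[] recovered = dec.doFinal(ciphertext);
        if (!Arrays.equals(plaintext, recovered)) {
            throw new IllegalStateException("AES-GCM round trip changed the data");
        }

        // Flip one bit in the authentication tag (the trailing 16 bytes);
        // decryption must now fail with AEADBadTagException and nothing else.
        byte[] tampered = ciphertext.clone();
        tampered[tampered.length - 1] ^= 0x01;
        Cipher dec2 = Cipher.getInstance("AES/GCM/NoPadding");
        dec2.init(Cipher.DECRYPT_MODE, KEY, spec);
        try {
            dec2.doFinal(tampered);
            throw new IllegalStateException("tampered ciphertext was accepted");
        } catch (AEADBadTagException expected) {
            // integrity check worked
        }
    }
}
```

Compiled against the Jazzer API jar and passed to Jazzer as the target class, the fuzzer exercises the certificate parser with arbitrary bytes and the GCM implementation with arbitrary nonces and plaintext lengths; a thrown IllegalStateException or any non-CertificateException escaping fuzzCertificateParsing is what would end up in the findings reports the thread is discussing.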