go-fuzz for CIRCL

[kriskwiatkowski]

We should use both:

• https://github.com/dvyukov/go-fuzz for fuzzing interfaces (see how it's used here: https://github.com/mmcloughlin/cryptofuzz)
• https://github.com/guidovranken/cryptofuzz : for checking against alternative implementation (see this https://guidovranken.com/2019/05/14/differential-fuzzing-of-cryptographic-libraries/). This one will be especially useful for experimental implementations (like pq-crypto), which do not have any official test vectors

Obviously it can't be part of the CI as it will disturb development process. os-fuzz is much better place

[claucece]

Very interesting. I can start playing with this a little.

[kriskwiatkowski]

oh, while I'm here. I was recently informed by the author via linkedin that this exists and uses CIRCL
https://github.com/kuking/go-pqsw

thought you may want to know

[claucece]

Oh, wow, interesting @henrydcase .. check it out @bwesterb : https://github.com/kuking/go-pqsw

[guidovranken]

Hey @henrydcase @claucece , I'm the maintainer of Cryptofuzz. I'm still improving it every day. It now supports elliptic curve operations and has been effective at finding EC bugs (see full bug list here ). PQ crypto not yet but I'm planning on implementing that. Have you gotten around to work with Cryptofuzz to test circl? Feel free to reach out to me at guido@guidovranken.com to discuss these plans in depth.

[armfazh]

Fuzzing is something we want to include in CIRCL, we are open for discussion.
thanks for the pointer @guidovranken

[guidovranken]

I now have a circl module for Cryptofuzz https://github.com/guidovranken/cryptofuzz/tree/master/modules/circl
It found one bug so far #312

I can install it on OSS-Fuzz if you want @armfazh ?

[armfazh]

I now have a circl module for Cryptofuzz https://github.com/guidovranken/cryptofuzz/tree/master/modules/circl It found one bug so far #312

Thanks for writing the module.

I can install it on OSS-Fuzz if you want @armfazh ?

What does this implies and what it is required to be included? (sorry, not so familiar with the internals of the project).

[guidovranken]

Basically:

• Requires participants to have a Google account. I need a list of e-mail addresses (linked to a Google account) of maintainers. Note: these will be public
• You will receive an e-mail notification when a bug is found, and when it is detected as fixed
• There is an expectation that bugs found by OSS-Fuzz will be fixed by the maintainers (you)
• Bugs found remain private for 90 days, then they are automatically publicly disclosed whether they are fixed or not
• "To be accepted to OSS-Fuzz, an open-source project must have a significant user base and/or be critical to the global IT infrastructure."
• Usage of OSS-Fuzz is free of charge
• I will collect the $1,000 integration reward

More information: https://google.github.io/oss-fuzz/

[chris-wood]

Requires participants to have a Google account. I need a list of e-mail addresses (linked to a Google account) of maintainers. Note: these will be public

@guidovranken can you please clarify who the "participants" are here?

[guidovranken]

People who receive the bug reports, typically the maintainers of the software being fuzzed, in this case the circl maintainers.

[armfazh]

@guidovranken just reached at this address https://guidovranken.com/contact/, please confirm you have received my email.

[guidovranken]

Yes I did, thanks, I will reply in a minute.

[armfazh]

Tracking integration at: google/oss-fuzz#7262