Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fuzzing support #508

Closed
mattklein123 opened this issue Feb 25, 2017 · 12 comments
Closed

fuzzing support #508

mattklein123 opened this issue Feb 25, 2017 · 12 comments
Assignees
@anirudhmurali @htuch
Labels
area/security help wanted Needs help!
Milestone
1.8.0

Comments

@mattklein123
Copy link
Member

We should start adding fuzz testing (probably using llvm). Some thinking needs to be put into how to get the most value out of this. (Which granularity to fuzz, etc.). At minimum it would be nice to fuzz not only the HTTP codecs, but also all the way through the downstream HTTP connection manager processing. Doing this in a sane way which also yields good coverage is not going to be trivial. Also need to figure out how/when to run the tests.

@PiotrSikora would you like to own this? (At least in terms of getting some stuff started and then educating the rest of us on best practices so that we can all contribute).
@PiotrSikora
Copy link
Contributor

Yes, please assign this to me.

@mattklein123 mattklein123 mentioned this issue Jul 5, 2017
Closed
@htuch
Copy link
Member

htuch commented Aug 29, 2017
edited
Loading

@amb67 suggested we take a look at http://lcamtuf.coredump.cx/afl/.

@htuch htuch added the api/v2 label Aug 29, 2017
@dnoe
Copy link
Contributor

dnoe commented Aug 29, 2017

Would this be something that runs during CI or is it too heavyweight?

@htuch
Copy link
Member

htuch commented Aug 29, 2017 via email

@mattklein123
Copy link
Member Author

Assuming we get accepted to CNCF we will have have more resources to apply to CI for things like fuzzing/perf/etc. We should still plan for what we ultimately want to do though.

@htuch
Copy link
Member

htuch commented Aug 29, 2017

@PiotrSikora is this still on your radar, or should we tag "help wanted"?

@mattklein123 mattklein123 added the help wanted Needs help! label Oct 28, 2017
@htuch htuch self-assigned this Jan 9, 2018
@htuch htuch removed the help wanted Needs help! label Jan 24, 2018
@htuch
Copy link
Member

htuch commented Jan 24, 2018

I've started work on the new project setup for https://github.com/google/oss-fuzz. I'm working through a bunch of build issues, as we need to build Envoy in a Docker image with an oss-fuzz supplied compiler (looks to be clang-6.0) and its own set of CFLAGS/CXXFLAGS (including -stdlib=libc++). Will track progress here.

@htuch
Copy link
Member

htuch commented Jan 25, 2018

FTR the following pertinent restrictions exist in oss-fuzz today:

This implies that we can't make use of any of our existing integration tests with a fuzz frontend, it probably makes sense to focus on some unit tests for inspiration as well as new fuzz areas.

I'm going to start with just a simple Envoy::Base64 utility fuzzer to get the infrastructure in place (the encode/decode function are a direct match for the fuzz inputs https://llvm.org/docs/LibFuzzer.html#fuzz-target).

Following this, we can focus on configuration (protobuf) ingest and protocol handling on the data plane as the low hanging targets of interest. Any other suggestions welcome as well.

@mattklein123
Copy link
Member Author

@htuch the no network restriction is pretty unfortunate. I wonder if we could somehow fuzz/inject a fake client directly into the normal Envoy process maybe via a custom transport socket implementation?

This was referenced Jan 25, 2018
Closed
Closed
htuch added a commit to htuch/envoy that referenced this issue Jan 30, 2018
@htuch
fuzz: initial fuzzing infrastructure, docs and and Base64::encode() e…
1d50fdf 
…xample.

This is the groundwork for envoyproxy#508. See test/fuzz/README.md for the spiel
on what we're integrating with, the fuzz test model and how to create
new fuzz tests.

There were a bunch of changes needed to the build infrastructure to get
it to work in the oss-fuzz Docker build environment. In particular, we
needed to allow clang + libc++ static linking on Linux and to supply
extra flags that some of the external deps were not handling correctly.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch htuch mentioned this issue Jan 30, 2018
Merged
htuch added a commit that referenced this issue Jan 31, 2018
@htuch
fuzz: initial fuzzing infrastructure, docs and and Base64::encode() e… (
b019747 
#2476)

This is the groundwork for #508. See test/fuzz/README.md for the spiel
on what we're integrating with, the fuzz test model and how to create
new fuzz tests.

There were a bunch of changes needed to the build infrastructure to get
it to work in the oss-fuzz Docker build environment. In particular, we
needed to allow clang + libc++ static linking on Linux and to supply
extra flags that some of the external deps were not handling correctly.

Signed-off-by: Harvey Tuch <htuch@google.com>
@mattklein123 mattklein123 added this to the 1.6.0 milestone Feb 1, 2018
@mattklein123 mattklein123 modified the milestones: 1.6.0, 1.7.0 Mar 5, 2018
@mattklein123 mattklein123 added the help wanted Needs help! label Mar 16, 2018
@mattklein123 mattklein123 removed this from the 1.7.0 milestone Mar 25, 2018
@htuch
Copy link
Member

htuch commented Apr 23, 2018
edited
Loading

Status here is we have server config fuzzing (server_fuzz_test) happening and are busy crunching through a bunch of crash reports. In addition, we have H1 wire fuzzing (h1_capture_fuzz_test) working, most of the crash reports are test infra related at this point. Some additional ideas that have come up in discussion for fuzzers:

  • Config validation mode fuzzing (similar to existing server_fuzz_test in structure).
  • One-way H1 fuzzing; skip the upstream aspect of h1_capture_fuzz_test and use direct replies.
  • Fuzzing H1 with router/HCM fuzzing combined, to support corpuses that have special configuration needs and explore the impact of configurations beyond h1_capture_fuzz_test.
  • Dumb H2 fuzzing (basically a h2_capture_fuzz_test).
  • Stateful and protocol aware (e.g. HPACK) H2 fuzzing
  • xDS (starting with EDS, since a lot of the xDS crashes would show up on the boostrap config in the existing server config fuzz test).
  • Header processing libraries
  • String libraries
  • Examine coverage reports & look at high value low hanging fruit.

@htuch htuch mentioned this issue Apr 27, 2018
Merged
htuch added a commit to htuch/envoy that referenced this issue May 1, 2018
@htuch
tap/fuzz: transport socket extension for traffic capture.
886034d 
This PR introduces a transport socket extension that wraps a given transport socket, interposes on its
plain text traffic and records it into a proto trace file on the filesystem. This can be used for a
number of purposes:
1. As a corpus for fuzzing the data plane.
2. Converted to PCAP using a soon-to-be-written utility, allowing existing tools such as Wireshark
   to be used to decode L4/L7 protocol history in the trace. Essentially this lets us take advantage
   of the PCAP ecosystem.

Relates to envoyproxy#1413 and envoyproxy#508.

Risk Level: Low (opt-in).
Testing: New SSL integration tests, demonstrating plain text intercept.

Signed-off-by: Harvey Tuch <htuch@google.com>
htuch added a commit that referenced this issue May 6, 2018
@htuch
tap/fuzz: transport socket extension for traffic capture. (#3244)
6c7a917 
* tap/fuzz: transport socket extension for traffic capture.

This PR introduces a transport socket extension that wraps a given transport socket, interposes on its
plain text traffic and records it into a proto trace file on the filesystem. This can be used for a
number of purposes:
1. As a corpus for fuzzing the data plane.
2. Converted to PCAP using a soon-to-be-written utility, allowing existing tools such as Wireshark
   to be used to decode L4/L7 protocol history in the trace. Essentially this lets us take advantage
   of the PCAP ecosystem.

Relates to #1413 and #508.

Risk Level: Low (opt-in).
Testing: New SSL integration tests, demonstrating plain text intercept.

Signed-off-by: Harvey Tuch <htuch@google.com>
@mattklein123 mattklein123 added this to the 1.7.0 milestone May 12, 2018
@mattklein123 mattklein123 modified the milestones: 1.7.0, 1.8.0 May 28, 2018
@htuch
Copy link
Member

htuch commented Jun 7, 2018

#3493 just merged with the string lib fuzzing.

htuch added a commit to htuch/envoy that referenced this issue Aug 1, 2018
@htuch
fuzz: H2 codec fuzzer.
db9ad27 
Fuzzer for the H2 codec. This is similar in structure to
//test/common/http/http2:codec_impl_test, where a client H2 codec is wired via
shared memory to a server H2 codec and stream actions are applied. We fuzz the
various client/server H2 codec API operations and in addition apply fuzzing at
the wire level by modeling explicit mutation, reordering and drain operations
on the connection buffers between client and server.

Part of envoyproxy#508.

Risk Level: Low
Testing: Tested with corpus under bazel test and under oss-fuzz Docker image.
~500 cases per second with python infra/helper.py build_fuzzers
--sanitizer=address envoy <envoy path> && python infra/helper.py run_fuzzer
envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of
http2/codec_impl.cc.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch htuch mentioned this issue Aug 1, 2018
Merged
@mattklein123
Copy link
Member Author

Calling this complete. We can open individual issues on fuzzing tasks.

htuch added a commit that referenced this issue Aug 5, 2018
@htuch
fuzz: H2 codec fuzzer. (#4017)
7bf713a 
Fuzzer for the H2 codec. This is similar in structure to
//test/common/http/http2:codec_impl_test, where a client H2 codec is wired via
shared memory to a server H2 codec and stream actions are applied. We fuzz the
various client/server H2 codec API operations and in addition apply fuzzing at
the wire level by modeling explicit mutation, reordering and drain operations
on the connection buffers between client and server.

Part of #508.

Risk Level: Low
Testing: Tested with corpus under bazel test and under oss-fuzz Docker image.
~500 cases per second with python infra/helper.py build_fuzzers
--sanitizer=address envoy <envoy path> && python infra/helper.py run_fuzzer
envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of
http2/codec_impl.cc.

Signed-off-by: Harvey Tuch <htuch@google.com>
wolfguoliang pushed a commit to wolfguoliang/envoy that referenced this issue Jan 23, 2021
@vgbhfive
zh-translation: docs/root/configuration/http/http_filters/ext_authz_f… (
1ba624e 
envoyproxy#508)
jpsim pushed a commit that referenced this issue Nov 28, 2022
@jpsim
ci: add master aar release dist workflow job (#508)
46d1d36 
Signed-off-by: Alan Chiu <achiu@lyft.com>

Description: ci: add master aar release dist workflow job
Risk Level: low
Testing: on master
Docs Changes: n/a
Release Notes: n/a
[Optional Fixes #Issue]
[Optional Deprecated:]

Signed-off-by: JP Simard <jp@jpsim.com>
jpsim pushed a commit that referenced this issue Nov 29, 2022
@jpsim
ci: add master aar release dist workflow job (#508)
be97595 
Signed-off-by: Alan Chiu <achiu@lyft.com>

Description: ci: add master aar release dist workflow job
Risk Level: low
Testing: on master
Docs Changes: n/a
Release Notes: n/a
[Optional Fixes #Issue]
[Optional Deprecated:]

Signed-off-by: JP Simard <jp@jpsim.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@anirudhmurali anirudhmurali

@htuch htuch

Labels
area/security help wanted Needs help!
Projects
None yet
Milestone
1.8.0
Development

No branches or pull requests
5 participants
@PiotrSikora @dnoe @anirudhmurali @mattklein123 @htuch