fuzz: replace cfg(fuzzing) weth cfg(bitcoin-hashes-fuzz).
#1821
Conversation
apoelstra
force-pushed
the
2023-04--rename-fuzzing
branch
from
7a98c16
to
393187b
Compare
|
Hmm, shouldn't the broken crypto be improved? Fuzzing with real crypto is very rarely what you want, at a minimum it's pretty slow! |
|
@TheBlueMatt yes, but doing this is probably a masters' thesis worth of work. Not crazy, but crazy enough that it's caused me to avoid doing it for multiple years. And meanwhile I need some sort of working crypto now to get my downstream crates to work. |
|
Maybe not a masters thesis, but certainly an honors thesis ;P. Though the result would be pretty high-impact so I'd bet you could get a masters out of it.. |
|
I also think that we'd still need something like this PR since
[*] The ideas that come to mind involve using a real hash to get collision resistance, but directly encoding preimage data alongside it to make it easy to extract a preimage. |
|
I think the underlying issue in trying to fix fuzzing crypto is that we cannot really know how the fuzzing is used and what properties about the primitives we need to emulate. It is impossible to determine what properties of primitives users might use.
computing sha256 is not that slow. It's very CPU friendly. And code being fuzzed can easily rely on it for collision resistance. For example, a taproot descrpitor. The fuzzer has been useful in rust-miniscript catching several bugs in round-tripping keys and descriptors. While we are not checking the crypto part in the fuzzing, it is difficult/impossible to separate out code cleanly and fuzz the part without the crypto part. The annoying thing is that this has caused some abrupt failures that are difficult to figure out. One example is where people have hit rust-bitcoin/rust-miniscript#245 To summarize,
|
|
I'm certainly open to making the broken crypto optional, and while I'm quite dubious that's the Right fix, it sounds like we agree it's not. The broken crypto as it stands was always a hack, having fuzzers with less coverage is equally broken so.... sure, as long as it's still optional cause we desperately need the performance of it. For the rust-miniscript case specifically, is there really any need to swap out the secp broken crypto? I'd have thought it's roughly fine as-is.
The definition of "slow" when fuzzing is quite different from normal code :p |
As such we are not using any cryptography in there, just parsing keys/points etc. Some other downstream users use it for testing addresses, tweaking etc. I agree that we can improve help improve performance of it. But given my low confidence in crypto fuzz code and some issues in the past, in the short term horizon having an option for fuzzing against non-fuzzing provides us with more benefits.
Agreed, that the correct fix should be to improve the code, but I it should still be optional and not mandated via |
fuzz/README.md
Outdated
| # Fuzzing with weak cryptography | ||
|
|
||
| You may wish to replace the hashing and signing code with broken crypto, | ||
| which will be faster and enable the fuzzer to do other-wise impossible |
There was a problem hiding this comment.
other-wise
Never seen it written like this, always "otherwise", is this correct?
There was a problem hiding this comment.
I'm not sure what I was thinking here :). Yeah, the dash shouldn't be there.
There was a problem hiding this comment.
ROFL, a whole bunch of times over the last few years when reading your writing @apoelstra I've thought "damn this guy knows his English", this slip up "other-wise" made me hold my stomach laughing - so glad its not only me that does shit like this :)
Thanks Matt! I will take this as a concept ACK from you on this PR (and an equivalent one on rust-secp). Definitely agreed that we should improve the broken crypto....but as Sanket says the requirements are not obvious and probably different for different users. A proper fix might even result in multiple flags and a multi-page manual explaining what they do. |
apoelstra
force-pushed
the
2023-04--rename-fuzzing
branch
from
393187b
to
463d613
Compare
There was a problem hiding this comment.
Whilst technically correct as is, I rekon it would make sense to change the line in bitcoin/lib.rs
#![cfg_attr(fuzzing, allow(dead_code, unused_imports))]to not use fuzzing.
A mild point; I'm confused with the name bitcoin_hashes_fuzz - a dev may ask:
- does this mean we are only fuzzing
bitcoin_hashes, why nobitcoin_fuzz? - does this mean 'bitcoin' and 'hashes'
_fuzzsince we are really fuzzing both?
Perhaps we should use hashes_fuzz and comment in the readme that currently there is no special code required when fuzzing bitcoin so there is no need for --cfg=bitcoin_fuzz?
fuzz/README.md
Outdated
| Meanwhile, to use the broken crypto, simply compile (and run the fuzzing | ||
| scripts) with | ||
|
|
||
| RUSTFLAGS="--cfg=bitcoin_hashes_fuzz --cfg=secp256k1_fuzz" |
There was a problem hiding this comment.
This line is wrong mate, https://github.com/rust-bitcoin/rust-secp256k1/pull/608/files uses sec256k1_fuzzing, we should pick either _fuzz or _fuzzing.
There was a problem hiding this comment.
Heh, oops :) I'll change the other PR to use _fuzz.
fuzz/README.md
Outdated
| Doing so may result in spurious bug reports since the broken crypto does | ||
| not respect the encoding or algebraic invariants as the real crypto. We |
There was a problem hiding this comment.
This sentence reads a bit clunky, perhaps
| Doing so may result in spurious bug reports since the broken crypto does | |
| not respect the encoding or algebraic invariants as the real crypto. We | |
| Doing so may result in spurious bug reports since the broken crypto does | |
| not respect the encoding or algebraic invariants upheld by the real crypto. We |
|
Yeah, good idea. |
9bdab89 change --cfg=fuzzing to --cfg=secp256k1_fuzz (Andrew Poelstra) Pull request description: Companion PR to rust-bitcoin/rust-bitcoin#1821 ACKs for top commit: sanket1729: ACK 9bdab89 Tree-SHA512: 9ff5ce4cae99089f85a73a845cd5dca7b7d0ad9e73c0ee180e73fd9a55c6b92f21ad0192c8c0976e2e590be9d5d899b113b8b2006a3c53e0146a3ce5ba1450ec
apoelstra
force-pushed
the
2023-04--rename-fuzzing
branch
from
463d613
to
15aad07
Compare
apoelstra
force-pushed
the
2023-04--rename-fuzzing
branch
from
15aad07
to
6b9473f
Compare
apoelstra
force-pushed
the
2023-04--rename-fuzzing
branch
from
6b9473f
to
ab4a48c
Compare
|
Updated to change cfg name to We could re-introduce the "fuzz against RustCrypto" tests at some point, though I'm a little unenthusiastic about them because there's so little value in checking a hash library against another for more than 1 or 2 examples. |
I agree, the code is probably too complex for a fuzzer to identify any but trivial differences. |
| @@ -53,6 +53,7 @@ hashes_sha1, | |||
| override: true | |||
| profile: minimal | |||
| - name: fuzz | |||
| run: if [[ "${{ matrix.fuzz_target }}" =~ ^bitcoin ]]; then export RUSTFLAGS='--cfg=hashes_fuzz --cfg=secp256k1_fuzz'; fi | |||
There was a problem hiding this comment.
Are you sure the env var is kept across multiple run: statements? We should debug print it I guess.
There was a problem hiding this comment.
Will go ahead and merge. We can add a debug print later on. But it would really surprise me if env vars were not preserved.
a1aaf5f ci: fix run syntax in fuzz job (Andrew Poelstra) Pull request description: I think our CI failures started with #1821 when we added an extra `run:` line to `fuzz.yml` without prefixing it with `-`. Fix the syntax to use a multi-line `run` instead. ACKs for top commit: tcharding: ACK a1aaf5f Kixunil: ACK a1aaf5f Tree-SHA512: 7214291dc629b6417f8dfaf4a68bfcdc23078a57759717cef92344e1873d475f597fe447e037d15c568a1d5b04ec764ebf8477d18274f52a4b93c50d8a1615f5
A custom
cfgflag can be turned on or off by the user. Our current use ofcfg(fuzzing)is impossible to turn off when using honggfuzz, which makes it impossible to fuzz without the broken crypto. This causes trouble for some downstream crates and also makes it hard for us to fuzz our own library.Companion to rust-secp PR (TODO open this) which does effectively the same thing.
Fixes #1587.