[HN Gopher] Fuzzing Java in OSS-Fuzz
___________________________________________________________________
Fuzzing Java in OSS-Fuzz
Author : theafh
Score : 87 points
Date : 2021-03-10 17:08 UTC (5 hours ago)
(HTM) web link (security.googleblog.com)
| lucb1e wrote:
| > fuzzing code written in memory safe languages, such as JVM-
| based languages, is useful for finding bugs where code behaves
| incorrectly or crashes. Incorrect behavior can be just as
| dangerous as memory corruption. For example, Jazzer was used to
| find CVE-2021-23899 in json-sanitizer which could be exploited
| for cross-site scripting (XSS). Bugs causing crashes or incorrect
| exceptions can sometimes be used for denial of service.
|
| So the prime examples are denial of service and cross-site
| scripting. Definitely dangerous and good to apply fuzzing, but I
| do want to emphasize that this is a different class than all the
| memory corruption vulnerabilities we're seeing in C(-like)
| languages. Executing arbitrary code on systems in many cases is
| definitely worse than executing code in a browser with the
| privileges of the currently logged-in user. As someone working in
| security, it seems to me like moving away from memory-unsafe
| languages is long overdue by 2020---scratch that, 2021.
| fhenneke wrote:
| While I agree with most of what you are saying (let's hope that
| 2021 will finally be "the year of memory-safe languages"),
| remote code execution issues also affect Java.
| https://securitylab.github.com/research/securing-the-fight-a...
| is just one of the latest prominent examples.
| lucb1e wrote:
| Yep, for sure. One of the things we see most frequently
| leading to code execution is still deserialization... but
| it's much more rare now, so a step forward from my point of
| view.
| The_rationalist wrote:
| Another great tool is Pitest for mutation testing on the JVM
| (make coverage more meaningful) https://github.com/hcoles/pitest
| spockz wrote:
| If you want an easy way to have better mutation coverage, check
| out property based testing. E.g. junit-quickcheck for Java.
|
| https://github.com/pholser/junit-quickcheck
| The_rationalist wrote:
| Thanks!
| chriswarbo wrote:
| I've found Scalacheck quite pleasant (run through Scalatest)
| exdsq wrote:
| How does property based testing relate to mutation testing,
| unless you just mean you'll have a larger test vector?
| spullara wrote:
| I was hoping this was about fuzzing OpenJDK, but alas.
| fhenneke wrote:
| With minor changes to the default exclude list for coverage
| instrumentation, you can use Jazzer to fuzz the Java standard
| library (at least the parts that are implemented in Java).
| fhenneke wrote:
| One of the authors of Jazzer here. Feel free to ask any questions
| regarding Jazzer
| (https://github.com/CodeIntelligenceTesting/jazzer) or how to
| integrate Java/JVM projects into OSS-Fuzz.
| victor106 wrote:
| This is awesome!!! Going to explore and start using it.
|
| Thanks for working on this.
| exdsq wrote:
| I've been interested in applying fuzzing to some projects I
| work on but every time I go to do this I'm not really sure
| where to start. Do you have any recommended sources to learn
| about how to use them in practice? :)
| fhenneke wrote:
| That depends on the language you want to fuzz. A good general
| introduction and hands-on "course" for C/C++ is
| https://github.com/Dor1s/libfuzzer-workshop. If you prefer
| Java and just want to get a feeling for what concrete fuzz
| targets can look like, take a look at the Jazzer examples at
| https://github.com/CodeIntelligenceTesting/jazzer/tree/main/.
| ...
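As an added illustration of what such a target looks like (example code written for this page, not taken from the Jazzer repository or from the json-sanitizer project): a Jazzer fuzz target for json-sanitizer, the library mentioned in the article excerpt above. Because a memory-safe target rarely crashes on its own, the target has to state the properties it expects and throw when one is violated; the class name, the choice of Gson as the reference parser, and the specific properties checked are assumptions made for this example.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import com.google.json.JsonSanitizer;

// Hypothetical target class; the name is chosen for this example.
// Build against jazzer-api, gson and json-sanitizer, then run e.g.
//   jazzer --cp=<classpath> --target_class=JsonSanitizerFuzzer
public class JsonSanitizerFuzzer {

  // Jazzer calls this method once per generated input. The
  // FuzzedDataProvider converts the raw fuzzer bytes into typed
  // values; here the whole input is consumed as one string.
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    String input = data.consumeRemainingAsString();

    // The sanitizer is expected to accept any string. An uncaught
    // RuntimeException here is reported by Jazzer as a finding
    // (the "incorrect exceptions" / denial-of-service class).
    String output = JsonSanitizer.sanitize(input);

    // Property 1 (assumed for this example): whatever the input, the
    // sanitizer's output must be well-formed JSON. Gson's strict
    // parser is used as an independent oracle.
    try {
      JsonParser.parseString(output);
    } catch (JsonParseException e) {
      throw new IllegalStateException(
          "sanitizer emitted invalid JSON for input: " + input, e);
    }

    // Property 2 (assumed for this example): the output is meant to
    // be safe to embed inside an HTML <script> element, so a closing
    // script tag must never survive sanitization. A violation is the
    // XSS-class bug the thread refers to, surfaced as an exception.
    if (output.toLowerCase().contains("</script")) {
      throw new IllegalStateException(
          "script-tag breakout survived sanitization: " + output);
    }
  }
}
```

Jazzer treats any uncaught exception from fuzzerTestOneInput as a crash and saves the triggering input for reproduction, which is how both the exception-on-input and the property-violation cases above become reportable findings.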
| saagarjha wrote:
| Recent discussion of Jazzer:
| https://news.ycombinator.com/item?id=26090139
___________________________________________________________________
(page generated 2021-03-10 23:01 UTC)