Comments (9)
A first part of the "dreamed-up" fuzz tests was merged with #97 - others will be added at some point
from parsec.
The AFL crate is not really all that good - lack of documentation and functionality.
Started using libfuzzer instead, which seems to have better support and tooling. Not that thoroughly documented, but good overall, quite easy to set up.
There was an idea to try and get the project into OSS-Fuzz, but projects accepted there need to have a large user base (or be critical to IT infrastructure). So... maybe a task for the future :)
from parsec.
Dealt with in #94
from parsec.
I've realized that the way we're doing testing is too "sparse" - we're testing the system as if a client was using it - essentially more like a stress test than a fuzz test. This means that a lot of the packets would be lost along the way and never reach the providers.
My new idea is to crack open the service and extract the parts that we deem more complex and inherently prone to crashes/bugs etc. The main "pipeline", i.e. the frontend handler, dispatcher and backend handler are relatively small pieces of code that can be audited by hand/eye (if we don't consider all the parsing and conversions as part of that).
Hence, I'll attempt to describe a number of tests and label them in an enum (along with their inputs). Tests would be something more specific than before - create a key using provider P - but still have the full freedom over the inputs to the operation. The fuzzer will generate a variant of the enum at each run and hence all the tests will be run "at once".
The main areas that I'll focus on are the two boundaries - the providers and the service interface.
from parsec.
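The enum-of-tests design described in the comment above, as an added example (not part of the thread and not Parsec's code): raw fuzzer bytes are decoded into one enum variant with its inputs, which is then run against a single component. `FuzzCase`, `ToyProvider` and the byte layout are hypothetical names and assumptions made for illustration.

```rust
use std::collections::HashMap;
// One variant per kind of test; the fields are the fuzzer-controlled inputs.
#[derive(Debug, PartialEq)]
enum FuzzCase {
    CreateKey { name: String, bits: u16 },
    DestroyKey { name: String },
    Sign { name: String, msg: Vec<u8> },
}

// Hypothetical stand-in for a provider; not Parsec's provider code.
#[derive(Default)]
struct ToyProvider { keys: HashMap<String, u16> }
impl ToyProvider {
    fn run(&mut self, case: FuzzCase) -> Result<usize, &'static str> {
        match case {
            FuzzCase::CreateKey { name, bits } => {
                if name.is_empty() || bits == 0 || bits % 8 != 0 { return Err("invalid argument"); }
                if self.keys.contains_key(&name) { return Err("already exists"); }
                self.keys.insert(name, bits);
                Ok(0)
            }
            FuzzCase::DestroyKey { name } => self.keys.remove(&name).map(|_| 0).ok_or("not found"),
            FuzzCase::Sign { name, msg } => {
                let bits = *self.keys.get(&name).ok_or("not found")?;
                if msg.is_empty() { return Err("invalid argument"); }
                Ok(usize::from(bits) / 8) // length of the toy "signature"
            }
        }
    }
}

// Byte 0 picks the variant, byte 1 is the name length, the rest are inputs; short input gives None.
fn decode(data: &[u8]) -> Option<FuzzCase> {
    let (&tag, rest) = data.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if rest.len() < usize::from(len) { return None; }
    let (name, rest) = rest.split_at(usize::from(len));
    let name = String::from_utf8_lossy(name).into_owned();
    Some(match tag % 3 {
        0 => FuzzCase::CreateKey { name, bits: u16::from_le_bytes([*rest.first()?, *rest.get(1)?]) },
        1 => FuzzCase::DestroyKey { name },
        _ => FuzzCase::Sign { name, msg: rest.to_vec() },
    })
}

fn main() {
    let mut p = ToyProvider::default();
    // Constructed input: tag 0, name "k", bits 256 (little-endian bytes 0x00 0x01).
    println!("{:?}", decode(&[0, 1, b'k', 0x00, 0x01]).map(|c| p.run(c)));
}
```

In a libFuzzer target, the fuzz closure would call `decode` on the input bytes and pass the resulting case to `run`, so every variant is reachable from a single target.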
I think that it might be indeed more efficient to fuzz test only specific components.
But there is still, to me, to do a fuzz test on the whole service (fuzzing the stream sent to the `FrontEndHandler`). Those things could happen in parallel!
from parsec.
Indeed, it's probably a good idea to have both. I'll keep them as separate fuzz targets, `fuzz_service` and `fuzz_components`. Might add them in separate PRs, since the `fuzz_service` part is almost done.
from parsec.
And I do believe it's a really good idea to fuzz the `FrontEndHandler` instead of bypassing it and going straight to the `Dispatcher`!
from parsec.
Should we maybe close this for the release and add a new issue for the other fuzz targets? Or should the other targets also be part of Parsec for production readiness?
from parsec.
Unsure, it all depends on how much time we have until a release is imminent. Let's close, I'll open another one and not assign that one to Parsec 1
from parsec.