
Optimization #4125

open

Ideal integration into oss-fuzz

Added by Philippe Antoine 10 months ago. Updated 3 months ago.

Status: In Review
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

List of things to do:
+ fix bugs
+ visualisation of rust coverage
+ performance inspection
+ coverage inspection
+ run targets on corpus as part of CI
+ more fuzz targets

+ structure aware versus pcap (so as not to fuzz libpcap, but somehow still use pcaps in the seed corpus)
+ differential testing with tcp flow splitting

Current proposal : https://github.com/OISF/suricata/pull/5541


Related issues

Related to Optimization #3591: fuzz: target with pcap, rules and yaml (New, Philippe Antoine)
Related to Optimization #3590: fuzz: target for dataset/datarep files (New, Philippe Antoine)
Related to Optimization #3589: fuzz: target for iprep data files (New, Philippe Antoine)
Related to Optimization #3588: fuzz: target for reference.config (New, Philippe Antoine)
Related to Optimization #3587: fuzz: target for threshold.config (New, Philippe Antoine)
Copied to Optimization #4364: Ideal integration into oss-fuzz (Rejected, Jeff Lucovsky)
Copied to Optimization #4365: Ideal integration into oss-fuzz (Rejected, Shivani Bhardwaj)
Actions #1

Updated by Philippe Antoine 10 months ago

  • Target version set to 7.0rc1
Actions #2

Updated by Philippe Antoine 10 months ago

After merge of https://github.com/OISF/suricata/pull/5557

+ fix more bugs
+ visualisation of rust coverage
+ performance inspection
+ coverage inspection (already improved from 40 to 43% in one day on oss-fuzz, and up to 46% three days after)
+ run targets on corpus as part of CI
+ more fuzz targets

+ structure aware versus pcap (so as not to fuzz libpcap, but somehow still use pcaps in the seed corpus)
+ differential testing with tcp flow splitting

Actions #3

Updated by Philippe Antoine 10 months ago

https://github.com/OISF/suricata/pull/5616 :
+ fix some bugs in the targets / improve output
+ visualisation of rust coverage : first required step

Actions #4

Updated by Philippe Antoine 9 months ago

improving fuzz target initialization to prevent dummy bug : https://github.com/OISF/suricata/pull/5672

Actions #5

Updated by Philippe Antoine 8 months ago

https://github.com/OISF/suricata/pull/5760 to run targets on public corpus as part of CI

Actions #7

Updated by Philippe Antoine 8 months ago

Actions #8

Updated by Philippe Antoine 7 months ago

TODO : Fuzz when STREAM_MIDSTREAM...

Actions #9

Updated by Philippe Antoine 7 months ago

https://github.com/OISF/suricata/pull/5838 to run targets on corpus as part of CI

So, what is left :
+ fix more bugs like https://github.com/OISF/suricata/pull/5850
+ visualisation of rust coverage cf WIP https://github.com/google/oss-fuzz/pull/4697
+ performance inspection + coverage inspection (50% last time I checked and still rising) (fix bugs first)
+ more fuzz targets (cf other redmine tickets)

+ structure aware versus pcap cf https://github.com/OISF/suricata/pull/5818
+ differential testing with tcp flow splitting cf WIP https://github.com/OISF/suricata/pull/4917 to be improved

Actions #10

Updated by Victor Julien 7 months ago

  • Status changed from Assigned to Closed
  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions #11

Updated by Jeff Lucovsky 7 months ago

Actions #12

Updated by Jeff Lucovsky 7 months ago

Actions #13

Updated by Philippe Antoine 7 months ago

  • Status changed from Closed to In Review
  • Label deleted (Needs backport to 5.0, Needs backport to 6.0)

https://redmine.openinfosecfoundation.org/issues/4366 is closed
But this parent ticket has more things to do cf #9 as last point

Actions #14

Updated by Philippe Antoine 6 months ago

So, what is left :
+ fix more bugs
+ performance inspection + coverage inspection
+ more fuzz targets (cf other redmine tickets)
+ structure aware versus pcap cf https://github.com/OISF/suricata/pull/5967
+ differential testing with tcp flow splitting cf WIP https://github.com/OISF/suricata/pull/4917 to be improved
+ fuzz midstream by default for sigpcap ?

Maybe we should also have specific fuzz target per protocol in addition to the generic ones

Actions #15

Updated by Philippe Antoine 6 months ago

Actions #16

Updated by Philippe Antoine 6 months ago

Actions #17

Updated by Philippe Antoine 6 months ago

Actions #18

Updated by Philippe Antoine 6 months ago

Actions #19

Updated by Philippe Antoine 6 months ago

Actions #20

Updated by Philippe Antoine 5 months ago

In addition to midstream, ips, async are interesting options.
We should try to fuzz them all.

Actions #21

Updated by Philippe Antoine 5 months ago

So, what is left :
+ fix the bugs
+ performance inspection + coverage inspection + more fuzz targets (cf other redmine tickets)
+ fuzz midstream/async/ips conditionally
+ differential testing with tcp flow splitting cf WIP https://github.com/OISF/suricata/pull/4917 to be improved ?

Actions #22

Updated by Philippe Antoine 3 months ago

Performance inspection :
in addition to https://github.com/OISF/suricata/pull/6188, disabling eve.log is a great way to speed up fuzz_sigpcap_aware (from 5 minutes to 3 minutes and 30 seconds on the corpus)

Another prominent function is __sanitizer_cov_trace_cmp8 called from HashListTableFree

The call to ConfGetBool in DetectMpmInitializeAppMpms seems quite expensive as well
Can be optimized away with #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION

Another idea is to split the target in 2: one for only the "one single TCP stream" inputs, and one to do whatever pcaps
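An added example (not Suricata's code) of the guard suggested above for the ConfGetBool cost: a constructed ConfGetBool-like table scan, with hypothetical option names, is done once per fuzz run under FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION instead of once per input, while a production build keeps live lookups; lookups_for_inputs() counts the scans so the saving can be measured.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a configuration tree and a ConfGetBool-like
 * lookup that walks it on every call; names are hypothetical, not Suricata's. */
struct conf_entry { const char *name; bool value; };
static const struct conf_entry conf_table[] = {
    { "detect.mpm.default-enabled", true },
    { "app-layer.protocols.http.enabled", true },
    { "stream.midstream", false },
};
static unsigned long conf_lookups = 0;   /* number of expensive table scans */

static bool conf_get_bool(const char *name, bool *out) {
    conf_lookups++;
    for (size_t i = 0; i < sizeof conf_table / sizeof conf_table[0]; i++) {
        if (strcmp(conf_table[i].name, name) == 0) { *out = conf_table[i].value; return true; }
    }
    return false;
}

/* Unoptimised: re-reads the setting for every fuzz input. */
static bool mpm_enabled_uncached(void) {
    bool v = false;
    conf_get_bool("detect.mpm.default-enabled", &v);
    return v;
}

/* Optimised: in a fuzz build the configuration never changes during the run,
 * so the answer is read once and cached; production builds keep live lookups. */
static bool mpm_enabled_cached(void) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    static int cached = -1;
    if (cached < 0) { bool v = false; conf_get_bool("detect.mpm.default-enabled", &v); cached = v; }
    return cached != 0;
#else
    return mpm_enabled_uncached();
#endif
}

/* True when compiled as a fuzz build (the macro is set by the oss-fuzz toolchain). */
bool fuzz_build_mode(void) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    return true;
#else
    return false;
#endif
}

/* Simulates n fuzz iterations and returns how many table scans they cost. */
unsigned long lookups_for_inputs(unsigned n, bool use_cache) {
    conf_lookups = 0;
    for (unsigned i = 0; i < n; i++)
        (void)(use_cache ? mpm_enabled_cached() : mpm_enabled_uncached());
    return conf_lookups;
}
```

Build with -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to see the cached variant drop to a single scan per run.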
