Date
1 - 3 of 3
FYI: Fuzzing for CNCF Projects
Katie Gamanji
That's a very insightful report! Would be great to see more CNCF projects using fuzzing integration to simplify vulnerability scanning and bug fixing.
On Mon, Jan 4, 2021 at 10:04 PM Lorenzo Fontana <fontanalorenz@...> wrote:
Thanks for sharing, this is a very useful initiative Chris.I’ve been thinking about doing a proposal for the Falco project to adopt syzcaller[0] to perform continuous fuzzing of the inputs/language parser.I’ll bring up this topic at the next Falco community call to see what other maintainers think.Thanks again for sharing!Lore[0]: https://syzkaller.appspot.com/On Mon, 4 Jan 2021 at 22:31 Chris Aniszczyk <caniszczyk@...> wrote:Hey TOC and the wider community, some of our projects have taken advantage of fuzzing (through oss-fuzz and other tools), also we recently funded some fuzzing/audit work for fluentbit to see the impact and usefulness: https://github.com/fluent/fluent-bit/pull/2853I've attached a report as an output which contains all the issues found/resolved. If your project is interested in this type of work, let us know via a servicedesk request (https://github.com/cncf/servicedesk), we found it fairly useful on top of normal security audits.--Chris Aniszczyk (@cra)
Lorenzo Fontana <fontanalorenz@...>
Thanks for sharing, this is a very useful initiative Chris.
I’ve been thinking about doing a proposal for the Falco project to adopt syzcaller[0] to perform continuous fuzzing of the inputs/language parser.
I’ll bring up this topic at the next Falco community call to see what other maintainers think.
Thanks again for sharing!
Lore
On Mon, 4 Jan 2021 at 22:31 Chris Aniszczyk <caniszczyk@...> wrote:
Hey TOC and the wider community, some of our projects have taken advantage of fuzzing (through oss-fuzz and other tools), also we recently funded some fuzzing/audit work for fluentbit to see the impact and usefulness: https://github.com/fluent/fluent-bit/pull/2853I've attached a report as an output which contains all the issues found/resolved. If your project is interested in this type of work, let us know via a servicedesk request (https://github.com/cncf/servicedesk), we found it fairly useful on top of normal security audits.--Chris Aniszczyk (@cra)
Hey TOC and the wider community, some of our projects have taken advantage of fuzzing (through oss-fuzz and other tools), also we recently funded some fuzzing/audit work for fluentbit to see the impact and usefulness: https://github.com/fluent/fluent-bit/pull/2853
--
I've attached a report as an output which contains all the issues found/resolved. If your project is interested in this type of work, let us know via a servicedesk request (https://github.com/cncf/servicedesk), we found it fairly useful on top of normal security audits.
Chris Aniszczyk (@cra)