I've tried reaching out a few times about this but I didn't get a response.
I've set up a bignum fuzzer on oss-fuzz [1]. This performs differential fuzzing of mathematical operations across different bignum (mpi) libraries, including mbed TLS.
So if 10 + 10 results in 20 in OpenSSL and 30 in mbed TLS, this would indicate a bug.
Everything is compiled with AddressSanitizer so memory bugs can transpire as well.
The fuzzer has been running for months and has not found any bugs in mbed TLS (if it had, I would have informed you).
I'd like to invite you to subscribe to the notification system. The oss-fuzz system sends out an e-mail to each subscriber once a computational discrepancy (or memory bug) is found. This keeps you in the loop of all bugs found by the fuzzer, which gives you the opportunity to fix these bugs.
E-mail traffic is generally low (only one e-mail per several weeks on average).
If you are keen, please submit to me one or more e-mail addresses of mbed TLS core developers who can deal with (potentially security-sensitive) bug reports distributed by the oss-fuzz system.
Apart from the bignum fuzzer, I've built a crypto fuzzer as well, and I will be submitting this to oss-fuzz shortly.
In short, this performs a variety of cryptographic operations (symmetric and asymmetric encryption, HMAC, many different ciphers, modes, etc.) across multiple libraries (currently OpenSSL and mbed TLS), and compares the outputs.
If you submit any e-mail address for subscription to the bignum fuzzer, I will use these for the crypto fuzzer as well.
Whom and how did you try emailing us? You should have my work email address, so should be able to contact me directly I would have thought. Sorry if you've had problems.
If you want to provide an email address, please use our support email address of support-mbedtls@arm.com. That will be handled by Mbed TLS staff.
[1] https://github.com/google/oss-fuzz/tree/master/projects/bignum-fuzzer
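The differential check described in the issue, as an added example that is not part of the original post or of the oss-fuzz project's code. Python's built-in integers stand in for one library and a toy 16-bit-limb implementation for the other; the input layout, the function names and the seeded dropped-carry bug are assumptions made for illustration.

```python
import random

BASE = 1 << 16  # limb width of the toy second implementation (assumption)

def to_limbs(n):  # non-negative int -> little-endian 16-bit limbs ([] is zero)
    return [(n >> s) & (BASE - 1) for s in range(0, n.bit_length(), 16)]

def from_limbs(limbs):
    return sum(limb << (16 * i) for i, limb in enumerate(limbs))

def limb_add(a, b, drop_top_carry=False):
    out, carry = [], 0
    for i in range(max(len(a), len(b))):
        s = (a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) + carry
        out.append(s % BASE)
        carry = s // BASE
    if carry and not drop_top_carry:  # seeded bug: the final carry is lost
        out.append(carry)
    return out

def limb_mul(a, b):
    out = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        carry = 0
        for j, y in enumerate(b):
            carry, out[i + j] = divmod(out[i + j] + x * y + carry, BASE)
        out[i + len(b)] += carry
    return out

def decode(data):
    """Constructed layout: 1 operation byte, then two big-endian operands."""
    op = "add" if data and data[0] % 2 == 0 else "mul"
    body = data[1:]
    half = len(body) // 2
    return op, int.from_bytes(body[:half], "big"), int.from_bytes(body[half:], "big")

def differential(data, buggy=False):
    """Return None when both implementations agree, else the discrepancy."""
    op, x, y = decode(data)
    expected = x + y if op == "add" else x * y  # reference implementation
    a, b = to_limbs(x), to_limbs(y)
    got = from_limbs(limb_add(a, b, buggy) if op == "add" else limb_mul(a, b))
    return None if got == expected else (op, x, y, expected, got)

def campaign(rounds, buggy=False, seed=1):  # random inputs stand in for the fuzzing engine
    rng = random.Random(seed)
    inputs = (bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 33)))
              for _ in range(rounds))
    return [d for d in (differential(i, buggy) for i in inputs) if d]
```

`campaign(2000)` returns an empty list for the correct implementation, while `campaign(2000, buggy=True)` returns tuples of the form `(op, x, y, expected, got)`, which is the kind of computational discrepancy a subscriber would be notified about.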