
List:       oss-security
Subject:    Re: [oss-security] Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From:       "Stuart D. Gathman" <stuart () gathman ! org>
Date:       2019-06-24 15:59:43
Message-ID: alpine.LRH.2.21.1906241152180.4597 () fairfax ! gathman ! org

On Mon, 24 Jun 2019, Bob Friesenhahn wrote:

> Most oss-fuzz issue detections are not CVE worthy.  For example, a one-byte 
> read "heap overflow" is not likely to cause any actual harm but oss-fuzz 
> would classify it as "heap overflow".

Nevertheless, it is a bug.  Fuzzers are amazing.  Going forward, the
best plan is for more projects to include fuzzing as part of the
build process testing.

Question: is fuzzing useful for languages like Java/python?  Obviously,
you eventually reach a native code module in both cases, but fuzzing 
the entire virtual machine is cumbersome.  Maybe native code libraries
for "safe" languages should include fuzzing as part of testing.

-- 
 	      Stuart D. Gathman <stuart@gathman.org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.