oss-sec mailing list archives
Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Alexander Potapenko <glider () google com>
Date: Tue, 25 Jun 2019 16:08:29 +0200
On Tue, Jun 25, 2019 at 3:43 PM Bob Friesenhahn <bfriesen () simple dallas tx us> wrote:
On Mon, 24 Jun 2019, Alex Gaynor wrote:- Not having sooooo many vulnerabilities. While there's some dispute over just what % of the bugs that OSS-Fuzz and syzbot turn up are exploitable, there's no doubt that they find a _lot_ of them. Even if only 20% of OSS-Fuzz reports were truly exploitable vulnerabilities, that'd still be600 of them. We can't produce this many vulnerabilities and then try toclean up afterwards by finding them with fuzzing -- at some point the number of vulnerabilities simply overwhelms us. Tactics for reducing vulnerabilities in the first instance, like memory safe languages, are an important part of making this problem tractable. Do folks feel like there were important themes that this misses?I see the assumption that 20% of oss-fuzz reports are exploitable vulnerabilities. Where does this percentage estimate come from? What does it mean to be "exploitable"? From working on fixing oss-fuzz detected bugs in GraphicsMagick I see that many/most of the issues are not significant from a security standpoint, assuming that the software is deployed in a way suitable for its level of exposure. Common issues include: * Huge uninitialized memory allocations (which do not really matter under Linux since Linux does not reserve anything but virtual memory space). * Consumption of uninitialized data (e.g. image data) which is not used to make important decisions. This is usually due to unhandled cases or error handling which does not quit immediately. * Tiny heap over-reads which are not past the bounds of the underlying allocation. * Heap over-reads or over-writes which cause an immediate core dump.
Please note that these particular bugs most certainly behave differently with different memory allocators. Even assuming these immediate core dumps happen regardless of the contents of data being written (e.g. the crash happens because you hit a protected page), there's no guarantee that using a different allocator won't let the malicious user silently corrupt the heap. (Not to mention different standard library versions, CPU architecture, bitness etc.)
* Excessively slow code with the slowness emphasized by ASAN and UBSAN code running vastly slower. The excessively slow code is not necessarily noticeable in a normal compilation. * Memory leaks. * "undefined behavior" which nevertheless has a common behavior that compilers have followed since the dawn of time. The most important thing that oss-fuzz contributes is a large collection of files which cause problems for unfixed software such that only the unaware or foolish do not update to fixed versions. Bob -- Bob Friesenhahn bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/ Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
-- Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Straße, 33 80636 München Geschäftsführer: Paul Manicle, Halimah DeLaine Prado Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg
Current thread:
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz, (continued)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Stuart D. Gathman (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Matthew Fernandez (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Seth Arnold (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Matthew Fernandez (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeff Law (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Pascal Cuoq (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeff Law (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Jeffrey Walton (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Florian Weimer (Jun 25)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Martin Carpenter (Jun 26)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alexander Potapenko (Jun 24)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 24)