* [Qemu-devel] Disk image fuzz testing (OPW)
From: M.Kustova @ 2014-05-26 5:07 UTC (permalink / raw)
To: qemu-devel, Stefan Hajnoczi, Fam Zheng
Hello,
My name is Maria and I'm a participant of the Outreach Program for Women.
My project is fuzz testing of support of qcow2 image format.
The project git:
https://github.com/maxalab/qemu_fuzzer.git
It's public, so welcome, make yourself at home.
The blog:
http://eeff.catit.be/
It's empty yet, but stay tuned, please. It has RSS and all the project
related topics will have 'opw' tag.
Thanks a lot for your support. Further one will be appreciated no less.
BR,
Maria.
* Re: [Qemu-devel] Disk image fuzz testing (OPW)
From: Kevin Wolf @ 2014-05-26 8:43 UTC (permalink / raw)
To: M.Kustova; +Cc: Fam Zheng, qemu-devel, Stefan Hajnoczi
Hi Maria,
On 26.05.2014 at 07:07, M.Kustova wrote:
> My name is Maria and I'm a participant of the Outreach Program for Women.
> My project is fuzz testing of support of qcow2 image format.
>
> The project git:
> https://github.com/maxalab/qemu_fuzzer.git
>
> It's public, so welcome, make yourself at home.
Thanks for sharing this. I read your requirements file and have a
question or two.
The first is about what "actions" are. You define it as "structure
elements retrieved from an image format" or "element of an image
structure", which unfortunately doesn't make things much clearer to me.
My guess is that you mean a data structure (like header, L1 table,
refcount block, etc.) and this is the structure that is going to be
modified during the fuzzing? Is this right?
The other thing is that you seem to concentrate on generating test images
(and probably rightly so), but there's also the part that you need to
use that image for something, i.e. using the right actions with qemu to
actually test it against that image in a meaningful way (for example,
corrupting a snapshot's L1 table isn't interesting as long as this
snapshot isn't touched). What are your plans for determining what test
to run against the generated test images?
Also, if you don't mind, I'd like to be CCed on your further emails
about this project.
Kevin
* Re: [Qemu-devel] Disk image fuzz testing (OPW)
From: Stefan Hajnoczi @ 2014-05-26 9:24 UTC (permalink / raw)
To: M.Kustova; +Cc: Fam Zheng, qemu-devel
On Mon, May 26, 2014 at 09:07:43AM +0400, M.Kustova wrote:
> Hello,
>
> My name is Maria and I'm a participant of the Outreach Program for Women.
> My project is fuzz testing of support of qcow2 image format.
>
> The project git:
> https://github.com/maxalab/qemu_fuzzer.git
>
> It's public, so welcome, make yourself at home.
>
>
> The blog:
> http://eeff.catit.be/
>
> It's empty yet, but stay tuned, please. It has RSS and all the project
> related topics will have 'opw' tag.
Cool, thanks. Subscribed to the RSS feed.
Stefan
* Re: [Qemu-devel] Disk image fuzz testing (OPW)
From: M.Kustova @ 2014-05-26 9:53 UTC (permalink / raw)
To: Kevin Wolf; +Cc: Fam Zheng, qemu-devel, Stefan Hajnoczi
Hello Kevin,
Thanks a lot for your feedback.
Your first guess is absolutely correct. For now, 'action' can be
freely interpreted as an image block that will be corrupted. It's possible
that in the future this term will be extended to a set of fuzzing
rules necessary to corrupt some image block, e.g. not only create a
wrong snapshot table entry but support it with a valid snapshot. But
for now, 'action' is just an image block, like a header field or L1
table.
About fuzzer effectiveness. 'qemu-img' was set as the fuzzer target,
so its commands of interest are any that modify and/or read an
image. As a first step, a tested command will be selected randomly or
specified by the user. After investigation of code coverage on the final
stage of the project, additional constraints will be added to the
algorithm selecting blocks to be fuzzed.
Thanks again for useful questions.
BR, M.
On Mon, May 26, 2014 at 12:43 PM, Kevin Wolf <kwolf@redhat.com> wrote:
> Hi Maria,
>
> On 26.05.2014 at 07:07, M.Kustova wrote:
>> My name is Maria and I'm a participant of the Outreach Program for Women.
>> My project is fuzz testing of support of qcow2 image format.
>>
>> The project git:
>> https://github.com/maxalab/qemu_fuzzer.git
>>
>> It's public, so welcome, make yourself at home.
>
> Thanks for sharing this. I read your requirements file and have a
> question or two.
>
> The first is about what "actions" are. You define it as "structure
> elements retrieved from an image format" or "element of an image
> structure", which unfortunately doesn't make things much clearer to me.
> My guess is that you mean a data structure (like header, L1 table,
> refcount block, etc.) and this is the structure that is going to be
> modified during the fuzzing? Is this right?
>
> The other thing is that you seem to concentrate on generating test image
> (and probably rightly so), but there's also the part that you need to
> use that image for something, i.e. using the right actions with qemu to
> actually test it against that image in a meaningful way (for example,
> corrupting a snapshot's L1 table isn't interesting as long as this
> snapshot isn't touched). What are your plans for determining what test
> to run against the generated test images?
>
> Also, if you don't mind, I'd like to be CCed on your further emails
> about this project.
>
> Kevin
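To make the 'action' idea from the reply above concrete (corrupt exactly one image block, then hand the result to qemu-img and watch how it dies), here is an added Python sketch that is not part of Maria's fuzzer or of QEMU. It builds a constructed, minimal qcow2 version 2 image, treats each header field as one action, corrupts a single field with one of several strategies, and, only if a `qemu-img` binary is on PATH, runs `qemu-img check` against the result and reports the exit code (a negative code means the process was killed by a signal, which is the kind of finding a fuzzer keeps). The header layout follows QEMU's documented v2 format; the image layout, the strategy set and all function names are this example's own choices.

```python
import os
import random
import shutil
import struct
import subprocess
import tempfile

# qcow2 version 2 header, big-endian, in the field order documented in
# QEMU's docs/interop/qcow2.txt.  Each entry is (field name, struct code).
HEADER_FIELDS = [
    ("magic", "4s"), ("version", "I"),
    ("backing_file_offset", "Q"), ("backing_file_size", "I"),
    ("cluster_bits", "I"), ("size", "Q"), ("crypt_method", "I"),
    ("l1_size", "I"), ("l1_table_offset", "Q"),
    ("refcount_table_offset", "Q"), ("refcount_table_clusters", "I"),
    ("nb_snapshots", "I"), ("snapshots_offset", "Q"),
]
HEADER_FMT = ">" + "".join(fmt for _, fmt in HEADER_FIELDS)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72 bytes for the v2 header
FIELD_NAMES = [name for name, _ in HEADER_FIELDS]


def parse_header(data):
    """Unpack the fixed v2 header into a name -> value dict."""
    return dict(zip(FIELD_NAMES, struct.unpack_from(HEADER_FMT, data, 0)))


def build_header(fields):
    return struct.pack(HEADER_FMT, *(fields[n] for n in FIELD_NAMES))


def make_empty_image(cluster_bits=16, size=1 << 20):
    """Constructed sample input: a consistent qcow2 v2 image with no data.
    Cluster 0 = header, 1 = empty L1 table, 2 = refcount table,
    3 = the single refcount block (16-bit refcounts)."""
    cluster = 1 << cluster_bits
    fields = {
        "magic": b"QFI\xfb", "version": 2,
        "backing_file_offset": 0, "backing_file_size": 0,
        "cluster_bits": cluster_bits, "size": size, "crypt_method": 0,
        "l1_size": 1, "l1_table_offset": cluster,
        "refcount_table_offset": 2 * cluster, "refcount_table_clusters": 1,
        "nb_snapshots": 0, "snapshots_offset": 0,
    }
    img = bytearray(4 * cluster)
    img[:HEADER_LEN] = build_header(fields)
    struct.pack_into(">Q", img, 2 * cluster, 3 * cluster)   # refcount table[0]
    for i in range(4):                                      # clusters 0..3 used once
        struct.pack_into(">H", img, 3 * cluster + 2 * i, 1)
    return bytes(img)


def corrupt_value(old, fmt, rng):
    """Pick one corruption strategy for a single field and return the new value."""
    if fmt == "4s":
        return bytes(rng.randrange(256) for _ in range(len(old)))
    bits = 32 if fmt == "I" else 64
    strategy = rng.choice(("zero", "max", "bitflip", "random"))
    if strategy == "zero":
        return 0
    if strategy == "max":
        return (1 << bits) - 1
    if strategy == "bitflip":
        return old ^ (1 << rng.randrange(bits))
    return rng.getrandbits(bits)


def fuzz_image(image, field, seed=0):
    """One 'action': corrupt exactly one header field.  Returns
    (fuzzed_image, old_value, new_value).  Everything after the header is
    left untouched so that a finding can be attributed to that one field."""
    rng = random.Random(seed)
    fields = parse_header(image)
    fmt = dict(HEADER_FIELDS)[field]
    old = fields[field]
    for _ in range(16):              # retry if a strategy reproduces the old value
        new = corrupt_value(old, fmt, rng)
        if new != old:
            break
    else:
        raise RuntimeError("could not produce a differing value")
    fields[field] = new
    return build_header(fields) + image[HEADER_LEN:], old, new


def run_qemu_img(image, command=("check",), timeout=30):
    """Feed the image to qemu-img.  Returns None when qemu-img is not
    installed, else (returncode, stderr).  A negative return code means the
    process died from a signal, i.e. the input crashed the target."""
    exe = shutil.which("qemu-img")
    if exe is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".qcow2", delete=False) as f:
        f.write(image)
        path = f.name
    try:
        proc = subprocess.run([exe, *command, path], capture_output=True,
                              text=True, timeout=timeout)
        return proc.returncode, proc.stderr
    finally:
        os.unlink(path)


if __name__ == "__main__":
    base = make_empty_image()
    for seed in range(5):
        field = random.Random(seed).choice(FIELD_NAMES)   # random action choice
        fuzzed, old, new = fuzz_image(base, field, seed)
        print(f"seed={seed} field={field} {old!r} -> {new!r}",
              "result=", run_qemu_img(fuzzed))
```

Because only one field changes per run and the seed is recorded, any crash or hang can be reproduced from the (seed, field) pair alone, which is the minimum a fuzzer needs to be useful to the maintainers reading its reports. Kevin's point about meaningful tests applies here too: `qemu-img check` walks the header, L1 table and refcount structures, so corruption of those blocks is actually exercised, whereas a corrupted snapshot table entry would only matter for a command that touches snapshots.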