oss-fuzz
awesome-safety-critical
Our great sponsors
| oss-fuzz | awesome-safety-critical | |
|---|---|---|
| 31 | 12 | |
| 9,907 | 1,520 | |
| 4.4% | - | |
| 9.9 | 4.7 | |
| 3 days ago | 6 days ago | |
| Shell | Python | |
| Apache License 2.0 | Creative Commons Zero v1.0 Universal |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
oss-fuzz
- Xz: Disable ifunc to fix Issue 60259
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
> because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers
for example, https://github.com/google/oss-fuzz/pull/10667
-
Ask HN: Any Good Fuzzer for gRPC?
Have you tried Googles grpc fuzzer?
https://github.com/google/oss-fuzz/blob/master/projects/grpc...
-
Pacemaker should be running open source software
https://www.fda.gov/medical-devices/digital-health-center-ex...
oss-fuzz: https://github.com/google/oss-fuzz :
> We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
> Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.
-
Fuzz Testing Is the Best Thing to Happen to Our Application Tests
I love fuzzing as a technique and use it quite regularly, but running AFL++ on even a single program occupies all threads of a high end AMD server for weeks. I'm running it locally so only paying for the electricity. If it was a cloud instance it would cost a small fortune. I think this is a reason it is not used more widely.
I will note that Google have a programme for doing fuzz testing on open source projects using computer from their cloud: https://google.github.io/oss-fuzz/
- Fixed Spelling Errors or Typos
- ELI5: How can downloading a pdf or word file give you a virus?
- OSS-Fuzz – continuous fuzzing for open source software
-
Mosh: An Interactive Remote Shell for Mobile Clients (2012) [pdf]
Yes, mosh has fuzz tests in oss-fuzz [1].
[1] https://github.com/google/oss-fuzz/tree/master/projects/mosh
-
Java Fuzzing with Jazzer compared to Symflower
We will explore how Jazzer is used to automatically generate malicious inputs for Java programs, and how it compares to Symflower, which can automatically generate unit tests to uncover bugs and errors in your code. With the help of Jazzer, many bugs - some of them even in the OpenJDK - were found already. Also, as of March 2021, Jazzer is officially part of OSS-Fuzz, Google's cloud fuzzing engine. It should be noted that Jazzer is a pure "bug detection" utility that finds reproducers for errors in user code. Symflower can do the same, but provides additional functionalities to boost developer productivity, like generating high coverage unit tests and providing test templates for the software developer or tester.
awesome-safety-critical
-
Aerugo – RTOS for aerospace uses written in Rust
https://awesome-safety-critical.readthedocs.io/en/latest/#so...
-
Pacemaker should be running open source software
awesome-safety-critical: https://awesome-safety-critical.readthedocs.io/en/latest/
FDA > Medical Devices > Cybersecurity:
-
Misra C++:2023 Published
awesome-safety-critical > Coding Guidelines: https://awesome-safety-critical.readthedocs.io/en/latest/
Rust SAST and DAST tools would be great for all, too.
From https://news.ycombinator.com/item?id=35565960 :
> Additional lists of static analysis, dynamic analysis, SAST, DAST, and other source code analysis tools: https://news.ycombinator.com/item?id=24511280 https://analysis-tools.dev/tools?languages=c++
-
Ask HN: Which school produces the best programmers or software engineers?
https://awesome-safety-critical.readthedocs.io/en/latest/#co...
Predict; software quality, career success
By well-rounded do you mean the ACM Computer Science Curriculum; or a strong liberal arts program which emphasizes critical thinking and effective communication; or Emotional Intelligence, Servant Leadership, and Project Management?
InfoSec; Computer Security > Careers: https://en.wikipedia.org/wiki/Computer_security#Careers
The NIST NICE Framework describes Categories (7),
- Learning C as someone who already knows Rust
- NSA urges orgs to use memory-safe programming languages
-
The James Webb Space Telescope Runs JavaScript, Apparently
For a low level view, as how the code actually should look like, I found the JPL C coding guidelines very useful. It had an effect on me on how I wrote C after reading it.
Here's a github hosted version https://github.com/stanislaw/awesome-safety-critical/blob/ma...
-
Ask HN: Is it worth it to learn C to better understand Python?
https://news.ycombinator.com/item?id=28709239 :
> From "Ask HN: Is it worth it to learn C in 2020?" https://news.ycombinator.com/item?id=21878372 : (which discusses [bounded] memory management)
> There are a number of coding guidelines e.g. for safety-critical systems where bounded running time and resource consumption are essential. *These coding guidelines and standards are basically only available for C, C++, and Ada.*
> awesome-safety-critical > Software safety standards: https://awesome-safety-critical.readthedocs.io/en/latest/#so...
> awesome-safety-critical > Coding Guidelines: https://awesome-safety-critical.readthedocs.io/en/latest/#co...
-
Are Software Engineering “best practices” just developer preferences?
Critical systems: https://en.wikipedia.org/wiki/Critical_system
> There are four types of critical systems: safety critical, mission critical, business critical and security critical.
Safety-critical systems > "Software engineering for safety-critical systems" https://en.wikipedia.org/wiki/Safety-critical_system#Softwar...
awesome-safety-critical lists very many resources for safety critical systems: https://awesome-safety-critical.readthedocs.io/en/latest/
There are many certification programs for software and other STEM fields. One test to qualify applicants does not qualify as a sufficient set of controls for safety critical systems that must be resilient, fault-tolerant, and redundant.
-
Half of curl’s vulnerabilities are C mistakes, "could’ve been prevented if curl had been written in Rust"
There are heuristics for memory-unsecure C: https://awesome-safety-critical.readthedocs.io/en/latest/
What are some alternatives?
AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
diodb - Open-source vulnerability disclosure and bug bounty program database
fuzzilli - A JavaScript Engine Fuzzer
safety-gymnasium - NeurIPS 2023: Safety-Gymnasium: A Unified Safe Reinforcement Learning Benchmark
ffmpeg-libav-tutorial - FFmpeg libav tutorial - learn how media works from basic to transmuxing, transcoding and more. Translations: 🇺🇸 🇨🇳 🇰🇷 🇪🇸 🇻🇳 🇧🇷
awesome-python - 📚 Awesome Python Resources (mostly PyCon).
libfuzzer - Thin interface for libFuzzer, an in-process, coverage-guided, evolutionary fuzzing engine.
projects - Contains a list of security related Rust projects.
FFmpeg - Mirror of https://git.ffmpeg.org/ffmpeg.git
analyze - NaiveSystems Analyze is a static analysis tool for code security and compliance.
uafuzz - UAFuzz: Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
ffmpeg-tutorial - A set of tutorials that demonstrates how to write a video player based on FFmpeg