oss-fuzz
concise-encoding
Our great sponsors
oss-fuzz | concise-encoding | |
---|---|---|
31 | 22 | |
9,879 | 255 | |
4.1% | - | |
9.9 | 7.2 | |
1 day ago | 7 months ago | |
Shell | ANTLR | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
oss-fuzz
- Xz: Disable ifunc to fix Issue 60259
-
Backdoor in upstream xz/liblzma leading to SSH server compromise
> because the ifunc code was breaking with all sorts of build options and obviously caused many problems with various sanitizers
for example, https://github.com/google/oss-fuzz/pull/10667
-
Ask HN: Any Good Fuzzer for gRPC?
Have you tried Googles grpc fuzzer?
https://github.com/google/oss-fuzz/blob/master/projects/grpc...
-
Pacemaker should be running open source software
https://www.fda.gov/medical-devices/digital-health-center-ex...
oss-fuzz: https://github.com/google/oss-fuzz :
> We support the libFuzzer, AFL++, and Honggfuzz fuzzing engines in combination with Sanitizers, as well as ClusterFuzz, a distributed fuzzer execution environment and reporting tool.
> Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.
-
Fuzz Testing Is the Best Thing to Happen to Our Application Tests
I love fuzzing as a technique and use it quite regularly, but running AFL++ on even a single program occupies all threads of a high end AMD server for weeks. I'm running it locally so only paying for the electricity. If it was a cloud instance it would cost a small fortune. I think this is a reason it is not used more widely.
I will note that Google have a programme for doing fuzz testing on open source projects using computer from their cloud: https://google.github.io/oss-fuzz/
- Fixed Spelling Errors or Typos
- ELI5: How can downloading a pdf or word file give you a virus?
- OSS-Fuzz – continuous fuzzing for open source software
-
Mosh: An Interactive Remote Shell for Mobile Clients (2012) [pdf]
Yes, mosh has fuzz tests in oss-fuzz [1].
[1] https://github.com/google/oss-fuzz/tree/master/projects/mosh
-
Java Fuzzing with Jazzer compared to Symflower
We will explore how Jazzer is used to automatically generate malicious inputs for Java programs, and how it compares to Symflower, which can automatically generate unit tests to uncover bugs and errors in your code. With the help of Jazzer, many bugs - some of them even in the OpenJDK - were found already. Also, as of March 2021, Jazzer is officially part of OSS-Fuzz, Google's cloud fuzzing engine. It should be noted that Jazzer is a pure "bug detection" utility that finds reproducers for errors in user code. Symflower can do the same, but provides additional functionalities to boost developer productivity, like generating high coverage unit tests and providing test templates for the software developer or tester.
concise-encoding
- Ask HN: What Underrated Open Source Project Deserves More Recognition?
-
It's Time for a Change: Datetime.utcnow() Is Now Deprecated
"Local time" is time zone metadata. I've written a fair bit about timekeeping, because the context of what you're capturing becomes very important: https://github.com/kstenerud/concise-encoding/blob/master/ce...
-
RFC 3339 vs. ISO 8601
This is basically why I ended up rolling my own text date format for Concise Encoding: https://github.com/kstenerud/concise-encoding/blob/master/ct...
ISO 8601 and RFC 3339 are fine for dates in the past, but they're not great as a general time format.
-
Ask HN: Please critique my metalanguage: “Dogma”
This looks similar to https://concise-encoding.org/
Dogma was developed as a consequence of trying to describe Concise Binary Encoding. The CBE spec used to look like the preserves binary spec, full of hex values, tables and various ad-hoc illustrations: https://preserves.dev/preserves-binary.html
Now the CBE formal description looks like this: https://github.com/kstenerud/concise-encoding/blob/master/cb...
And the regular documentation looks like this: https://github.com/kstenerud/concise-encoding/blob/master/cb...
Dogma also does text formats (Concise Encoding has a text and binary format, so I needed a metalanguage that could do both in order to make it less jarring for a reader):
https://github.com/kstenerud/concise-encoding/blob/master/ct...
https://github.com/kstenerud/concise-encoding/blob/master/ct...
- Concise Encoding Design Document
-
Keep ’Em Coming: Why Your First Ideas Aren’t Always the Best
Hey thanks for taking the time to critique!
I actually do have an ANTLR file that is about 90% of the way there ( https://github.com/kstenerud/concise-encoding/tree/master/an... ), so I could use those as a basis...
One thing I'm not sure about is how to define a BNF rule that says for example: "An identifier is a series of characters from unicode categories Cf, L, M, N, and these specific symbol characters". BNF feels very ASCII-centric...
-
Working in the software industry, circa 1989 – Jim Grey
It's still in the prerelease stage, but v1 will be released later this year. I'm mostly getting hits from China since they tend to be a lot more worried about security. I expect the rest of the world to catch on to the gaping security holes of JSON and friends in the next few years as the more sophisticated actors start taking advantage of them. For example https://github.com/kstenerud/concise-encoding/blob/master/ce...
There are still a few things to do:
- Update enctool (https://github.com/kstenerud/enctool) to integrate https://cuelang.org so that there's at least a command line schema validator for CE.
- Update the grammar file (https://github.com/kstenerud/concise-encoding/tree/master/an...) because it's a bit out of date.
- Revamp the compliance tests to be themselves written in Concise Encoding (for example https://github.com/kstenerud/go-concise-encoding/blob/master... but I'll be simplifying the format some more). That way, we can run the same tests on all CE implementations instead of everyone coming up with their own. I'll move the test definitions to their own repo when they're done and then you can just submodule it.
I'm thinking that they should look more like:
c1
-
Breaking our Latin-1 assumptions
Ugh Unicode has been the bane of my existence trying to write a text format spec. I started by trying to forbid certain characters to keep files editable and avoid Unicode rendering exploits (like hiding text, or making structured text behave differently than it looks), but in the end it became so much like herding cats that I had to just settle on https://github.com/kstenerud/concise-encoding/blob/master/ct...
Basically allow everything except some separators, most control chars, and some lookalike characters (which have to be updated as more characters are added to Unicode). It's not as clean as I'd like, but it's at least manageable this way.
-
I accidentally used YAML.parse instead of JSON.parse, and it worked?
You might get a kick out of Concise Encoding then (shameless plug). It focuses on security and consistency of behavior.
In particular:
* How to deal with unrepresentable values: https://github.com/kstenerud/concise-encoding/blob/master/ce...
* Mandatory limits and security considerations: https://github.com/kstenerud/concise-encoding/blob/master/ce...
* Consistent error classification and processing: https://github.com/kstenerud/concise-encoding/blob/master/ce...
-
Ask HN: Who Wants to Collaborate?
In the above example, `&a:` means mark the next object and give it symbolic identifier "a". `$a` means look up the reference to symbolic identifier "a". So this is a map whose "recusive link" key is a pointer to the map itself. How this data is represented internally by the receiver of such a document (a table, a struct, etc) is up to the implementation.
> - Time zones: ASN.1 supports ISO 8601 time types, including specification of local or UTC time.
Yes, this is the major failing of ISO 8601: They don't have true time zones. It only uses UTC offsets, which are a bad idea for so many reasons. https://github.com/kstenerud/concise-encoding/blob/master/ce...
> - Bin + txt: Again, I'm unclear on what you mean here, but ASN.1 has both binary and text-based encodings
Ah cool, didn't know about those.
> - Versioned: Also a little unclear to me
The intent is to specify the exact document formatting that the decoder can expect. For example we could in theory decide make CBE version 2 a bit-oriented format instead of byte-oriented in order to save space at the cost of processing time. It would be completely unreadable to a CBE 1 decoder, but since the document starts with 0x83 0x02 instead of 0x83 0x01, a CBE 1 decoder would say "I can't decode this" and a CBE 2 decoder would say "I can decode this".
With documents versioned to the spec, we can change even the fundamental structure of the format to deal with ANYTHING that might come up in future. Maybe a new security flaw in CBE 1 is discovered. Maybe a new data type becomes so popular that it would be crazy not to include it, etc. This avoids polluting the simpler encodings with deprecated types and bloating the format.
What are some alternatives?
AFLplusplus - The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
cue - The home of the CUE language! Validate and define text-based and dynamic configuration
fuzzilli - A JavaScript Engine Fuzzer
joystick - A full-stack JavaScript framework for building stable, easy-to-maintain apps and websites.
ffmpeg-libav-tutorial - FFmpeg libav tutorial - learn how media works from basic to transmuxing, transcoding and more. Translations: 🇺🇸 🇨🇳 🇰🇷 🇪🇸 🇻🇳 🇧🇷
postal-codes-json-xml-csv - Collection of postal codes in different formats, ready for importing.
libfuzzer - Thin interface for libFuzzer, an in-process, coverage-guided, evolutionary fuzzing engine.
FrameworkBenchmarks - Source for the TechEmpower Framework Benchmarks project
uafuzz - UAFuzz: Binary-level Directed Fuzzing for Use-After-Free Vulnerabilities
futurecoder - 100% free and interactive Python course for beginners
ffmpeg-tutorial - A set of tutorials that demonstrates how to write a video player based on FFmpeg
cue - CUE has moved to https://github.com/cue-lang/cue