Thread: My Proposal (Open for discussion, Not Final) (/showthread.php?tid=367927)
Kodi Community Forum (https://forum.kodi.tv), Forum: GSOC 2022 (https://forum.kodi.tv/forumdisplay.php?fid=317)

My Proposal (Open for discussion, Not Final) - AhmedElShereef - 2022-04-19

USING FUZZ TESTING TO FUZZ TEST KODI
We're going to use a dynamic security testing method, which is fuzzing. Software issues mostly result from badly parsed input/output data/files. We should catch the existing bugs/vulnerabilities in the libraries or in our dependency code by creating a coverage-guided fuzzer which is capable of exploring Kodi's code/files, injecting/testing it with random inputs/data to find bugs that make Kodi crash or fail.
The most important parts are: fuzzer setup, coverage rate, documentation.
For developers, a lot of money and time, if we fuzz before being fuzzed!
Maybe in the next GSoC we are going to try reverse engineering protection as well as exploit development for more secure software.
its own fuzz testing internally (OSS-Fuzz), and if they don't fuzz on their own, we will need to set up fuzzing for these libraries. If they are adopting / have the OSS-Fuzz service/system/technique built into their codebase, we shouldn't fuzz that. E.g., as you mentioned, ffmpeg, which handles video, audio, and other multimedia files and streams, handles its own fuzzing,
that is already fuzzed
libraries if they have files which contain "LLVMFuzzerTestOneInput" // OSS-Fuzz service
It depends on what coverage limit we would go for / cover. There may still be bugs, but they're not easy to reach. Maybe we could run fuzzers in parallel to test that.

RE: My Proposal (Open for discussion, Not Final) - AhmedElShereef - 2022-04-19

I wonder if you would like the final proposal to follow the same outline or not?

RE: My Proposal (Open for discussion, Not Final) - Razze - 2022-04-19

Outline in general seems fine.

Quote: It depends on what coverage limit we would go for / cover. There may still be bugs, but they're not easy to reach. Maybe we could run fuzzers in parallel to test that.

While you will need to run your stuff to test it, the important work you should be doing is getting us the tools, not executing them. That should be out of scope, but we can surely try to document some high-level failures, if we find them.
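
The check mentioned in the first post (look for files containing "LLVMFuzzerTestOneInput"), as an added example that is not part of the thread or of Kodi's code: it walks a directory of dependency source trees and reports which libraries ship a libFuzzer-style harness. The directory layout, function names and sample libraries are assumptions constructed for illustration; finding the entry point shows that a harness exists, not how much of the library it covers.

```python
import os
import tempfile

ENTRY_POINT = b"LLVMFuzzerTestOneInput"  # libFuzzer harness entry point named in the post
SOURCE_EXTS = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}

def find_harnesses(lib_dir):
    """Return sorted relative paths of source files that contain the entry point."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(lib_dir):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTS:
                continue  # docs and build files that only mention the symbol do not count
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if ENTRY_POINT in fh.read():
                        hits.append(os.path.relpath(path, lib_dir))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)

def triage(deps_root):
    """Map each library directory under deps_root to its harness files ([] = none found)."""
    return {
        lib: find_harnesses(os.path.join(deps_root, lib))
        for lib in sorted(os.listdir(deps_root))
        if os.path.isdir(os.path.join(deps_root, lib))
    }

def build_sample_tree(root):
    """Constructed sample input: two made-up libraries, one with a harness, one without."""
    files = {
        "libwithfuzz/tests/fuzz_parse.c":
            "#include <stdint.h>\n#include <stddef.h>\n"
            "int LLVMFuzzerTestOneInput(const uint8_t *d, size_t n) { return 0; }\n",
        "libwithfuzz/README.md": "mentions LLVMFuzzerTestOneInput in docs only\n",
        "libnofuzz/src/parse.c": "int parse(const char *s) { return s != 0; }\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for lib, harnesses in triage(root).items():
            print(lib, "harness:" if harnesses else "no harness found", *harnesses)
```

Libraries that map to an empty list are the candidates for new harnesses; the others still need their existing coverage reviewed before being ruled out.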