From 3eac4444a9ae03cb6def8ba642787a256f454a01 Mon Sep 17 00:00:00 2001
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:15:15 +0000
Subject: [PATCH] Add fuzzing audit blog post (#5827)

Signed-off-by: Adam Korczynski
Co-authored-by: Tiffany Hrabusa <30397949+tiffany76@users.noreply.github.com>
Co-authored-by: Severin Neumann
Co-authored-by: Severin Neumann
Co-authored-by: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
---
 content/en/blog/2024/fuzzing-audit-results.md | 72 +++++++++++++++++++
 static/refcache.json | 12 ++++
 2 files changed, 84 insertions(+)
 create mode 100644 content/en/blog/2024/fuzzing-audit-results.md

diff --git a/content/en/blog/2024/fuzzing-audit-results.md b/content/en/blog/2024/fuzzing-audit-results.md
new file mode 100644
index 000000000000..a3ad3552a51b
--- /dev/null
+++ b/content/en/blog/2024/fuzzing-audit-results.md
@@ -0,0 +1,72 @@
+---
+title: OpenTelemetry Collector Completes Fuzzing Audit
+linkTitle: Fuzzing Audit Results
+date: 2024-12-20
+author: '[Adam Korczynski](https://github.com/AdamKorcz)'
+issue: 5798
+sig: GC
+cSpell:ignore: Korczynski containerd
+---
+
+OpenTelemetry is happy to announce the completion of the Collector's fuzzing
+audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by
+[Ada Logics](https://adalogics.com/). The audit marks a significant step in the
+OpenTelemetry project, ensuring the security and reliability of the Collector
+for its users.
+
+## What is fuzzing?
+
+Fuzzing is a testing technique that executes an API with a high amount of
+pseudo-random inputs and observes the API's behavior. The technique has
+increased in popularity due to its empirical success in finding security
+vulnerabilities and reliability issues. Fuzzing initially developed with a focus
+on testing software implemented in memory-unsafe languages, where it has been
+most productive. However, in recent years, fuzzing has expanded to memory-safe
+languages as well.
+
+Over several years, the CNCF has invested in fuzzing for its ecosystem. This
+testing has found numerous security vulnerabilities in widely used projects such
+as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the
+Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane
+(CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049).
+
+## OSS-Fuzz
+
+To initiate the audit, Ada Logics auditors integrated the OpenTelemetry
+Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a
+service offered by Google to critical open source projects, free of charge. The
+service runs a project's fuzzers with excess resources multiple times per week.
+If OSS-Fuzz finds a crash, it notifies the project. It then checks if the
+project has fixed the crash upstream and if so, marks the issue(s) as fixed. The
+whole workflow happens continuously on Google's fuzzing infrastructure,
+supported by thousands of CPU cores. These testing resources outperform what
+developers or malicious threat actors can muster.
+
+## The tests
+
+After the Ada Logics team integrated OpenTelemetry into OSS-Fuzz, the next step
+was to write a series of fuzz tests for the OpenTelemetry Collector. The
+auditors wrote 49 fuzz tests for core components of the Collector, as well as
+several receivers and processors in the `opentelemetry-collector-contrib`
+repository.
+
+The fuzz tests were left to run while the audit team observed their health in
+production. At the completion of the fuzzing audit, the 49 fuzz tests on the
+OSS-Fuzz platform were healthy.
+
+To ensure continued reliability, the fuzz testing continues on the Collector
+even though the audit is complete.
+
+## The results so far
+
+Fuzz testing for the Collector is ongoing, allowing for changes to the project
+to be tested as well. As of the date of this post, no crashes have been
+detected.
+
+But the work is not done! The Ada Logics team created the Collector's fuzzing
+setup as a reference implementation that other OpenTelemetry subprojects can
+rely on to create their own fuzz testing, ensuring greater stability for the
+project as a whole.
+
+For more insight into the audit process, see the
+[published summary](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf).
diff --git a/static/refcache.json b/static/refcache.json
index ee2e246570dd..707a9a56df52
--- a/static/refcache.json
+++ b/static/refcache.json
@@ -59,6 +59,10 @@ "StatusCode": 200, "LastSeen": "2024-08-09T10:46:17.075695-04:00" }, + "https://adalogics.com/": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:22.847313555Z" + }, "https://adri-v.medium.com/43dca4a857a0": { "StatusCode": 200, "LastSeen": "2024-02-23T23:30:53.006527-05:00"
@@ -3899,6 +3903,10 @@ "StatusCode": 200, "LastSeen": "2024-08-06T15:19:48.633928+02:00" }, + "https://github.com/AdamKorcz": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:22.289195232Z" + }, "https://github.com/AkhigbeEromo": { "StatusCode": 200, "LastSeen": "2024-12-17T15:37:25.440239-05:00" @@ -5251,6 +5259,10 @@ "StatusCode": 200, "LastSeen": "2024-11-07T20:32:07.730871-05:00" }, + "https://github.com/google/oss-fuzz": { + "StatusCode": 200, + "LastSeen": "2024-12-20T14:53:23.420338032Z" + }, "https://github.com/google/pprof": { "StatusCode": 200, "LastSeen": "2024-10-24T15:10:16.695786+02:00"