[tbb-bugs] #24154 [Applications/Tor Browser]: Look into fuzzing our tor-browser patches

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 1 13:33:46 UTC 2017

#24154: Look into fuzzing our tor-browser patches
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  TorBrowserTeam201711,                |  Actual Points:
  GeorgKoppen201711                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4

Comment (by gk):

 To sum up on where we are with this:

 To get started with fuzzing the Firefox codebase it seems worth trying to
 get our own patches under scrutiny first. Firefox itself is regularly
 fuzzed by an own, specialized team targeting different components (like
 the JS engines).

 As we don't have any JS engine patches ourselves there is no need for
 looking for a specialized tool in that area. Instead I started to look
 into `domfuzz` (https://github.com/MozillaSecurity/domfuzz) while glancing
 over `domato` (https://github.com/google/domato) which we might deploy
 later on.

 I got `domfuzz` running locally and started fuzzing our code using ASan
 builds (see: #21998 and #24478). There are some challenges we might want
 to consider, though, to make this a smoother and more successful

 1) We are using ESR 52 and git and the fuzzing code is expecting `mozilla-
 central` and a mercurial repo. We can work around that but might benefit
 from the idea to at least rebase our patches to `mozilla-central`
 regularly (see: https://lists.torproject.org/pipermail/tbb-
 dev/2017-November/000669.html) and use that. That might as help with the
 plan to discover issues in the Firefox codebase itself.

 2) Doing fuzzing on local computer does not scale and does not give good
 results. Thus, we need to get dedicated machines for that thinking about
 budget etc. I asked Mozilla if we could share resources somehow but they
 declined for good reasons. But they are willing to help us to duplicate
 their infrastructure or at least to get their tools running for us.

 3) There is currently no process established to get the feedback from the
 fuzzing efforts back into the development cycle (like ticket creation,
 ticket assignments and working on them).

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24154#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list