libgmp differential fuzzer running on Google's oss-fuzz
Guido Vranken
guidovranken at gmail.com
Wed Jul 11 15:42:20 UTC 2018
The fuzzer extracts 4 (large) integers, A, B, C, D from a buffer generated
by the fuzzing engine. Then arithmetic operations are performed on these
numbers, e.g.:
A = B + C
A = B - C
A = B / C
Etc. These operations are executed in tandem across two bignum libraries,
for example OpenSSL and libgmp. If the results don't match, an error is
raised and the system sends an e-mail. Beyond the differential aspect
(compare output of calculations), it also detects undefined behavior (e.g.
signed integer overflow) and memory errors (buffer overflow etc.).
Per your wish I will notify this list as soon as a legitimate bug has been
found.
Guido
On Wed, Jul 11, 2018, 17:24 Torbjörn Granlund <tg at gmplib.org> wrote:
> Guido Vranken <guidovranken at gmail.com> writes:
>
> I built a bignum differential fuzzer [1] that has been running on
> Google's oss-fuzz service [2] for a while. It performs the same
> mathematical operations (addition, subtraction, multiplication,
> modular exponentiation, etc) across multiple bignum libraries (
> currently OpenSSL, Go, Rust, C++ Boost, libgmp), compares their
> results and crashes if they don't match. This effort has so far
> found a couple of (minor) bugs in OpenSSL and Go.
>
> What is the "fuzz" in the case of arithmetic?
>
> I understand the test concept of fuzzing as feeding something (like a
> parser) with slightly incorrect input, with the inserted errors being
> (pseudo) randomly selected.
>
> Or is fuzzing perhaps a novel term for testing?
>
> As soon as a mismatch is found, oss-fuzz will send a notification
> e-mail to the developers of the various bignum libraries so the bug
> can be examined and resolved.
>
> At which e-mail address(es) do the
> developers of libgmp wish to receive these notifications?
>
> Do any perceived errors automatically generate mail?
>
> I do not want a perpetually running test program to send me email. Some
> other GMP developer might want such mail.
>
> But if you find some suspected error in GMP, please investigate it
> manually and report it to the gmp-bugs mailing list.
>
> External testing of GMP is a very good thing. The GMP test suite is
> great, but it is written by the very same developers who wrote GMP; we
> might have missed some aspect.
>
> --
> Torbjörn
> Please encrypt, key id 0xC8601622
>
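To make the harness structure described above concrete (integers cut from a fuzz buffer, each operation run in a reference and a second implementation, mismatches reported only where the operation is defined), here is an added example that is not Guido's fuzzer code. It assumes Python's built-in int as the reference, a hand-written long division and a hand-written modular exponentiation as the "second library", and gives the latter a constructed bug (result initialised to 1 rather than 1 % d) of the kind such a comparison surfaces.

```python
WIDTH = 32  # bytes per integer; four integers are cut from the front of the fuzz buffer

def extract_ints(buf, count=4):
    """Cut `count` unsigned big-endian integers from the buffer; empty list if too short."""
    if len(buf) < count * WIDTH:
        return []
    return [int.from_bytes(buf[i * WIDTH:(i + 1) * WIDTH], "big") for i in range(count)]

def div_long(b, c, d):
    """Bitwise long division of b by c (d unused): stands in for a second library's division."""
    q = r = 0
    for bit in bin(b)[2:]:
        r = (r << 1) | int(bit)
        q <<= 1
        if r >= c:
            r -= c
            q |= 1
    return q

def modexp_under_test(b, c, d):
    """Right-to-left square-and-multiply with a constructed bug: result starts at 1 rather
    than 1 % d, so b**0 mod 1 comes back as 1 where the reference gives 0."""
    result, b = 1, b % d
    while c:
        if c & 1:
            result = result * b % d
        b = b * b % d
        c >>= 1
    return result

# name -> (reference, implementation under test, guard saying when the op is defined)
OPS = {
    "div": (lambda b, c, d: b // c, div_long, lambda b, c, d: c != 0),
    "modexp": (lambda b, c, d: pow(b, c, d), modexp_under_test, lambda b, c, d: d != 0),
}

def run_case(buf, ops=OPS):
    """One fuzz iteration: run every operation in both implementations and report mismatches."""
    ints = extract_ints(buf)
    if not ints:
        return []
    _, B, C, D = ints  # slot A only receives results in the original description
    mismatches = []
    for name, (ref, impl, defined) in ops.items():
        if not defined(B, C, D):  # skip inputs the operation leaves undefined (e.g. C == 0)
            continue
        expect, got = ref(B, C, D), impl(B, C, D)
        if expect != got:
            mismatches.append((name, f"B={B} C={C} D={D}: ref={expect} impl={got}"))
    return mismatches
```

A real harness would hand `buf` straight from the fuzzing engine and build with sanitizers so that memory errors and undefined behaviour are caught alongside result mismatches.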