Welcome to the regression vm!

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Welcome to the regression vm!

Tim Allison
Tobias,
  I'm sorry for my delay. We welcome you to use our regression vm
hosted by Rackspace for fuzzing work to identify vulnerabilities.  Our
one request: we ask that you pause/stop your processes when we need to
run regression tests before a release.
   Email me privately with your desired username.  Welcome and thank you!

              Cheers,
                                 Tim

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Welcome to the regression vm!

Tobias Ospelt
Hi everyone,

Thank you for the opportunity. Currently I'm very busy at work, but I'm
sure I'll be able to setup some fuzzers in the next few weeks.

Of course I can stop/pause the processes when the regression tests are
on, that's no problem. You are also allowed to just kill the processes
whenever necessary.

Just so there is no miscommunication, fuzzers usually use 100% CPU
(that's the bottleneck) but can also get a little greedy with memory and
other resources such as disc space. In the end we are trying to trigger
edge cases and due to the nature of instrumented fuzzers, they tend to
"like" situations that are strange (e.g. deep nested structures, etc.).
Of course it is possible to kill the processes, clean the disc space,
etc. but there is always a slight chance that the fuzzer is going to do
something unexpected.

A little example (that is unlikely though in the Java area): A fuzzer
once filled up an output directory with several thousand files with
arbitrary (full byte range) file names, because it figured out how to
use a memory corruption to overwrite the memory area that was storing
the output file name. This is not likely to happen with Java targets,
but you can imagine what would have happened once it would have figured
out what ../ is for.

If you want to read a little more about the AFL fuzzer that is the basis
for the JQF fuzzer I'm going to use, I recommend this:

https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html

So my questions are:
1. Is it OK that 100% CPU is used when no regression tests are taking place?
2. Is there any data on the VM that is not backed up somewhere else?
3. Are there any other sort of "cost" involved (cpu usage, disc space,
etc.) for you?
4. Can you do snapshots of the VM? That would probably be a very
convenient way to restore if anything goes wrong (unlikely but can not
be ruled out completely).

I'll send you a username privately.

Best regards,
Tobi

Tobias Ospelt <[hidden email]>

mobile phone:    +41.79.2617365     phone:          +41.44.500.5731
Key fingerprint = 526A 11EC 3E2A 7E45 DA85 CAF3 DA85 B579 776C B69D

modzero AG Schweiz / Technoparkstr. 2 / CH-8406 Winterthur
   HRB CH-020.3.036.501-1 / MwSt. ID: CH-236.520.692 MWST

modzero GmbH Deutschland / Marienstr. 12 / DE-10117 Berlin
   HRB 147824 B (Charlottenburg) / USt. ID: DE288107996

Geschaeftsleiter/Managing Directors: Max Moser & Thorsten Schroeder

This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail
by mistake)  please notify the sender  immediately and destroy this
e-mail. Any unauthorized copying, disclosure or distribution of the
material in this e-mail is strictly forbidden.

On 28.09.18 13:04, Tim Allison wrote:

> Tobias,
>   I'm sorry for my delay. We welcome you to use our regression vm
> hosted by Rackspace for fuzzing work to identify vulnerabilities.  Our
> one request: we ask that you pause/stop your processes when we need to
> run regression tests before a release.
>    Email me privately with your desired username.  Welcome and thank you!
>
>               Cheers,
>                                  Tim
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Welcome to the regression vm!

Tim Allison
Tobias,
  I just gave you access to the vm and sent login stuff to you
personally.  I have to update some groups and permissions, but I'll
let you know when that is ready.
  Let me know if you have problems getting on.

          Best,

                   Tim

> 1. Is it OK that 100% CPU is used when no regression tests are taking place?
Y.  Have at it!

> 2. Is there any data on the VM that is not backed up somewhere else?
Not really.  Not all is backed up as is, but we should be able to
regenerate it all fairly quickly.

> 3. Are there any other sort of "cost" involved (cpu usage, disc space,
> etc.) for you?
no on cpu, yes on disc, but we've provisioned 4x 1TB drives.  I'll
clear most of one off for you.

> 4. Can you do snapshots of the VM? That would probably be a very
> convenient way to restore if anything goes wrong (unlikely but can not
> be ruled out completely).

I'd have to look into this.  Generally we should treat this vm as
ephemeral given my, um, talents as a sysadmin.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]