| 1 | +--- |
| 2 | +title: OpenTelemetry Collector Completes Fuzzing Audit |
| 3 | +linkTitle: Fuzzing Audit Results |
| 4 | +date: 2024-12-20 |
| 5 | +author: '[Adam Korczynski](https://github.com/AdamKorcz)' |
| 6 | +issue: 5798 |
| 7 | +sig: GC |
| 8 | +cSpell:ignore: Korczynski containerd |
| 9 | +--- |
| 10 | + |
| 11 | +OpenTelemetry is happy to announce the completion of the Collector's fuzzing |
| 12 | +audit sponsored by [the CNCF](https://www.cncf.io/) and carried out by |
| 13 | +[Ada Logics](https://adalogics.com/). The audit marks a significant step in the |
| 14 | +OpenTelemetry project, ensuring the security and reliability of the Collector |
| 15 | +for its users. |
| 16 | + |
| 17 | +## What is fuzzing? |
| 18 | + |
| 19 | +Fuzzing is a testing technique that executes an API with a high amount of |
| 20 | +pseudo-random inputs and observes the API's behavior. The technique has |
| 21 | +increased in popularity due to its empirical success in finding security |
| 22 | +vulnerabilities and reliability issues. Fuzzing initially developed with a focus |
| 23 | +on testing software implemented in memory-unsafe languages, where it has been |
| 24 | +most productive. However, in recent years, fuzzing has expanded to memory-safe |
| 25 | +languages as well. |
| 26 | + |
| 27 | +Over several years, the CNCF has invested in fuzzing for its ecosystem. This |
| 28 | +testing has found numerous security vulnerabilities in widely used projects such |
| 29 | +as Helm (CVE-2022-36055, CVE-2022-23524, CVE-2022-23526, CVE-2022-23525), the |
| 30 | +Notary project (CVE-2023-25656), containerd (CVE-2023-25153), Crossplane |
| 31 | +(CVE-2023-28494, CVE-2023-27483) and Flux (CVE-2022-36049). |
| 32 | + |
| 33 | +## OSS-Fuzz |
| 34 | + |
| 35 | +To initiate the audit, Ada Logics auditors integrated the OpenTelemetry |
| 36 | +Collector into [OSS-Fuzz](https://github.com/google/oss-fuzz). OSS-Fuzz is a |
| 37 | +service offered by Google to critical open source projects, free of charge. The |
| 38 | +service runs a project's fuzzers with excess resources multiple times per week. |
| 39 | +If OSS-Fuzz finds a crash, it notifies the project. It then checks if the |
| 40 | +project has fixed the crash upstream and if so, marks the issue(s) as fixed. The |
| 41 | +whole workflow happens continuously on Google's fuzzing infrastructure, |
| 42 | +supported by thousands of CPU cores. These testing resources outperform what |
| 43 | +developers or malicious threat actors can muster. |
| 44 | + |
| 45 | +## The tests |
| 46 | + |
| 47 | +After the Ada Logics team integrated OpenTelemetry into OSS-Fuzz, the next step |
| 48 | +was to write a series of fuzz tests for the OpenTelemetry Collector. The |
| 49 | +auditors wrote 49 fuzz tests for core components of the Collector, as well as |
| 50 | +several receivers and processors in the `opentelemetry-collector-contrib` |
| 51 | +repository. |
| 52 | + |
| 53 | +The fuzz tests were left to run while the audit team observed their health in |
| 54 | +production. At the completion of the fuzzing audit, the 49 fuzz tests on the |
| 55 | +OSS-Fuzz platform were healthy. |
| 56 | + |
| 57 | +To ensure continued reliability, the fuzz testing continues on the Collector |
| 58 | +even though the audit is complete. |
| 59 | + |
| 60 | +## The results so far |
| 61 | + |
| 62 | +Fuzz testing for the Collector is ongoing, allowing for changes to the project |
| 63 | +to be tested as well. As of the date of this post, no crashes have been |
| 64 | +detected. |
| 65 | + |
| 66 | +But the work is not done! The Ada Logics team created the Collector's fuzzing |
| 67 | +setup as a reference implementation that other OpenTelemetry subprojects can |
| 68 | +rely on to create their own fuzz testing, ensuring greater stability for the |
| 69 | +project as a whole. |
| 70 | + |
| 71 | +For more insight into the audit process, see the |
| 72 | +[published summary](https://github.com/open-telemetry/community/blob/main/reports/ADA_Logics-collector-fuzzing-audit-2024.pdf). |
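Review bot: the claims in lines 13-15 and 42-43 overstate what a clean fuzzing run establishes, and the post gives readers no pointer to the fuzz tests it calls a reference implementation. "ensuring the security and reliability of the Collector" should be softened to something like "strengthening the security and reliability of the Collector", since the results section itself only says no crashes have been found so far; likewise "These testing resources outperform what developers or malicious threat actors can muster" is not something the post can support for every adversary, so "typically exceed what individual developers can muster" is safer. For the "reference implementation that other OpenTelemetry subprojects can rely on" statement (lines 66-69) to be actionable, link the directory holding the 49 fuzz tests in the core and `opentelemetry-collector-contrib` repositories, or the OSS-Fuzz project entry, alongside the published summary. Two small grammar fixes: "Fuzzing initially developed with a focus on" (line 22) should read "Fuzzing was initially developed with a focus on", and "a high amount of pseudo-random inputs" (line 19) should be "a large number of pseudo-random inputs".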