[Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components?
Charles Neill
charles.neill at RACKSPACE.COM
Wed Jun 17 15:57:44 UTC 2015
I'm actually working on some (very simple) fuzzing tests for the Barbican project right now. I've realized that using a Python client that is strictly defined for sending "good" data to an API isn't necessarily the best mechanism for truly fuzzing that API. For example, the "requests" lib chokes on trying to convert unicode strings to ascii in HTTP request headers.
I'm contemplating using something like sulley (link: https://github.com/OpenRCE/sulley) for deeper fuzzing, but I don't have time to really dig into it at the moment. I'd love to hear others' thoughts on this problem.
Cheers,
Charles Neill
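The encoding problem above has a concrete cause: Python's http.client, which the "requests" library sits on top of, encodes every header value as latin-1 before anything reaches the socket, so a non-latin-1 string fails with UnicodeEncodeError on the client side and the API under test never sees it. The following added example (my own illustration, not Barbican or Tempest code) shows how to tell which values the client stack will refuse and how a fuzz harness can assemble the request bytes itself so the server, not the client, is what gets exercised. The host name and fuzz cases are constructed, and send_raw is meant only for a test deployment you control.

```python
"""Raw HTTP request builder for API fuzz cases that a client library refuses to send.

Added example, not project code. http.client encodes header values with
latin-1, so anything outside that range never leaves the client; a fuzzing
harness that wants the server's behaviour has to write the bytes itself.
"""
from __future__ import annotations

import socket
from typing import Iterable, List, Tuple


def latin1_safe(value: str) -> bool:
    """True if http.client could encode this header value (it uses latin-1)."""
    try:
        value.encode("latin-1")
    except UnicodeEncodeError:
        return False
    return True


def build_raw_request(method: str, path: str, host: str,
                      headers: Iterable[Tuple[bytes, bytes]],
                      body: bytes = b"") -> bytes:
    """Assemble an HTTP/1.1 request with header values passed through as raw bytes.

    Nothing is validated or re-encoded; that is the point of the helper.
    """
    lines: List[bytes] = [
        f"{method} {path} HTTP/1.1".encode("ascii"),
        b"Host: " + host.encode("ascii"),
        b"Content-Length: " + str(len(body)).encode("ascii"),
        b"Connection: close",
    ]
    for name, value in headers:
        lines.append(name + b": " + value)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def header_fuzz_cases() -> List[Tuple[str, bytes]]:
    """Constructed header values that a strict client rejects before the API sees them."""
    return [
        ("non-latin1 utf-8", "\u4e2d\u6587".encode("utf-8")),
        ("lone utf-8 continuation byte", b"\x80abc"),
        ("embedded NUL", b"tok\x00en"),
        ("overlong value", b"A" * 65536),
    ]


def send_raw(request: bytes, host: str, port: int, timeout: float = 5.0) -> bytes:
    """Write the request bytes to a socket and read the whole response (test targets only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed target; no network traffic is generated here, only request bytes.
    for label, value in header_fuzz_cases():
        req = build_raw_request("GET", "/v1/secrets", "localhost:8080",
                                [(b"X-Auth-Token", value)])
        print(f"{label}: {len(req)} bytes, client-sendable as str: "
              f"{latin1_safe(value.decode('utf-8', 'replace'))}")
```

The response parsing is deliberately left to the caller: for a fuzz run the interesting signals are the status line, a 5xx, a connection reset, or a timeout, and those are easier to classify on the raw bytes than through a client object that has already decided what a valid response looks like.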
From: Clark, Robert Graham <robert.clark at hp.com>
Date: Wednesday, June 17, 2015 at 5:32 AM
To: Timur Nurlygayanov <tnurlygayanov at mirantis.com>, "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components?
Fuzzing with Tempest is something that was discussed at the last summit, I think Rackspace had some interesting work that they wanted to share but I might be misremembering.
One of the issues is that unless you’re looking for issues in the python libraries used for handling the APIs (which would be interesting to find), message/protocol fuzzing is pretty limited; instead we need something that really understands the API to perform fuzzing to find things that logically shouldn’t be allowed to happen – many of these will be broken state issues.
-Rob
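The "broken state" fuzzing Rob describes needs a harness that carries a model of what the API should have done, not just a generator of odd bytes. The following added example (my own illustration, not OpenStack code) drives random create/get/delete sequences against a toy in-memory secret store and, after every step, compares the API's answers with a reference model: deleted secrets must return 404 and one tenant must never read another's secret. The store, the planted read-cache bug in CachingSecretStore and the tenant names are all constructed for the example.

```python
"""Model-based sequence fuzzing against a toy secret-store API.

Added example, not project code. Every operation is applied to the system
under test and mirrored in a small reference model; after each step the
model's expectations are checked against what the API actually returns.
"""
from __future__ import annotations

import random
from typing import Dict, List, Optional, Tuple


class SecretStore:
    """Minimal in-memory API: create/get/delete scoped to a tenant id (constructed)."""

    def __init__(self) -> None:
        self._store: Dict[int, Tuple[str, bytes]] = {}
        self._next_id = 1

    def create(self, tenant: str, payload: bytes) -> int:
        sid = self._next_id
        self._next_id += 1
        self._store[sid] = (tenant, payload)
        return sid

    def get(self, tenant: str, sid: int) -> Tuple[int, Optional[bytes]]:
        entry = self._store.get(sid)
        if entry is None or entry[0] != tenant:
            return 404, None  # missing, or owned by another tenant
        return 200, entry[1]

    def delete(self, tenant: str, sid: int) -> int:
        entry = self._store.get(sid)
        if entry is None or entry[0] != tenant:
            return 404
        del self._store[sid]
        return 204


class CachingSecretStore(SecretStore):
    """Same API plus a read cache that delete() never invalidates (planted bug)."""

    def __init__(self) -> None:
        super().__init__()
        self._cache: Dict[Tuple[str, int], bytes] = {}

    def get(self, tenant: str, sid: int) -> Tuple[int, Optional[bytes]]:
        key = (tenant, sid)
        if key in self._cache:
            return 200, self._cache[key]
        status, payload = super().get(tenant, sid)
        if status == 200 and payload is not None:
            self._cache[key] = payload
        return status, payload


def run_fuzz(api: SecretStore, seed: int, steps: int) -> List[str]:
    """Drive random operation sequences and return every invariant violation seen."""
    rng = random.Random(seed)
    tenants = ["tenant-a", "tenant-b"]
    live: Dict[int, str] = {}    # model: secret id -> owning tenant
    deleted: List[int] = []      # model: ids that must now answer 404
    violations: List[str] = []

    def check_invariants() -> None:
        # These reads are real API calls too, so they warm any read cache
        # the system under test has, just as client traffic would.
        for sid in deleted:
            for t in tenants:
                status, _ = api.get(t, sid)
                if status != 404:
                    violations.append(f"deleted secret {sid} readable by {t} ({status})")
        for sid, owner in live.items():
            for t in tenants:
                status, _ = api.get(t, sid)
                if t == owner and status != 200:
                    violations.append(f"owner {t} cannot read live secret {sid} ({status})")
                if t != owner and status == 200:
                    violations.append(f"{t} can read secret {sid} owned by {owner}")

    for _ in range(steps):
        op = rng.choice(["create", "get", "delete"])
        tenant = rng.choice(tenants)
        if op == "create" or not live:
            payload = bytes(rng.getrandbits(8) for _ in range(8))
            live[api.create(tenant, payload)] = tenant
        elif op == "get":
            api.get(tenant, rng.choice(list(live)))
        else:
            sid = rng.choice(list(live))
            status = api.delete(tenant, sid)
            if tenant == live[sid]:
                if status != 204:
                    violations.append(f"owner {tenant} could not delete {sid} ({status})")
                live.pop(sid)
                deleted.append(sid)
            elif status != 404:
                violations.append(f"{tenant} deleted secret {sid} owned by {live[sid]} ({status})")
        check_invariants()
    return violations


if __name__ == "__main__":
    print("correct store:", run_fuzz(SecretStore(), seed=1, steps=200))
    print("caching store:", run_fuzz(CachingSecretStore(), seed=1, steps=200)[:3])
```

The model here is tiny, but it is what turns a random sequence into a test: a plain protocol fuzzer would see a 200 after a delete and have no way to know that is wrong. Against a real API the same shape applies, with the model tracking whatever state the service exposes (tenant, lifecycle status, ACLs) and the invariant checks expressed as authenticated reads.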
From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com]
Sent: 15 June 2015 18:21
To: openstack-security at lists.openstack.org
Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components?
Hi team,
Looks like we are using the Bandit framework [1] for static analysis of the code of different OpenStack components, but I can't find any integration security tests for OpenStack components. Do we have some additional open-source test framework / test suite for security testing of OpenStack components?
I found the blueprint in Tempest about fuzzy testing [2], so we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes.
Do we have a list of scenarios that we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues; it will be really helpful if you can share some ideas about tests that we have to create.
Thank you!
[1] https://github.com/stackforge/bandit
[2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test
--
Timur,
Senior QA Engineer
OpenStack Projects
Mirantis Inc