HTTP Filter Fuzzing

[asraa]

Objectives

1. Provide a common interface to fuzz all HTTP filters.
2. Make it easy for filter authors to create their own filter fuzz target.
3. Create a healthy fuzzer from the beginning.
   • These should be optimized for speed, and ideally they should be stateless at first.
   • Sizeable corpus data (see Inputs and Corpus)

Target
Starting with just Decoder Filters, the fuzz target should execute each of the decode methods, decodeHeaders, decodeData, decodeTrailers and decodeMetadata. The inputs to these methods should be fuzzed. The common interface should implement these methods. For example:

class DecoderFuzzFilter  {
  public:
        DecoderFuzzFilter();

        void fuzz(const fuzz::HttpData& request) {
            filter_->decodeHeaders(request.headers(), false);
            filter_->decodeData(request.data(), false);
            filter_->decodeTrailers(request.trailers());
            filter_->decodeMetadata(request.metadata());
        }

        NiceMock<Http::MockStreamDecoderFilterCallbacks> callbacks_;
        std::unique_ptr<Http::StreamDecoderFilter> filter_;
}

Writers of individual filter fuzzers would be responsible for extending this base class, writing a constructor that initializes the filter_, and then writing the fuzz target like:

DEFINE_PROTO_FUZZER(const test::extensions::filters::http::buffer::BufferFuzzTestCase& input) {
       BufferFuzzFilter filter(input.config());
       filter.fuzz(input.request());
}

Inputs and Corpus
Input will consist of:

1. Filter configuration data.
2. HTTP request/response data (headers, data, trailers, and metadata)

message ExampleFilterFuzzTestCase {
        envoy.config.filter.http.example.v2.ExampleFilterConfig config = 1;

        HttpData request = 2;
}

HttpData is the untrusted data that the filters encode and decode. This data could be used in every filter fuzzer. For example, a HeaderMap with missing Host header should be tested against all filters to ensure that they don't hit a null pointer dereference. If the common HTTP filter fuzz directory /test/extensions/filters/http/common/fuzz/http_data contained these common request protobufs, and each filter contained it's own default_configuration, we could use a bazel genrule to concatenate each common request file with the default config to produce valid corpus entries.

Future Goals
Here are some future goals, and I'm most interested to see how to design the framework to adapt to these goals easily.

1. Support fuzzing a filter chain.
2. Support stateful fuzzing of the filters.
3. Support filter specific validations.
   • As a first step, the fuzzers should simply running decode and encode methods of the filters to catch crashes. If the behavior is easy enough to predict or model with an abstract filter, filter classes can extend the base class to define their own validate(input) methods to expect behavior. (TODO: add this to the POC for buffer_filter_test)

See #9400 for a POC, but there are many TODOs in this.

Open Questions

1. How should end_stream be handled? They could be handled with bools in the input, or the design could take a more stateful turn and we could instead fuzz a valid sequence of Headers, Data and Trailers.

[mattklein123]

@asraa this is awesome and something I really want to see land.

How should end_stream be handled? They could be handled with bools in the input, or the design could take a more stateful turn and we could instead fuzz a valid sequence of Headers, Data and Trailers.

I mentioned this in the RFC PR you opened, but I think the main issue you are going to face almost immediately is that the fuzzer is going to have to be stateful. I'm positive you will hit asserts, crashes, etc. otherwise. Essentially this will involve correctly handling end_stream and not calling further methods which the filter would not reasonably expect.

My fear however is that this is going to get very complicated very fast, as I think you will also have to deal with filter callbacks in a sane way. My ultimate fear is that we are going to end up reimplementing a bunch of the HCM in order to run the fuzzer correctly.

Stepping back, one of the things that has been discussed is decomposing the HCM for better understandability, testability, etc. What I wonder is whether we should first try to split out some of the filter management code from the HCM, and then somehow use that to drive both the real code and the fuzzer?

WDYT?

[asraa]

Hm. The goal of the smallest style of filter fuzzer (rather than a chain fuzzer) would be to get coverage over the implementation of the filter. But even then, like you said, I think trouble points to getting maximal coverage would be from handling end_stream, filter callbacks, and simulating time.

I made a change in to the POC to take repeated Data and call end_stream on the last encodeHeader (if no data) or the last encodeData (if no trailers), but I think this still may not be enough.

Yes -- I think splitting out some of the filter management code is the best way to handle fuller, more realistic filter fuzzers. Even splitting out an ActiveStream in the HCM would help. Is there an issue tracking this already? For centralized suggestions about refactoring the HCM.

[mattklein123]

Is there an issue tracking this already? For centralized suggestions about refactoring the HCM.

I don't think so, but @htuch might have opened one as this is something I have discussed with him offline. Also, I think @goaway has a patch you might be able to start with from some work he was doing on Envoy Mobile. Let's chat about this after the holidays?

[asraa]

Sounds good -- one point I've already come across is dissociating Filter creation from Active Streams.
I can't use the factories to find all filters and create appropriate ones based on the proto without looping in a new active stream. (createFilterFactoryFromProto wraps the creation of a filter chain for a new stream).

[htuch]

I agree that long term we're going to have to have some of the state and sequencing logic that exists in HCM in the fuzzer. Taking a step back, I can see a ton of value in a generic filter fuzzer that is as simple as a stateless decodeHeaders() fuzzer. It wouldn't handle complex filters, but it would be a good default filter fuzz and probably catch a ton of bugs. It's kind of reasonable to extend this with some simple state to at least tracking the stream continuation and end status. Beyond that, I agree, it gets really tricky with callbacks, but we can get the low hanging fruit here I reckon without too much pain.

[mattklein123]

This is done at a high level. Let's open issues for specific new fuzzing we want.