I have been experimenting with TLS 1.3 in tlsbunny project. This is a framework for building negative tests and fuzzers for TLS 1.3 implementations. For example, tlsbunny has several simple fuzzers for TLS structures like TLSPlaintext, Handshake, ClientHello, etc. It would not be worse to run those fuzzers against picotls server.
Java 10 is coming in March 2018. This release contains quite a lot of enhancements in the JVM. But it looks like JDK users are mostly interested in one particular update in the Java Language – type inference to declarations of local variables with initializers. Besides updates to the Java Language and JVM, Java 10 contains another update which together with the six-month release model has been bothering the Java community for several months.
Here is a digest of the rest of the main features in Java 10 which weren’t covered in the previous post. Enjoy!
Java 10 should be released in Mar 2018. It’s going to be the next short-term release after Java 9 which was released in Sep 2017.
After I had left the Java Team at Oracle in the end of 2017, and moved to another side of Atlantic Ocean, I made a New Year’s promise that I’ll keep myself updated about changes in Java at least for a year.
Since Java 10 is coming, it’s time to have a look at the JEPs (Java Enhancement Proposal) targeted to Java 10. Here is a digest of the main features which are planned to be delivered in Java 10. Enjoy!
OpenJDK and AddressSanitizer are well-known open source projects. OpenJDK sources contain C/C++ code which may be affected by memory corruption issues and memory leaks. Such issues may be detected at runtime with memory checkers like AddressSanitizer. Now it’s going to be easier to use AddressSanitizer for OpenJDK development to check for memory corruptions and leaks.
There are a couple of new bug bounty programs on HackeOne for popular open source libraries:
They just started on last week (Sep 22nd, 2017). You can find the rules, scope and other details on HackerOne
Those are well-known tools and libraries, and they have already gotten quite much attention from the security community. So, looks like it’s going to be challenging to discover new issues there. Looking for a challenge? This may be a good one for sure. By the way, minimum bounty is $500. Not too much, but you also are going to get some credit for making the world better.
The libraries are mostly written in C/C++, so you may want to start with fuzzing. Although, if you search for fuzzing results for the libs above, you are going to find that security researches put some effort on it. On the other hand, it’s never worse to try even harder. Someone can also contribute to Google’s OOS-fuzz project, and add support for fuzzing those libraries. OSS-fuzz already has libpng and curl, but seems like there may be some room for libcap, ImageMagick, GraphicsMagick and tcpdump.
MessagePack is a binary serialization format. There are lots of open source implementations of this protocol on various languages including C/C++. It’s good to do something good in new year. For example, it can be a little contribution to an open source project. Let’s check quickly if the implementation on C/C++ has any memory corruption issues. One of the best ways is of course fuzzing.
Usually there is no problem if you want to fuzz a headless application. A headless application can be run just in a terminal, and doesn’t have any GUI. You can pick up your favorite fuzzer, and feed fuzzed data to the application. Normally, a headless application just processes data, and then quits or crashes right away. But it may be different if you are trying to fuzz an application with GUI. Let’s try to fuzz an open source text editor AbiWord.