
Subject: Re: [boost] [beast] Security
From: Marshall Clow (mclow.lists_at_[hidden])
Date: 2017-12-13 04:57:55


On Tue, Dec 12, 2017 at 7:26 PM, Vinnie Falco via Boost <
boost_at_[hidden]> wrote:

> On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost
> <boost_at_[hidden]> wrote:
> > To what extent do we think that Beast should be "secure"? I am
> > thinking mostly about handling malicious input.
> >
> > Has it been reviewed by anyone with specific experience of how
> > HTTP can be attacked? Has it been "fuzzed"?
>
> We now have the answer to this question:
>
> <https://vinniefalco.github.io/BeastAssets/Beast%20-%20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%2020171114.pdf>
>
> Linked from
>
> <http://www.boost.org/doc/libs/master/libs/beast/doc/html/beast/reports.html#beast.reports.security_review_bishop_fox>
>
> Bishop Fox did find one serious vulnerability in the processing of
> compressed websocket frames. This flaw was fixed in time for Boost
> 1.66.0.
>
>
I can heartily recommend the project OSS-Fuzz.
https://github.com/google/oss-fuzz

You figure out how to apply a byte stream to a call in your library, and
they fuzz it. Over and over. Forever.

I have hooked up several of the calls in libc++ (sorting, heap operations,
regex parsers) and it has found a few bugs (all in the regex stuff).

I'm glad to show people how to get started with this.

-- Marshall
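
The "apply a byte stream to a call in your library" step described in the message above, as an added example that is not part of the original post and is not libc++'s own fuzz target. `LLVMFuzzerTestOneInput` is the libFuzzer entry point that OSS-Fuzz drives; the helper name `sort_and_heap_invariants_hold` is hypothetical, and the invariants checked are an assumption about what such a target would verify for sorting and heap operations.

```cpp
// Added example: a libFuzzer-style target for std::sort and the heap algorithms.
// Build as a fuzzer with: clang++ -g -fsanitize=fuzzer,address target.cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Hypothetical helper: returns true when every invariant holds for this input.
bool sort_and_heap_invariants_hold(const std::uint8_t *data, std::size_t size) {
    const std::vector<std::uint8_t> input(data, data + size);

    // std::sort: the result must be ordered and a permutation of the input.
    std::vector<std::uint8_t> sorted(input);
    std::sort(sorted.begin(), sorted.end());
    if (!std::is_sorted(sorted.begin(), sorted.end())) return false;
    if (!std::is_permutation(sorted.begin(), sorted.end(), input.begin())) return false;

    // push_heap: the heap property must hold after every insertion.
    std::vector<std::uint8_t> heap;
    for (std::uint8_t byte : input) {
        heap.push_back(byte);
        std::push_heap(heap.begin(), heap.end());
        if (!std::is_heap(heap.begin(), heap.end())) return false;
    }

    // pop_heap: elements must drain largest-first and the rest stay a heap.
    std::vector<std::uint8_t> drained;
    while (!heap.empty()) {
        std::pop_heap(heap.begin(), heap.end());
        drained.push_back(heap.back());
        heap.pop_back();
        if (!std::is_heap(heap.begin(), heap.end())) return false;
    }
    std::reverse(drained.begin(), drained.end());
    return drained == sorted;  // draining a heap must agree with std::sort
}

// The fuzzer calls this repeatedly with mutated byte streams.
// Aborting turns an invariant violation into a crash the fuzzer records.
extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t *data, std::size_t size) {
    if (!sort_and_heap_invariants_hold(data, size)) std::abort();
    return 0;
}
```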

