DEV Community: shivi28

OSS-Fuzz ?? Setup Cluster API on OSS-Fuzz

shivi28 — Wed, 20 Apr 2022 15:30:10 +0000

Open source software is a software with source code that anyone can inspect, modify, and enhance. They have multiple advantages like high quality software, no vendor lock-in, lower software cost and most important ABUNDANT support.

But with more flexibility comes more responsibility and that’s why we need something that can assure us that our software is free from programmatic errors, and have no serious security threats.

So to make our open source softwares more secure and stable, Google has introduced OSS fuzz in 2016 with three primary goals:

1. Finding security vulnerabilities, stability issues, and functional bugs at scale.
2. Making the platform easy to use for open-source developers and encouraging them to take security testing into their own hands.
3. Getting the bugs fixed quickly (OSS-Fuzz has a 90% fix-rate!)

OSS-Fuzz does Fuzz testing which is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications, but with OSS-Fuzz we aims to make common open source softwares more secure and stable by combining modern fuzzing techniques with scalable, distributed execution.

Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages supported by LLVM may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds.

Overview

To know more, read this detailed documentation to learn how to use OSS-Fuzz

Cluster API

Cluster API is a Kubernetes sub-project focused on providing declarative APIs and tooling to simplify provisioning, upgrading, and operating multiple Kubernetes clusters.

Started by the Kubernetes Special Interest Group (SIG) Cluster Lifecycle, the Cluster API project uses Kubernetes-style APIs and patterns to automate cluster lifecycle management for platform operators. The supporting infrastructure, like virtual machines, networks, load balancers, and VPCs, as well as the Kubernetes cluster configuration are all defined in the same way that application developers operate deploying and managing their workloads. This enables consistent and repeatable cluster deployments across a wide variety of infrastructure environments.

To know more, visit this github page.

Setup Cluster API on OSS-Fuzz

As Cluster API is a widely used open source project, so community decided to setup Cluster API on OSS-Fuzz.

This is the following PR to track this setup process in CAPI project.

Once we initiate the setup of any open source project on Oss-Fuzz, we also raised one corresponding PR in google/oss-fuzz repository.

This is the corresponding google/oss-fuzz PR for CAPI setup `

Once all these steps are executed, then we are done with initial integrations. In above steps we have mentioned some email IDs in the PR, and these people will get the automatic email notification if any bug is found in the mentioned project.

Once we received a mail, next action item is to reproduce this issue locally and resolve it in the project.

In next section I will list down few steps to reproduce the issue in your local system.

Steps to reproduce it locally

Files and variables required to run it in local

/path/to/downloaded/minimized/testcase:
this is the path for a file which every issue has. It's called a reproducer file (also know as a "testcase" file). This you can get from mail with a name as Reproducer Testcase
Take checkout of OSS-Fuzz in local:
git clone https://github.com/google/oss-fuzz cd oss-fuzz
Pull the latest Docker images
Docker images get regularly updated with a newer version of build tools, build configurations, scripts, and other changes. In some cases, a particular issue can be reproduced only with a fresh image being used. Pull the latest images by running the following command:
python infra/helper.py pull_images
Build the image and the fuzzers. Run following command
python infra/helper.py build_image kubernetes-cluster-api python infra/helper.py build_fuzzers kubernetes-cluster-api python infra/helper.py reproduce kubernetes-cluster-api fuzz_conversion_of_all_types /path/to/downloaded/minimized/testcase

After running all the above commands you will see something like this in your local:

In this way, you can reproduce the bug locally.

To know more on reproducing the bug locally follow this official doc.

Blockchain Terminologies

shivi28 — Mon, 18 Apr 2022 06:36:48 +0000

Addresses

Address or bitcoin addresses are unique identifiers that are composed from 26 to 35 alphanumeric characters. They are used in blockchain transactions and they are responsible for denoting senders and recipients. For every transaction, users can use a new address, but they can reuse old ones if they wish. Reusing the same addresses can lead to easier identification of the user that created it. Addresses can also be case sensitive and created offline. it is also possible to create multi-signature addresses that require more than one private key.

Transactions

Transactions are the main units of blockchain technology. They are used for transferring values from one address to another

Transaction Fee

Miners that choose to include a transaction in a block collect a transaction fee. The fee is calculated differently for every transaction based on variables like the size of the transaction and amount of resources (electricity and hardware) required to process it. Generally, the bigger the transaction, the larger the fee. Miners choose transactions from memory pools by checking their priority. Those with a higher priority for the block that is being built should be picked up first. Anyone wanting faster processing of a transaction would need to offer a higher incentive (more money) in order to make a miner want to pick it up sooner.

Turing Complete

Turing complete is a computability theory that is used for abstract machines. Computability theory says that any system of data manipulation rules that can simulate a Turing machine is called Turing Complete. Turing complete programming language is in a high demand when it comes to blockchain technology but security issues are still a problem. Virtual machines are used to run Turing complete code on blockchain

Block

A block hash, timestamp , nonce and at least several transactions make a block. once a block is completed, the records about transactions can not be modified or deleted. Multiple blocks added together form a blockchain network. block contains information about past, present and future transactions.

Block Explorer

Block explorer is a web tool used for viewing information about addresses, transactions, transaction histories, and individual blocks in a blockchain network.

Block Height

Block Height represents the number of blocks that are ahead of the given block in the blockchain network. Every block contains a header containing the current block height.

Block Reward

Block rewards are rewards for the miners which solve some type of mining puzzles. When Bitcoin was started, for example, the reward for successfully mining a block was 50 Bitcoins. The reward is contained in Coinbase transactions that miners receive after solving a puzzle.

Central Ledger

The central ledger represents records about all financial transactions of an organization. Centralized ledger means that there is a main ledger which contains all information in. one place.

Peer-to-Peer Network

A P2P is a type of network where each peer can contact other peers and exchange information. In this network topology, there is no need for a central server. The peers need only to join a peer-to-peer network before they can send and receive messages.

Smart Contracts

A smart contract is a computer program or protocol that is used to set the rules of a contract between two parties. Smart contracts are also called crypto-contracts. They can also, apart from setting rules, take control to enforce those rules and transfer the digital currencies between parties if conditions of the contract are met. The main advantage is that smart contracts don't require a third party.

Oracles

an Oracle is a third party information source and is a part of the smart contract system. Smart contracts are unable to access external data which might be needed for a rule to be executed. Oracles can deliver that external data to smart contracts. They use a secure channel when transferring data and they are considered secure.

Consensus

Consensus is a type of agreement and means that multiple parties have agreed on the same value or goal. When talking about blockchain technology, Consensus means that nodes have agreed on the same state of a blockchain.

Confirmation

Confirmation happens when a network has successfully processed a transaction. It also means that the transaction can not be reversed. When talking about trade life cycle, Confirmation means that both opposing parties have agreed to the details of trade. For a transaction to be finalized multiple confirmations are often needed.

Cryptocurrency

Cryptocurrency is considered to be a digital form of money. It uses high-end encryption techniques to create funds and to verify their transfer. Without blockchain, cryptocurrency would not exist. They use a decentralized control system which works through distributed ledger technology, like a blockchain. The most famous cryptocurrency is Bitcoin.

Cryptographic Hash Function

Hash functions are functions that take an input value of some length, and extracts from it another value of a fixed length. No matter how many characters are fed into the hash function, the output will always be of the fixed defined output length. even if 2 input values differ by only one character, their output hashes will be totally different. Characteristics of a cryptographic hash functions:

Computationally Efficient:
Deterministic: For some input, output should always be same
Collision Resistant: no 2 inputs could have same output
Pre-image resistant: input can not be revealed by looking at the output

DAPP

DAPP stands for Decentralized Application. This is an application whose backend runs on multiple computers that are part of a decentralized network. This differs from a standard app, whose backend runs on centralized servers.

DAO

DAO stands for Decentralized Autonomous Organization. A DAO is computer software that runs on top of a blockchain.

Distributed Ledger

Distributed Ledger are identical databases that are distributed to each of the participants. They are often confused with blockchain but they are not the same thing. The records of these ledgers are not placed in blocks like in a. blockchain, but rather stored contiguously. Each participant node is first updated individually. After that, they all collectively vote on the update and prove it or not. When all participants reach an agreement, the ledger then gets updates to the latest change and all participants' nodes save the same version.

Distributed Network

A distributed network is a kind of network that expands across several networks. This way, these networks can function and operate together as a coherent unit, or separately as individual units.

Difficulty

Difficulty represents how hard it is (how long it takes) to find the hash needed to add a new block to a blockchain.

Digital Signature

A digital signature is used for identifying an entity which is sending a message. Every electronic document contains a digital signature. They are also used for nonrepudiation because they are authentic, non-forgeable and non-reusable.

Multi-Signature

A multi-signature is a a digital signature type used for situations where a group of entities need to sign a document. One combined signature composed by using a multi-signature scheme from more entities is considered more secure and compact than a collection of signatures from entities.

Double Spending

Double spending is an attack where an entity tries to spend the same crypto coins in more than one transaction at the same time. blockchain tries to prevent double spending attacks by using timestamps on transactions, and then by broadcasting them to the nodes that are in the network. Various cryptocurrencies have developed ways for their networks to be immune to double spending attacks.

Ethereum

Ethereum is a blockchain technology product that is based on the Turing complete programming language called Solidity. The difference between Ethereum and other cryptocurrencies is that there is no limited scripting. Ethereum is not only a platform and cryptocurrency, but also a programming language. It uses smart contract technology, and it has smaller blocks then Bitcoin and other better known cryptocurrencies. The average size of an Ethereum block is under 2KB.

EVM

Ethereum virtual Machine is a network of machines that run the same software and are public nodes.

Solidity

Solidity is a high-level programming language that is based on contracts. Smart contracts can be implemented with it.

Testnet

TestNet is a software that is used for testing out new features and changes to the blockchain, without disrupting the primary blockchain software. TestNets are identical to the original blockchain being tested. Ethereum and bitcoin both use testnets.

Fork

A fork represents an update to a blockchain, and in essence they are a change to a cryptocurrency protocol.

Soft fork

soft forks are backward compatible protocol changes. This means that any nodes running an older version of the protocol are allowed to add new blocks to the blockchain as long as they respect the new protocol. If a node tries to process a transaction that does not fall into the new protocol, it will not be successful. This kind of principle makes nodes running an older protocol version to update to the new version.

Hard fork

Hard forks are protocol changes that are not backward compatible. this means that nodes which are running an older protocol version will not be able to process new transactions even though the transactions might fall into all protocol requirements

Genesis Block

A genesis block represents the first block inside of a blockchain

Hash Rate

A hash rate is the speed of computing hashes per second. Hash rates were much slower when bitcoin miners mined with CPUs. Later, hash rates increased when ASICs replaced CPUs.

Mining

Mining is the process of inserting a transaction into a blockchain's ledger where all previous transactions are also recorded. Mining ensures the security of a blockchain and it is a method of achieving blockchain decentralization.

Wallets

Wallet is a digital wallet software that holds essential information related to users' cryptocurrency. These are things like private and public keys and bitcoin addresses. They can perform different functions that are important for manipulating cryptocurrency, such as sending and receiving bitcoins.

CPU mining

CPU mining is the action of executing computations with a computer's CPU for the purpose of mining an asset of value. In most cases, these are cryptocurrencies like bitcoin. CPU mining was the first way bitcoins could be mined. But this technique isn't as profitable now, so more advanced methods are used.

GPU mining

GPU mining is the action of executing computations with a computer's GPU for the purpose of mining an asset of values, usually cryptocurrencies.

Nodes

In the context of blockchains, nodes are parts of the blockchain network that carry out different functions (such as transaction validation, mining or other tasks), depending on the kind of blockchain and its purpose.

ASIC Application Specific Integrated Circuit

ASIC are a type of ICs created significantly for some application or other specific intent, instead of being built for general use.

Ledger

A ledger is a digital record of all transactions that an organization has performed.

Blockchain Architecture

shivi28 — Mon, 18 Apr 2022 05:34:00 +0000

In this article we understand basic blockchain block structure and learn about the fields by taking example of a real block with block-number=#601439

In the Block we have following fields:

Block Number/Block Height

It represents the number of a block in line, so the first block would be 1, the second 2, and so on to our block 601439.

Block size

Maximum limit for the amount of transactions. It is not the actual number of transactions allowed instead it is the size of transactions that is allowed.

Block Hash

A block hash in this case, which is created from the block header with SHA256

Version

This is a protocol version. Miners need to know protocol versions in order to be able to properly process blocks.

hashMerkelRoot

If all the transactions are used to create a single hash, this would be simple, and not what we have here!. This principle is not used because if we wanted to run a verification of a particular transaction we would need to know all of the other ones as well. This is doable, just less efficient than the Merkel tree approach.

In this approach , we only need some of the “hashes”. We go slowly, we first take hashes in a set of 2 transactions till we reach just one hash.

Number of Transactions

Each block contains a number of transactions. Usually a maximum size is defined, but the number of transactions per block varies.

TimeStamp

This is the time when the hashing actually took place. It can be in a different format but for all blocks with the same number it should point to the same time. Notation difference is ignored.

Transactions

In this example transaction refers to payment, but different protocols can define transactions in different ways. Yet it does not always have to be an individual transaction. Instead it can just be observed as an event defined by a given protocol.

Bits

It can be a hexadecimal number. This is just another representation of difficulty

Difficulty

When the hashing process takes place, the difficulty is determined by the targeted number of zeroes that the hash needs to begin with. As more people involved in mining we need to increase the difficulty

Difficulty = expected/actual(available computation power)
if D >1 then increase(0.25, 4)
if D < 1, then decrease(0.25,4)
want no sudden change that’s why keeping this threshold
so newDifficulty = oldDifficulty * expected/actual
targetDiff = targetMax(=Bits)/difficulty

so, blockHash < targetDiff always.

Nonce

This is the data that we need to the block data to make block hash < targetDiff

hashPrefixBlock

This is the hash of the previous block, and is embedded into the current block. Hash should have a certain number of zeroes before it.

Go: nil == nil is true or false? Na tum jano na hum…

shivi28 — Sat, 16 Apr 2022 08:23:54 +0000

In this article, we will understand how to use == the operator in Go to compare object values. We will also look at scenarios where the behaviour of this operator looks like a bug in the language but it is due to a lack of understanding.

Let's go through the below example

var a *string = nil    
var b interface{} = a
fmt.Println("a == nil:", a == nil) // true 
fmt.Println("b == nil:", b == nil) // false 
fmt.Println("a == b:  ", a == b  ) // true

To understand the above example lets start with a simple one:

var a int = 12
var b int = 12
c:= 12
fmt.Println("a == b :", a == b) // true
fmt.Println("a == c :", a == c) // true

This is very obvious.
Let's twist the example

var a *string = nil
var b interface{} = nil
fmt.Println("a == nil:", a == nil) // true
fmt.Println("b == nil:", b == nil) // true
fmt.Println("a == b:",   a == b) // false (even though the value is
                                           nil for both a and b)

To understand the last case, let us dive deeper into it.

In Go, every pointer variable has two values associated with it <type, value> The fact that every variable needs a type is the reason why we can not have a nil value assigned to a variable whose type is not defined. That's why we can not write x := nil because we don't mention the type of x and we get the following error use of untyped nil

Now let's see our problem again

var a *string = nil      // a is <*string, nil>
var b interface{} = nil  // b is <nil, nil>
fmt.Println("a == nil:", a == nil) // true
fmt.Println("b == nil:", b == nil) // true
fmt.Println("a == b:", a == b)    // false <*string,nil>!=<nil, nil>

In our case variable a actually represent <*string, nil> and interface{} default type is nil so variable b is <nil, nil>.
So that's why when we say a == b then we are actually comparing <*string,nil> == <nil, nil> which is false.

Now come back to our main example

var a *string = nil     // a is <*string, nil>
var b interface{} = a 
fmt.Println("a ==nil:",a==nil)//true(<*string, nil>==<*string, nil>)
fmt.Println("b == nil:", b == nil) //false (<*string,nil>==<nil,nil>    fmt.Println("a == b:  ", a == b  ) // true

When we do a == nil , == the operator compares type as well as value. Here the value is nil for both LHS and RHS, but what will be the type of nil ???

When nil(hard-coded value) is compared with an object, the type of nil is the same as the declaration type of object with whom it is compared.

So in the case of a == nil we are doing <*string, nil> == <*string, nil>

In the case of b == nil , RHS is <nil, nil> because the declaration type of b is interface{} which is nil (default). Hence when we did

var b interface{} = a

Then we assigned the value of a to variable b which means b now refers to <*string, nil> . Hence LHS != RHS

Note: var b interface{} = a does not change the declaration type of b variable.

Conclusion

This issue occurs frequently in industrial code like below code snippet is very common in Go where we can face such error.

var resp string
var err error
resp, err = CallFunction()
if err != nil{
   // code inside this if statement will be executed if return type  of CallFunction doesn't match with error
}
func CallFunction() custom.Error{
 // return pointer variable
}

Here is the playground for more experimentation https://play.golang.org/p/BnPPXEs9_Oq

So it's always better to check that the return type of called function and type of receiving variables in the caller function should match.