GSoC2014/Student/Manishanker

Personal Details

Name : Manishanker Talusani

Email : shanker.mani0@gmail.com

Name of the University: Birla Institute of Technology & Science Pilani - K.K.Birla Goa Campus, Goa, India

Education : Master Of Science (Technology)

IRC nickname[freenode] : Manishanker

Other contact methods (mobile no) : (+91) 9503395344

Project Description

Project Idea url : https://wiki.openstack.org/wiki/GSoC2014/Testing/Fuzz

Project Goals :
 * Design and implement a fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations (random or pattern based)
 * Enable fuzz testing on at least one OpenStack project (OpenStack Nova, for example)
 * Integrate the above fuzz test framework with the OpenStack Tempest test framework

Project Plan

 * Task 1: Identify the best open source fuzzing framework to fuzz OpenStack APIs

There are many open source fuzzing tools, such as BED, SFUZZ, SICKFUZZ and SPIKE. Frameworks will be evaluated based on the following criteria:
 * 1) Can it perform API fuzzing?
 * 2) Can it do HTTP fuzzing?
 * 3) Can it be invoked using Tempest?

After finding the appropriate fuzzing tool, a few fuzzing iterations will be run with different types of inputs, using Tempest as a POC.

Inputs for fuzzing can be random, by defining the mandatory input parameters and randomizing the other parameters, or they can be pattern based, by defining a protocol that serves as a black box used to create them. For example, BackTrack 5 R3 can be used to run different fuzzing programs, such as the BED program, to test OpenStack Horizon's HTTP service. The BED program can be used to send fuzz packets to HTTP HEAD, GET, POST etc. In a similar way, the sfuzz program can be used to fuzz OpenStack Horizon's HTTP service by providing configuration files. Depending on the results obtained from the different fuzzing programs, a fuzzing tool will be selected and used to test the OpenStack service.
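The two input strategies described above, as an added example that is not part of the original proposal or of any OpenStack code: mandatory parameters stay valid while the optional ones are either randomized or drawn from a fixed pattern list. The field names, the pattern values and the `toy_handler` stand-in for the API under test are all constructed for illustration.

```python
import random
import string

# Constructed request template; field names are illustrative, not a real OpenStack schema.
MANDATORY = {"name": "fuzz-vm", "flavor": "1"}
OPTIONAL = ["description", "count", "zone"]
PATTERNS = ["", "A" * 4096, -1, 2**63, None, [], {"nested": {}}]  # boundary and wrong-type values

def random_value(rng):
    """Return a random string, integer or list of small integers."""
    return rng.choice([
        "".join(rng.choice(string.printable) for _ in range(rng.randint(0, 64))),
        rng.randint(-2**31, 2**31),
        [rng.randint(0, 255) for _ in range(rng.randint(0, 8))],
    ])

def random_cases(n, seed=0):
    """Random strategy: mandatory fields stay valid, optional ones are randomized."""
    rng = random.Random(seed)  # seeded so a failing case can be reproduced
    for _ in range(n):
        body = dict(MANDATORY)
        for field in rng.sample(OPTIONAL, rng.randint(1, len(OPTIONAL))):
            body[field] = random_value(rng)
        yield body

def pattern_cases():
    """Pattern strategy: one optional field per case takes each pattern value."""
    return [{**MANDATORY, f: v} for f in OPTIONAL for v in PATTERNS]

def toy_handler(body):
    """Constructed stand-in for the API under test, with one planted boundary bug."""
    count = body.get("count", 1)
    if not isinstance(count, int) or count < 1:
        raise ValueError("count must be a positive integer")  # clean rejection (4xx)
    if count > 2**32:
        raise OverflowError("simulated unhandled error")  # what a 5xx would look like
    return {"created": min(count, 10)}

def run(cases, handler=toy_handler):
    """Return (case, exception name) for every failure that is not a clean rejection."""
    findings = []
    for body in cases:
        try:
            handler(body)
        except ValueError:
            pass
        except Exception as exc:
            findings.append((body, type(exc).__name__))
    return findings
```

With this constructed handler, `run(pattern_cases())` reports the `2**63` boundary value, while the random cases stay within a range that never triggers the planted bug.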

 * Task 2: Implement fuzzing for one OpenStack project, say OpenStack Nova

After selecting the best fuzzing tool, it will be used to fuzz OpenStack APIs for one of the projects/services, such as OpenStack Nova. This will be further broken down into several sub-tasks, i.e. fuzzing the main components of that service that may lead to security vulnerabilities. To begin with, API fuzzing and HTTP fuzzing will be completed. During this stage, an appropriate reporting mechanism will also be finalized in order to report the vulnerabilities effectively. The OpenStack Security Group will be consulted for this step.

 * Task 3: Integrate with the OpenStack testing framework - Tempest

The next task would be integrating with Tempest. Tempest should be able to run fuzzing iterations on an OpenStack service. Tempest currently supports API testing to some extent, but by integrating fuzzing with Tempest, fuzzing can be run directly from it.

How will I achieve these goals:

Successful completion of the project involves a thorough understanding of fuzzing tools, fuzzing techniques and penetration tools, and also in-depth knowledge of the internals of the OpenStack service on which fuzzing is to be done. I am familiar with and have experience of the architecture of OpenStack and its services. I also have experience in deploying OpenStack using Devstack and in a 3 node setup with different hypervisors. I plan to learn and work with the different fuzzing tools and techniques before coding starts, so that I can start using fuzzing techniques as the coding period starts. I have discussed this with my mentor Sriram Subramanian; he has given me material which has all the information on how fuzzing and other penetration tests were done on the OpenStack Essex cloud software. In the meantime I will also work on specific OpenStack services and Tempest and gain in-depth knowledge of them so that I can implement fuzzing on them.

What are my milestones

 * My first milestone would be identifying the appropriate fuzzing tool which can be used to fuzz OpenStack service based on the prerequisites mentioned in task 1
 * Second milestone would be, after the identification and implementation of the fuzzing tool and techniques, using it to fuzz OpenStack service
 * Third milestone would be, integrating the fuzzing tool with the Tempest which could be used to run fuzzing tests directly and enabling automated reporting of security vulnerabilities to the OpenStack Security Group.

Project Timeline

This is my tentative project timeline based on the discussion with my mentor.

 * Before April 20
    * Familiarize myself with different types of fuzzing techniques and fuzzing tools like BED, SPIKE, SFUZZ, SICKFUZZ.
    * Familiarize myself with OpenStack services, Tempest and the OpenStack code base.
    * I will be in constant touch with my mentor to improve my knowledge and get a better, deeper understanding of fuzzing and OpenStack services.

 * April 21 - May 4 (Before the actual coding time)
    * Identifying the best open source fuzzing tool which can be used for API, HTTP fuzzing
    * Creating a working draft on which fuzzing tool can serve the purpose
    * Discussing with mentor on using the fuzzing tool for the further project and changes to the tool (if required)

 * May 5 - May 18
    * Implementing the fuzzing tool to fuzz on one of the OpenStack service API
    * Creating exhaustive fuzzers and trying to automate the fuzzing tool to create inputs (random or pattern based) to the fuzzing tool
    * Based on the complexity of the OpenStack service, fuzzing can be done on separate parts of the service

 * May 19 - June 1
    * Implementing other penetration tests which may lead to threats like memory leaks and buffer overflows

 * June 2 - June 15
 * June 16 - June 29 (Mid term Evaluation)
 * June 30 - July 13
    * Improving the code functionality, removing bugs and exception handling
    * By the mid-term, a fully functional fuzzing on one of the OpenStack service
    * Integrating fuzzing tool with the Tempest so that Tempest can directly be used to run fuzz test

 * July 14 - July 27
    * Testing Tempest to see if it can run the fuzzing test on OpenStack service

 * July 28 - Aug 10
    * Making further changes in the code to improve functionality, bug removals, exception handling

 * Aug 11 - Aug 24
    * Discussion about the documentation with mentor and wrapping up
    * Most of the time will be used for bug fixes and testing
    * Final documentation which includes complete details about all the methods and their usage.

Technical Background

 * Open Source contribution

I haven't contributed to open source but I want to start my contribution to open source through OpenStack.

 * Academic background

I am an undergraduate student pursuing M.Sc. (Tech.) Information Systems at BITS Pilani K K Birla Goa Campus. Currently I am working as an intern. I have been working on OpenStack for a couple of months and I am involved in deployment of OpenStack services in the data center. I am responsible for deployment of a multi-hypervisor cloud which is used to test different products of the company and for fixing errors for the other teams who are using the OpenStack services. I am also responsible for Baremetal and Ironic deployment, which are currently in progress. Prior to this I have worked on different projects in Android, Hadoop and Matlab.

 * Programming language

C, Java, Python