Jump to: navigation, search

Difference between revisions of "GSoC2014/Student/Manishanker"

(Created page with "'''Personal Details''' Name : Manishanker Talusani<br /> Email : shanker.mani0@gmail.com<br /> Name of the University: Birla Institute of Technology & Science Pilani - K.K.Bi...")
 
 
(4 intermediate revisions by 2 users not shown)
Line 13: Line 13:
  
 
Project Goals :
 
Project Goals :
*    Design and Implement Fuzz testing framework that can fuzz OpenStack APIs by generating configurable combninarions (random or pattern based)
+
*    Design and Implement Fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations (random or pattern based)
*    Integrate above fuzz test framework with OpenStack Tempest test framework
+
*    Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
*    Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
+
*    Integrate above fuzz test framework with OpenStack Tempest test framework
  
 
'''Project Plan'''
 
'''Project Plan'''
*Task 1:
 
  Designing a framework prefarably with a user interface , application and database.Inputs to the framework can be given using command line or through a interface .User interface is used to give inputs (random or pattern based ) to the framework which can be automated or semi-automated.According to the input given to the framework, application then makes Openstack API calls. Framework is then used to monitor the output of the API calls and it is also used to check if there were any crashes ,Bugs, Security vulnerbilities. The result of the input is compared with the actual output whose information  is already stored in the database.If there were any crashes then the input is stored in the database as a succesful fuzzer. Several combinations of the fuzzer are formed from previous fuzzer which are again fed to the framework and monitored. Among all the fuzz testing techniques available ,depending on the bugs ,crashes ocurred ,based on the information on inputs stored in database best fuzzing technique will be used in the application of the framework.
 
  
*Task 2:  
+
* Task 1: Identify the best open source Fuzzing framework to fuzz Openstack API's
  Integrating the above framework into the Tempest framework in Openstack.This requires a lot of understanding of how two frameworks can be integrated. My primary focus would be to build the Fuzzing framework in such a way that it can be extensible as well as it can be integrated to Tempest with few integration problems.
+
    There are many open source fuzzing tools like BED, SFUZZ, SICKFUZZ, SPIKE. Frameworks will be evaluated based on the following criteria:
 +
# Whether it can perform API fuzzing ?
 +
# Can it do HTTP fuzzing?
 +
# Can it be invoked using Tempest?
  
*Task3 :  
+
After finding the appropriate fuzzing tool, few fuzzing iterations will be run using different types of inputs using Tempest as a POC. 
  Extending Fuzz testing framework for atleast one Openstack project.Also enabling automated reporting of security vulnerabilities to Openstack Security Group.
+
 
 +
Inputs for fuzzing can be random by defining the mandatory input parameters and randomizing the other parameters or they can be pattern based by defining a protocol which serves as a black box which is used to create them. For example Backtrack 5 R3 can be used to run different types of the fuzzing programs like BED program to test OpenStack Horizon's HTTP service. BED program can be used to send fuzz packets to HTTP HEAD,GET,POST etc. In the similar way sfuzz program can be used to fuzz the OpenStack Horizon's HTTP service by providing configuration files. Depending on the results obtained by the different fuzzing programs, fuzzing tool will be used to test OpenStack service.
 +
 
 +
* Task 2: Implement Fuzzing for one OpenStack project, say OpenStack Nova
 +
    After selecting the best fuzzing tool, it will be used to fuzz OpenStack APIs for one of the projects/ services, such as OpenStack Nova. This will be further broken down to several sub tasks i.e fuzzing the main components of that service which may lead to any security vulnerabilities. To begin with, API fuzzing and HTTP fuzzing will be completed.
 +
 +
During this stage, appropriate reporting mechanism would also be finalized in order to report the vulnerabilities effectively. The [https://launchpad.net/~openstack-ossg OpenStack Security Group] will be consulted for this step.
 +
 
 +
* Task 3 : Integrate with OpenStack testing framework - Tempest
 +
    Next task would be integrating with Tempest.Tempest should be able to run fuzzing iterations on OpenStack service. Tempest currently supports API testing to some extent, but by integrating fuzzing with Tempest, fuzzing can be run directly from it.
  
 
'''How will i achieve these goals:'''
 
'''How will i achieve these goals:'''
<To be filled after discussing with mentor>
+
 
 +
Successful completion of the project involves thorough understanding of Fuzzing tools, Fuzzing techniques, Penetration tools and also in depth knowledge of the OpenStack service internals on which fuzzing is to be done. I am familiar and have experience with architecture of the OpenStack and its services. I also have experience in deploying OpenStack using Devstack and in 3 node setup with different Hypervisors. I plan to learn and work with the different fuzzing tools and techniques before coding starts so that I could start using fuzzing techniques as the coding period  starts. I have discussed with my mentor Sriram Subramanian, he has given me material which has all the information on how fuzzing and other penetration tests were done in OpenStack Essex cloud software. In the meantime i will also work on a specific OpenStack services,Tempest and gain in depth knowledge of it so that i can implement fuzzing on it.
  
 
'''What are my milestones'''
 
'''What are my milestones'''
* My first milestone would be designing the framework since it should be extensible to other Openstack services and it should be integrated to Tempest with less integration errors.
 
* Second milestone would be, after the implementation of the framework is done ,selecting the best fuzzing technique and building the application in framework with it.
 
* Third milestone would be, after the application building in framework is done , enabling it on one of the openstack service .This requires in depth understanding of the service since the automation of the fuzzing framework and protocol creation for inputs totally depend on the particular service. 
 
  
 +
* My first milestone would be identifying the appropriate fuzzing tool which can be used to fuzz OpenStack service based on the prerequisites mentioned in task 1
 +
* Second milestone would be, after the identification and implementation of the fuzzing tool and techniques, using it to fuzz OpenStack service
 +
* Third milestone would be, integrating the fuzzing tool with the Tempest which could be used to run fuzzing tests directly and enabling automated reporting of security vulnerabilities  to the OpenStack Security Group.
 +
 
'''Project Timeline'''
 
'''Project Timeline'''
<To be filled after discussing with mentor>
 
  
 +
This is my tentative project timeline based on the discussion with my mentor.
 +
 +
* Before April 20
 +
  * Familiarize myself with different types of Fuzzing techniques and Fuzzing tools like BED,SPIKE, SFUZZ, SICKFUZZ.
 +
  * Familiarize myself with OpenStack services,Tempest and OpenStack code base.
 +
  * I will be in constant touch with my mentor to improve my knowledge and get better, deeper understanding of Fuzzing and OpenStack services.
 +
 +
* April 21 - May 4 (Before the actual coding time)
 +
  * Identifying the best open source fuzzing tool which can be used for API ,HTTP fuzzing
 +
  * Creating a working draft on which fuzzing tool can serve the purpose
 +
  * Discussing with mentor on using the fuzzing tool for the further project and changes to the tool(if required)
 +
 +
* May 5 - May 18
 +
  * Implementing the fuzzing tool to fuzz on one of the OpenStack service API
 +
  * Creating exhaustive fuzzers and trying to automate the fuzzing tool to create inputs(random or pattern based) to the fuzzing tool
 +
  * Based on the complexity of the OpenStack service ,fuzzing can be done on separate parts of the service
 +
 +
* May 19 - June 1
 +
  * Implementing other penetration tests which may lead to threats like Memory leaks and Buffer overflows
 +
 +
* June 2 - June 15
 +
  * Improving the code functionality ,removing bugs and exception handling 
 +
 +
* June 16 - June 29 (Mid term Evaluation)
 +
  * By the Mid-term, a fully functional fuzzing on one of the OpenStack service
 +
 +
* June 30 - July 13
 +
  * Integrating fuzzing tool with the tempest so that tempest can directly be used to run fuzz test
 +
 +
* July 14 - July 27
 +
  * Testing Tempest to see if it can run the fuzzing test on OpenStack service
 +
 +
* July 28 - Aug 10
 +
  * Making further changes in the code to improve functionality,bug removals,exception handling
 +
 +
* Aug 11 - Aug 24
 +
  * Discussion about the documentation with mentor and wrapping up
 +
  * Most of the time will be used for bug fixes and testing
 +
  * Final documentation which includes complete details about all the methods and their usage.
 +
 
'''Technical Background'''
 
'''Technical Background'''
  
 
*'''Open Source contribution'''
 
*'''Open Source contribution'''
     I haven't contributed to open source but i want to start my contribution to open source through Openstack.
+
     I haven't contributed to open source but i want to start my contribution to open source through OpenStack.
  
 
*'''Academic background'''
 
*'''Academic background'''
     I am an Undergraduate student pursuing MSC.(Tech.) Information Systems at BITS Pilani K K Birla Goa Campus.Currently i am working as an intern.I have been working on Openstack for couple of months and i am involved  in deployment of Openstack services in the Data center. I am responsible for deployment of multi-hypervisor cloud which is used to test different products of the company and fixing errors for the other teams who are using the Openstack services.I am also responsible for Baremetal and Ironic deployment which are currently in progress.Prior to this i have worked on different projects in Android ,Hadoop, Matlab
+
     I am an Undergraduate student pursuing MSC.(Tech.) Information Systems at BITS Pilani K K Birla Goa Campus.Currently i am working as an intern.I have been working on OpenStack for couple of months and i am involved  in deployment of OpenStack services in the Data center. I am responsible for deployment of multi-hypervisor cloud which is used to test different products of the company and fixing errors for the other teams who are using the OpenStack services.I am also responsible for Baremetal and Ironic deployment which are currently in progress.Prior to this i have worked on different projects in Android, Hadoop, Matlab
  
 
*'''Programming language'''
 
*'''Programming language'''
     C,Java,Python
+
     C, Java, Python

Latest revision as of 18:27, 20 March 2014

Personal Details

Name : Manishanker Talusani
Email : shanker.mani0@gmail.com
Name of the University: Birla Institute of Technology & Science Pilani - K.K.Birla Goa Campus,Goa,India
Education : Master Of Science (Technology)
IRC nickname[freenode] : Manishanker
Other contact methods (mobile no) : (+91) 9503395344

Project Description

Project Idea url : https://wiki.openstack.org/wiki/GSoC2014/Testing/Fuzz

Project Goals : 

*    Design and Implement Fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations (random or pattern based)
*    Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
*    Integrate above fuzz test framework with OpenStack Tempest test framework

Project Plan

  • Task 1: Identify the best open source Fuzzing framework to fuzz Openstack API's
    There are many open source fuzzing tools like BED, SFUZZ, SICKFUZZ, SPIKE. Frameworks will be evaluated based on the following criteria:
  1. Whether it can perform API fuzzing ?
  2. Can it do HTTP fuzzing?
  3. Can it be invoked using Tempest?

After finding the appropriate fuzzing tool, few fuzzing iterations will be run using different types of inputs using Tempest as a POC.

Inputs for fuzzing can be random by defining the mandatory input parameters and randomizing the other parameters or they can be pattern based by defining a protocol which serves as a black box which is used to create them. For example Backtrack 5 R3 can be used to run different types of the fuzzing programs like BED program to test OpenStack Horizon's HTTP service. BED program can be used to send fuzz packets to HTTP HEAD,GET,POST etc. In the similar way sfuzz program can be used to fuzz the OpenStack Horizon's HTTP service by providing configuration files. Depending on the results obtained by the different fuzzing programs, fuzzing tool will be used to test OpenStack service.

  • Task 2: Implement Fuzzing for one OpenStack project, say OpenStack Nova
    After selecting the best fuzzing tool, it will be used to fuzz OpenStack APIs for one of the projects/ services, such as OpenStack Nova. This will be further broken down to several sub tasks i.e fuzzing the main components of that service which may lead to any security vulnerabilities. To begin with, API fuzzing and HTTP fuzzing will be completed.

During this stage, appropriate reporting mechanism would also be finalized in order to report the vulnerabilities effectively. The OpenStack Security Group will be consulted for this step.

  • Task 3 : Integrate with OpenStack testing framework - Tempest
    Next task would be integrating with Tempest.Tempest should be able to run fuzzing iterations on OpenStack service. Tempest currently supports API testing to some extent, but by integrating fuzzing with Tempest, fuzzing can be run directly from it.

How will i achieve these goals:

Successful completion of the project involves thorough understanding of Fuzzing tools, Fuzzing techniques, Penetration tools and also in depth knowledge of the OpenStack service internals on which fuzzing is to be done. I am familiar and have experience with architecture of the OpenStack and its services. I also have experience in deploying OpenStack using Devstack and in 3 node setup with different Hypervisors. I plan to learn and work with the different fuzzing tools and techniques before coding starts so that I could start using fuzzing techniques as the coding period starts. I have discussed with my mentor Sriram Subramanian, he has given me material which has all the information on how fuzzing and other penetration tests were done in OpenStack Essex cloud software. In the meantime i will also work on a specific OpenStack services,Tempest and gain in depth knowledge of it so that i can implement fuzzing on it.

What are my milestones 

* My first milestone would be identifying the appropriate fuzzing tool which can be used to fuzz OpenStack service based on the prerequisites mentioned in task 1 
* Second milestone would be, after the identification and implementation of the fuzzing tool and techniques, using it to fuzz OpenStack service
* Third milestone would be, integrating the fuzzing tool with the Tempest which could be used to run fuzzing tests directly and enabling automated reporting of security vulnerabilities   to the OpenStack Security Group.

Project Timeline

This is my tentative project timeline based on the discussion with my mentor.

  • Before April 20
 * Familiarize myself with different types of Fuzzing techniques and Fuzzing tools like BED,SPIKE, SFUZZ, SICKFUZZ.
 * Familiarize myself with OpenStack services,Tempest and OpenStack code base.
 * I will be in constant touch with my mentor to improve my knowledge and get better, deeper understanding of Fuzzing and OpenStack services.
  • April 21 - May 4 (Before the actual coding time)
 * Identifying the best open source fuzzing tool which can be used for API ,HTTP fuzzing
 * Creating a working draft on which fuzzing tool can serve the purpose 
 * Discussing with mentor on using the fuzzing tool for the further project and changes to the tool(if required)
  • May 5 - May 18
 * Implementing the fuzzing tool to fuzz on one of the OpenStack service API
 * Creating exhaustive fuzzers and trying to automate the fuzzing tool to create inputs(random or pattern based) to the fuzzing tool
 * Based on the complexity of the OpenStack service ,fuzzing can be done on separate parts of the service
  • May 19 - June 1
 * Implementing other penetration tests which may lead to threats like Memory leaks and Buffer overflows
  • June 2 - June 15
 * Improving the code functionality ,removing bugs and exception handling
  • June 16 - June 29 (Mid term Evaluation)
 * By the Mid-term, a fully functional fuzzing on one of the OpenStack service
  • June 30 - July 13
 * Integrating fuzzing tool with the tempest so that tempest can directly be used to run fuzz test
  • July 14 - July 27
 * Testing Tempest to see if it can run the fuzzing test on OpenStack service
  • July 28 - Aug 10
 * Making further changes in the code to improve functionality,bug removals,exception handling
  • Aug 11 - Aug 24
 * Discussion about the documentation with mentor and wrapping up
 * Most of the time will be used for bug fixes and testing 
 * Final documentation which includes complete details about all the methods and their usage.

Technical Background

  • Open Source contribution
   I haven't contributed to open source but i want to start my contribution to open source through OpenStack.
  • Academic background
   I am an Undergraduate student pursuing MSC.(Tech.) Information Systems at BITS Pilani K K Birla Goa Campus.Currently i am working as an intern.I have been working on OpenStack for couple of months and i am involved  in deployment of OpenStack services in the Data center. I am responsible for deployment of multi-hypervisor cloud which is used to test different products of the company and fixing errors for the other teams who are using the OpenStack services.I am also responsible for Baremetal and Ironic deployment which are currently in progress.Prior to this i have worked on different projects in Android, Hadoop, Matlab
  • Programming language
   C, Java, Python
Retrieved from "https://wiki.openstack.org/w/index.php?title=GSoC2014/Student/Manishanker&oldid=46121"