Name : Manishanker Talusani
Email : firstname.lastname@example.org
Name of the University: Birla Institute of Technology & Science Pilani - K.K. Birla Goa Campus, Goa, India
Education : Master Of Science (Technology)
IRC nickname [freenode] : Manishanker
Other contact methods (mobile no) : (+91) 9503395344
Project Idea url : https://wiki.openstack.org/wiki/GSoC2014/Testing/Fuzz
Project Goals :
* Design and implement a fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations of inputs (random or pattern based)
* Enable fuzz testing on at least one OpenStack project (OpenStack Nova, for example)
* Integrate the above fuzz test framework with the OpenStack Tempest test framework
- Task 1: Identify the best open source fuzzing framework to fuzz OpenStack APIs
There are many open source fuzzing tools, such as BED, SFUZZ, SICKFUZZ and SPIKE. Frameworks will be evaluated based on the following criteria:
- Can it perform API fuzzing?
- Can it do HTTP fuzzing?
- Can it be invoked using Tempest?
After finding the appropriate fuzzing tool, a few fuzzing iterations will be run with different types of inputs, using Tempest, as a proof of concept.
Inputs for fuzzing can be random (the mandatory input parameters are defined and the other parameters are randomized) or pattern based (a protocol is defined which serves as a black box from which the inputs are created). For example, Backtrack 5 R3 can be used to run different fuzzing programs such as BED to test OpenStack Horizon's HTTP service; BED can send fuzz packets to HTTP HEAD, GET, POST, etc. Similarly, the sfuzz program can fuzz OpenStack Horizon's HTTP service when provided with configuration files. Depending on the results obtained from the different fuzzing programs, one fuzzing tool will be chosen to test the OpenStack service.
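The random and pattern-based input generation described above (and the automated creation of inputs planned for Task 2), shown as an added Python example that is not part of this proposal or of any OpenStack project. The request schema, the PATTERNS list and the toy_handler service stand-in are all constructed for the example; a real harness would send the generated bodies to the service's HTTP API and treat 5xx responses or timeouts as findings in the same way it treats exceptions here.

```python
import json
import random
import string
from collections import Counter

# Hypothetical request schema, constructed for this example (not a real
# OpenStack API definition).  Mandatory parameters always receive a valid
# value; the optional parameters are what the fuzzer varies.
SCHEMA = {
    "mandatory": {"name": "vm-1", "flavorRef": "1", "imageRef": "img-0"},
    "optional": ["metadata", "user_data", "key_name", "availability_zone"],
}

# Pattern-based inputs: boundary values a fuzzer cycles through
# (empty, oversized, NUL byte, format specifiers, numeric edge cases,
# a bidi control character, and wrong JSON types).
PATTERNS = ["", "A" * 4096, "\x00", "%s%n%x", "-1", "9" * 40, "\u202e",
            None, -1, {}, []]


def random_value(rng, depth=0):
    """Random strategy: pick a JSON type at random and fill it with random
    content; nesting is capped at depth 2 so generation always terminates."""
    kinds = ["str", "int", "none"] + (["list", "dict"] if depth < 2 else [])
    kind = rng.choice(kinds)
    if kind == "str":
        return "".join(rng.choice(string.printable)
                       for _ in range(rng.randint(0, 64)))
    if kind == "int":
        return rng.randint(-2 ** 63, 2 ** 63 - 1)
    if kind == "list":
        return [random_value(rng, depth + 1) for _ in range(rng.randint(0, 3))]
    if kind == "dict":
        return {"k%d" % n: random_value(rng, depth + 1)
                for n in range(rng.randint(0, 3))}
    return None


def generate_request(strategy, rng, iteration):
    """Build one request body: mandatory fields fixed, optional fields filled
    either randomly or by rotating through PATTERNS (field j of iteration i
    gets PATTERNS[(i + j) % len(PATTERNS)], so successive iterations cover
    different combinations)."""
    body = dict(SCHEMA["mandatory"])
    for j, field in enumerate(SCHEMA["optional"]):
        if strategy == "random":
            body[field] = random_value(rng)
        elif strategy == "pattern":
            body[field] = PATTERNS[(iteration + j) % len(PATTERNS)]
        else:
            raise ValueError("unknown strategy: %s" % strategy)
    return body


def toy_handler(body):
    """Constructed stand-in for the service under test.  It returns an
    HTTP-style status code and contains two typical robustness bugs
    (type assumptions about optional fields) for the fuzzer to find."""
    for key in SCHEMA["mandatory"]:
        if key not in body:
            return 400
    metadata = body.get("metadata") or {}
    if len(metadata) > 128:        # TypeError when metadata is an int
        return 413
    user_data = body.get("user_data", "")
    user_data.encode("utf-8")      # AttributeError when not a string
    return 202


def fuzz(handler, strategy, iterations, seed=0):
    """Run the handler on generated requests.  Any uncaught exception is
    recorded as a finding together with the exact request that caused it,
    so the case can be replayed; returned status codes are counted."""
    rng = random.Random(seed)          # fixed seed makes runs reproducible
    findings, statuses = [], Counter()
    for i in range(iterations):
        body = generate_request(strategy, rng, i)
        try:
            statuses[handler(body)] += 1
        except Exception as exc:       # a crash is what the fuzzer looks for
            findings.append({"iteration": i,
                             "error": type(exc).__name__,
                             "detail": str(exc),
                             "request": json.dumps(body, default=str)})
    return {"findings": findings, "statuses": statuses}


def summarize(result):
    """Bucket findings by exception type, the first step of triage."""
    return dict(Counter(f["error"] for f in result["findings"]))


if __name__ == "__main__":
    for strategy in ("pattern", "random"):
        result = fuzz(toy_handler, strategy, iterations=50)
        print(strategy, "statuses:", dict(result["statuses"]),
              "crash buckets:", summarize(result))
```

Two design points carry over to a real harness: the seed is recorded so that a crash found in a random run can be reproduced, and every finding stores the exact request body, which is what a report to the OpenStack Security Group needs in order to confirm the issue.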
- Task 2: Implement Fuzzing for one OpenStack project, say OpenStack Nova
After selecting the best fuzzing tool, it will be used to fuzz the OpenStack APIs of one project/service, such as OpenStack Nova. This will be further broken down into several sub-tasks, i.e. fuzzing the main components of that service that may expose security vulnerabilities. To begin with, API fuzzing and HTTP fuzzing will be completed.
During this stage, an appropriate reporting mechanism will also be finalized in order to report the vulnerabilities effectively. The OpenStack Security Group will be consulted for this step.
- Task 3: Integrate with the OpenStack testing framework - Tempest
The next task would be integrating with Tempest. Tempest should be able to run fuzzing iterations on an OpenStack service. Tempest currently supports API testing to some extent, but by integrating fuzzing with Tempest, fuzzing can be run directly from it.
How will I achieve these goals:
Successful completion of the project involves a thorough understanding of fuzzing tools, fuzzing techniques and penetration tools, and also in-depth knowledge of the internals of the OpenStack service on which fuzzing is to be done. I am familiar and have experience with the architecture of OpenStack and its services. I also have experience in deploying OpenStack using DevStack and in a 3-node setup with different hypervisors. I plan to learn and work with the different fuzzing tools and techniques before coding starts so that I can start using fuzzing techniques as soon as the coding period starts. I have discussed this with my mentor, Sriram Subramanian, who has given me material with all the information on how fuzzing and other penetration tests were done on OpenStack Essex cloud software. In the meantime I will also work on specific OpenStack services and Tempest and gain in-depth knowledge of them so that I can implement fuzzing on them.
What are my milestones:
* My first milestone would be identifying the appropriate fuzzing tool which can be used to fuzz an OpenStack service, based on the prerequisites mentioned in Task 1
* The second milestone would be, after the identification and implementation of the fuzzing tool and techniques, using it to fuzz an OpenStack service
* The third milestone would be integrating the fuzzing tool with Tempest, which could then be used to run fuzzing tests directly, and enabling automated reporting of security vulnerabilities to the OpenStack Security Group.
This is my tentative project timeline based on the discussion with my mentor.
- Before April 20
* Familiarize myself with different types of fuzzing techniques and fuzzing tools like BED, SPIKE, SFUZZ, SICKFUZZ.
* Familiarize myself with OpenStack services, Tempest and the OpenStack code base.
* I will be in constant touch with my mentor to improve my knowledge and get a better, deeper understanding of fuzzing and OpenStack services.
- April 21 - May 4 (Before the actual coding time)
* Identifying the best open source fuzzing tool which can be used for API and HTTP fuzzing
* Creating a working draft on which fuzzing tool can serve the purpose
* Discussing with my mentor the use of the fuzzing tool for the rest of the project and changes to the tool (if required)
- May 5 - May 18
* Implementing the fuzzing tool to fuzz the API of one OpenStack service
* Creating exhaustive fuzzers and trying to automate the creation of inputs (random or pattern based) for the fuzzing tool
* Based on the complexity of the OpenStack service, fuzzing can be done on separate parts of the service
- May 19 - June 1
* Implementing other penetration tests that may expose threats such as memory leaks and buffer overflows
- June 2 - June 15
* Improving code functionality, removing bugs and adding exception handling
- June 16 - June 29 (Mid term Evaluation)
* By the mid-term, fully functional fuzzing of one OpenStack service
- June 30 - July 13
* Integrating the fuzzing tool with Tempest so that Tempest can be used directly to run fuzz tests
- July 14 - July 27
* Testing Tempest to see if it can run the fuzzing tests on an OpenStack service
- July 28 - Aug 10
* Making further changes to the code to improve functionality, remove bugs and handle exceptions
- Aug 11 - Aug 24
* Discussion about the documentation with my mentor and wrapping up
* Most of the time will be used for bug fixes and testing
* Final documentation which includes complete details about all the methods and their usage.
- Open Source contribution
I haven't contributed to open source yet, but I want to start my contribution to open source through OpenStack.
- Academic background
I am a student pursuing an M.Sc. (Tech.) in Information Systems at BITS Pilani K K Birla Goa Campus. Currently I am working as an intern. I have been working on OpenStack for a couple of months and I am involved in the deployment of OpenStack services in the data center. I am responsible for the deployment of a multi-hypervisor cloud which is used to test different products of the company, and for fixing errors for the other teams who are using the OpenStack services. I am also responsible for the Baremetal and Ironic deployment, which is currently in progress. Prior to this I have worked on different projects in Android, Hadoop and Matlab.
- Programming languages
C, Java, Python