Ada Logics sets up continuous fuzzing for Cluster API

20th July, 2022
Adam Korczynski,
Security Engineering & Security Automation
David Korczynski,
Security Research & Security Engineering

In the last few months, the team at Ada Logics has worked on integrating continuous fuzzing into the Kubernetes Cluster API project. This was an effort focused on improving the security posture of Cluster API and ensuring a continued good experience for Cluster API users. The fuzzing integration involved enrolling Cluster API in the OSS-Fuzz project and developing a set of fuzzers that would bring the code coverage up to a mature level.

In total, 20 fuzzers were developed and 4 issues were found. The issues are split into 2 nil pointer dereferences, a timeout and a type confusion. All fuzzers are implemented by way of go-fuzz and when run in OSS-Fuzz the fuzzers will be instrumented by way of libFuzzer. As such, Cluster API uses state-of-the-art open source fuzzing capabilities. Since Cluster API is integrated into OSS-Fuzz the fuzzers will continue to run on a continuous basis, even after the engagement, which is of significant importance to e.g. catch regressions and enable the fuzzers to achieve optimal code coverage.

The full report of the engagement can be found here and the fuzzing infrastructure developed can be found in the CNCF-Fuzzing repository here.

The Cluster API project includes documentation on the fuzzing set up and this is available here.

This fuzzing engagement is part of a larger effort by CNCF on integrating continuous fuzzing into the projects within the CNCF landscape. Recently, we published another post detailing this work across 18 CNCF projects where several hundreds of bugs have been uncovered. See this blog post for more details.