Project post originally published on the Knative blog by Adam Korczynski, Ada Logics

Knative is happy to announce the completion of its fuzzing security audit. The audit was carried out by Ada Logics and is part of an initiative by the CNCF to bring fuzzing to the CNCF landscape. The audit spanned several months in late 2022 and early 2023 and resulted in 29 fuzzers written for 3 Knative sub-projects. The fuzzers found a single issue in a 3rd-party dependency that has been fixed.

Read the full report for the audit here: Knative Fuzzing Report.

The audit covered the following three Knative sub-projects:

Fuzzing

Fuzzing is a way of testing software whereby pseudo-random data is passed to a target API to find bugs and security issues. The pseudo-random data is created by a fuzzing engine that, over time, generates test cases that uncover more of the code base. The engine takes a coverage-guided approach, using the feedback from each iteration to mutate new test cases. This type of fuzzing is called “coverage-guided fuzzing” and has been effective in finding bugs in software projects implemented in both memory-safe and memory-unsafe languages, including several other CNCF-hosted projects. Most recently, fuzzing found security vulnerabilities in Notation-go and Crossplane during their CNCF-sponsored fuzzing audits. Read more about these here:

Fuzzing Knative

An important component of a robust fuzzing suite is making sure that the fuzzers run continuously. All of Knative's fuzzers run continuously on OSS-Fuzz, Google's open source platform that continuously runs the fuzzers of critical open source projects with extensive resources. Knative's fuzzing audit started by integrating Knative into OSS-Fuzz, and the auditors then added the fuzzers to that integration. This allowed the fuzzers to run continuously during the audit, and they will continue to do so now that the audit has concluded.

The fuzzers developed during the audit cover different parts of the Knative ecosystem. These include and are not limited to:

All fuzzers live in CNCF's fuzzing repository. During its build cycles, OSS-Fuzz pulls them from there and runs them against the latest main branches of the Knative repositories.
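To make the two preceding ideas concrete (a coverage-guided engine mutating a seed corpus, and fuzz targets that keep running in CI and on OSS-Fuzz), here is a Go native fuzz target in the shape the Knative fuzzers take. This is an added example and not one of the audit's fuzzers or any Knative code: `ParseLabels`, `FormatLabels`, the round-trip property and the seed corpus are all hypothetical and constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"testing"
)

// ParseLabels parses a constructed "key=value,key2=value2" string into a map.
// It is a hypothetical stand-in for the kind of input-handling code a fuzzer
// targets: rejecting bad input with an error is fine, panicking is a bug.
func ParseLabels(s string) (map[string]string, error) {
	out := map[string]string{}
	if s == "" {
		return out, nil
	}
	for _, pair := range strings.Split(s, ",") {
		key, value, ok := strings.Cut(pair, "=")
		if !ok || key == "" {
			return nil, fmt.Errorf("malformed pair %q", pair)
		}
		out[key] = value
	}
	return out, nil
}

// FormatLabels is the inverse of ParseLabels; keys are sorted so the output
// is deterministic.
func FormatLabels(m map[string]string) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+m[k])
	}
	return strings.Join(parts, ",")
}

func equalMaps(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if w, ok := b[k]; !ok || w != v {
			return false
		}
	}
	return true
}

// CheckRoundTrip is the property the fuzzer enforces: any input ParseLabels
// accepts must survive a format/parse cycle unchanged. A non-nil error is a
// property violation; inputs the parser rejects are not failures.
func CheckRoundTrip(input string) error {
	first, err := ParseLabels(input)
	if err != nil {
		return nil // rejected input: the parser may refuse it, it must not crash
	}
	formatted := FormatLabels(first)
	second, err := ParseLabels(formatted)
	if err != nil {
		return fmt.Errorf("formatted output %q was rejected: %v", formatted, err)
	}
	if !equalMaps(first, second) {
		return fmt.Errorf("round trip changed %v to %v", first, second)
	}
	return nil
}

// SeedCorpus is the hand-written starting point (constructed here). The engine
// mutates these inputs (bit flips, splices, inserted delimiters) and keeps any
// mutant that reaches new code, which is what "coverage-guided" means in practice.
var SeedCorpus = []string{"", "app=web", "app=web,tier=frontend", "=x", "a=b,,c=d", "k=v=w"}

// FuzzParseLabels is a Go native fuzz target. In a real project it lives in a
// _test.go file and runs with `go test -fuzz=FuzzParseLabels`; the seed corpus
// alone is replayed on every plain `go test`, so the property stays checked in
// CI even when no fuzzing campaign is running.
func FuzzParseLabels(f *testing.F) {
	for _, seed := range SeedCorpus {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, input string) {
		if err := CheckRoundTrip(input); err != nil {
			t.Fatal(err)
		}
	})
}

func main() {
	// Stand-alone run: replay the seed corpus through the property check.
	for _, seed := range SeedCorpus {
		fmt.Printf("%-26q ok=%v\n", seed, CheckRoundTrip(seed) == nil)
	}
}
```

The design point is that the fuzz target checks a property stronger than "does not panic": when a parser and its formatter disagree, the engine reports the exact input that exposed the disagreement, which is the same reproducer-plus-stack-trace style of report the audit relies on OSS-Fuzz to deliver.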

Findings

The fuzzers found a single issue during the audit, which is an impressive result for the Knative project. The fuzzers continue to explore the target code and may find issues in the future. If that happens, OSS-Fuzz will notify the maintainers with a detailed bug report, including a reproducer test case and a stack trace. OSS-Fuzz notifies maintainers via email and automatically marks fixed issues as resolved in its bug tracker.

Contributing to Knative

Knative is open source and accepts community contributions. The community repository is the best place to start if you wish to contribute to the ecosystem.