GSoC2014/Student/Manishanker

个人信息

姓名：Manishanker Talusani
邮箱：shanker.mani0@gmail.com
所在大学：Birla Institute of Technology & Science Pilani - K.K.Birla Goa Campus,Goa,India
学历：理学硕士（技术）
IRC昵称[freenode]：Manishanker
其他联系方式（手机号）：(+91) 9503395344

项目描述

项目想法网址：https://wiki.openstack.org/wiki/GSoC2014/Testing/Fuzz

项目目标

*    Design and Implement Fuzz testing framework that can fuzz OpenStack APIs by generating configurable combinations (random or pattern based)
*    Enable fuzz testing on at least one OpenStack project (OpenStack Nova for example)
*    Integrate above fuzz test framework with OpenStack Tempest test framework

项目计划

• 任务 1：确定最佳开源模糊测试框架来模糊 Openstack API

    There are many open source fuzzing tools like BED, SFUZZ, SICKFUZZ, SPIKE. Frameworks will be evaluated based on the following criteria: 

1. 它是否可以执行 API 模糊测试？
2. 它是否可以进行 HTTP 模糊测试？
3. 是否可以使用 Tempest 调用它？

找到合适的模糊测试工具后，将使用不同的输入类型使用 Tempest 作为 POC 运行几次模糊测试迭代。

模糊测试的输入可以通过定义强制输入参数并随机化其他参数来随机生成，或者可以通过定义用作黑盒的协议来基于模式生成。例如，可以使用 Backtrack 5 R3 运行不同类型的模糊测试程序，如 BED 程序来测试 OpenStack Horizon 的 HTTP 服务。BED 程序可用于向 HTTP HEAD、GET、POST 等发送模糊数据包。以同样的方式，可以使用 sfuzz 程序通过提供配置文件来模糊 OpenStack Horizon 的 HTTP 服务。根据不同模糊测试程序获得的结果，将使用模糊测试工具来测试 OpenStack 服务。

• 任务 2：为 OpenStack 项目之一（例如 OpenStack Nova）实施模糊测试

    After selecting the best fuzzing tool, it will be used to fuzz OpenStack APIs for one of the projects/ services, such as OpenStack Nova. This will be further broken down to several sub tasks i.e fuzzing the main components of that service which may lead to any security vulnerabilities. To begin with, API fuzzing and HTTP fuzzing will be completed. 

在此阶段，还将最终确定适当的报告机制，以便有效地报告漏洞。将就此步骤咨询 OpenStack 安全组。

• 任务 3：与 OpenStack 测试框架 - Tempest 集成

    Next task would be integrating with Tempest.Tempest should be able to run fuzzing iterations on OpenStack service. Tempest currently supports API testing to some extent, but by integrating fuzzing with Tempest, fuzzing can be run directly from it.

我将如何实现这些目标

成功完成该项目需要彻底了解模糊测试工具、模糊测试技术、渗透测试工具，以及对要进行模糊测试的 OpenStack 服务内部的深入了解。我熟悉 OpenStack 及其服务的架构，并且具有使用 Devstack 部署 OpenStack 以及使用不同 Hypervisor 进行 3 节点设置的经验。我计划在开始编码之前学习和使用不同的模糊测试工具和技术，以便在编码期开始时就可以开始使用模糊测试技术。我已经与我的导师 Sriram Subramanian 讨论过，他给了我材料，其中包含有关如何在 OpenStack Essex 云软件中进行模糊测试和其他渗透测试的所有信息。与此同时，我也会研究特定的 OpenStack 服务、Tempest，并深入了解它，以便我可以在其上实施模糊测试。

我的里程碑是什么

* My first milestone would be identifying the appropriate fuzzing tool which can be used to fuzz OpenStack service based on the prerequisites mentioned in task 1 
* Second milestone would be, after the identification and implementation of the fuzzing tool and techniques, using it to fuzz OpenStack service
* Third milestone would be, integrating the fuzzing tool with the Tempest which could be used to run fuzzing tests directly and enabling automated reporting of security vulnerabilities   to the OpenStack Security Group.

项目时间表

这是我根据与导师的讨论制定的初步项目时间表。

• 4 月 20 日之前

 * Familiarize myself with different types of Fuzzing techniques and Fuzzing tools like BED,SPIKE, SFUZZ, SICKFUZZ.
 * Familiarize myself with OpenStack services,Tempest and OpenStack code base.
 * I will be in constant touch with my mentor to improve my knowledge and get better, deeper understanding of Fuzzing and OpenStack services.

• 4 月 21 日 - 5 月 4 日（在实际编码时间之前）

 * Identifying the best open source fuzzing tool which can be used for API ,HTTP fuzzing
 * Creating a working draft on which fuzzing tool can serve the purpose 
 * Discussing with mentor on using the fuzzing tool for the further project and changes to the tool(if required)

• 5 月 5 日 - 5 月 18 日

 * Implementing the fuzzing tool to fuzz on one of the OpenStack service API
 * Creating exhaustive fuzzers and trying to automate the fuzzing tool to create inputs(random or pattern based) to the fuzzing tool
 * Based on the complexity of the OpenStack service ,fuzzing can be done on separate parts of the service

• 5 月 19 日 - 6 月 1 日

 * Implementing other penetration tests which may lead to threats like Memory leaks and Buffer overflows

• 6 月 2 日 - 6 月 15 日

 * Improving the code functionality ,removing bugs and exception handling  

• 6 月 16 日 - 6 月 29 日（中期评估）

 * By the Mid-term, a fully functional fuzzing on one of the OpenStack service

• 6 月 30 日 - 7 月 13 日

 * Integrating fuzzing tool with the tempest so that tempest can directly be used to run fuzz test

• 7 月 14 日 - 7 月 27 日

 * Testing Tempest to see if it can run the fuzzing test on OpenStack service

• 7 月 28 日 - 8 月 10 日

 * Making further changes in the code to improve functionality,bug removals,exception handling

• 8 月 11 日 - 8 月 24 日

 * Discussion about the documentation with mentor and wrapping up
 * Most of the time will be used for bug fixes and testing 
 * Final documentation which includes complete details about all the methods and their usage. 

技术背景

• 开源贡献

   I haven't contributed to open source but i want to start my contribution to open source through OpenStack.

• 学术背景

   I am an Undergraduate student pursuing MSC.(Tech.) Information Systems at BITS Pilani K K Birla Goa Campus.Currently i am working as an intern.I have been working on OpenStack for couple of months and i am involved  in deployment of OpenStack services in the Data center. I am responsible for deployment of multi-hypervisor cloud which is used to test different products of the company and fixing errors for the other teams who are using the OpenStack services.I am also responsible for Baremetal and Ironic deployment which are currently in progress.Prior to this i have worked on different projects in Android, Hadoop, Matlab

• 编程语言

   C, Java, Python