The RGW's frontend is an S3 REST API server, and in this project we would like to use a REST API fuzzer to test the RGW for security issues (and other bugs). Would recommend exploring the Restler tool. Very good intro in this video. Feed it with the AWS S3 OpenAPI spec, and see what happens when we let it connect to the RGW.
- run Ceph with a radosgw. you can use cephadm to install and run ceph in containers or build it from source and run it a vstart cluster
- build and run the fuzzer against a demo service
- use the fuzzer to compile the s3 spec and run it agianst the radosgw (note that this will mostly fail due to lack of support with s3 authentication)
- feel free to suggest other fuzzing tools if
- they have good stateful fuzzing support (this is must for S3)
- they support S3 header signing, or it is esy to add it to them
- add S3 authntication to the fuzzer (mainly signing the S3 header)
- see this issue
- this tool has a python callback for getting a token, for token based authentication, however this won't help since S3 requires signing of the header
- note that signing the header may require code changes to the tool (written in F#)
- make sure that the fuzzer knows the right order of operations (e.g. create the bucket before performing operations on it)
- fix issues of inconsistency between the AWS S3 dialect and the Ceph S3 dialect
- run the fuzzer and try to find as many issues as possible in the radosgw
- try to fix some of the issues
- add fuzzing tests to the teuthology test automation framework
Hello @yuvalif ,
Thank you for clarifying. Indeed, Boofuzz’s lower-level approach requires much more work to model the entire S3 API, while RESTler’s built-in schema and stateful support align better with our current S3 fuzzing goals. If we pursue deeper HTTP-layer fuzzing in the future, Boofuzz could be worth revisiting. I appreciate your guidance.