Add fuzz-testing

[harshitasao]

Motivation

Part of #3297

Feature

Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.

Integrate the project with OSS-Fuzz by following the instructions here.

Alternatives

N/A

Additional context

Maintainers help is highly appreciated. For example, helping in identifying the components where fuzz testing will be added.

[LucaGuerra]

Thank you for opening this. I would like to add some additional information:

• See the latest security audit re. the attack surface and challenges to build a meaningful fuzzer for Falco: https://github.com/falcosecurity/falco/blob/master/audits/SECURITY_AUDIT_2023_01_23-01-1097-LIV.pdf . Both the pentesting company that helped us there and us maintainers have built some small prototypes but nothing that could be deployed to production directly
• Since then, we have made the userspace side more robust and added AddressSanitizer support throughout the codebase to both enhance our current test suite and facilitate fuzzing and security testing
• I can discuss starting a project like this to bring this effort to completion with other maintainers. Are there additional resources (experts willing to help that you work with) that could help us maintainers in such a project?

Also apologies but these days I might be a bit slow to respond.

/assign

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale