Community post by Adam Korczynski, ADA Logics

The Keycloak project has completed its fuzzing audit. The audit was carried out by Ada Logics, a UK-based security firm with deep expertise in fuzz testing, and the audit was funded by the CNCF. The audit is part of the CNCF’s investment in security through security audits, and Keycloak joins a significant list of CNCF projects that have undergone fuzzing audits. See this blog post to read more about the fuzzing work for CNCF projects.

The audit resulted in Keycloak integrating into the OSS-Fuzz project – an open source fuzzing program developed and offered by Google for critical open source projects. Accepted projects can include their fuzz tests in their OSS-Fuzz build, and OSS-Fuzz will run them with high amounts of compute to scale the projects’ chances of finding potential bugs and vulnerabilities before malicious threat actors find them. 

The audit also saw the auditing team write an extensive fuzzing suite for the Keycloak project that targets both complex processing routines and code parts that interact with 3rd-party services enabled by mocking of these 3rd-party services in the fuzz tests. In total, the auditing team wrote 24 new harnesses and added them all to Keycloaks OSS-Fuzz integration such that they run continuously on the OSS-Fuzz infrastructure. The auditing team then assessed the feedback from OSS-Fuzz, adjusted the fuzz tests to improve these based on OSS-Fuzz’s feedback and added seed corpora to selected fuzz tests. 

The fuzz tests found a crash of low severity during the audit, which the auditing team fixed with an upstream patch. With Keycloaks integration into OSS-Fuzz, its fuzz tests continue to test the Keycloak code after its audit. 

The full report from the audit is available here.