Security Oriented Open Source Continuous Fuzzing 101 - From Start to Finish
Liban Mohamud
Product & Applications Security Lead at Verizon | AppSec Nerd | Passionate Hacker | Author | Speaker
"The Bazaar model “given enough eyeballs, all bugs are shallow"
In this post, I like to go over a fuzz from start to finish. What does that mean exactly? First, I like to walk you through basic Fuzzing-related archaeology and help you set up the environment with a good piece of software to fuzz, I'll demo fuzzing by showing you how I was able to rediscover the Heartbleed bug (aka CVE-2014-0160) using LibFuzzer – a critical security bug in the OpenSSL cryptography library, discovered in 2014, by code inspection and later demonstrated that the bug could have easily been found by fuzzing.
Basics: C/C++ (nothing special, but you need to be able to read, and compile C/C++ code in Unix shell)
What is Fuzzing (or Fuzz Testing)
Fuzzing or Fuzz testing is a Black Box software testing technique, which basically consists of finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. The idea is simply to subject the program to various kinds of inputs and see what happens. For those who are familiar with software Unit testing below is a comparison table with modern fuzzing;
Unit testing vs. Fuzz testing;
Setup the environment; Most of the examples has been taken from [libFuzzer tutorial] and [Fuzzer Test Suite].
First, the environment. I recommend using a VirtualBox VM with script available here, I am using clean Ubuntu 16.04.
Docker option;
- Install Docker
- Run docker run --cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt
Sample ‘Hello world' fuzzer program;
```
cpp
bool VulnerableFunction1(const uint8_t* data, size_t size) {
bool result = false;
if (size >= 3) {
result = data[0] == 'F' &&
data[1] == 'U' &&
data[2] == 'Z' &&
data[3] == 'Z';
}
return result;
}
```
Do you see any bug in the above function? Let's try to fuzz it with the following fuzz target: let me stop here and give you fuzzing-related terminology!
To reduce confusion around fuzzing-related terminology. Go here
- Corpus
- Fuzz Target
- Fuzzer
- Fuzzing Engine
- Mutation Engine
- Reproducer
- Sanitizer
- Test Generator and Test Input
Since you know the terminology now - Let's try to fuzz it with the following fuzz target below;
```
cpp
#include "vulnerable_functions.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
VulnerableFunction1(data, size);
return 0;
}
```
Here comes other terminology (Fuzzer) the most overloaded term and used in a variety of contexts, let's compile the fuzzer in the following way:
```
bash
clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
first_fuzzer.cc ../../libFuzzer/libFuzzer.a \ -o first_fuzzer
```
Now to create an empty directory for corpus and run the fuzzer: do the following;
``` bash mkdir corpus1 ./first_fuzzer corpus1 ```
w you should see the following when you run:
Wow! The fuzzer has just found a **heap-buffer-overflow**.
Heartbleed ( CVE-2014-0160)
***
This example has been taken from [google/fuzzer-stest-suite] repository.
***
Get the code and the Target here
Run the fuzzer: ```bash mkdir corpus1 ./openssl_fuzzer ./corpus1/ ``` After some time, you should see:
Exercise: run the fuzzer that finds CVE-2016-5180. The experience should be very similar to that of heartbleed.
OSS-Fuzz - Continuous Fuzzing for Open Source Software is here