Security Oriented Open Source Continuous Fuzzing 101 — From Start to Finish
In this post, I like to go over a fuzz from start to finish. What does that mean exactly? First, I like to walk you through basic Fuzzing-related archaeology and help you set up the environment with a good piece of software to fuzz, I’ll demo fuzzing by showing you how I was able to rediscover the Heartbleed bug (aka CVE-2014–0160) using LibFuzzer — a critical security bug in the OpenSSL cryptography library , discovered in 2014, by code inspection and later demonstrated that the bug could have easily been found by fuzzing.
Basics: C/C++ (nothing special, but you need to be able to read, and compile C/C++ code in Unix shell)
What is Fuzzing (or Fuzz Testing)
Fuzzing or Fuzz testing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. The idea is simply to subject the program to various kinds of inputs and see what happens. For those who are familiar with software Unit testing below is a comparison table with modern fuzzing;
Unit testing vs. Fuzz testing;
Setup the environment; Most of the examples has been taken from [libFuzzer tutorial] and [Fuzzer Test Suite].
First, the environment. I recommend using a VirtualBox VM with script available here, I am using clean Ubuntu 16.04
· Run docker run — cap-add SYS_PTRACE -ti libfuzzertutorial/prebuilt
Sample ‘Hello world’ fuzzer program;
Do you see any bug on the above function? Let’s try to fuzz it with the following fuzz target: let me stop here and give you fuzzing-related terminology!
To reduce confusion around fuzzing-related terminology. Go here
Corpus ,Fuzz Target, Fuzzer,Fuzzing Engine, Mutation Engine,Reproducer, Sanitizer,Test Generator and Test Input.
Since you know the terminology now — Let’s try to fuzz it with the following fuzz target below;
Here comes other terminology (Fuzzer) the most overloaded term and used in a variety of contexts, lets compile the fuzzer in the following way:
Now you should see the following when you run:
Wow! The fuzzer has just found a **heap-buffer-overflow**.
Heartbleed ( CVE-2014–0160)
This example has been taken from [google/fuzzer-stest-suite] repository.
Get the code and the Target here
Run the fuzzer:
After some time, you should see:
Exercise: run the fuzzer that finds CVE-2016–5180. The experience should be very similar to that of heartbleed.