2020-05-07 19:44:01 +08:00
|
|
|
Fuzzing OpenSSL
|
|
|
|
===============
|
|
|
|
|
|
|
|
OpenSSL can use either LibFuzzer or AFL to do fuzzing.
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2016-05-08 04:09:13 +08:00
|
|
|
LibFuzzer
|
2020-05-07 19:44:01 +08:00
|
|
|
---------
|
2016-05-08 04:09:13 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
How to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html),
|
|
|
|
starting from a vanilla+OpenSSH server Ubuntu install.
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
With `clang` from a package manager
|
|
|
|
-----------------------------------
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
Install `clang`, which [ships with `libfuzzer`](http://llvm.org/docs/LibFuzzer.html#fuzzer-usage)
|
|
|
|
since version 6.0:
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
sudo apt-get install clang
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
Configure `openssl` for fuzzing. For now, you'll still need to pass in the path
|
|
|
|
to the `libFuzzer` library file while configuring; this is represented as
|
|
|
|
`$PATH_TO_LIBFUZZER` below. A typical value would be
|
2020-04-01 14:51:31 +08:00
|
|
|
`/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a`.
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
CC=clang ./config enable-fuzz-libfuzzer \
|
2019-05-07 16:05:44 +08:00
|
|
|
--with-fuzzer-lib=$PATH_TO_LIBFUZZER \
|
2016-11-20 00:20:34 +08:00
|
|
|
-DPEDANTIC enable-asan enable-ubsan no-shared \
|
2016-12-03 02:26:31 +08:00
|
|
|
-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
|
2019-05-07 16:05:44 +08:00
|
|
|
-fsanitize=fuzzer-no-link \
|
|
|
|
enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
|
2016-12-16 03:06:51 +08:00
|
|
|
enable-weak-ssl-ciphers enable-rc5 enable-md2 \
|
2017-01-06 03:12:05 +08:00
|
|
|
enable-ssl3 enable-ssl3-method enable-nextprotoneg \
|
|
|
|
--debug
|
2019-05-07 16:05:44 +08:00
|
|
|
|
2023-10-12 00:35:10 +08:00
|
|
|
Clang uses the gcc libstdc++ library so this must also be installed. You can
|
|
|
|
check which version of gcc clang is using like this:
|
|
|
|
|
|
|
|
$ clang --verbose
|
|
|
|
Ubuntu clang version 14.0.0-1ubuntu1.1
|
|
|
|
Target: x86_64-pc-linux-gnu
|
|
|
|
Thread model: posix
|
|
|
|
InstalledDir: /usr/bin
|
|
|
|
Found candidate GCC installation: /usr/bin/../lib/gcc/i686-linux-gnu/12
|
|
|
|
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/10
|
|
|
|
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
|
|
|
|
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/12
|
|
|
|
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/12
|
|
|
|
Candidate multilib: .;@m64
|
|
|
|
Selected multilib: .;@m64
|
|
|
|
|
|
|
|
So, in the above example clang is using gcc version 12. Ensure that the selected
|
|
|
|
gcc version has the relevant libstdc++ files installed:
|
|
|
|
|
|
|
|
$ ls /usr/lib/gcc/x86_64-linux-gnu/12 | grep stdc++
|
|
|
|
libstdc++.a
|
|
|
|
libstdc++fs.a
|
|
|
|
libstdc++.so
|
|
|
|
|
|
|
|
On Ubuntu for gcc-12 this requires the libstdc++-12-dev package installed.
|
|
|
|
|
|
|
|
$ sudo apt-get install libstdc++-12-dev
|
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
Compile:
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
sudo apt-get install make
|
|
|
|
make clean
|
|
|
|
LDCMD=clang++ make -j4
|
2019-05-07 16:05:44 +08:00
|
|
|
|
|
|
|
Finally, perform the actual fuzzing:
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
fuzz/helper.py $FUZZER
|
2016-03-27 01:19:14 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
where $FUZZER is one of the executables in `fuzz/`.
|
2020-04-01 14:51:31 +08:00
|
|
|
It will run until you stop it.
|
2016-03-27 01:19:14 +08:00
|
|
|
|
|
|
|
If you get a crash, you should find a corresponding input file in
|
2017-01-06 03:12:05 +08:00
|
|
|
`fuzz/corpora/$FUZZER-crash/`.
|
2016-05-08 04:09:13 +08:00
|
|
|
|
2019-05-07 16:05:44 +08:00
|
|
|
With `clang` from source/pre-built binaries
|
|
|
|
-------------------------------------------
|
|
|
|
|
|
|
|
You may also wish to use a pre-built binary from the [LLVM Download
|
|
|
|
site](http://releases.llvm.org/download.html), or to [build `clang` from
|
|
|
|
source](https://clang.llvm.org/get_started.html). After adding `clang` to your
|
|
|
|
path and locating the `libfuzzer` library file, the procedure for configuring
|
|
|
|
fuzzing is the same, except that you also need to specify
|
|
|
|
a `--with-fuzzer-include` option, which should be the parent directory of the
|
|
|
|
prebuilt fuzzer library. This is represented as `$PATH_TO_LIBFUZZER_DIR` below.
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
CC=clang ./config enable-fuzz-libfuzzer \
|
2019-05-07 16:05:44 +08:00
|
|
|
--with-fuzzer-include=$PATH_TO_LIBFUZZER_DIR \
|
|
|
|
--with-fuzzer-lib=$PATH_TO_LIBFUZZER \
|
|
|
|
-DPEDANTIC enable-asan enable-ubsan no-shared \
|
|
|
|
-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
|
|
|
|
-fsanitize=fuzzer-no-link \
|
|
|
|
enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
|
|
|
|
enable-weak-ssl-ciphers enable-rc5 enable-md2 \
|
|
|
|
enable-ssl3 enable-ssl3-method enable-nextprotoneg \
|
|
|
|
--debug
|
|
|
|
|
2016-05-08 04:09:13 +08:00
|
|
|
AFL
|
2020-05-07 19:44:01 +08:00
|
|
|
---
|
2016-05-08 04:09:13 +08:00
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
This is an alternative to using LibFuzzer.
|
|
|
|
|
2016-05-08 04:09:13 +08:00
|
|
|
Configure for fuzzing:
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
sudo apt-get install afl-clang
|
|
|
|
CC=afl-clang-fast ./config enable-fuzz-afl no-shared no-module \
|
2019-08-29 00:30:14 +08:00
|
|
|
-DPEDANTIC enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 \
|
|
|
|
enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg \
|
2017-01-06 03:12:05 +08:00
|
|
|
enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
|
|
|
|
--debug
|
2020-04-01 14:51:31 +08:00
|
|
|
make clean
|
|
|
|
make
|
2016-05-08 04:09:13 +08:00
|
|
|
|
2016-12-16 03:06:51 +08:00
|
|
|
The following options can also be enabled: enable-asan, enable-ubsan, enable-msan
|
|
|
|
|
2016-05-08 04:09:13 +08:00
|
|
|
Run one of the fuzzers:
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER
|
2016-05-08 04:09:13 +08:00
|
|
|
|
2016-07-04 08:00:47 +08:00
|
|
|
Where $FUZZER is one of the executables in `fuzz/`.
|
2017-01-06 03:12:05 +08:00
|
|
|
|
|
|
|
Reproducing issues
|
2020-05-07 19:44:01 +08:00
|
|
|
------------------
|
2017-01-06 03:12:05 +08:00
|
|
|
|
|
|
|
If a fuzzer generates a reproducible error, you can reproduce the problem using
|
|
|
|
the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
|
2020-07-03 20:19:43 +08:00
|
|
|
don't need to be built for fuzzing, there is no need to set CC or the call
|
2017-01-06 03:12:05 +08:00
|
|
|
config with enable-fuzz-* or -fsanitize-coverage, but some of the other options
|
|
|
|
above might be needed. For instance the enable-asan or enable-ubsan option might
|
|
|
|
be useful to show you when the problem happens. For the client and server fuzzer
|
|
|
|
it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to
|
|
|
|
reproduce the generated random numbers.
|
|
|
|
|
|
|
|
To reproduce the crash you can run:
|
|
|
|
|
2020-04-01 14:51:31 +08:00
|
|
|
fuzz/$FUZZER-test $file
|
2017-01-06 03:12:05 +08:00
|
|
|
|
2020-07-03 20:19:43 +08:00
|
|
|
To do all the tests of a specific fuzzer such as asn1 you can run
|
|
|
|
|
|
|
|
fuzz/asn1-test fuzz/corpora/asn1
|
|
|
|
or
|
2020-11-04 21:39:42 +08:00
|
|
|
make test TESTS=fuzz_test_asn1
|
2020-07-03 20:19:43 +08:00
|
|
|
|
|
|
|
To run several fuzz tests you can use for instance:
|
|
|
|
|
2020-11-04 21:39:42 +08:00
|
|
|
make test TESTS='test_fuzz_cmp test_fuzz_cms'
|
2020-07-03 20:19:43 +08:00
|
|
|
|
|
|
|
To run all fuzz tests you can use:
|
|
|
|
|
2020-11-04 21:39:42 +08:00
|
|
|
make test TESTS='test_fuzz_*'
|
2020-07-03 20:19:43 +08:00
|
|
|
|
2017-01-06 03:12:05 +08:00
|
|
|
Random numbers
|
2020-05-07 19:44:01 +08:00
|
|
|
--------------
|
2017-01-06 03:12:05 +08:00
|
|
|
|
|
|
|
The client and server fuzzer normally generate random numbers as part of the TLS
|
|
|
|
connection setup. This results in the coverage of the fuzzing corpus changing
|
|
|
|
depending on the random numbers. This also has an effect for coverage of the
|
|
|
|
rest of the test suite and you see the coverage change for each commit even when
|
|
|
|
no code has been modified.
|
|
|
|
|
|
|
|
Since we want to maximize the coverage of the fuzzing corpus, the client and
|
|
|
|
server fuzzer will use predictable numbers instead of the random numbers. This
|
|
|
|
is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define.
|
|
|
|
|
|
|
|
The coverage depends on the way the numbers are generated. We don't disable any
|
|
|
|
check of hashes, but the corpus has the correct hash in it for the random
|
|
|
|
numbers that were generated. For instance the client fuzzer will always generate
|
|
|
|
the same client hello with the same random number in it, and so the server, as
|
|
|
|
emulated by the file, can be generated for that client hello.
|
|
|
|
|
|
|
|
Coverage changes
|
2020-05-07 19:44:01 +08:00
|
|
|
----------------
|
2017-01-06 03:12:05 +08:00
|
|
|
|
|
|
|
Since the corpus depends on the default behaviour of the client and the server,
|
|
|
|
changes in what they send by default will have an impact on the coverage. The
|
|
|
|
corpus will need to be updated in that case.
|
|
|
|
|
2017-02-20 00:09:45 +08:00
|
|
|
Updating the corpus
|
2020-05-07 19:44:01 +08:00
|
|
|
-------------------
|
2017-02-20 00:09:45 +08:00
|
|
|
|
|
|
|
The client and server corpus is generated with multiple config options:
|
2020-05-07 19:44:01 +08:00
|
|
|
|
2017-02-20 00:09:45 +08:00
|
|
|
- The options as documented above
|
|
|
|
- Without enable-ec_nistp_64_gcc_128 and without --debug
|
|
|
|
- With no-asm
|
|
|
|
- Using 32 bit
|
|
|
|
- A default config, plus options needed to generate the fuzzer.
|
|
|
|
|
|
|
|
The libfuzzer merge option is used to add the additional coverage
|
|
|
|
from each config to the minimal set.
|
2020-04-01 14:51:31 +08:00
|
|
|
|
|
|
|
Minimizing the corpus
|
2020-05-07 19:44:01 +08:00
|
|
|
---------------------
|
2020-04-01 14:51:31 +08:00
|
|
|
|
|
|
|
When you have gathered corpus data from more than one fuzzer run
|
2020-06-30 03:13:07 +08:00
|
|
|
or for any other reason want to minimize the data
|
2020-04-01 14:51:31 +08:00
|
|
|
in some corpus subdirectory `fuzz/corpora/DIR` this can be done as follows:
|
|
|
|
|
|
|
|
mkdir fuzz/corpora/NEWDIR
|
|
|
|
fuzz/$FUZZER -merge=1 fuzz/corpora/NEWDIR fuzz/corpora/DIR
|