fuzzinator - in bug we trust
TRANSCRIPT
FuzzinatorIn bug we trust.
Renata HodovanAkos Kiss
HACKTIVITY 2
outlineWhy do you want to have a fuzzer?For a fuzzer framework, what is
… must have? … nice to have?
What does Fuzzinator have?How can you have more?
10/21/16
HACKTIVITY 3
Why do you want to fuzz?
10/21/16
HACKTIVITY 4
Why do you want to fuzz?Real issues
CrashesMemory corruptionsHangsAssertion failuresUnhandled exceptions
Reproducible issuesLarge amount of test cases with little effort
10/21/16
HACKTIVITY 5
Mandatory componentsSoftware Under TestingTest generatorTransfer mechanismMonitoring system
10/21/16
HACKTIVITY 6
Convenience functionalitiesRecognize unique issuesReduce test casesCustomize issue descriptionsReport issuesUpdate SUTs regularlySchedule multiple generators / SUTsUser friendly UI
10/21/16
HACKTIVITY 7
fuzzinatorGeneral fuzzer framework
Extra support for browsersBased on building blocksBuilding blocks are arbitrarily …
customizablereplaceable
Setup from config files
10/21/16
HACKTIVITY 8
Fuzzinator’s architecture
10/21/16
Controller
Update Job Reduce Job
SUT call
Fuzz Job
ReducerFuzzer
ISSUE
Updater
TEST
DB
HACKTIVITY 9
Building blocks – sut callsSubprocess callStream-monitored subprocess callStdin subprocess callTestRunner subprocess callPython callable
10/21/16
HACKTIVITY 10
Building blocks – SUT decoratorsExit code filterStream regex filterGDB backtrace decoratorPlatform info decoratorUnique ID decoratorAnonymize decoratorFile writer decorator
10/21/16
HACKTIVITY 11
Building blocks - fuzzersFuzzers
Random contentList directorySubprocess runnerAFL runnerPython callable
DecoratorTornado decorator
10/21/16
HACKTIVITY 12
Building blocks - reducersPicire (https://github.com/renatahodovan/picire)
ParallelLine or character based
Picireny (https://github.com/renatahodovan/picireny)ParallelGrammar based
10/21/16
HACKTIVITY 13
How to configure your fuzzer?Regular .ini syntaxSection types
SUT sectionsFuzz sectionsBuilding block parameter sectionsFuzzinator section
10/21/16
HACKTIVITY 14
Example test generatorsRandom content
fuzzinator.fuzzer.RandomContentGenerinator:RATS
Random Attributes, Tags & StyleGeneration based fuzzerhttps://github.com/renatahodovan/generinator-rats
10/21/16
15
Sut section
10/21/16 HACKTIVITY
[sut.webkit]call=fuzzinator.call.SubprocessCallcall.decorate(0)=fuzzinator.call.StreamRegexFiltercall.decorate(1)=fuzzinator.call.SubprocessPropertyDecoratorcall.decorate(2)=fuzzinator.call.PlatformInfoDecoratorreduce=fuzzinator.reduce.Picire
[sut.webkit.call]cwd=${webkit:path}command=./WebKitBuild/Debug/bin/MiniBrowser {test}
[sut.webkit.call.decorate(0)]stderr_patterns=["(?P<msg>ASSERTION FAILED: [^\n]+)\n(?P<file>[^()\n]+)", ...]
[sut.webkit.call.decorate(1)]property=versioncommand=git rev-parse --short HEADcwd=${webkit:path}
16
Fuzz section
10/21/16 HACKTIVITY
[fuzz.generinator_rats_webkit]sut=sut.webkitfuzzer=fuzzinator.fuzzer.SubprocessRunnerfuzzer.decorate(0)=fuzzinator.fuzzer.TornadoDecoratorbatch=100
[fuzz.generinator_rats_webkit.fuzzer.init]outdir=${fuzzinator:work_dir}/generinator_rats/{uid}command=generinator-rats -o ${outdir} -n ${fuzz.generinator_rats_webkit:batch}
[fuzz.generinator_rats_webkit.fuzzer.decorate(0)]port=8000
HACKTIVITY 17
Screenshot– main window
10/21/16
HACKTIVITY 18
Screenshot – report window
10/21/16
HACKTIVITY 19
contacts
10/21/16