Fuzzing with Go-Fuzz August 2015
Fuzzing with Go-FuzzAugust 2015
Why Fuzz?Your code probably has
problems.
Fuzzing• Mainly applicable to
packages that parse complex inputs
• Technique of testing software by continuously feeding it automatically mutated inputs
• Hardening systems that parse inputs from potentially malicious users
What to Fuzz• Image decoders
• Format string decoders
• SIP message decoders
• HTTP requests
• XML
• JSON
• Anything that has user inputs
Fuzzing• American Fuzzy Lop
• Throwing random things at your code isn’t effective
• Compile time instrumentation and genetic algorithms
• Instrumented source coverage to judge which mutations pushed the program into new paths, eventually hitting many rarely-tested branches
http://lcamtuf.coredump.cx/afl/ http://lcamtuf.coredump.cx/afl/README.txt
Fuzzing Flow1. Load user-supplied initial test cases into the queue,
2. Take next input file from the queue,
3. Attempt to trim the test case to the smallest size that doesn't alter the measured behavior of the program,
4. Repeatedly mutate the file using a balanced and well-researched variety of traditional fuzzing strategies,
5. If any of the generated mutations resulted in a new state transition recorded by the instrumentation, add mutated output as a new entry in the queue.
6. Go to 2.
Go-Fuzz• Based on American Fuzzy Lop
• Instruments the source by rewriting it
• Catches
• Index out of range
• Panics
• Deadlock
• Insane memory allocation
• Anything else you explicitly check for
https://github.com/dvyukov/go-fuzz
Go Fuzz• You provide
• an entry function for go-fuzz
• Fuzz(data []byte) int
• 0 on error
• 1 if input was interesting
• -1 if not interesting
• initial set of inputs
• compile your program with go-fuzz-build
Fuzz Time• Gossip
• http://godoc.org/github.com/StefanKopieczek/gossip/parser
• SIPParser
• http://godoc.org/github.com/dgv/sipparser