Fuzzing SAE in hostap
This libFuzzer-based fuzzing test is built on the existing fuzzing test found in
Even though both tests use the same fuzzing target function, ieee802_11_mgmt(), the existing test cannot properly target the SAE authentication functionality. The reason is that hostap/tests/fuzzing/ap-mgmt is compiled without SAE support and that the hapd hostap data structure does not have all required fields set. The SAE-specific hapd configuration used by this test:
```c
// SAE specific hapd configuration
os_memcpy(hapd->sae_token_key, "\xe1\x06\x03\xab\x05\x26\x07\x08", 8);
os_get_reltime(&hapd->last_sae_token_key_update);
hapd->dot11RSNASAERetransPeriod = 10; // retransmit period in ms
dl_list_init(&hapd->sae_commit_queue);
hapd->conf->wpa_key_mgmt = WPA_KEY_MGMT_SAE;
hapd->conf->wpa = WPA_PROTO_RSN;
hapd->conf->auth_algs = WPA_AUTH_ALG_SAE;
```
This fuzzing test supports fuzzing all SAE functionality found in
MLME logic found in
Therefore, we needed to modify the compilation process in order to provide SAE support.
Another problem was the SAE queuing mechanism. Each new incoming SAE auth commit message is handled only i*10ms later, where i is the number of pending auth commit messages. This requires a couple of fixes in the hostap source code in order to make fuzzing faster.
Furthermore, there is another major problem with memory leaks. There are a couple of
allocate memory without freeing it. This aborts the fuzzer after a couple of minutes because too much memory has leaked.
Before compiling the fuzzer, several locations in hostap need to be patched in order to increase the fuzzing speed. All changes are made in
```c
eloop_register_timeout(0, 0, auth_sae_process_commit, hapd, NULL);
```
in the function auth_sae_process_commit() and in the function
This invokes the SAE parsing/processing functionality immediately instead of after the queuing delay, thus speeding up the fuzzing.
First download the most recent version of hostap:
```sh
git clone git://w1.fi/hostap.git
```
Then change into the directory with the fuzzing tests
Then download this repository and change into the dir:
```sh
git clone https://github.com/NikolaiT/fuzz_sae_hostap && cd fuzz_sae_hostap
```
The Makefile enables libFuzzer and the sanitizers via:
```make
FUZZ_FLAGS ?= -fsanitize=fuzzer,address,signed-integer-overflow,unsigned-integer-overflow
```
Clean and compile the fuzzing test:
```sh
export CC='clang-8'
make clean
make LIBFUZZER=y CONFIG_SAE=y -j4
```
After a couple of moments the fuzzer should be compiled and ready.
Now you may run the fuzzer with the command:
```sh
./sae sae_corpus_2 -detect_leaks=0 -max_len=1050 -print_final_stats=1
```
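The fuzzer is seeded from sae_corpus_2 and every input reaches the target through ieee802_11_mgmt(), so a seed only exercises SAE when it parses as an Authentication frame with the SAE algorithm. The following is an added example, not code from this repository or from hostap: it builds a structurally valid group-19 SAE commit frame as a corpus seed and classifies raw frames the way ieee802_11_mgmt() routes them, so a seed can be checked for reaching the SAE auth path before fuzzing. The 802.11 constants are redefined locally (names mirror hostap's but are not taken from its headers); the addresses and scalar/element bytes are constructed filler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IEEE 802.11 constants (from the standard, not from hostap's headers). */
#define WLAN_FC_STYPE_AUTH 11   /* management frame, subtype Authentication */
#define WLAN_AUTH_SAE      3
#define IEEE80211_HDRLEN   24
#define SAE_GROUP_P256     19   /* group 19: scalar 32 bytes, element 64 bytes */
enum frame_kind { NOT_AUTH, OTHER_AUTH, SAE_COMMIT, SAE_CONFIRM };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
/* Route a raw frame the way ieee802_11_mgmt() does: management header first,
 * then the fixed Authentication body (algorithm, transaction, status). */
enum frame_kind classify_auth_frame(const uint8_t *d, size_t len)
{
    if (len < IEEE80211_HDRLEN + 6) return NOT_AUTH;
    uint16_t fc = le16(d);   /* type in bits 2-3, subtype in bits 4-7 */
    if (((fc >> 2) & 3) != 0 || ((fc >> 4) & 0xf) != WLAN_FC_STYPE_AUTH) return NOT_AUTH;
    const uint8_t *auth = d + IEEE80211_HDRLEN;
    if (le16(auth) != WLAN_AUTH_SAE) return OTHER_AUTH;
    uint16_t trans = le16(auth + 2);
    return trans == 1 ? SAE_COMMIT : trans == 2 ? SAE_CONFIRM : OTHER_AUTH;
}

/* Build a structurally valid group-19 SAE commit as a corpus seed. Addresses,
 * scalar and element are constructed filler for the fuzzer to mutate, not a
 * real commit. Returns the frame length (128), or 0 if cap is too small. */
size_t build_sae_commit_seed(uint8_t *buf, size_t cap)
{
    size_t len = IEEE80211_HDRLEN + 6 + 2 + 32 + 64;
    if (cap < len) return 0;
    memset(buf, 0, len);
    put_le16(buf, WLAN_FC_STYPE_AUTH << 4);  /* type 0 (mgmt), subtype 11 */
    memset(buf + 4, 0x02, 6);   /* addr1: AP (constructed 02:02:02:02:02:02) */
    memset(buf + 10, 0x04, 6);  /* addr2: STA (constructed) */
    memset(buf + 16, 0x02, 6);  /* addr3: BSSID */
    uint8_t *auth = buf + IEEE80211_HDRLEN;
    put_le16(auth, WLAN_AUTH_SAE);
    put_le16(auth + 2, 1);      /* transaction 1 = commit, 2 = confirm */
    put_le16(auth + 4, 0);      /* status: success */
    put_le16(auth + 6, SAE_GROUP_P256);
    for (size_t i = 0; i < 32 + 64; i++) auth[8 + i] = (uint8_t)(i + 1);  /* filler */
    return len;
}
/* Self-check: the seed must be routed as a 128-byte SAE commit. */
int seed_is_sae_commit(void)
{
    uint8_t buf[256]; size_t n = build_sae_commit_seed(buf, sizeof buf);
    return n == 128 && classify_auth_frame(buf, n) == SAE_COMMIT;
}
```

Write the bytes returned by build_sae_commit_seed() to a file in the corpus directory; the -max_len=1050 above leaves room for the fuzzer to grow it with an anti-clogging token.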
If you want to check what functionality was reached during fuzzing, you can set the hostapd debug level to 0 (DEBUG):
If you don't want to see any output while fuzzing, set it to
- Fix memory leaks that prevent fuzzing for more than 5 minutes. I honestly don't know if this is an issue from hostapd or because fuzzing is stopped forcefully after 50 microseconds via
```c
eloop_register_timeout(0, 50, sae_auth_terminate, &ctx, NULL);
```