Cryptofuzz (differential crypto fuzzing) #2273
Conversation
|
David Benjamin acknowledged to me via e-mail to run BoringSSL in this project. |
|
(LibreSSL people have agreed to this) |
|
@mattcaswell @kroeckx Do you prefer to fuzz the non-master branches as well? @Patater Are you interested incorporating mbed TLS in this project? mbed TLS is already supported. There are currently some mismatches between mbed TLS and other modules, which may be due to bugs in my mbed TLS module, or bugs in mbed TLS. Once we resolve that, we can insert mbed TLS into this project. |
|
Yes, that's a really nice project. Do you have any bug reports to share so far? Thanks |
|
@guidovranken If you do fuzz any other branches I would only do 1.1.1. I don't have a strong view on it. |
|
@Patater No memory corruption but some differences with other libraries. I will create issues on the mbed TLS bug tracker. @kcc Can this get merged? Is anything blocking this? |
There was a problem hiding this comment.
this didn't build for me in the docker:
[100%] Built target openssl
+ cd /src/cryptofuzz/modules/openssl
+ OPENSSL_INCLUDE_PATH=/src/libressl/include
+ OPENSSL_LIBCRYPTO_A_PATH=/src/libressl/build/crypto/libcrypto.a
+ CXXFLAGS='-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++ -I /src/cryptofuzz/fuzzing-headers/include -DCRYPTOFUZZ_LIBRESSL'
+ make -B
test /src/libressl/include
clang++ -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++ -I /src/cryptofuzz/fuzzing-headers/include -DCRYPTOFUZZ_LIBRESSL -Wall -Wextra -Werror -std=c++17 -I ../../include -I ../../fuzzing-headers/include -I ../../fuzzing-headers/include -DFUZZING_HEADERS_NO_IMPL -I /src/libressl/include -fPIC -c module.cpp -o module.o
module.cpp:1053:15: error: out-of-line definition of 'checkSetIVLength' does not match any declaration in 'cryptofuzz::module::OpenSSL'
bool OpenSSL::checkSetIVLength(const uint64_t cipherType, const EVP_CIPHER* cipher, EVP_CIPHER_CTX* ctx, const size_t inputIvLength) const {
projects/cryptofuzz/build.sh
Outdated
| python gen_repository.py | ||
|
|
||
| cd $SRC/openssl | ||
| git checkout 9efa0ae0b602c1c0e356009a58410a2e8b80201a |
There was a problem hiding this comment.
please explain why in comments.
Also, better to be done in Dockerfile.
| @@ -0,0 +1,16 @@ | |||
| homepage: "https://github.com/guidovranken/cryptofuzz" | |||
| primary_contact: "guidovranken@gmail.com" | |||
| auto_ccs: | |||
There was a problem hiding this comment.
just double-checking that everyone in CC agreed to be here.
|
Build is now fixed. |
|
PS: LibreSSL crashes on the seed corpus due to a bug that is fixed here. LibreSSL's non-BSD build script pulls https://github.com/libressl-portable/openbsd which is a mirror of their CVS repository, and lags behind a couple of days. This is not ideal for oss-fuzz as this will retain the failure status for an unnecessary amount of time. I will later look into whether OpenBSD's CVS can be used directly, but for now I'm content with the current setup. OpenSSL crashes on the seed corpus on a bug that is now fixed in upstream but because the oss-fuzz project locks to a an older commit to prevent build failure, the fuzzer still crashes. This can be resolved as soon as OpenSSL fixes their build system. |
projects/cryptofuzz/build.sh
Outdated
|
|
||
| # Compile Cryptofuzz | ||
| cd $SRC/cryptofuzz | ||
| LIBFUZZER_LINK="-lFuzzingEngine" CXXFLAGS="$CXXFLAGS -I $SRC/openssl/include" make -B -j$(nproc) |
There was a problem hiding this comment.
here and below, please change -lFuzzingEngine to $LIB_FUZZING_ENGINE -- we are trying to switch to using this variable so that we can use some other flags (such as -fsanitize=fuzzer)
|
One more request: this project is unusual for oss-fuzz, the only other likes this is (yours) bignum-fuzzer. One thing not immediately obvious from the first glance: is this doing differential fuzzing between the projects (e.g. boringssl vs opensssl), or self-differential fuzzing, or both. |
…tibility with OSS-Fuzz' new build setup
Done |
What needs fixing here? |
OSS-Fuzz builds using OpenSSL, like openssl, bignum-fuzzer, tor are failing. |
|
Oh right. I think that's the issue addressed by openssl/openssl#8778 |
Currently only embeds OpenSSL. More modules like mbed TLS and cppcrypto are implemented but not enabled at this point.
BoringSSL can be easily added by reusing the OpenSSL module, but I haven't contacted them yet.
KDF function fuzzing works but slows the process down a lot. Maybe I can build a separate fuzzer binary for that in the future.
It has so far found 3 minor API bugs in OpenSSL:
openssl/openssl#8567
openssl/openssl#8563
openssl/openssl#8576
If nothing else, this is a good way to fuzz the multitudes of hash/cipher code in OpenSSL. I don't think any other fuzzer is doing that yet (?).
This project generates two fuzzer binaries, one with and the other without assembly language.
Permission to add OpenSSL e-mail addresses to this project was granted in openssl/openssl#6848
@kroeckx @mattcaswell