Re: [tor-bugs] #16301 [Tor]: Add afl-fuzz instructions to contrib
#16301: Add afl-fuzz instructions to contrib
-----------------------------+---------------------------------
     Reporter:  teor         |      Owner:  teor
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:  Tor: very long term
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  lorax
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------
Comment (by teor):
Aim to produce:
* a harness that reads and parses a single file
* a list of known tokens
For each of:
* command-line arguments
* directory requests
* directory replies
* HS subsystem
* (HS) cell parsing
* HSDir/client cache
Without specific AFL dependencies (or conditionalised), as a lot of
fuzzers work with files, not function calls or network calls.
{{{
[14:15] <teor_> asn, dgoulet: I have plans to work towards fuzzing some parts of tor over the next week or two
[14:15] <teor_> do you have a priority area?
[14:16] <asn> teor_: great, keep me in the loop.
[14:16] <dgoulet> interesting
[14:16] <asn> i have done a bit of previous work
[14:16] <teor_> I have already done torrc options and found one bug
[14:16] <asn> teor_: nice
[14:16] <nickm> if you find any horrible security bugs, please send them gpg-encrypted. :)
[14:16] <dgoulet> teor_: I would say the HS subsystem but I'm biased :P
[14:16] <asn> ehm
[14:16] <asn> HS cell parsing would be nice
[14:16] <asn> and general cell parsing
[14:16] <teor_> And looked at the directory requests, but never actually got to fuzzing them
[14:16] <asn> then i guess directory documents
[14:17] <dgoulet> pushing the HSDir/client cache to the limit
[14:17] <asn> like microdescriptors
[14:18] <asn> teor_: i used to do fuzzing with radamsa like this:
https://gitorious.org/mytor/mytor/commit/6acef044580057b7496ed4eb67861656a5ca84a6
[14:19] <asn> teor_: super hacky way, i just basically overrode the --verify-config switch
[14:19] <asn> teor_: but exposing the parsing functions like this and fuzzing them, i think might be a reasonable approach
[14:19] <asn> or maybe through the control port. depending on how it's easier for afl.
[14:19] <dgoulet> if that fuzzing can be integrated in some part of the test suite, that would be epic imo
}}}
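The shape of harness the comment asks for (read one file, hand its bytes to a single parser, keep AFL hooks behind `#ifdef`, and emit the known-token list as a dictionary) is shown below as an added example. It is not tor code and not part of the ticket: `parse_config_buffer` is a constructed stand-in for a tor parsing function (tor's real entry points and signatures are not assumed), `KNOWN_TOKENS` is a constructed list, and the only AFL-specific parts are the `__AFL_INIT`/`__AFL_LOOP` macros that afl-clang-fast defines, so the same binary builds and runs as a plain file-driven test under any other fuzzer or under the test suite.

```c
/* Added example harness (not tor's code): file in, one parser call, optional
 * AFL persistent mode.  Build: afl-clang-fast -O1 harness.c -o harness
 * (or any cc; the AFL macros are then simply absent). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 256

/* Constructed list of known tokens; with a real target this is the
 * parser's keyword table. */
static const char *const KNOWN_TOKENS[] = { "SocksPort", "Log", "Nickname" };

/* Stand-in for the parser under test: accepts "Key value" lines, ignores
 * blank and '#' lines, rejects control characters and over-long lines.
 * Returns the number of entries parsed, or -1 when the input is rejected. */
int parse_config_buffer(const uint8_t *buf, size_t len) {
    int entries = 0;
    size_t i = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && buf[i] != '\n') i++;
        size_t line_len = i - start;
        if (i < len) i++;                    /* consume the newline */
        if (line_len >= MAX_LINE) return -1;
        if (line_len == 0 || buf[start] == '#') continue;
        size_t j = start;
        while (j < start + line_len && isalnum(buf[j])) j++;
        if (j == start) return -1;           /* key must be alphanumeric */
        for (size_t k = j; k < start + line_len; k++)
            if (!isprint(buf[k])) return -1; /* value must be printable */
        entries++;
    }
    return entries;
}

/* Slurp a whole file into a heap buffer; NULL on error. */
static uint8_t *read_file(const char *path, size_t *out_len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    size_t cap = 4096, len = 0, n;
    uint8_t *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {
            uint8_t *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    fclose(f);
    *out_len = len;
    return buf;
}

/* One fuzz iteration: file -> parser.  Returns the parser's result,
 * or -2 if the file could not be read. */
int fuzz_one_file(const char *path) {
    size_t len;
    uint8_t *buf = read_file(path, &len);
    if (!buf) return -2;
    int r = parse_config_buffer(buf, len);
    free(buf);
    return r;
}

/* Write the tokens in afl-fuzz dictionary syntax ("token" per line, with
 * backslash/quote escaped and non-printables as \xNN).  Returns bytes
 * written, or 0 if out_size is too small. */
size_t format_afl_dictionary(const char *const *tokens, size_t ntokens,
                             char *out, size_t out_size) {
    size_t pos = 0;
    for (size_t t = 0; t < ntokens; t++) {
        if (pos + 1 >= out_size) return 0;
        out[pos++] = '"';
        for (const unsigned char *s = (const unsigned char *)tokens[t]; *s; s++) {
            char piece[8];
            int n = (*s == '"' || *s == '\\') ? snprintf(piece, sizeof piece, "\\%c", *s)
                  : isprint(*s)               ? snprintf(piece, sizeof piece, "%c", *s)
                                              : snprintf(piece, sizeof piece, "\\x%02x", *s);
            if (pos + (size_t)n >= out_size) return 0;
            memcpy(out + pos, piece, (size_t)n);
            pos += (size_t)n;
        }
        if (pos + 2 >= out_size) return 0;
        out[pos++] = '"';
        out[pos++] = '\n';
    }
    out[pos] = '\0';
    return pos;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <file> | --dict\n", argv[0]); return 2; }
    if (strcmp(argv[1], "--dict") == 0) {    /* emit the known-token list */
        char dict[1024];
        size_t n = format_afl_dictionary(KNOWN_TOKENS, 3, dict, sizeof dict);
        fwrite(dict, 1, n, stdout);
        return 0;
    }
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();                            /* deferred fork-server start */
#endif
#ifdef __AFL_LOOP
    while (__AFL_LOOP(1000)) fuzz_one_file(argv[1]);   /* persistent mode */
#else
    printf("result=%d\n", fuzz_one_file(argv[1]));     /* plain file-driven run */
#endif
    return 0;
}
```

Run stand-alone as `./harness some.torrc`, or under AFL as `./harness --dict > tokens.dict` followed by `afl-fuzz -i seeds -o findings -x tokens.dict -- ./harness @@`; because the program only ever reads `argv[1]`, the same binary also works with a corpus replayed by any other file-based fuzzer or by a test-suite loop over saved crash inputs.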
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16301#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
tor-bugs mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs