[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] [tor-talk] Tor Research Framework update



On 13 Sep 2014, at 06:19 , George Kadianakis <desnacked@xxxxxxxxxx> wrote:

Tim <t_ebay@xxxxxxxxxx> writes:

On 13 Aug 2014, at 22:33 , George Kadianakis <desnacked@xxxxxxxxxx> wrote:

My plan was to make a Peach fuzzer to achieve this [0], but as I
mentioned in a previous email I never got past the V3 link handshake
since I actually had to implement Tor's crypto to get past.

Someone would need to implement all this stuff to be able to fuzz the
Tor protocol as I was intending to.

Gareth has implemented Tor's crypto in tor-research-framework[0] in Java.

Would this be sufficient for Peach, or does it need to be written in Python?

[0] https://github.com/drgowen/tor-research-framework


Did anything interesting happen after all? :)

Yes, some initial work, but no actual fuzzer (yet!):


A draft design for a fuzzer:
-----------------------------------

0. I decided to focus on fuzzing tor directory requests. Although descriptor uploads 
    seemed like a juicier target due to the volume of string manipulation involved, 
    they're also far more complex to fuzz.

1. I plan to create a URL enumerator using tor-research-framework [-6] and jbrofuzz [-5].
    tor-research-framework will provide consensus info, and jbrofuzz will provide
    the URL/request iterator framework. The enumerator will enumerate valid URLs
    (for multiple definitions of "valid").

2. The output of this enumerator can also be run through a mutating fuzzer like radamsa [-4]

3. Successful fuzzing output can be recycled through the mutator to find more "crashes". [-3]

4. A similar approach can be used to fuzz other areas of tor, like descriptor uploads.


Ongoing work on tor-research-framework
-------------------------------------------------------

Gareth has made significant improvements to the TRF functionality.
He and I have also corresponded on the design / architecture of tor-research-framework. [-2]


tor builds configured for fuzzing directory requests [-1]
-----------------------------------------------------------------------

These builds are configured to detect bugs and trap on errors, making debugging easy. [1][2]
They run locally, and only act as directory caches at this time.


Patches against tor
--------------------------

A few patches have also gone into tor during the configuration and testing of the 
fuzzing targets:

Logged due to initial fuzzing attempts:


Logged due to the compiler flags I wanted to use during fuzzing [1] 
(it's far easier to fuzz a version of tor that is undefined-behaviour clean)[2]:


Logged due to compiler warnings / static analysis:



[-2]: I could clean this up and upload it to github (it's in emails at the moment).

[1]: Using clang -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error -ftrapv 
      makes it easier to detect subtle bugs (along with a debugging malloc library)
[2]: Once the patches in [5] are applied, (many) commonly executed tor code paths
      will be undefined-behaviour clean at runtime.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev