<div dir="ltr">Hi George<div><br></div><div>Thanks for your reply and information+links. Tim (cc-ed) is leading the work on the fuzzer and is looking at a couple of different frameworks. I've set up a example that can do port-forwarding to a BEGIN_DIR service - so you can just point a fuzzer at the local port - this opens up a wider range of potential targets (some paths on the directory service are over Tor only) . </div>
<div><br></div><div>The framework implements the tor protocol so should be easy to modify to do fuzzing of the actual protocol but I'm skeptical how successful this would be, I can only think of a couple of places that could be error prone.</div>
<div><br></div><div>Looking through the source, I agree that there's a very large surface area and also there's a lot of manual string manipulation which is potentially error prone. It's reassuring that you've already found bugs this way, it suggests the route isn't a complete dead-end.</div>
<div><br></div><div>I've cc-ed Tim, so he might pick your brains ! </div><div><br></div><div>Thanks</div><div>Gareth</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 11 August 2014 18:19, George Kadianakis <span dir="ltr"><<a href="mailto:desnacked@riseup.net" target="_blank">desnacked@riseup.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Gareth Owen <<a href="mailto:gareth.owen@port.ac.uk">gareth.owen@port.ac.uk</a>> writes:<br>
<br>
> Hi all<br>
><br>
> I thought I'd give you an update on where the Tor Research Framework is now<br>
> at as there's been lots of development over the last few weeks. At present,<br>
> the framework is a largely fully functional tor client with code that is<br>
> easy to read, follow and crucially change for custom functionality.<br>
><br>
> URL: <a href="https://github.com/drgowen/tor-research-framework" target="_blank">https://github.com/drgowen/tor-research-framework</a><br>
><br>
> Completed<br>
> =======<br>
><br>
> The examples exercise a big chunk of the functionality so in the examples<br>
> directory, we now have examples on how to do:<br>
><br>
> - Circuit building, Random circuits based on flags, etc<br>
> - Building HS circuits and establishing streams to their service<br>
> - Consensus parsing examples<br>
> - RELAY_EARLY scanner - scans HSDirs looking for RELAY_EARLYs coming the<br>
> wrong way (aka the recent Blackhat deanon attack)<br>
> - Tor SOCKS Proxy and PortForwarder<br>
><br>
> The examples are here:<br>
> <a href="https://github.com/drgowen/tor-research-framework/tree/master/src/main/java/tor/examples" target="_blank">https://github.com/drgowen/tor-research-framework/tree/master/src/main/java/tor/examples</a><br>
><br>
> The RELAY_EARLY scanner took around five minutes to write for example and<br>
> didn't require modifying core library code.<br>
><br>
> Work in progress<br>
> ==========<br>
><br>
> Fuzzer: We also have another chap (twilsonb) working on a fuzzing framework<br>
> for Tor that is capable of fuzzing the protocol and directory services -<br>
> although this is at early stage I'm sure he'd welcome help from anyone<br>
> interested.<br>
><br>
<br>
</div></div>Great! Tor needs better fuzzing :)<br>
<br>
I have conducted two activities in this area:<br>
<br>
- I once started the ambitious project of making a Tor protocol fuzzer [0].<br>
I used the Peach fuzzing framework, a decision I later regreted. In<br>
the end, the fuzzer could successfully fuzz the first few cells of<br>
the v3 handshake, but I never implemented Tor's crypto which was<br>
necessary for fuzzing deeper.<br>
<br>
I think there is still lots of value in a fuzzer that can walk the<br>
various areas of the Tor protocol (circuit building, HSes, etc.) If<br>
I were to do this now, I would probably write my own networking code<br>
and only use a premade framework to procuce fuzzed output.<br>
<br>
- I used the radamsa mutator [1] and fed Tor tons of mutated<br>
descriptors, consensuses and hidden service descriptors. This was<br>
quite fun and effective: within a few hours it found #6811 which was<br>
a nice crash bug. FWIW, I don't think I ever fuzzed all the various<br>
directory documents of Tor this way...<br>
<br>
I think this is a fast and easy way of fuzzing the directory part of<br>
Tor, which has wide parsing attack surface.<br>
<br>
Feel free to discuss any aspects of Tor fuzzer development in this<br>
mailing list! (but please send any found 0days to Tor developers in a<br>
confidential manner ;) )<br>
<br>
[0]: <a href="https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3" target="_blank">https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3</a>:<br>
[1]: <a href="https://code.google.com/p/ouspg/wiki/Radamsa" target="_blank">https://code.google.com/p/ouspg/wiki/Radamsa</a><br>
<br>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Dr Gareth Owen<div>Senior Lecturer</div><div>School of Computing, University of Portsmouth</div><div><br></div><div>Tel: 02392 846423</div><div>
Web: <a href="http://ghowen.me" target="_blank">ghowen.me</a></div></div>
</div>