<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="-webkit-text-size-adjust: auto;">Hi George,</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I'm still trying to work out exactly how to go about fuzzing Tor. So far, I've been to defined an initial problem space, configured a test environment, and explored some fuzzing libraries / tools.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Fuzzing Problem Space</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">We started by looking at fuzzing Tor directory download requests over HTTP. This seemed like a manageable initial chunk of work.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I sketched an early draft design[0], and developed an annotated grammar for Tor directory requests[1] based on the Tor directory spec[2].</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Configuring a Test Environment</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I created scripts and configuration files to build, run and monitor a local-only tor directory cache.[3] I configured hardened, typical, and feature-full builds, all with dmalloc to catch memory access errors. I plan to start testing on the feature-full build, then re-test failures against the builds with smaller surfaces.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Exploring Fuzzing Tools / Libraries</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">JBroFuzz[4] is a HTTP / browser fuzzer written in Java. (tor-research-framework is also written in Java.) It focuses on exhaustive iteration through a set of alternatives.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I anticipate using JBroFuzz as a library to generate correct and near-correct requests to a tor instance. It may also be useful interactively, although the included analysis / graphing tools didn't work in my build. (And it's listed as "inactive".)</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Thanks for the pointer to radamsa[5], it looks like it's much more structure-aware than many of the other black-box fuzzes I've looked at. I could imagine using radamsa to mutate correct requests on their way to tor. (JBroFuzz isn't designed to do random mutation.)</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">I've also looked at at zzuf[6], which appears unloved, but is incorporated into the CERT Basic Fuzzing Framework[7]. The set of zuff/BFF mutations is limited to bit-level flips, and isn't syntax-aware. Hooking into all the target process' file descriptors is neat, but it requires a local(-only) process to fuzz.</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Results</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Certain parts of directory request URLs get written to the tor debug log unescaped.[8] But the effect is severely limited: it simply makes reading the log in a terminal irritating (including BEL, DEL, and CR effects - the BEL effect was how I discovered the issue).</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">Further Work</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">These are the tasks I can think of:</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">1. Write JBroFuzz iterators for valid Tor directory requests</div><div style="-webkit-text-size-adjust: auto;">2. Mutate valid requests with radamsa / BFF / ?</div><div style="-webkit-text-size-adjust: auto;">3. Define "failure" of tor to process a request "correctly" (crashes? memory access? more?)</div><div style="-webkit-text-size-adjust: auto;">4. Configure dmalloc on fuzzing target builds (to crash? on "failure")</div><div style="-webkit-text-size-adjust: auto;">5. Automate request logging and failure identification</div><div style="-webkit-text-size-adjust: auto;">6. Work out how to confirm and report failures responsibly</div><div style="-webkit-text-size-adjust: auto;"><br></div><div style="-webkit-text-size-adjust: auto;">[0] <a href="https://github.com/twilsonb/tor-research-framework/blob/master/src/test/DESIGN">https://github.com/twilsonb/tor-research-framework/blob/master/src/test/DESIGN</a></div><div style="-webkit-text-size-adjust: auto;">[1] <a href="https://github.com/twilsonb/tor-research-framework/blob/master/src/test/DIRECTORY_URL_SPEC">https://github.com/twilsonb/tor-research-framework/blob/master/src/test/DIRECTORY_URL_SPEC</a></div><div style="-webkit-text-size-adjust: auto;">[2] <a href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt">https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt</a></div><div style="-webkit-text-size-adjust: auto;">[3] <a href="https://github.com/twilsonb/tor-research-framework/tree/master/src/test">https://github.com/twilsonb/tor-research-framework/tree/master/src/test</a></div><div style="-webkit-text-size-adjust: auto;"><span style="-webkit-text-size-adjust: none;">[4] <a href="https://www.owasp.org/index.php/JBroFuzz">https://www.owasp.org/index.php/JBroFuzz</a></span></div><div style="-webkit-text-size-adjust: auto;">[5] <a href="https://code.google.com/p/ouspg/wiki/Radamsa">https://code.google.com/p/ouspg/wiki/Radamsa</a></div><div style="-webkit-text-size-adjust: auto;">[6] <a href="http://caca.zoy.org/wiki/zzuf">http://caca.zoy.org/wiki/zzuf</a></div><div style="-webkit-text-size-adjust: auto;">[7] <a href="http://www.cert.org/vulnerability-analysis/tools/bff.cfm?">http://www.cert.org/vulnerability-analysis/tools/bff.cfm</a></div><div style="-webkit-text-size-adjust: auto;">[8] <a href="https://github.com/twilsonb/tor-research-framework/tree/master/src/test/examples">https://github.com/twilsonb/tor-research-framework/tree/master/src/test/examples</a></div><div style="-webkit-text-size-adjust: auto;"><div><br></div></div><div style="-webkit-text-size-adjust: auto;"><br>On 12 Aug 2014, at 4:47, Gareth Owen <<a href="mailto:gareth.owen@port.ac.uk">gareth.owen@port.ac.uk</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: auto;"><div><div dir="ltr">Hi George<div><br></div><div>Thanks for your reply and information+links. Tim (cc-ed) is leading the work on the fuzzer and is looking at a couple of different frameworks. I've set up a example that can do port-forwarding to a BEGIN_DIR service - so you can just point a fuzzer at the local port - this opens up a wider range of potential targets (some paths on the directory service are over Tor only) . </div>
<div><br></div><div>The framework implements the tor protocol so should be easy to modify to do fuzzing of the actual protocol but I'm skeptical how successful this would be, I can only think of a couple of places that could be error prone.</div>
<div><br></div><div>Looking through the source, I agree that there's a very large surface area and also there's a lot of manual string manipulation which is potentially error prone. It's reassuring that you've already found bugs this way, it suggests the route isn't a complete dead-end.</div>
<div><br></div><div>I've cc-ed Tim, so he might pick your brains ! </div><div><br></div><div>Thanks</div><div>Gareth</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 11 August 2014 18:19, George Kadianakis <span dir="ltr"><<a href="mailto:desnacked@riseup.net" target="_blank">desnacked@riseup.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Gareth Owen <<a href="mailto:gareth.owen@port.ac.uk">gareth.owen@port.ac.uk</a>> writes:<br>
<br>
> Hi all<br>
><br>
> I thought I'd give you an update on where the Tor Research Framework is now<br>
> at as there's been lots of development over the last few weeks. At present,<br>
> the framework is a largely fully functional tor client with code that is<br>
> easy to read, follow and crucially change for custom functionality.<br>
><br>
> URL: <a href="https://github.com/drgowen/tor-research-framework" target="_blank">https://github.com/drgowen/tor-research-framework</a><br>
><br>
> Completed<br>
> =======<br>
><br>
> The examples exercise a big chunk of the functionality so in the examples<br>
> directory, we now have examples on how to do:<br>
><br>
> - Circuit building, Random circuits based on flags, etc<br>
> - Building HS circuits and establishing streams to their service<br>
> - Consensus parsing examples<br>
> - RELAY_EARLY scanner - scans HSDirs looking for RELAY_EARLYs coming the<br>
> wrong way (aka the recent Blackhat deanon attack)<br>
> - Tor SOCKS Proxy and PortForwarder<br>
><br>
> The examples are here:<br>
> <a href="https://github.com/drgowen/tor-research-framework/tree/master/src/main/java/tor/examples" target="_blank">https://github.com/drgowen/tor-research-framework/tree/master/src/main/java/tor/examples</a><br>
><br>
> The RELAY_EARLY scanner took around five minutes to write for example and<br>
> didn't require modifying core library code.<br>
><br>
> Work in progress<br>
> ==========<br>
><br>
> Fuzzer: We also have another chap (twilsonb) working on a fuzzing framework<br>
> for Tor that is capable of fuzzing the protocol and directory services -<br>
> although this is at early stage I'm sure he'd welcome help from anyone<br>
> interested.<br>
><br>
<br>
</div></div>Great! Tor needs better fuzzing :)<br>
<br>
I have conducted two activities in this area:<br>
<br>
- I once started the ambitious project of making a Tor protocol fuzzer [0].<br>
I used the Peach fuzzing framework, a decision I later regreted. In<br>
the end, the fuzzer could successfully fuzz the first few cells of<br>
the v3 handshake, but I never implemented Tor's crypto which was<br>
necessary for fuzzing deeper.<br>
<br>
I think there is still lots of value in a fuzzer that can walk the<br>
various areas of the Tor protocol (circuit building, HSes, etc.) If<br>
I were to do this now, I would probably write my own networking code<br>
and only use a premade framework to procuce fuzzed output.<br>
<br>
- I used the radamsa mutator [1] and fed Tor tons of mutated<br>
descriptors, consensuses and hidden service descriptors. This was<br>
quite fun and effective: within a few hours it found #6811 which was<br>
a nice crash bug. FWIW, I don't think I ever fuzzed all the various<br>
directory documents of Tor this way...<br>
<br>
I think this is a fast and easy way of fuzzing the directory part of<br>
Tor, which has wide parsing attack surface.<br>
<br>
Feel free to discuss any aspects of Tor fuzzer development in this<br>
mailing list! (but please send any found 0days to Tor developers in a<br>
confidential manner ;) )<br>
<br>
[0]: <a href="https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3" target="_blank">https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3</a>:<br>
[1]: <a href="https://code.google.com/p/ouspg/wiki/Radamsa" target="_blank">https://code.google.com/p/ouspg/wiki/Radamsa</a><br>
<br>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Dr Gareth Owen<div>Senior Lecturer</div><div>School of Computing, University of Portsmouth</div><div><br></div><div>Tel: 02392 846423</div><div>
Web: <a href="http://ghowen.me" target="_blank">ghowen.me</a></div></div>
</div>
</div></blockquote></body></html>