[tor-bugs] #16301 [Tor]: Add afl-fuzz instructions to contrib

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jun 10 14:28:54 UTC 2015


#16301: Add afl-fuzz instructions to contrib
-----------------------------+---------------------------------
     Reporter:  teor         |      Owner:  teor
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:  Tor: very long term
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  lorax
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------

Comment (by teor):

 Aim to produce:
 * a harness that reads and parses a single file
 * a list of known tokens

 For each of:
 * command-line arguments
 * directory requests
 * directory replies
 * HS subsystem
 * (HS) cell parsing
 * HSDir/client cache

 Without specific AFL dependencies (or conditionalised), as a lot of
 fuzzers work with files, not function calls or network calls.

 {{{
 [14:15] <teor_> asn, dgoulet: I have plans to work towards fuzzing some
 parts of tor over the next week or two
 [14:15] <teor_> do you have a priority area?
 [14:16] <asn> teor_: great, keep me in the loop.
 [14:16] <dgoulet> interesting
 [14:16] <asn> i have done a bit of previous work
 [14:16] <teor_> I have already done torrc options and found one bug
 [14:16] <asn> teor_: nice
 [14:16] <nickm> if you find any horrible security bugs, please send them
 gpg-encrypted. :)
 [14:16] <dgoulet> teor_: I would say the HS subsystem but I'm bias :P
 [14:16] <asn> ehm
 [14:16] <asn> HS cell parsing would be nice
 [14:16] <asn> and general cell parsing
 [14:16] <teor_> And looked at the directory requests, but never actually
 got to fuzzing them
 [14:16] <asn> then i guess directory documents
 [14:17] <dgoulet> pushing the HSDir/client cache to the limit
 [14:17] <asn> like microdescriptors
 [14:18] <asn> teor_: i used to do fuzzing with radamsa like this:
 https://gitorious.org/mytor/mytor/commit/6acef044580057b7496ed4eb67861656a5ca84a6
 [14:19] <asn> teor_: super hacky way, i just basically overrode the
 --verify-config switch
 [14:19] <asn> teor_: but exposing the parsing functions like this and
 fuzzing them, i think might be a reasonable approach
 [14:19] <asn> or maybe through the control port. depending on how it's
 easier for afl.
 [14:19] <dgoulet> if that fuzzing can be integrated in some part of the
 test suite, that would be epic imo
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16301#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
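The single-file harness teor's comment asks for, written here as an added example rather than anything from the ticket or the Tor tree: it reads one input file into a length-tracked buffer, hands it to a hypothetical stand-in parser (parse_keyword_lines, with a made-up token list) where the real Tor parsing function would go, and enables AFL's persistent loop only when afl-clang-fast defines __AFL_LOOP, so the same binary runs as a plain file-in, exit-code-out program under any other fuzzer or compiler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the Tor parser under test (not Tor code): every
 * line must begin with a known token.  Returns lines matched, -1 on the first
 * unknown keyword.  Takes (buf, len) so embedded NULs don't truncate input. */
static const char *const KNOWN_TOKENS[] = { "router", "bandwidth", "published", NULL };
int parse_keyword_lines(const char *buf, size_t len)
{
    int matched = 0;
    for (size_t i = 0; i < len; ) {
        size_t eol = i, kwlen = 0;
        while (eol < len && buf[eol] != '\n') eol++;               /* end of line */
        while (i + kwlen < eol && buf[i + kwlen] != ' ') kwlen++;  /* keyword */
        const char *const *t = KNOWN_TOKENS;
        while (*t && !(strlen(*t) == kwlen && memcmp(*t, buf + i, kwlen) == 0)) t++;
        if (!*t) return -1;                                        /* unknown */
        matched++;
        i = eol + 1;
    }
    return matched;
}

/* Slurp one file (up to 1 MiB, plenty for a fuzz case) into a length-tracked,
 * NUL-terminated buffer.  Caller frees; NULL on error. */
char *read_input(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    char *buf = f ? malloc((1u << 20) + 1) : NULL;
    if (buf) { *len_out = fread(buf, 1, 1u << 20, f); buf[*len_out] = '\0'; }
    if (f) fclose(f);
    return buf;
}
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s input-file\n", argv[0]); return 2; }
#ifdef __AFL_LOOP              /* defined only by afl-clang-fast */
    while (__AFL_LOOP(1000))   /* persistent mode: many inputs, one process */
#endif
    {                          /* plain single-file run with any other compiler */
        size_t len;
        char *buf = read_input(argv[1], &len);
        if (!buf) return 1;
        parse_keyword_lines(buf, len);   /* a crash or hang here is the finding */
        free(buf);
    }
    return 0;
}
```

Under AFL the binary is driven as `afl-fuzz -i seeds -o out -- ./harness @@`, and the known-token list is the same material that goes into the `-x` dictionary file.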