[tor-dev] [tor-talk] Tor Research Framework update

George Kadianakis desnacked at riseup.net
Wed Aug 13 12:33:56 UTC 2014 

Tim <t_ebay at icloud.com> writes:

>> On 13 Aug 2014, at 0:10, George Kadianakis <desnacked at riseup.net> wrote:
>> 
>> Gareth Owen <gareth.owen at port.ac.uk> writes:
> ...
>>> The framework implements the tor protocol so should be easy to modify to do
>>> fuzzing of the actual protocol but I'm skeptical how successful this would
>>> be, I can only think of a couple of places that could be error prone.
>> 
>> Interesting point!
>> 
>> I admit that my main intention with that fuzzer was to implement the
>> state machine of the Tor protocol, and then make it so that the fuzzer
>> would do a random walk over all the possible states.
>> 
>> My intention was to check the robustness of Tor's state machine by
>> testing whether it would get confused if I send it unexpected cells in
>> unexpected times.
> ...
>> Because of the fail-open nature of those guards, I have a
>> hunch that some of those checks might not be robust and some necessary
>> ones might not exist at all.
>> 
>> That said, I have spent many hours auditing Tor for these bugs and I
>> still haven't found anything particularly interesting so maybe it's
>> not a good idea. My best catch (IIRC) was #5644, a fun crash bug.
>
> George, do you think you've exhausted the fuzzing space in this area?
> Is this the sort of project that requires more processor time (i.e. volunteers to run test instances until they crash?)
> Or more analysis once they crash?
>

I have not exhausted the fuzzing space in this area at all.

My plan was to make a Peach fuzzer to achieve this [0], but as I
mentioned in a previous email I never got past the V3 link handshake
since I actually had to implement Tor's crypto to get past.

Someone would need to implement all this stuff to be able to fuzz the
Tor protocol as I was intending to.

> Or would you recommend different fuzzing strategies entirely?
> (Given that different fuzzers explore different parts of the codebase in different ways.)

To be honest I don't know if my strategy would have been fruitful :)
It's probably not the easiest way or most effective way to fuzz for Tor bugs.

On the easy side, I think that fuzzing directory documents (while also
checking for memory leaks and invalid memory accesses using valgrind)
might produce some cheap fruits of labor, like these:

    - Fix a memory leak that could occur if a microdescriptor parse
      fails during the tokenizing step. This bug could enable a memory
      exhaustion attack by directory servers. Fixes bug 11649; bugfix
      on 0.2.2.6-alpha.

    - Fix a denial of service attack by which any directory authority
      could crash all the others, or by which a single v2 directory
      authority could crash everybody downloading v2 directory
      information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.


Enjoy! 

[0]: https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3:

More information about the tor-dev mailing list