[tor-dev] [tor-talk] Tor Research Framework update

Tim t_ebay at icloud.com
Thu Aug 14 00:59:41 UTC 2014 

On 13 Aug 2014, at 22:33 , George Kadianakis <desnacked at riseup.net> wrote:

> My plan was to make a Peach fuzzer to achieve this [0], but as I
> mentioned in a previous email I never got past the V3 link handshake
> since I actually had to implement Tor's crypto to get past.
> 
> Someone would need to implement all this stuff to be able to fuzz the
> Tor protocol as I was intending to.

Gareth has implemented Tor's crypto in tor-research-framework[0] in Java.

Would this be sufficient for Peach, or does it need to be written in Python?

[0] https://github.com/drgowen/tor-research-framework



On 13 Aug 2014, at 22:33 , George Kadianakis <desnacked at riseup.net> wrote:

> Tim <t_ebay at icloud.com> writes:
> 
>>> On 13 Aug 2014, at 0:10, George Kadianakis <desnacked at riseup.net> wrote:
>>> 
>>> Gareth Owen <gareth.owen at port.ac.uk> writes:
>> ...
>>>> The framework implements the tor protocol so should be easy to modify to do
>>>> fuzzing of the actual protocol but I'm skeptical how successful this would
>>>> be, I can only think of a couple of places that could be error prone.
>>> 
>>> Interesting point!
>>> 
>>> I admit that my main intention with that fuzzer was to implement the
>>> state machine of the Tor protocol, and then make it so that the fuzzer
>>> would do a random walk over all the possible states.
>>> 
>>> My intention was to check the robustness of Tor's state machine by
>>> testing whether it would get confused if I send it unexpected cells in
>>> unexpected times.
>> ...
>>> Because of the fail-open nature of those guards, I have a
>>> hunch that some of those checks might not be robust and some necessary
>>> ones might not exist at all.
>>> 
>>> That said, I have spent many hours auditing Tor for these bugs and I
>>> still haven't found anything particularly interesting so maybe it's
>>> not a good idea. My best catch (IIRC) was #5644, a fun crash bug.
>> 
>> George, do you think you've exhausted the fuzzing space in this area?
>> Is this the sort of project that requires more processor time (i.e. volunteers to run test instances until they crash?)
>> Or more analysis once they crash?
>> 
> 
> I have not exhausted the fuzzing space in this area at all.
> 
> My plan was to make a Peach fuzzer to achieve this [0], but as I
> mentioned in a previous email I never got past the V3 link handshake
> since I actually had to implement Tor's crypto to get past.
> 
> Someone would need to implement all this stuff to be able to fuzz the
> Tor protocol as I was intending to.
> 
>> Or would you recommend different fuzzing strategies entirely?
>> (Given that different fuzzers explore different parts of the codebase in different ways.)
> 
> To be honest I don't know if my strategy would have been fruitful :)
> It's probably not the easiest way or most effective way to fuzz for Tor bugs.
> 
> On the easy side, I think that fuzzing directory documents (while also
> checking for memory leaks and invalid memory accesses using valgrind)
> might produce some cheap fruits of labor, like these:
> 
>    - Fix a memory leak that could occur if a microdescriptor parse
>      fails during the tokenizing step. This bug could enable a memory
>      exhaustion attack by directory servers. Fixes bug 11649; bugfix
>      on 0.2.2.6-alpha.
> 
>    - Fix a denial of service attack by which any directory authority
>      could crash all the others, or by which a single v2 directory
>      authority could crash everybody downloading v2 directory
>      information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
> 
> 
> Enjoy! 
> 
> [0]: https://gitorious.org/tor_fuzz/tor_fuzz/source/54105204e91ed2d26e747e10fb21710aecfaf8b3:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140814/20d387ca/attachment.html>

More information about the tor-dev mailing list