[prev in list] [next in list] [prev in thread] [next in thread]
List: tor-dev
Subject: Re: [tor-dev] [tor-talk] Tor Research Framework update
From: Tim <t_ebay () icloud ! com>
Date: 2014-09-12 22:16:57
Message-ID: 37C03628-E0B6-44A9-8833-48E9B1CBC5D5 () icloud ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
On 13 Sep 2014, at 06:19 , George Kadianakis <desnacked@riseup.net> wrote:
> Tim <t_ebay@icloud.com> writes:
>
>> On 13 Aug 2014, at 22:33 , George Kadianakis <desnacked@riseup.net> wrote:
>>
>>> My plan was to make a Peach fuzzer to achieve this [0], but as I
>>> mentioned in a previous email I never got past the V3 link handshake
>>> since I actually had to implement Tor's crypto to get past.
>>>
>>> Someone would need to implement all this stuff to be able to fuzz the
>>> Tor protocol as I was intending to.
>>
>> Gareth has implemented Tor's crypto in tor-research-framework[0] in Java.
>>
>> Would this be sufficient for Peach, or does it need to be written in Python?
>>
>> [0] https://github.com/drgowen/tor-research-framework
>>
>
> Did anything interesting happen after all? :)
Yes, some initial work, but no actual fuzzer (yet!):
A draft design for a fuzzer:
-----------------------------------
0. I decided to focus on fuzzing tor directory requests. Although descriptor uploads
seemed like a juicier target due to the volume of string manipulation involved,
they're also far more complex to fuzz.
1. I plan to create a URL enumerator using tor-research-framework [-6] and jbrofuzz [-5].
tor-research-framework will provide consensus info, and jbrofuzz will provide
the URL/request iterator framework. The enumerator will enumerate valid URLs
(for multiple definitions of "valid").
2. The output of this enumerator can also be run through a mutating fuzzer like radamsa [-4]
3. Successful fuzzing output can be recycled through the mutator to find more "crashes". [-3]
4. A similar approach can be used to fuzz other areas of tor, like descriptor uploads.
Ongoing work on tor-research-framework
-------------------------------------------------------
Gareth has made significant improvements to the TRF functionality.
He and I have also corresponded on the design / architecture of tor-research-framework. [-2]
tor builds configured for fuzzing directory requests [-1]
-----------------------------------------------------------------------
These builds are configured to detect bugs and trap on errors, making debugging easy. [1][2]
They run locally, and only act as directory caches at this time.
Patches against tor
--------------------------
A few patches have also gone into tor during the configuration and testing of the
fuzzing targets:
Logged due to initial fuzzing attempts:
#13071 [patch] tor 0.2.6 sometimes fails to escape logged directory requests [0]
Logged due to the compiler flags I wanted to use during fuzzing [1]
(it's far easier to fuzz a version of tor that is undefined-behaviour clean)[2]:
#13085 [patch] tor control connection event mask (32 bits) is too small for events (33 events) [3]
#13096 [patch] routerlist: NULL struct pointer dereferenced to take address of element [4]
#13104 [patch] Arithmetic undef behaviour: sscanf, memeq, scale array, fmt exit status [5]
Logged due to compiler warnings / static analysis:
#13036 Uninitialised Variable & NULL Pointer Dereference Warnings in Clang [6]
[-6]: https://github.com/drgowen/tor-research-framework
[-5]: https://github.com/twilsonb/jbrofuzz
[-4]: https://www.ee.oulu.fi/research/ouspg/Radamsa
[-3]: Like http://www.cert.org/blogs/certcc/post.cfm?EntryID=179
[-2]: I could clean this up and upload it to github (it's in emails at the moment).
[-1]: https://github.com/twilsonb/tor-research-framework/tree/master/src/test
[0]: https://trac.torproject.org/projects/tor/ticket/13071
[1]: Using clang -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error -ftrapv
makes it easier to detect subtle bugs (along with a debugging malloc library)
[2]: Once the patches in [5] are applied, (many) commonly executed tor code paths
will be undefined-behaviour clean at runtime.
[3]: https://trac.torproject.org/projects/tor/ticket/13085
[4]: https://trac.torproject.org/projects/tor/ticket/13096
[5]: https://trac.torproject.org/projects/tor/ticket/13104
[6] : https://trac.torproject.org/projects/tor/ticket/13036
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html \
charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: \
space; -webkit-line-break: after-white-space;"><div><div>On 13 Sep 2014, at 06:19 , \
George Kadianakis <<a \
href="mailto:desnacked@riseup.net">desnacked@riseup.net</a>> wrote:</div><br \
class="Apple-interchange-newline"><blockquote type="cite">Tim <<a \
href="mailto:t_ebay@icloud.com">t_ebay@icloud.com</a>> writes:<br><br><blockquote \
type="cite">On 13 Aug 2014, at 22:33 , George Kadianakis <<a \
href="mailto:desnacked@riseup.net">desnacked@riseup.net</a>> \
wrote:<br><br><blockquote type="cite">My plan was to make a Peach fuzzer to achieve \
this [0], but as I<br>mentioned in a previous email I never got past the V3 link \
handshake<br>since I actually had to implement Tor's crypto to get \
past.<br><br>Someone would need to implement all this stuff to be able to fuzz \
the<br>Tor protocol as I was intending to.<br></blockquote><br>Gareth has implemented \
Tor's crypto in tor-research-framework[0] in Java.<br><br>Would this be sufficient \
for Peach, or does it need to be written in Python?<br><br>[0] <a \
href="https://github.com/drgowen/tor-research-framework">https://github.com/drgowen/tor-research-framework</a><br><br></blockquote><br>Did \
anything interesting happen after all? :)</blockquote></div><div><br></div>Yes, some \
initial work, but no actual fuzzer (yet!):<div><br></div><div><br></div><div>A draft \
design for a fuzzer:</div><div>-----------------------------------</div><div><br></div><div>0. \
I decided to focus on fuzzing tor directory requests. Although descriptor \
uploads </div><div> seemed like a juicier target due to the volume \
of string manipulation involved, </div><div> they're also far more \
complex to fuzz.</div><div><br></div><div>1. I plan to create a URL enumerator using \
tor-research-framework [-6] and jbrofuzz [-5].</div><div> \
tor-research-framework will provide consensus info, and jbrofuzz will \
provide</div><div> the URL/request iterator framework. The enumerator \
will enumerate valid URLs</div><div> (for multiple definitions of \
"valid").</div><div><br></div><div>2. The output of this enumerator can also be run \
through a mutating fuzzer like radamsa [-4]</div><div><br></div><div>3. Successful \
fuzzing output can be recycled through the mutator to find more "crashes". \
[-3]</div><div><br></div><div>4. A similar approach can be used to fuzz other areas \
of tor, like descriptor uploads.</div><div><br></div><div><br></div><div>Ongoing work \
on tor-research-framework</div><div>-------------------------------------------------------</div><div><br></div><div>Gareth \
has made significant improvements to the TRF functionality.</div><div>He and I have \
also corresponded on the design / architecture of tor-research-framework. \
[-2]<div><br></div><div><br></div><div>tor builds configured for fuzzing directory \
requests [-1]</div><div><div>-----------------------------------------------------------------------</div></div><div><br></div><div>These \
builds are configured to detect bugs and trap on errors, making debugging easy. \
[1][2]</div><div>They run locally, and only act as directory caches at this \
time.</div><div><br></div><div><br></div><div><div>Patches against \
tor</div><div>--------------------------</div></div><div><br></div><div>A few patches \
have also gone into tor during the configuration and testing of \
the </div><div>fuzzing targets:<div><div><br></div><div>Logged due to initial \
fuzzing attempts:<br><div><br></div><div>#13071 <a \
href="https://trac.torproject.org/projects/tor/ticket/13071" title="View \
ticket">[patch] tor 0.2.6 sometimes fails to escape logged directory \
requests</a> [0]</div><div><br></div><div>Logged due to the compiler flags I \
wanted to use during fuzzing [1] </div><div>(it's far easier to fuzz a version \
of tor that is undefined-behaviour \
clean)[2]:<br></div><div><br></div><div>#13085 <a \
href="https://trac.torproject.org/projects/tor/ticket/13085" title="View \
ticket">[patch] tor control connection event mask (32 bits) is too small for events \
(33 events)</a> [3]</div><div>#13096 <a \
href="https://trac.torproject.org/projects/tor/ticket/13096" title="View \
ticket">[patch] routerlist: NULL struct pointer dereferenced to take address of \
element</a> [4]</div><div>#13104 <a \
href="https://trac.torproject.org/projects/tor/ticket/13104" title="View \
ticket">[patch] Arithmetic undef behaviour: sscanf, memeq, scale array, fmt exit \
status</a> [5]</div><div><br></div><div>Logged due to compiler warnings / static \
analysis:</div><div><br></div><div>#13036 <a \
href="https://trac.torproject.org/projects/tor/ticket/13036" title="View \
ticket">Uninitialised Variable & NULL Pointer Dereference Warnings in \
Clang</a> [6]</div><div><br></div><div>[-6]: <a \
href="https://github.com/drgowen/tor-research-framework">https://github.com/drgowen/tor-research-framework</a></div><div>[-5]: <a \
href="https://github.com/twilsonb/jbrofuzz">https://github.com/twilsonb/jbrofuzz</a></div><div>[-4]: \
<a href="https://www.ee.oulu.fi/research/ouspg/Radamsa">https://www.ee.oulu.fi/research/ouspg/Radamsa</a></div><div>[-3]: \
Like <a href="http://www.cert.org/blogs/certcc/post.cfm?EntryID=179">http://www.cert.org/blogs/certcc/post.cfm?EntryID=179</a></div><div><br></div><div>[-2]: \
I could clean this up and upload it to github (it's in emails at the \
moment).</div><div>[-1]: <a \
href="https://github.com/twilsonb/tor-research-framework/tree/master/src/test">https:/ \
/github.com/twilsonb/tor-research-framework/tree/master/src/test</a></div><div><br></div><div>[0]: \
<a href="https://trac.torproject.org/projects/tor/ticket/13071">https://trac.torproject.org/projects/tor/ticket/13071</a></div><div>[1]: \
Using clang -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error \
-ftrapv </div><div> makes it easier to detect subtle bugs \
(along with a debugging malloc library)</div><div>[2]: Once the patches in [5] are \
applied, (many) commonly executed tor code paths</div><div> will \
be undefined-behaviour clean at runtime.</div><div>[3]: <a \
href="https://trac.torproject.org/projects/tor/ticket/13085">https://trac.torproject.org/projects/tor/ticket/13085</a></div><div>[4]: <a \
href="https://trac.torproject.org/projects/tor/ticket/13096">https://trac.torproject.org/projects/tor/ticket/13096</a></div><div>[5]: <a \
href="https://trac.torproject.org/projects/tor/ticket/13104">https://trac.torproject.org/projects/tor/ticket/13104</a></div><div>[6] \
: <a href="https://trac.torproject.org/projects/tor/ticket/13036">https://trac.torproject.org/projects/tor/ticket/13036</a><br><div \
apple-content-edited="true"><br></div></div></div></div></div></div></body></html>
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic