From e32bb4cb81ea57a7e3e1d48e9faa5a501c2b50b6 Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Wed, 8 Apr 2015 06:16:11 +0000 Subject: [PATCH] [lib/Fuzzer] show how to find Heartbleed with LibFuzzer git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@234391 91177308-0d34-0410-b5e6-96231b3b80d8 --- docs/LibFuzzer.rst | 63 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst index 684d9def787..0d3040329d0 100644 --- a/docs/LibFuzzer.rst +++ b/docs/LibFuzzer.rst @@ -163,6 +163,67 @@ which will cause the fuzzer to exit on the first new synthesised input:: N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M -exit_on_first=1 +Heartbleed +---------- +Remember Heartbleed_? +As it was recently `shown `_, +fuzzing with AddressSanitizer can find Heartbleed. Indeed, here are the step-by-step instructions +to find Heartbleed with LibFuzzer:: + + wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz + tar xf openssl-1.0.1f.tar.gz + COV_FLAGS="-fsanitize-coverage=4" # -mllvm -sanitizer-coverage-8bit-counters=1" + (cd openssl-1.0.1f/ && ./config && + make -j 32 CC="clang -g -fsanitize=address $COV_FLAGS") + # Get and build LibFuzzer + svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer + clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer + # Get examples of key/pem files. + git clone https://github.com/hannob/selftls + cp selftls/server* . -v + cat << EOF > handshake-fuzz.cc + #include + #include + #include + SSL_CTX *sctx; + int Init() { + SSL_library_init(); + SSL_load_error_strings(); + ERR_load_BIO_strings(); + OpenSSL_add_all_algorithms(); + assert (sctx = SSL_CTX_new(TLSv1_method())); + assert (SSL_CTX_use_certificate_file(sctx, "server.pem", SSL_FILETYPE_PEM)); + assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM)); + return 0; + } + extern "C" void TestOneInput(unsigned char *Data, size_t Size) { + static int unused = Init(); + SSL *server = SSL_new(sctx); + BIO *sinbio = BIO_new(BIO_s_mem()); + BIO *soutbio = BIO_new(BIO_s_mem()); + SSL_set_bio(server, sinbio, soutbio); + SSL_set_accept_state(server); + BIO_write(sinbio, Data, Size); + SSL_do_handshake(server); + SSL_free(server); + } + EOF + # Build the fuzzer. + clang++ -g handshake-fuzz.cc -fsanitize=address \ + openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o + # Run 20 independent fuzzer jobs. + ./a.out -jobs=20 -workers=20 + +Voila:: + + #1048576 pulse cov 3424 bits 0 units 9 exec/s 24385 + ================================================================= + ==17488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004748 at pc 0x00000048c979 bp 0x7fffe3e864f0 sp 0x7fffe3e85ca8 + READ of size 60731 at 0x629000004748 thread T0 + #0 0x48c978 in __asan_memcpy + #1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3 + #2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4 + Advanced features ================= @@ -274,3 +335,5 @@ Examples: regular expression matchers, text or binary format parsers. .. _AFL: http://lcamtuf.coredump.cx/afl/ .. _SanitizerCoverage: https://code.google.com/p/address-sanitizer/wiki/AsanCoverage + +.. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed -- 2.34.1