mirror of
https://github.com/RPCS3/llvm-mirror.git
synced 2024-10-18 18:42:46 +02:00
[lib/Fuzzer] show how to find Heartbleed with LibFuzzer
llvm-svn: 234391
This commit is contained in:
parent
304b9bd5e0
commit
daa2fc129a
@ -163,6 +163,67 @@ which will cause the fuzzer to exit on the first new synthesised input::
|
||||
|
||||
N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M -exit_on_first=1
|
||||
|
||||
Heartbleed
|
||||
----------
|
||||
Remember Heartbleed_?
|
||||
As it was recently `shown <https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html>`_,
|
||||
fuzzing with AddressSanitizer can find Heartbleed. Indeed, here are the step-by-step instructions
|
||||
to find Heartbleed with LibFuzzer::
|
||||
|
||||
wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz
|
||||
tar xf openssl-1.0.1f.tar.gz
|
||||
COV_FLAGS="-fsanitize-coverage=4" # -mllvm -sanitizer-coverage-8bit-counters=1"
|
||||
(cd openssl-1.0.1f/ && ./config &&
|
||||
make -j 32 CC="clang -g -fsanitize=address $COV_FLAGS")
|
||||
# Get and build LibFuzzer
|
||||
svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
|
||||
clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
|
||||
# Get examples of key/pem files.
|
||||
git clone https://github.com/hannob/selftls
|
||||
cp selftls/server* . -v
|
||||
cat << EOF > handshake-fuzz.cc
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/err.h>
|
||||
#include <assert.h>
|
||||
SSL_CTX *sctx;
|
||||
int Init() {
|
||||
SSL_library_init();
|
||||
SSL_load_error_strings();
|
||||
ERR_load_BIO_strings();
|
||||
OpenSSL_add_all_algorithms();
|
||||
assert (sctx = SSL_CTX_new(TLSv1_method()));
|
||||
assert (SSL_CTX_use_certificate_file(sctx, "server.pem", SSL_FILETYPE_PEM));
|
||||
assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM));
|
||||
return 0;
|
||||
}
|
||||
extern "C" void TestOneInput(unsigned char *Data, size_t Size) {
|
||||
static int unused = Init();
|
||||
SSL *server = SSL_new(sctx);
|
||||
BIO *sinbio = BIO_new(BIO_s_mem());
|
||||
BIO *soutbio = BIO_new(BIO_s_mem());
|
||||
SSL_set_bio(server, sinbio, soutbio);
|
||||
SSL_set_accept_state(server);
|
||||
BIO_write(sinbio, Data, Size);
|
||||
SSL_do_handshake(server);
|
||||
SSL_free(server);
|
||||
}
|
||||
EOF
|
||||
# Build the fuzzer.
|
||||
clang++ -g handshake-fuzz.cc -fsanitize=address \
|
||||
openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o
|
||||
# Run 20 independent fuzzer jobs.
|
||||
./a.out -jobs=20 -workers=20
|
||||
|
||||
Voila::
|
||||
|
||||
#1048576 pulse cov 3424 bits 0 units 9 exec/s 24385
|
||||
=================================================================
|
||||
==17488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004748 at pc 0x00000048c979 bp 0x7fffe3e864f0 sp 0x7fffe3e85ca8
|
||||
READ of size 60731 at 0x629000004748 thread T0
|
||||
#0 0x48c978 in __asan_memcpy
|
||||
#1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3
|
||||
#2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4
|
||||
|
||||
Advanced features
|
||||
=================
|
||||
|
||||
@ -274,3 +335,5 @@ Examples: regular expression matchers, text or binary format parsers.
|
||||
.. _AFL: http://lcamtuf.coredump.cx/afl/
|
||||
|
||||
.. _SanitizerCoverage: https://code.google.com/p/address-sanitizer/wiki/AsanCoverage
|
||||
|
||||
.. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
|
||||
|
Loading…
Reference in New Issue
Block a user