[openssl-dev] Fuzzer Patch(es)

Thu Aug 25 22:34:23 UTC 2016

On 25/08/16 22:33, Tom Ritter wrote:
> NCC Group has prepared (or begun preparing) a patch that integrates
> fuzzing of OpenSSL.  This work was done primarily by Tim Newsham,
> although the code is based on selftls by Hanno Böck, and it was modified
> by me to fit into the OpenSSL tree. The general messiness is caused by
> me, not Tim.
> 
> Rather than attach a giant patch, I put it up here:
> https://github.com/nccgroup/openssl/tree/ncc-fuzzer
> 
> It consists of three parts:
> 
> - Expansive changes to the ossltest engine to support (broken) RSA and
> many more (broken) symmetric ciphers
> - Two function additions to OpenSSL that, when compiled with
> FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, insert deterministic
> timestamps into the TLS protocol
> - The ftls fuzz harness that speaks TLS to itself and allows for fuzzing
> any individual client or server message in the handshake
> 
> 
> This has only been tested on Linux x64 so far. I have had some trouble
> getting some parts working, but the fuzzing does commence.
> 
> wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
> tar xfv afl-<tab>
> ln -s afl-2<tab> afl
> cd afl ; make ; cd ..
> git clone git at github.com:nccgroup/openssl.git ncc-fuzzer
> cd ncc-fuzzer
> git checkout ncc-fuzzer
> CC=../afl/afl-clang ./Configure linux-x86_64
> -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-ssl3
> enable-ssl3-method enable-weak-ssl-ciphers enable-crypto-mdebug
> enable-asan enable-afl-fuzz
> (Optional: Edit Makefile and change '-O3' to '-O0' and '-g' to '-ggdb'. 
> I couldn't figure out how to make this part of the Configure command.)
> make
> (Ignore errors at the end for code in test/fuzz)
> cd test/ftls
> ln -s ../../../afl-2<tab> afl
> make all
> ./genCerts
> ./makeInputs
> LD_LIBRARY_PATH=../../ ./afl/afl-fuzz -i inputs -o outputs -m
> 99999999999999 -- ./ftls-afl
> 
> 
> There are few pieces that I was unable to get working correctly:
> 
> 1) The ossltest engine needs to have libcrypto statically linked into
> it. ftls has openssl libraries statically linked into them for ASAN+AFL
> fuzzing, but ossltest wants them loaded dynamically.  The correct thing
> to do is compile ossltest with libcrypto linked statically, but I could
> not figure out the correct way to represent that with the build.info
> <http://build.info> configurations. http://stackoverflow.com/a/2649792
> seems to be the correct instructions for the compiler/linker.
> 
> Until this is fixed, the above LD_LIBRARY_PATH=../../ is needed.
> 
> 2) I had trouble compiling with 'enable-asan' unless I used clang. gcc
> gave me problems.
> 
> 3) I got compilation errors for code in test/ when compiling with
> enable-afl-fuzz; however the important stuff compiled.  
> 
> 4) ERR_load_OSSLTEST_strings() in the original e_ossltest.c was causing
> a Segfault (under ASAN) on exit, so I commented it out.
> 
> 5) The original version of ftls by Tim included support for compiling
> and fuzzing on 32-bit and also getting gcov-based profiling information.
> While references and stubs to this are still in the Makefile, I wasn't
> able to fully investigate and get those aspects of it working
> 
> 6) There are some memory leaks that are exposed when you run
> ./makeInputs - I tracked most of them down, but a few remained. I
> believe these are from ftls and not OpenSSL.
> 
> 
> This fuzzer hits lots of things, but there are lots more things in
> OpenSSL.  It has the following limitations:
> - It doesn't support all the possible features of TLS. But it does
> support a lot of them. (makeInputs lists many things not completed at
> the end of the file)
> - The ossltest engine does not include support for removed ciphers like
> DES, RC2, or GOST. However, there are some mentions/stubs of that, as
> the fuzzer was written before all of these things were removed from 1.1
> - Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG
> becomes constant. This causes an error in
> ssl/ssl_sess.c:generate_session_id() because it always generates a
> colliding Session ID. This breaks renegotiation in the test harness. I
> haven't thought of an elegant way to resolve this.
> 
> 
> My ability to continue this effort is going to be extremely limited in
> the upcoming weeks, so I'm hopeful a community member will help us bring
> this across the finish line if OpenSSL is (still) interested in having
> this work merged into master.

Wow! Thanks Tom and Tim. This is fantastic. I really hope someone picks
this up - this would be great to get integrated.

Matt