Fuzzing Bind

Siva Kakarla sivakesava1 at gmail.com
Thu Aug 5 16:53:28 UTC 2021 

Thanks, Ondrej, for the reply.

Fuzzing responses is the second part, I would say. For now, I am only
fuzzing the authoritative server, so fuzzing named with queries would be a
good starting point. I will check the GitHub repository you pointed out.

The instructions for running AFL work great, thanks!

I came across the '-A' option from the report you filed a year ago
<https://gitlab.isc.org/isc-projects/bind9/-/issues/1649>, but was under
the impression that the "client" would be the default but I just saw that
it is none in the code so, I guess, named has to be passed with "named -A
client:IP:port" to fuzz the authoritative server with queries. I will check
the files you pointed more carefully.

When the AFL code was first added to Bind 4-5 years ago, what seed input
was given to it?

I understand that they are raw packets, but how did you get them in the raw
format? I guess the fuzzer would have generated some of them but what were
the starting raw packets? So, there is also no way to convert them from raw
format to readable DNS messages as most of them are invalid but is there a
way for valid ones?

I will try to be more specific - say I want to seed with a query <foo.com,
A>, how do I get the DNS packet that has this query in the raw format?
(capturing it using Wireshark?)

*Thanks a lot again for taking the time to answer my questions.*

On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý <ondrej at isc.org> wrote:

> If you want to get your hands dirty, I would recommend looking at
> https://github.com/dobin/ffw, but for useful fuzzing, this would also
> need a more complicated client fuzzing support because you don’t only want
> to fuzz the queries, but also responses given by “fake” authoritative
> servers and you want to do that on various levels of DNS tree and for
> various query types.  It’s a state machine and by doing fuzzing on single
> level, you might never hit all the states.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> > On 5. 8. 2021, at 18:01, Ondřej Surý <ondrej at isc.org> wrote:
> >
> >
> > --
> > Ondřej Surý (He/Him)
> > ondrej at isc.org
> >
> >> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesava1 at gmail.com> wrote:
> >>
> >> Hello Everyone,
> >>
> >> I am trying to understand and set up a fuzzer for the Bind DNS
> implementation. My current goal is to fuzz the authoritative server with
> queries.
> >>
> >> I have looked around and came across different fuzzing engines, but I
> have some trouble and some questions getting it to work. If anyone has
> anything to comment on, please reply, and that would be really helpful.
> >>      • I configured with CC=/path/to/afl/afl-clang./configure
> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make
> and  make install.  I then tried fuzzing the named binary with afl-fuzz -i
> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut then
> it stops immediately, sayingthe program crashed with one of the test cases
> provided.
> >>              • How to fuzz the named binary with queries?
> >
> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s
> more complicated to set it up (you need to pass -A extra option to `named`).
> >
> >>              • How to get the seed input in raw format?
> >>              • Honggfuzz seems to fuzz the named binary, but it
> produced too many files as crash reports within a minute. I have asked
> about it on their GitHub. Anyone that worked with Honggfuzz, please reply.
> >
> > I see, you got response from hongfuzz author directly.
> >
> >>      • A separate fuzz folder contains functions to fuzz small sections
> of the code.
> >>              • Was this created to improve coverage and modularity? (In
> the sense, can't named be fuzzed directly using the above setup?)
> >
> > Fuzzing a daemon that depends on various internal state (state of the
> cache, authoritative zones present or not, various configuration options
> enabled or not) is difficult and also sometimes it’s also useless to fuzz
> the big blob and you want to fuzz just specific parts (zone parser, DNS
> message parsers, etc…)
> >
> >>              • I could get them running with oss-fuzz but how to run
> them with afl-fuzz? The README mentions linking the files; can you please
> tell me how to do that?
> >
> > with AFL++ do
> >
> > CC=afl-clang-fast ./configure --enable-fuzzing=afl
> > make -j
> > cd fuzz
> >
> > and then for each test:
> >
> > make dns_message_parse
> > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i
> dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
> >
> >>      • How to decode the packets given in
> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
> How to add a new packet to the corpus? (How to convert into a raw packet?)
> >
> > These are raw DNS messages.  There’s bigger corpus f.e. here:
> https://github.com/CZ-NIC/dns-fuzzing
> >
> >> Thank you
> >> Siva
> >>
> >> --
> >> Siva Kakarla
> >> (sivak.dev)
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> >>
> >> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
> >>
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210805/ea76f232/attachment-0001.htm>

More information about the bind-users mailing list