Fuzzing Bind

Siva Kakarla sivakesava1 at gmail.com
Sat Aug 14 13:59:27 UTC 2021

Thanks, Ondrej, for the pointers and detailed information. I read through
bin/named/fuzz.c, and it seems like the AFL fuzzing works only in the
persistent mode due to this check in fuzz.c.
That means it has to be compiled using `afl-clang-fast` (I installed it
using 'apt install afl++') instead of `afl-clang`.

I configured the code using "CXX=afl-clang-fast++ CC=afl-clang-fast
./configure --enable-fuzzing=afl --disable-linux-caps --disable-shared
--enable-static --enable-developer --without-cmocka --without-zlib" and
then I tried "make -j" but that results in the following error.

Is there any specific version combination of Bind and afl++ that works
without this error, or am I missing some configure flag? No worries if you
are not immediately aware of it; I wanted to give the AFL persistent mode a
final try before giving up fuzzing the named binary.

> fuzz.c:585:2: error: cast from 'const char *' to 'char *' drops const
> qualifier [-Werror,-Wcast-qual]
>         __AFL_LOOP(0);
>         ^
> <command line>:11:88: note: expanded from here
> #define __AFL_LOOP(_A) ({ static volatile char *_B __attribute__((used));
>  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility(...
>              ^
> afl-llvm-pass 2.52b by <lszekeres at google.com>

On Thu, Aug 5, 2021 at 10:48 PM Ondřej Surý <ondrej at isc.org> wrote:

> You can use dnspython to generate wire format.
> Generally, I think that writing more specific fuzzers on top of APIs that
> consume user input would be more useful than just fuzzing `named`.
> F.e. it should be possible to write a fuzzer that takes multiple DNS
> messages as input (starting with query + all DNS messages needed to resolve
> the query); that would be more useful than just fuzzing “stuff”.
> Also I think that for more complex stuff it would be better to write a
> protocol specific input generator than just a generic one found in existing
> fuzzers.
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
> On 5. 8. 2021, at 18:51, Siva Kakarla <sivakesava1 at gmail.com> wrote:
> Thanks, Ondrej, for the reply.
> Fuzzing responses is the second part, I would say. For now, I am only
> fuzzing the authoritative server, so fuzzing named with queries would be a
> good starting point. I will check the GitHub repository you pointed out.
> The instructions for running AFL work great, thanks!
> I came across the '-A' option from the report you filed a year ago
> <https://gitlab.isc.org/isc-projects/bind9/-/issues/1649>, but was under
> the impression that the "client" would be the default. I just saw that
> it is none in the code, so, I guess, named has to be passed "-A
> client:IP:port" to fuzz the authoritative server with queries. I will check
> the files you pointed out more carefully.
> When the AFL code was first added to Bind 4-5 years ago, what seed input
> was given to it?
> I understand that they are raw packets, but how did you get them in the
> raw format? I guess the fuzzer would have generated some of them, but what
> were the starting raw packets? So, there is also no way to convert them
> from raw format to readable DNS messages, as most of them are invalid, but is
> there a way for valid ones?
> I will try to be more specific - say I want to seed with a query <foo.com,
> A>, how do I get the DNS packet that has this query in the raw format?
> (capturing it using Wireshark?)
> Thanks a lot again for taking the time to answer my questions.
> On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý <ondrej at isc.org> wrote:
>> If you want to get your hands dirty, I would recommend looking at
>> https://github.com/dobin/ffw, but for useful fuzzing, this would also
>> need a more complicated client fuzzing support because you don’t only want
>> to fuzz the queries, but also responses given by “fake” authoritative
>> servers and you want to do that on various levels of DNS tree and for
>> various query types.  It’s a state machine and by doing fuzzing on a single
>> level, you might never hit all the states.
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>> > On 5. 8. 2021, at 18:01, Ondřej Surý <ondrej at isc.org> wrote:
>> >
>> >
>> > --
>> > Ondřej Surý (He/Him)
>> > ondrej at isc.org
>> >
>> >> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesava1 at gmail.com> wrote:
>> >>
>> >> Hello Everyone,
>> >>
>> >> I am trying to understand and set up a fuzzer for the Bind DNS
>> implementation. My current goal is to fuzz the authoritative server with
>> queries.
>> >>
>> >> I have looked around and came across different fuzzing engines, but I
>> have some trouble and some questions getting it to work. If anyone has
>> anything to comment on, please reply, and that would be really helpful.
>> >>      • I configured with CC=/path/to/afl/afl-clang ./configure
>> --enable-fuzzing=afl (or afl-clang-fast) to enable fuzzing. Then, I did make
>> and make install. I then tried fuzzing the named binary with afl-fuzz -i
>> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -g but then
>> it stops immediately, saying the program crashed with one of the test cases
>> provided.
>> >>              • How to fuzz the named binary with queries?
>> >
>> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s
>> more complicated to set it up (you need to pass -A extra option to `named`).
>> >
>> >>              • How to get the seed input in raw format?
>> >>              • Honggfuzz seems to fuzz the named binary, but it
>> produced too many files as crash reports within a minute. I have asked
>> about it on their GitHub. Anyone that worked with Honggfuzz, please reply.
>> >
>> > I see, you got a response from the honggfuzz author directly.
>> >
>> >>      • A separate fuzz folder contains functions to fuzz small
>> sections of the code.
>> >>              • Was this created to improve coverage and modularity?
>> (In the sense, can't named be fuzzed directly using the above setup?)
>> >
>> > Fuzzing a daemon that depends on various internal state (state of the
>> cache, authoritative zones present or not, various configuration options
>> enabled or not) is difficult and sometimes it’s also useless to fuzz
>> the big blob and you want to fuzz just specific parts (zone parser, DNS
>> message parsers, etc…)
>> >
>> >>              • I could get them running with oss-fuzz but how to run
>> them with afl-fuzz? The README mentions linking the files; can you please
>> tell me how to do that?
>> >
>> > with AFL++ do
>> >
>> > CC=afl-clang-fast ./configure --enable-fuzzing=afl
>> > make -j
>> > cd fuzz
>> >
>> > and then for each test:
>> >
>> > make dns_message_parse
>> > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i
>> dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
>> >
>> >>      • How to decode the packets given in
>> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in?
>> How to add a new packet to the corpus? (How to convert into a raw packet?)
>> >
>> > These are raw DNS messages.  There’s a bigger corpus, f.e., here:
>> https://github.com/CZ-NIC/dns-fuzzing
>> >
>> >> Thank you
>> >> Siva
>> >>
>> >> --
>> >> Siva Kakarla
>> >> (sivak.dev)
>> >> _______________________________________________
>> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>> >>
>> >> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>> information.
>> >>
>> >>
>> >> bind-users mailing list
>> >> bind-users at lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/bind-users
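An added example, not from the thread or from BIND: Ondřej points at dnspython for producing wire format, but the query Siva asks about (<foo.com, A>) can be built and decoded with the standard library alone, which also shows what a seed file in fuzz/dns_message_parse.in/ actually contains. `build_query`, `decode_question` and `write_seed` are names chosen here; the decoder rejects truncated input, the kind of corpus entry that is "invalid" and cannot be shown as a readable message.

```python
# Constructed example: raw DNS wire-format queries for an AFL seed corpus (RFC 1035).
import os
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard recursion-desired query with one question, as seen on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def decode_question(msg: bytes) -> dict:
    """Decode the header ID and first question; raise ValueError on truncated input."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid = struct.unpack("!H", msg[:2])[0]
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln, off = msg[off], off + 1
        if ln == 0:
            break
        if ln & 0xC0 or off + ln > len(msg):  # compression pointers are not handled here
            raise ValueError("bad label at offset %d" % (off - 1))
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(msg):
        raise ValueError("question truncated before QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "name": ".".join(labels) + ".",
            "qtype": QTYPE_NAMES.get(qtype, qtype), "qclass": qclass}

def write_seed(corpus_dir: str, name: str, qtype: str) -> str:
    """Save one query as a seed file for afl-fuzz -i <corpus_dir>; returns the path."""
    os.makedirs(corpus_dir, exist_ok=True)
    path = os.path.join(corpus_dir, "%s_%s.bin" % (name.rstrip("."), qtype))
    with open(path, "wb") as fh:
        fh.write(build_query(name, qtype))
    return path
```

The bytes returned by `build_query` are the UDP payload Wireshark would show for the same query, so `write_seed("fuzz/dns_message_parse.in", "foo.com", "A")` adds exactly that packet to the corpus.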