Fuzzing Bind

Ondřej Surý ondrej at isc.org
Sat Aug 14 14:18:41 UTC 2021


That looks like a bug. Please file a GitLab issue so there’s a permanent record of it. Most probably this is due to some combination of configure flags that we don’t use in testing.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 14. 8. 2021, at 15:57, Siva Kakarla <sivakesava1 at gmail.com> wrote:
> 
> 
> Thanks, Ondrej, for the pointers and detailed information. I read through bin/named/fuzz.c, and it seems like the AFL fuzzing works only in the persistent mode due to this check in fuzz.c. That means it has to be compiled using `afl-clang-fast` (I installed it using 'apt install afl++') instead of `afl-clang`.
> 
> I configured the code using "CXX=afl-clang-fast++ CC=afl-clang-fast ./configure --enable-fuzzing=afl --disable-linux-caps --disable-shared --enable-static --enable-developer --without-cmocka --without-zlib" and then I tried "make -j" but that results in the following error.
> 
> Is there any specific version combination of Bind and afl++ that works without this error, or am I missing some configure flag? No worries if you are not immediately aware of it; I wanted to give the AFL persistent mode a final try before giving up fuzzing the named binary. 
> 
>> fuzz.c:585:2: error: cast from 'const char *' to 'char *' drops const qualifier [-Werror,-Wcast-qual]
>>         __AFL_LOOP(0);
>>         ^
>> <command line>:11:88: note: expanded from here
>> #define __AFL_LOOP(_A) ({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility(...
>>                                                                                        ^
>> afl-llvm-pass 2.52b by <lszekeres at google.com>
> 
>> On Thu, Aug 5, 2021 at 10:48 PM Ondřej Surý <ondrej at isc.org> wrote:
>> You can use dnspython to generate wire format.
>> 
>> Generally, I think that writing more specific fuzzers on top of APIs that consume user input would be more useful than just fuzzing `named`.
>> 
>> F.e. it should be possible to write a fuzzer that takes multiple DNS messages as input (starting with the query + all DNS messages needed to resolve the query); that would be more useful than just fuzzing “stuff”.
>> 
>> Also, I think that for more complex stuff it would be better to write a protocol-specific input generator than just the generic one found in existing fuzzers.
>> 
>> Ondřej
>> --
>> Ondřej Surý — ISC (He/Him)
>> 
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>> 
>>> On 5. 8. 2021, at 18:51, Siva Kakarla <sivakesava1 at gmail.com> wrote:
>>> 
>>> 
>>> Thanks, Ondrej, for the reply.
>>> 
>>> Fuzzing responses is the second part, I would say. For now, I am only fuzzing the authoritative server, so fuzzing named with queries would be a good starting point. I will check the GitHub repository you pointed out. 
>>> 
>>> The instructions for running AFL work great, thanks!
>>> 
>>> I came across the '-A' option from the report you filed a year ago, but I was under the impression that "client" would be the default. I just saw that it is none in the code, so, I guess, named has to be started with "named -A client:IP:port" to fuzz the authoritative server with queries. I will check the files you pointed to more carefully.
>>> 
>>> When the AFL code was first added to Bind 4-5 years ago, what seed input was given to it?
>>> 
>>> I understand that they are raw packets, but how did you get them in the raw format? I guess the fuzzer would have generated some of them, but what were the starting raw packets? Also, there is no way to convert them from raw format to readable DNS messages as most of them are invalid, but is there a way for the valid ones?
>>> 
>>> I will try to be more specific - say I want to seed with a query <foo.com, A>, how do I get the DNS packet that has this query in the raw format? (capturing it using Wireshark?)
>>> 
>>> Thanks a lot again for taking the time to answer my questions.
>>> 
>>>> On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý <ondrej at isc.org> wrote:
>>>> If you want to get your hands dirty, I would recommend looking at https://github.com/dobin/ffw, but for useful fuzzing, this would also need more complicated client fuzzing support, because you don’t only want to fuzz the queries, but also the responses given by “fake” authoritative servers, and you want to do that on various levels of the DNS tree and for various query types. It’s a state machine, and by fuzzing on a single level you might never hit all the states.
>>>> 
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ondrej at isc.org
>>>> 
>>>> > On 5. 8. 2021, at 18:01, Ondřej Surý <ondrej at isc.org> wrote:
>>>> > 
>>>> > 
>>>> > --
>>>> > Ondřej Surý (He/Him)
>>>> > ondrej at isc.org
>>>> > 
>>>> >> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesava1 at gmail.com> wrote:
>>>> >> 
>>>> >> Hello Everyone,
>>>> >> 
>>>> >> I am trying to understand and set up a fuzzer for the Bind DNS implementation. My current goal is to fuzz the authoritative server with queries. 
>>>> >> 
>>>> >> I have looked around and came across different fuzzing engines, but I have some trouble and some questions getting it to work. If anyone has anything to comment on, please reply, and that would be really helpful.
>>>> >>      • I configured with CC=/path/to/afl/afl-clang ./configure --enable-fuzzing=afl (or afl-clang-fast) to enable fuzzing. Then, I did make and make install. I then tried fuzzing the named binary with afl-fuzz -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -g but then it stops immediately, saying the program crashed with one of the test cases provided.
>>>> >>              • How to fuzz the named binary with queries?
>>>> > 
>>>> > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more complicated to set it up (you need to pass -A extra option to `named`).
>>>> > 
>>>> >>              • How to get the seed input in raw format? 
>>>> >>              • Honggfuzz seems to fuzz the named binary, but it produced too many files as crash reports within a minute. I have asked about it on their GitHub. Anyone that worked with Honggfuzz, please reply. 
>>>> > 
>>>> > I see you got a response from the Honggfuzz author directly.
>>>> > 
>>>> >>      • A separate fuzz folder contains functions to fuzz small sections of the code. 
>>>> >>              • Was this created to improve coverage and modularity? (In the sense, can't named be fuzzed directly using the above setup?) 
>>>> > 
>>>> > Fuzzing a daemon that depends on various internal state (state of the cache, authoritative zones present or not, various configuration options enabled or not) is difficult, and sometimes it’s also useless to fuzz the big blob; you want to fuzz just specific parts (zone parser, DNS message parsers, etc…).
>>>> > 
>>>> >>              • I could get them running with oss-fuzz but how to run them with afl-fuzz? The README mentions linking the files; can you please tell me how to do that?
>>>> > 
>>>> > with AFL++ do
>>>> > 
>>>> > CC=afl-clang-fast ./configure --enable-fuzzing=afl
>>>> > make -j
>>>> > cd fuzz
>>>> > 
>>>> > and then for each test:
>>>> > 
>>>> > make dns_message_parse
>>>> > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
>>>> > 
>>>> >>      • How to decode the packets given in https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in? How to add a new packet to the corpus? (How to convert into a raw packet?)
>>>> > 
>>>> > These are raw DNS messages. There’s a bigger corpus, f.e., here: https://github.com/CZ-NIC/dns-fuzzing
>>>> > 
>>>> >> Thank you
>>>> >> Siva
>>>> >> 
>>>> >> --
>>>> >> Siva Kakarla
>>>> >> (sivak.dev)
>>>> 
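Ondřej suggests generating wire-format seeds with dnspython, and Siva asks how a <foo.com, A> query becomes a raw packet and whether a valid raw seed can be read back. The following is an added example, not code from the thread or from BIND: it builds the RFC 1035 wire format with only the Python standard library (dnspython's dns.message.make_query("foo.com.", "A").to_wire() yields the same bytes), decodes the header and question of a raw seed for inspection, and stores a seed in a directory whose name is an assumption.

```python
import os
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Return a minimal DNS query (RFC 1035 s4.1) in wire format: header + one question."""
    # Header: ID, flags (only RD=1, a plain recursive query), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label must be 1..63 bytes: %r" % label)
        question += bytes([len(raw)]) + raw          # length-prefixed label
    question += b"\x00"                              # root label terminates the name
    question += struct.pack("!HH", qtype, 1)         # QTYPE, QCLASS=IN
    return header + question


def decode_question(wire):
    """Decode the header and first question of a raw seed so a human can read it.
    Strict on purpose: a fuzz corpus is mostly malformed, and a seed that fails
    here is simply one this helper cannot describe, not a defect in the seed."""
    if len(wire) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", wire[:12])
    pos, labels = 12, []
    while True:
        if pos >= len(wire):
            raise ValueError("truncated question name")
        n = wire[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:  # compression pointer: legal in answers, unexpected in a query name
            raise ValueError("compressed name in question section")
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if len(wire) < pos + 4:
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount, "ancount": ancount,
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def write_seed(directory, name, wire):
    """Store one raw message where `afl-fuzz -i <directory>` will pick it up (assumed layout)."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(wire)
    return path
```

Passing a 25-byte file produced by build_query("foo.com") through decode_question gives back qname "foo.com.", qtype 1 (A) and qclass 1 (IN); files from an existing corpus that raise ValueError are the invalid seeds Siva mentions.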