<div dir="ltr"><div>Hello Everyone,<br></div><div><br></div><div>I am trying to understand and set up a fuzzer for the BIND DNS implementation. My current goal is to fuzz the authoritative server with queries. </div><div><br></div><div>I have looked around and come across different fuzzing engines, but I have some trouble and some questions about getting it to work. If anyone has anything to comment on, please reply; that would be really helpful.</div><div><ol><li style="margin-left:15px"><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px">I configured with </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">CC=/path/to/afl/afl-clang ./configure --enable-fuzzing=afl</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px"> or </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">afl-clang-fast</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px"> to enable fuzzing. Then, I did </span><span style="color:rgb(61,60,64)"><font face="Menlo, Monaco, Consolas, Courier New, monospace"><span style="font-size:12.15px;white-space:pre-wrap">make </span></font><font face="Open Sans, sans-serif"><span style="font-size:13.5px">and </span></font> <span style="font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;white-space:pre-wrap">make install</span><font face="Open Sans, sans-serif"><span style="font-size:13.5px">. 
</span></font></span> <span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)">I then tried fuzzing the </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">named</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"> binary with </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">afl-fuzz -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -g</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)">, but it stops immediately, saying </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">the program crashed with one of the test cases provided</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)">. 
</span><br></li><ol><li style="margin-left:15px"><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)">How to fuzz the </span><span style="box-sizing:border-box;color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">named</code></span><span style="color:rgb(61,60,64);font-family:'Open Sans',sans-serif;font-size:13.5px;background-color:rgba(61,60,64,0.04)"> binary with queries?</span></li><li style="margin-left:15px">How to get the seed input in raw format? </li><li style="margin-left:15px"><a href="https://github.com/google/honggfuzz/tree/master/examples/bind" target="_blank">Honggfuzz</a> seems to fuzz the named binary, but it produced too many files as crash reports within a minute. I have asked about it on their <a href="https://github.com/google/honggfuzz/issues/408" target="_blank">GitHub</a>. Anyone who has worked with Honggfuzz, please reply. </li></ol><li style="margin-left:15px"><font color="#3d3c40" face="Open Sans, sans-serif"><span style="font-size:13.5px">A <a href="https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz" rel="noreferrer" target="_blank" style="color:rgb(35,137,215);box-sizing:border-box;text-decoration-line:none;word-break:break-word">separate fuzz folder</a> contains functions to fuzz small sections of the code. </span></font></li><ol><li style="margin-left:15px"><font color="#3d3c40" face="Open Sans, sans-serif"><span style="font-size:13.5px">Was this created to improve coverage and modularity? 
(That is, can't <span style="box-sizing:border-box"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">named</code></span> be fuzzed directly using the above setup?) </span></font></li><li style="margin-left:15px"><font color="#3d3c40" face="Open Sans, sans-serif"><span style="font-size:13.5px">I could get them running with <span style="box-sizing:border-box"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">oss-fuzz</code></span>, but how do I run them with <span style="box-sizing:border-box"><code style="box-sizing:border-box;font-family:Menlo,Monaco,Consolas,'Courier New',monospace;font-size:12.15px;padding:2px 4px;color:inherit;border-radius:4px;white-space:pre-wrap">afl-fuzz</code></span>? The <a href="https://gitlab.isc.org/isc-projects/bind9/-/blob/main/fuzz/FUZZING.md" target="_blank">README</a> mentions linking the files; can you please tell me how to do that?</span></font></li></ol><li style="margin-left:15px"><font color="#3d3c40" face="Open Sans, sans-serif"><span style="font-size:13.5px">How to decode the packets given in </span></font><a href="https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in" target="_blank">https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in</a>? How to add a new packet to the corpus? 
(How to convert it into a raw packet?)</li></ol></div><div>Thank you</div><div>Siva</div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><br style="color:rgb(136,136,136)"><span style="color:rgb(136,136,136)">--</span><br style="color:rgb(136,136,136)"><div dir="ltr" style="color:rgb(136,136,136)"><div dir="ltr"><div dir="ltr">Siva Kakarla<div><font size="1">(<a href="https://www.sivak.dev/" style="color:rgb(17,85,204)" target="_blank">sivak.dev</a>)</font></div></div></div></div></div></div></div></div>
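The last two questions above (decoding the seeds in dns_message_parse.in and producing a new raw packet for the corpus) come down to the RFC 1035 wire format. The following is an added example, not code from the BIND sources or from the poster; it assumes the corpus files are raw wire-format DNS messages, which is what a message parser harness would consume. build_query encodes a one-question query as bytes that can be written to a new seed file; parse_header_and_question decodes an existing seed's header and question section, following name-compression pointers and rejecting truncated or looping input instead of crashing on it.

```python
import struct

def build_query(name, qtype=1, qclass=1, txid=0x1234):
    """Encode a one-question DNS query (RFC 1035 section 4) as raw wire bytes."""
    # Header: ID, flags (QR=0, opcode=0, RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_name(buf, off):
    """Decode a name at buf[off], following 0xC0xx compression pointers; returns (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 1 >= len(buf):
                raise ValueError("truncated pointer")
            end = end if end is not None else off + 2  # stream resumes after first pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:                             # guard against pointer loops
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:                               # root label terminates the name
            return ".".join(labels) + ".", end if end is not None else off
        if off + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length

def parse_header_and_question(buf):
    """Decode the 12-byte header and every question; raises ValueError on malformed input."""
    if len(buf) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = parse_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    return {"id": txid, "qr": bool(flags >> 15), "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar, "questions": questions}
```

Writing the bytes from build_query to a new file in the corpus directory gives afl-fuzz an additional seed; running parse_header_and_question over an existing seed file shows which query it carries.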