Cuberite ForumCuberiteDevelopment
Packet fuzzing?

Threaded Mode
Packet fuzzing?
LogicParrot Offline
Cuberite Developer
******
Posts: 721
Threads: 77
Joined: Apr 2014
Thanks: 113
Given 130 thank(s) in 91 post(s)
#1
12-26-2015, 06:49 PM (This post was last modified: 12-26-2015, 06:50 PM by LogicParrot.)
Just wondering: Did anyone (@tycho?) ever try packet-fuzzing the server to identify crashes and/or security vulnerabilities caused by malformed packets?
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 2
Given 73 thank(s) in 61 post(s)
#2
12-26-2015, 11:10 PM
I haven't. The tool I use primarily handles files, and cProtocol is too closely tied to cClientHandle to build easily on its own. I would like to have another look at doing it at some point, as I wouldn't be suprised if I found crashes.
Find
Reply
Thanks given by:
LogicParrot Offline
Cuberite Developer
******
Posts: 721
Threads: 77
Joined: Apr 2014
Thanks: 113
Given 130 thank(s) in 91 post(s)
#3
12-26-2015, 11:13 PM (This post was last modified: 12-26-2015, 11:14 PM by LogicParrot.)
(12-26-2015, 11:10 PM)worktycho Wrote: I haven't. The tool I use primarily handles files, and cProtocol is too closely tied to cClientHandle to build easily on its own. I would like to have another look at doing it at some point, as I wouldn't be suprised if I found crashes.

I wonder if we could use the American Fuzzy Lop for this: Save a typical packet in a file, feed it to netcat and make it transmit it to the server, see if that causes a crash, and report back to AFL so that it modifies the file.
Also, to fuzz things beyond initial connection, one would have to replace netcat with some custom software, which connects, authenticates, and joins the world, and only then sends the fuzzing packet stored in the file.
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 2
Given 73 thank(s) in 61 post(s)
#4
12-26-2015, 11:27 PM
Also, you'd either need to deal with server startup time, which would need a serious cluster to find anything, or use black box mode, which isn't as good.
Find
Reply
Thanks given by:
LogicParrot Offline
Cuberite Developer
******
Posts: 721
Threads: 77
Joined: Apr 2014
Thanks: 113
Given 130 thank(s) in 91 post(s)
#5
12-26-2015, 11:33 PM
(12-26-2015, 11:27 PM)worktycho Wrote: Also, you'd either need to deal with server startup time, which would need a serious cluster to find anything, or use black box mode, which isn't as good.

We wouldn't need to restart per test, a restart per crash is enough. It's fine to test multiple packets on the same running server.
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 2
Given 73 thank(s) in 61 post(s)
#6
12-26-2015, 11:41 PM
If you want to run afl in non-blackbox mode you need to restart, because otherwise the instrumentation will cause problems.
Find
Reply
Thanks given by:
xoft Offline
Cuberite Developer
******
Posts: 6,485
Threads: 176
Joined: Jan 2012
Thanks: 131
Given 1074 thank(s) in 852 post(s)
#7
12-26-2015, 11:58 PM
Couldn't we just build an executable that would use the cProtocol180 class from Cuberite, but provide custom implementation of all the classes it depends upon, and feed it from stdin instead of network? That way, we could fuzz just the packet parsing, which is at least the first line of defense against malicious attacks.
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 2
Given 73 thank(s) in 61 post(s)
#8
12-27-2015, 12:08 AM
Thats what i'm thinking, but with some nasty preprocessor stuff so we can redirect the headers. Otherwise we end up including everything.
Find
Reply
Thanks given by:




Users browsing this thread: 5 Guest(s)