Use AFL to fuzz Android IPV4/IPv6 stack


priyesh bansal

Apr 19, 2017, 6:29:39 AM4/19/17
to afl-users
Hi,

I am new to AFL. I know it is mostly used to fuzz applications which take files as input. But can I use it to fuzz the IPv4/IPv6 stack of an Android phone? Does it have in-built support for this type of network fuzzing? Any help/pointers are appreciated.

Thanks,
Priyesh


Hanno Böck

Apr 19, 2017, 6:51:23 AM4/19/17
to 'priyesh bansal' via afl-users
Hi,
This is actually a pretty tricky task and most likely not the kind of
challenge you want to pick up when you say you're new to AFL.

If you want to fuzz an IP stack you have multiple challenges to
overcome:
* It's kernel code. AFL is usually used on userspace applications.
* It's low-level networking, while AFL works on files or piped inputs.

Also you say Android. That's for all practical reasons Linux, because
it's the Linux kernel that's doing networking there.

Several people have tried to adapt AFL to networking, although from
what I'm aware this is happening more on the TCP level, and not on
low-level networking. See [1], [2], [3], but it's quite far from
the kernel level stuff.

There have also been attempts to do AFL on OS-level [4].
Most of the linux kernel level fuzzing has been done by other projects
like syzkaller [5].

It's certainly possible to bring that together to do IP-stack fuzzing
somehow. But don't expect any low hanging fruit here, it'll probably
mean diving deep into OS internals and writing new tools that don't exist
yet.

[1]
https://vegardno.blogspot.dk/2017/03/fuzzing-openssh-daemon-using-afl.html
[2] https://github.com/jdbirdwell/afl
[3] https://github.com/zardus/preeny
[4]
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/project-triforce-run-afl-on-everything/
[5] https://github.com/google/syzkaller
--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Vegard Nossum

Apr 19, 2017, 7:17:35 AM4/19/17
to afl-...@googlegroups.com
On 19 April 2017 at 12:29, 'priyesh bansal' via afl-users
You can check out the setup that we used for Linux filesystem fuzzing,
in fact we already have a networking fuzzer which sends frames on a
tun/tap (virtual ethernet) interface as if the frames were coming from
the network:

https://github.com/oracle/kernel-fuzzing/blob/master/fuzzers/net/net.cc

This method probably requires that you also compile a kernel with
profiling enabled so that you can see where you hit dead ends
(checksums, etc.) and fix it up to let your packets reach further -- we
did that and did manage to get packets to reach some manner of IP
packet processing.

IIRC we ran into a problem with deferred processing where e.g. the
frame/packet/whatever is placed on a queue and then processed
asynchronously by a different thread/workqueue/softirq/tasklet (and
thus won't contribute to the instrumentation feedback to AFL). I don't
remember the specific problem well enough to say definitely how to
solve it, but one approach I've tried for syzkaller in the meantime is
to move various asynchronous processing to the syscall exit path to
make it deterministic. It's not particularly easy and requires some
fairly specific kernel knowledge to get it right.

Getting the whole thing set up is quite involved as you'll have to
apply a patch to AFL to work with the kernel, you'll have to apply
patches to the kernel to implement the AFL driver, and some more
patches to the kernel to generate the config (general instructions at
<https://github.com/oracle/kernel-fuzzing/blob/master/README.md>).
We'll maybe try to make it easier at some point in the future.

As Hanno said, it's probably worth getting started with an easier
project (using vanilla AFL) first :-)


Vegard
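To make the tap-injection approach from Vegard's post concrete, here is a small added harness that is not part of the thread or of the oracle/kernel-fuzzing project: it takes one AFL test case as a raw IPv4 packet, repairs the header checksum (the "dead end" the post mentions, since ip_rcv drops a packet with a bad checksum before any deeper parsing), wraps it in a broadcast Ethernet frame and writes it to a tap device. The interface name `afl0`, the broadcast addressing and the fixed source MAC are this example's own choices; the ioctl constants are the standard values from <linux/if_tun.h>. Opening the tap needs CAP_NET_ADMIN, while the checksum and framing helpers run anywhere.

```python
"""Added example: inject one AFL test case as an Ethernet frame on a tap device."""
import fcntl
import os
import struct
import sys

TUNSETIFF = 0x400454CA   # <linux/if_tun.h>
IFF_TAP = 0x0002         # layer-2 device: we supply the Ethernet header ourselves
IFF_NO_PI = 0x1000       # no 4-byte packet-info prefix on read/write
ETH_P_IP = 0x0800
BROADCAST_MAC = b"\xff" * 6          # avoids PACKET_OTHERHOST drops in ip_rcv
SRC_MAC = b"\x02\x00\x00\x00\x00\x01"  # locally administered, constructed value


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; call with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_ipv4_header(pkt: bytes) -> bytes:
    """Rewrite the header checksum so early validation does not discard the case.
    A bogus IHL is left alone: the kernel's rejection path is worth exercising too."""
    if len(pkt) < 20:
        return pkt
    hlen = (pkt[0] & 0x0F) * 4
    if hlen < 20 or hlen > len(pkt):
        return pkt
    hdr = bytearray(pkt[:hlen])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[hlen:]


def build_frame(payload: bytes) -> bytes:
    """Minimal Ethernet II frame carrying the (checksum-fixed) IPv4 packet."""
    return BROADCAST_MAC + SRC_MAC + struct.pack("!H", ETH_P_IP) + fix_ipv4_header(payload)


def open_tap(name: str = "afl0") -> int:
    """Create/attach the tap interface; bring it up separately (ip link set afl0 up)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), IFF_TAP | IFF_NO_PI))
    return fd


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:   # AFL substitutes the test case path for @@
        case = f.read()
    os.write(open_tap(), build_frame(case))
```

Coverage feedback from the kernel side still needs the instrumented kernel and AFL patches the post describes; this harness only covers the input-delivery half.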