Fuzzing Haskell app with TCP socket?


Mark Stopka

Jul 11, 2020, 9:20:24 PM
to honggfuzz
Hi,
I am trying to figure out an easy way to fuzz a network app written in Haskell, and I was wondering if it's even supported and if so, how to get off the ground...

The app is a distributed application, my ideal deployment would be as follows:

A) First Docker instance with supervisord containing both the fuzzer and the application in question
B) Second Docker instance with the same tools
C) I would configure A and B to communicate as they would in a normal production scenario + have a 3rd (and 4th) instance of the client (server) which would be the fuzzer trying to fuzz over the TCP socket and discover potential crashes

Is that something viable with Honggfuzz?

Robert Święcki

Jul 16, 2020, 8:56:04 AM
to Mark Stopka, honggfuzz
You can maybe use the libhfnetdriver https://github.com/google/honggfuzz/tree/master/libhfnetdriver - the idea is in general described here http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

It'll involve linking the libhfnetdriver.a code with your Haskell binary, which to my knowledge might be doable.

--
Robert Święcki

Mark Stopka

Jul 16, 2020, 9:03:34 AM
to Robert Święcki, honggfuzz
Yep, linking the library won't be problematic. However, I was wondering about the corpus data: do I just start two instances of "normal" nodes communicating and take a tcpdump pcap, which I throw in as an example of valid input on which the fuzzer will mutate?
--
Best regards / S pozdravem,
BSc. Mark Stopka, BBA

mobile: +420 704 373 561

Robert Święcki

Jul 16, 2020, 9:10:17 AM
to Mark Stopka, honggfuzz
Is the communication complex/interactive, or more like request/response?

I'm not sure if I'm reading your intentions correctly, but would you like to modify the live request stream? If so, then no, it's not supported by default, and would require some non-trivial hacking.

But, maybe you can record the requests with socat, or with wireshark and use it as a corpus?

I had a somewhat similar problem with OpenSSL, and I ended up using socat, which was passing the SSL negotiation to the openssl server as well as saving the stream (only one direction of it) to files, and then using them as corpus.
--
Robert Święcki

Robert Święcki

Jul 16, 2020, 9:13:11 AM
to Mark Stopka, honggfuzz
Also, as for pcap - no, you'll have to unpack it (i.e. fetch only one stream out of two) and save to plain files.

What I'm using is the 'tcpick' tool, which can save one part (direction) of a TCP stream to a raw file, with something like:

tcpick -i eth0 -wRS port 8080

or (for the other direction)

tcpick -i eth0 -wRC port 8080
--
Robert Święcki
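The last two replies describe the corpus-building step: take a capture of real traffic, keep only one direction of each TCP connection (the tcpick -wRC / -wRS split), and write each direction out as a plain file that honggfuzz can mutate. The following is an added example, not code from the thread or from the honggfuzz project, showing that extraction done by hand in Python on a classic pcap. It assumes Ethernet/IPv4/TCP frames, a known server port (8080 as in the thread), and that the capture is small enough to hold in memory; the sample capture is constructed inline and includes an out-of-order segment and a retransmission so the reassembly is exercised.

```python
import struct
import tempfile
from collections import defaultdict
from pathlib import Path


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no checksums)."""
    tcp_len = 20 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def iter_packets(pcap):
    """Yield raw frames from classic pcap bytes; pcapng is not handled."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def tcp_segment(frame):
    """Return ((src_ip, sport), (dst_ip, dport), seq, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14:14 + total_len][ihl:]  # slice by total length to drop Ethernet padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    payload = tcp[(tcp[12] >> 4) * 4:]
    src = (".".join(str(b) for b in frame[26:30]), sport)
    dst = (".".join(str(b) for b in frame[30:34]), dport)
    return src, dst, seq, payload


def extract_streams(pcap, server_port, direction="client"):
    """Reassemble one direction of every TCP connection to server_port.

    direction="client": bytes the client sent (the input a fuzzer would replay
    against the server, like tcpick -wRC); "server": the replies (-wRS).
    Segments are ordered by sequence number and duplicates (retransmissions)
    are dropped by keying on seq; 32-bit sequence wrap-around is not handled.
    Returns {((client_ip, cport), (server_ip, sport)): bytes}.
    """
    segments = defaultdict(dict)
    for frame in iter_packets(pcap):
        seg = tcp_segment(frame)
        if seg is None or not seg[3]:
            continue
        src, dst, seq, payload = seg
        if direction == "client" and dst[1] == server_port:
            key = (src, dst)
        elif direction == "server" and src[1] == server_port:
            key = (dst, src)  # same key for both directions of one connection
        else:
            continue
        segments[key].setdefault(seq, payload)
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in segments.items()}


def write_corpus(streams, outdir):
    """Write each stream as one plain file named after its 4-tuple; returns the paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for (client, server), data in sorted(streams.items()):
        path = outdir / f"{client[0]}_{client[1]}-{server[0]}_{server[1]}.raw"
        path.write_bytes(data)
        paths.append(path)
    return paths


# Constructed capture: two clients talking to 10.0.0.1:8080, with one request
# split across out-of-order segments, one retransmission, and unrelated SSH traffic.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.2", "10.0.0.1", 40001, 8080, 1000, b"GET / HTT"),
    build_frame("10.0.0.1", "10.0.0.2", 8080, 40001, 5000, b"HTTP/1.1 200 OK\r\n"),
    build_frame("10.0.0.3", "10.0.0.1", 40002, 8080, 2013, b"rld\r\n"),
    build_frame("10.0.0.3", "10.0.0.1", 40002, 8080, 2000, b"PING hello wo"),
    build_frame("10.0.0.2", "10.0.0.1", 40001, 8080, 1009, b"P/1.1\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.1", 40001, 8080, 1009, b"P/1.1\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.9", 40003, 22, 1, b"SSH-2.0-x"),
])


def demo():
    """Write the client side of the sample capture to a temp corpus dir; returns file names."""
    with tempfile.TemporaryDirectory() as tmp:
        return [p.name for p in write_corpus(extract_streams(SAMPLE_PCAP, 8080), tmp)]


if __name__ == "__main__":
    print(demo())
```

In use, replace SAMPLE_PCAP with the bytes of a tcpdump capture taken between two normal nodes and point write_corpus at the directory you hand to honggfuzz as its input corpus; pick direction="client" when the server is the fuzz target and "server" when the client is. The 4-tuple file names keep the two sides of each connection distinguishable if you generate both.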