doc: Add instructions on how to fuzz the P2P layer using Honggfuzz NetDriver #20380

pull practicalswift wants to merge 1 commits into bitcoin:master from practicalswift:honggfuzz-p2p-fuzzing changing 1 files +74 −0
  1. practicalswift commented at 8:22 pm on November 12, 2020: contributor

    Add instructions on how to fuzz the P2P layer using Honggfuzz NetDriver.

    Honggfuzz NetDriver allows for very easy fuzzing of TCP servers such as Bitcoin Core without having to write any custom fuzzing harness. The bitcoind server process is largely fuzzed without modification.

    This makes the fuzzing highly realistic: a bug reachable by the fuzzer is likely also remotely triggerable by an untrusted peer.

  2. doc: Add instructions on how to fuzz the P2P layer using Honggfuzz NetDriver fd0be92cff
  3. DrahtBot added the label Docs on Nov 12, 2020
  4. Crypt-iQ commented at 6:00 pm on November 14, 2020: contributor
    Concept ACK - will be sure to try this out.
  5. in doc/fuzzing.md:195 in fd0be92cff
    190++++ b/src/bitcoind.cpp
    191+@@ -158,7 +158,11 @@ static bool AppInit(int argc, char* argv[])
    192+     return fRet;
    193+ }
    194+
    195++#ifdef HFND_FUZZING_ENTRY_FUNCTION_CXX
    


    Crypt-iQ commented at 10:02 pm on November 21, 2020:
    Ideally the person running fuzz tests wouldn’t have to do this. But I could also see an argument for not polluting src/bitcoind.cpp or src/net.cpp.

    practicalswift commented at 8:51 pm on November 23, 2020:
    I don’t have any strong opinion TBH: I’ll let others chime in, and I’ll happily follow the consensus opinion :)
  6. Crypt-iQ commented at 10:14 pm on November 21, 2020: contributor

    Currently testing on my macOS. Keep getting the following warning line, but seems that coverage still increases:

    0[2020-11-21T17:11:06-0500][W][91981] netDriver_bindToRndLoopback():143 Could not bind to a random IPv4 Loopback address: Can't assign requested address
    
  7. practicalswift commented at 8:59 pm on November 23, 2020: contributor

    @Crypt-iQ I don’t have any Mac to test on, so I’m afraid I cannot help much. Could you add an assertion in PeerManager::ProcessMessage to make sure you’re hitting the relevant code paths? :)

    Do you have any Linux machine to test under? :)

  8. Crypt-iQ commented at 8:39 pm on November 26, 2020: contributor
    Testing on an Ubuntu machine now.
  9. Crypt-iQ commented at 1:24 am on November 27, 2020: contributor
    With this method of fuzzing, I think honggfuzz has to guess the handshake by picking multiple correct inputs/messages?
  10. practicalswift commented at 8:54 am on November 27, 2020: contributor
    @Crypt-iQ That is correct (unless we bypass the handshake logic by manually patching it out too)! However, my experience is that Honggfuzz quickly figures that out and achieves meaningful coverage post-handshake. Is that your experience as well? :)
  11. MarcoFalke commented at 9:56 am on November 27, 2020: member
    Are crashes reproducible? I guess they might happen to, but generally might require all seeds that have been sent in the past?
  12. practicalswift commented at 10:19 pm on November 30, 2020: contributor

    @MarcoFalke

    Theoretically both types of issues are certainly possible: reproducible (single input enough to trigger condition) and “non-reproducible” (in this context: single input + previous inputs needed to trigger condition).

    Practically:

    If this fuzzer hits any issues my guess is that such issues will be reproducible with high probability. That has been the case historically with issues uncovered by src/test/fuzz/process_message or src/test/fuzz/process_messages. They have typically not been dependent on a specific state change being cause by previously proceed input.

    Does that answer your question? :)

  13. MarcoFalke commented at 6:31 am on December 1, 2020: member
    The reason is that process_messages sends all messages in one input/seed. This one might split them into multiple seeds.
  14. practicalswift commented at 11:54 am on December 1, 2020: contributor

    @MarcoFalke I’m not sure I follow TBH. In the case of HonggFuzz NetDriver each input is handled as if it was a new incoming TCP connection, and each input can contain multiple messages (Bitcoin P2P messages).

    The TCP connection is not re-used across inputs if that is what you meant :)

  15. Crypt-iQ commented at 6:27 pm on January 31, 2021: contributor

    Reports a signed integer overflow here: https://github.com/bitcoin/bitcoin/blob/16b784d953365bb2d7ae65acd2b20a79ef8ba7b6/src/net_processing.cpp#L2651

    0net_processing.cpp:2651:37: runtime error: signed integer overflow: -9223372036854775808 - 1612058654 cannot be represented in type 'long'
    1SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior net_processing.cpp:2651:37 in
    
  16. MarcoFalke referenced this in commit 685c16fcb2 on Feb 11, 2021
  17. practicalswift commented at 8:02 pm on February 16, 2021: contributor

    Given @Crypt-iQ’s finding above the value of having Honggfuzz NetDriver in the fuzzing toolbox has been proven empirically I guess :)

    Is there anything left to do for this documentation only PR?

  18. MarcoFalke merged this on Feb 17, 2021
  19. MarcoFalke closed this on Feb 17, 2021

  20. sidhujag referenced this in commit 63e0e65b4e on Feb 17, 2021
  21. Crypt-iQ commented at 3:03 pm on February 18, 2021: contributor

    I had to comment out the following line before building honggfuzz as otherwise it would stop on my 2015 macbook Arch Linux citing slow execution. Could be the age of my computer though. I bumped the timeout as some of the seeds took >4 seconds, and could not use multiple threads due to a lock on the data directory.

    https://github.com/google/honggfuzz/blob/e2acee785aa87a86261c96070cf51b85533257ca/libhfuzz/persistent.c#L78

  22. practicalswift deleted the branch on Apr 10, 2021
  23. Crypt-iQ commented at 1:23 pm on June 25, 2021: contributor
    Sorry to gravedig, but I found out why honggfuzz can’t get past the version-verack handshake on my machine. Compiling with honggfuzz and -fsanitize=address doesn’t instrument strncmp on my build, so it can’t guess the message commands. I tried with a very simple external testcase (guess “foo” and panic program) to be sure, and it got stuck.
  24. practicalswift commented at 2:58 pm on June 26, 2021: contributor
    @Crypt-iQ Could using a dictionary file containing the commands help overcome that fuzzing hurdle?
  25. DrahtBot locked this on Aug 16, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-18 18:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me