
[lwip-devel] Fuzzing the lwIP stack


From: Erik Ekman
Subject: [lwip-devel] Fuzzing the lwIP stack
Date: Tue, 14 Jun 2016 15:45:15 +0200

Hi all

I have just committed a new app into lwip-contrib/ports/unix/fuzz that helps when testing
the code for handling of unexpected input.

It fits together with an advanced tool called afl or american fuzzy lop
(http://lcamtuf.coredump.cx/afl/) that uses instrumentation to randomize and change data
until as much of the code as possible is tested.

I have added a few valid input packets for it to start with; adding more is welcome. They just
need to have the correct MAC and IP address so they are accepted by the stack.

I have already found one bug with this tool, and I think it can be very helpful to us.

For more info, here is the README I added:
-------------------------------------------------------------------

Fuzzing the lwIP stack

This directory contains a small app that reads Ethernet frames from stdin and
processes them. It is used together with the 'american fuzzy lop' tool (found
at http://lcamtuf.coredump.cx/afl/) and the sample inputs to test how
unexpected inputs are handled. The afl tool will read the known inputs, and
try to modify them to exercise as many code paths as possible, by instrumenting
the code and keeping track of which code is executed.

Just running make will produce the test program.

Then run afl with:

afl-fuzz -i inputs/<INPUT> -o output ./lwip_fuzz

and it should start working. It will probably complain about the CPU scheduler;
set AFL_SKIP_CPUFREQ=1 to ignore it.

The input is split into different subdirectories since they test different
parts of the code, and since you want to run one instance of afl-fuzz on each
core.

When afl finds a crash or a hang, the input that caused it will be placed in
the output directory. If you have hexdump and text2pcap tools installed,
running output_to_pcap.sh <outputdir> will create pcap files for each input
file to simplify viewing in wireshark.

The lwipopts.h file needs to have checksum checking off, otherwise almost every
packet will be discarded because of that. The other options can be tuned to
expose different parts of the code.

-------------------------------------------------------------------

/Erik
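
The pcap conversion step the README describes, as an added Python example (not the project's output_to_pcap.sh): it wraps each crash or hang input in a pcap file directly, without hexdump or text2pcap. It assumes afl's usual crashes/ and hangs/ subdirectories under the output directory; the function names and the sample frame are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # the fuzz app's input is a raw Ethernet frame
SNAPLEN = 65535

# Constructed sample: placeholder MACs, EtherType IPv4, 46 zero payload bytes.
SAMPLE_FRAME = bytes.fromhex("020000000001" "020000000002" "0800") + bytes(46)


def frames_to_pcap(frames):
    """Return pcap file bytes holding one record per raw Ethernet frame."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                SNAPLEN, LINKTYPE_ETHERNET))
    for index, frame in enumerate(frames):
        captured = frame[:SNAPLEN]
        # Record header: ts_sec, ts_usec, captured length, original length.
        # afl inputs carry no timestamps, so the index keeps records ordered.
        out += struct.pack("<IIII", index, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def convert_output_dir(outputdir):
    """Write <name>.pcap beside every crash or hang input; return the paths."""
    written = []
    for sub in ("crashes", "hangs"):
        folder = Path(outputdir) / sub
        if not folder.is_dir():
            continue
        for path in sorted(folder.iterdir()):
            if not path.is_file() or path.suffix in (".pcap", ".txt"):
                continue  # skip afl's README.txt and earlier conversions
            target = path.with_name(path.name + ".pcap")
            target.write_bytes(frames_to_pcap([path.read_bytes()]))
            written.append(target)
    return written


if __name__ == "__main__":
    for pcap_path in convert_output_dir(sys.argv[1]):
        print(pcap_path)
```

Truncated or empty inputs still produce a valid pcap record, so the frame that triggered a crash can be opened in wireshark exactly as afl saved it.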
