If you want to get your hands dirty, I would recommend looking at https://github.com/dobin/ffw, but for useful fuzzing, this would also need a more complicated client fuzzing support because you don’t only want to fuzz the queries, but also responses given by “fake” authoritative servers and you want to do that on various levels of DNS tree and for various query types. It’s a state machine and by doing fuzzing on single level, you might never hit all the states.
Ondrej -- Ondřej Surý (He/Him) ond...@isc.org > On 5. 8. 2021, at 18:01, Ondřej Surý <ond...@isc.org> wrote: > > > -- > Ondřej Surý (He/Him) > ond...@isc.org > >> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesa...@gmail.com> wrote: >> >> Hello Everyone, >> >> I am trying to understand and set up a fuzzer for the Bind DNS >> implementation. My current goal is to fuzz the authoritative server with >> queries. >> >> I have looked around and came across different fuzzing engines, but I have >> some trouble and some questions getting it to work. If anyone has anything >> to comment on, please reply, and that would be really helpful. >> • I configured with CC=/path/to/afl/afl-clang./configure >> --enable-fuzzing=afl or afl-clang-fast to enable fuzzing. Then, I did make >> and make install. I then tried fuzzing the named binary with afl-fuzz -i >> fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -gbut then it >> stops immediately, sayingthe program crashed with one of the test cases >> provided. >> • How to fuzz the named binary with queries? > > Read bin/named/fuzz.c and associated code in bin/named/main.c — it’s more > complicated to set it up (you need to pass -A extra option to `named`). > >> • How to get the seed input in raw format? >> • Honggfuzz seems to fuzz the named binary, but it produced too >> many files as crash reports within a minute. I have asked about it on their >> GitHub. Anyone that worked with Honggfuzz, please reply. > > I see, you got response from hongfuzz author directly. > >> • A separate fuzz folder contains functions to fuzz small sections of >> the code. >> • Was this created to improve coverage and modularity? (In the >> sense, can't named be fuzzed directly using the above setup?) > > Fuzzing a daemon that depends on various internal state (state of the cache, > authoritative zones present or not, various configuration options enabled or > not) is difficult and also sometimes it’s also useless to fuzz the big blob > and you want to fuzz just specific parts (zone parser, DNS message parsers, > etc…) > >> • I could get them running with oss-fuzz but how to run them >> with afl-fuzz? The README mentions linking the files; can you please tell me >> how to do that? > > with AFL++ do > > CC=afl-clang-fast ./configure --enable-fuzzing=afl > make -j > cd fuzz > > and then for each test: > > make dns_message_parse > LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i > dns_message_parse.in/ -o xxx ./.libs/dns_message_parse > >> • How to decode the packets given in >> https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in? >> How to add a new packet to the corpus? (How to convert into a raw packet?) > > These are raw DNS messages. There’s bigger corpus f.e. here: > https://github.com/CZ-NIC/dns-fuzzing > >> Thank you >> Siva >> >> -- >> Siva Kakarla >> (sivak.dev) >> _______________________________________________ >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to >> unsubscribe from this list >> >> ISC funds the development of this software with paid support subscriptions. >> Contact us at https://www.isc.org/contact/ for more information. >> >> >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
