Name            Date          Size       #Lines   LOC
AUTHORS         24-Nov-1999   172        7        5
COPYING         24-Nov-1999   17.6 KiB   340      281
ChangeLog       24-Nov-1999   423        16       11
INSTALL         24-Nov-1999   95         7        4
Makefile.am     08-Aug-2000   113        5        4
Makefile.in     11-Aug-2000   9.9 KiB    368      287
NEWS            24-Nov-1999   765        21       14
README          24-Nov-1999   3.6 KiB    84       72
aclocal.m4      11-Aug-2000   3.5 KiB    105      92
configure       11-Aug-2000   61.7 KiB   2,041    1,656
configure.in    10-Aug-2000   683        32       25
fuzz.1          24-Nov-1999   4.3 KiB    123      120
fuzz.c          03-May-2022   33.5 KiB   1,258    1,017
getopt.c        23-Nov-1998   29.4 KiB   1,054    631
getopt.h        23-Nov-1998   4.4 KiB    134      48
getopt1.c       23-Nov-1998   4.4 KiB    190      123
install-sh      11-Mar-2000   5.5 KiB    252      153
missing         11-Mar-2000   6.1 KiB    191      154
mkinstalldirs   11-Mar-2000   722        41       23

README

Inspiration

One weekend I got inspired by this old article on slashdot,
http://slashdot.org/articles/99/01/10/173223.shtml, and so I decided
to write my own fuzz program.

Why is this a security concern?

The idea is to improve the overall security of Linux by fixing
bugs. Paraphrasing Theo de Raadt, the head of the OpenBSD project: if
you go about fixing bugs, then security is one of the benefits. This
only goes so far, because you can conceivably have a perfectly
implemented piece of code which provides a backdoor, but I personally
am not interested in dealing with that. I will let the other folk
working on Bastille Linux take charge of making sure that there are no
backdoors or conceptual errors in Linux. I will take up the mantle of
trying to ensure that each and every utility is as robust as it can
possibly be.

Also, each one of these SEGVs could potentially be a root exploit if
you can get root to run a booby-trapped script. Imagine the case where
root runs a script in which a utility is tricked into seg faulting and
the buffer overflow is specially designed to leave a back door on your
system.

Limitations

The fuzz generator is designed to attack certain kinds of software and
expose one particular kind of bug common in software. This is the
situation where the programmer implicitly makes some assumptions about
the data stream that the program will be parsing. If the data stream
is substantially different, then the program might not be able to deal
with it. This approach has several limitations. First of all, since the
data stream is really and truly random, it is very likely that this
will thoroughly test only a very small percentage of the total
program. I have several ideas on how to improve this. The most
ambitious is to compile the programs with profiling support and then
use the code coverage information gathered from that as a
goodness measure for some genetic algorithms which mate the data to
achieve the greatest possible code coverage.

Usage:
------
For programs that read from stdin and do something with it, "fuzz
progname" usually works. Sometimes you need to specify some command
line arguments to make the program do what it should. For example,
"fuzz grep foo" would have grep look for the string foo in the random
data streams. Another test would be "./fuzz --maxargs 1 grep",
which would pass one random parameter to grep.

Some programs don't read from stdin and only accept parameters. These
programs can be tested using a command like "./fuzz --omitdata
--maxargs 2 basename". One way to test whether a program reads from stdin
is to do something like:
strace program 2> /tmp/foobar
grep "read(0," /tmp/foobar

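The stdin-fuzzing loop that "fuzz progname" performs, reduced to a few lines of POSIX shell as an added illustration. This is not code from fuzz.c and takes none of its options; it only shows the mechanism: feed a command string a random-length, random-content stream, and treat a run that ends by a signal (exit status above 128, e.g. 139 for SIGSEGV) as a crash worth triaging, keeping the input that caused it. It assumes /dev/urandom, od, dd and mktemp are available, which is true on Linux and the BSDs.

```shell
#!/bin/sh
# Added example, not part of the fuzz package: a minimal stdin fuzz loop.
# fuzz_stdin CMD [ITERS] [MAXBYTES]
#   CMD      command string run via "sh -c" (e.g. 'grep foo'); reads stdin
#   ITERS    number of random streams to feed (default 10)
#   MAXBYTES upper bound on stream length in bytes (default 4096)
# Prints the number of runs that ended by a signal; per-run details and the
# path of each saved crashing input go to stderr.
fuzz_stdin() {
    cmd="$1"
    iters="${2:-10}"
    maxbytes="${3:-4096}"
    tmp=$(mktemp) || return 1
    crashes=0
    i=0
    while [ "$i" -lt "$iters" ]; do
        # Random length in 1..MAXBYTES, drawn from two bytes of /dev/urandom.
        rnd=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        len=$(( rnd % maxbytes + 1 ))
        dd if=/dev/urandom of="$tmp" bs=1 count="$len" 2>/dev/null
        # Run the target on the stream; capture the status in a way that
        # does not trip "set -e" in a calling script.
        if sh -c "$cmd" < "$tmp" > /dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        # Status > 128 means the shell's child died by a signal (128 + signo).
        # A program that deliberately exits with such a code would be a
        # false positive; real SEGVs show up as 139.
        if [ "$rc" -gt 128 ]; then
            crashes=$((crashes + 1))
            # Keep the offending input so the crash can be reproduced and
            # the parsing assumption behind it can be found and fixed.
            cp "$tmp" "$tmp.crash$i"
            echo "run $i: $len bytes, signal $((rc - 128)), input saved as $tmp.crash$i" >&2
        fi
        i=$((i + 1))
    done
    rm -f "$tmp"
    echo "$crashes"
}

# Stand-alone demo (FUZZ_DEMO=1 ./this_script): cat never crashes, while a
# command that sends itself SIGSEGV is counted on every run.
if [ "${FUZZ_DEMO:-0}" = 1 ]; then
    fuzz_stdin 'cat' 5 256
    fuzz_stdin 'kill -s SEGV $$' 2 16
fi
```

Because the target is run through "sh -c", the first argument can carry fixed options the way "fuzz grep foo" does, e.g. fuzz_stdin 'grep foo' 100. Saved inputs are the starting point for the fix: rerun the program under a debugger on the .crashN file to locate the assumption about the data stream that the random input violated.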
****The rest of this document is pretty much for Ben's use only. You
can stop reading here unless you are curious about my little notes to myself***

TODO List
---------
1) make it possible to make printable-only apply to args or datastream
2) have it write the data to a file and then feed that file in when necessary
3) permute known args
4) permute known env vars
5) add random stuff to the environment
6) allow root override
7) have chroot feature move the needed shared libs into place.
8) have the program look at what files the program reads and make it fill that
   file with random data. Strace style.
9) build in a feature to guess version number.
10) add feature to catch what comes out of stderr or stdout for the client
    program
11) socket support
12) x-jig
13) genetic testing.

Testing problems
----------------
consolechars - need to be able to generate a file and then have the file be read.
ex - this seems to have problems because for some reason ex processes get left running.
     I suspect that this is due to ex forking somewhere in its execution.
