ASSERT-KTH / slumps

Cool code analysis research for WebAssembly
https://kth.github.io/slumps/

Fuzzing tool for WASM #48

Open Jacarte opened 4 years ago

Jacarte commented 4 years ago

Use SWAM as the core to create a full-fledged fuzzer for WASM. As a big picture, here are the milestones to achieve it:

Depends on the WASM coverage tool, see #54

Reference implementations:

Medium priority todos:

Low priority todos:

tareq97-zz commented 4 years ago

Hi @Jacarte ,

https://github.com/tareq97/swam/commit/0e62af47b34f3189284abd7c35ace8a40a314516

Commit with respect to the coverage tool, with two test cases for the coverage method.

Jacarte commented 4 years ago

Hi @tareq97 and @olapiv

Now your code is in the branch feature/opt-in https://github.com/KTH/swam/tree/feature/opt-in, let's work on this branch. I will do the changes that I discussed with Lucas.

The new PR to be merged with master, https://github.com/KTH/swam/pull/6

Jacarte commented 4 years ago

@tareq97, @olapiv https://github.com/dwfault/afl-wasm

monperrus commented 4 years ago

FYI, good progress by @olapiv see https://github.com/olapiv/swam/tree/feature/opt-in/fuzzer and https://github.com/KTH/swam/pull/7

monperrus commented 4 years ago

Potential benchmark for evaluating the fuzzer: the 26 WASM binaries (98,924 functions) of https://www.unibw.de/patch/papers/usenixsecurity20-wasm.pdf

olapiv commented 4 years ago

Here are the technical details of how AFL works: https://github.com/google/AFL/blob/master/docs/technical_details.txt

It's very well explained - I especially recommend reading part 1 ("Coverage measurements").

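The coverage mechanism from part 1 of AFL's technical_details.txt, replayed in Python as an added example for this thread (it is not code from slumps, SWAM or AFL). Instead of instrumenting a binary it takes a constructed list of basic-block labels, assigns each block a random id the way afl-gcc does at compile time, and computes the same `shared_mem[cur ^ prev]++; prev = cur >> 1` edge bitmap, the hit-count buckets, and AFL's "is this input interesting" decision. The block names, ids and traces are constructed for illustration; `MAP_SIZE` is AFL's default 64 KiB map.

```python
"""AFL-style edge coverage replayed over a constructed basic-block trace.

Added illustration for this thread; not code from slumps, SWAM or AFL.
It reproduces the bitmap update that AFL's technical_details.txt (part 1,
"Coverage measurements") describes for instrumented binaries, but drives
it from a list of block labels instead of real instrumentation.
"""
import random

MAP_SIZE = 1 << 16  # AFL's default 64 KiB trace bitmap


def assign_block_ids(blocks, seed=0):
    """Give every basic block a random id, as afl-gcc does at compile time."""
    rng = random.Random(seed)
    return {b: rng.randrange(MAP_SIZE) for b in blocks}


def edge_bitmap(trace, block_ids):
    """Replay a trace and return AFL's edge hit-count array.

    This is the instrumentation shim from technical_details.txt:
        shared_mem[cur_location ^ prev_location]++;
        prev_location = cur_location >> 1;
    The shift is what makes A->B differ from B->A, and A->A from B->B.
    """
    bitmap = [0] * MAP_SIZE
    prev_location = 0
    for block in trace:
        cur_location = block_ids[block]
        bitmap[cur_location ^ prev_location] += 1
        prev_location = cur_location >> 1
    return bitmap


def bucket(count):
    """Collapse a raw hit count into AFL's coarse buckets.

    AFL only distinguishes 1, 2, 3, 4-7, 8-15, 16-31, 32-127 and 128+ hits,
    so a loop running 5 vs 7 times is not new coverage, but 1 vs 2 is.
    """
    if count == 0:
        return 0
    if count <= 3:
        return count
    for bound in (4, 8, 16, 32):
        if count < bound * 2 if bound < 32 else count < 128:
            return bound
    return 128


def new_bits(virgin, bitmap):
    """Return the tuple indices whose hit bucket has never been observed.

    `virgin` maps tuple index -> set of buckets already seen and is updated
    in place, mirroring AFL's has_new_bits() over its virgin_bits map.
    """
    found = set()
    for i, count in enumerate(bitmap):
        if count == 0:
            continue
        b = bucket(count)
        seen = virgin.setdefault(i, set())
        if b not in seen:
            seen.add(b)
            found.add(i)
    return found


def is_interesting(virgin, trace, block_ids):
    """AFL's queue rule: keep an input if it exposes a new tuple or bucket."""
    return bool(new_bits(virgin, edge_bitmap(trace, block_ids)))


if __name__ == "__main__":
    ids = assign_block_ids(["A", "B", "C", "D"])
    virgin = {}
    # Constructed traces: same blocks, different paths and loop counts.
    print(is_interesting(virgin, ["A", "B", "C", "D"], ids))       # first input
    print(is_interesting(virgin, ["A", "B", "C", "D"], ids))       # nothing new
    print(is_interesting(virgin, ["A", "B", "D"], ids))            # new edge B->D
    print(is_interesting(virgin, ["A", "B", "B", "C", "D"], ids))  # new tuple B->B
```

The point the example makes for a WASM fuzzer built on SWAM's coverage tool: it is not enough to record which functions or blocks were hit; AFL's queue decisions depend on ordered edge tuples and on bucketed hit counts, so whatever the interpreter exports needs to carry the previous-location state (or the equivalent edge identity) and raw counts, not a set of visited blocks.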
olapiv commented 4 years ago

Done:

Moving todos at the point

olapiv commented 4 years ago

Current work is here: https://github.com/KTH/slumps/tree/wasm-fuzzer/wasm-fuzzer

Pull request is here: https://github.com/KTH/slumps/pull/53

olapiv commented 4 years ago

Here are a couple of thoughts that I am currently having regarding next steps. Some of it may not make sense, some of it may be obvious.

monperrus commented 4 years ago

Ack, thanks for the update. Is there a need to revise the todo list accordingly?

olapiv commented 4 years ago

Just did. It's all still a very vague idea though, so it's a bit difficult to pinpoint the exact next steps. I'm just researching for now, so I'm (more) sure that whatever we do next is viable.

Would be nice to hear what you guys think about it though! As far as I know the concept could also be an entire waste of time.

monperrus commented 4 years ago

Not sure I see the underlying concept behind the bullets. Do you mean "using v8"?

olapiv commented 4 years ago

Yes, exactly

monperrus commented 4 years ago

The question of using v8 versus using Swam is hard. There are pros and cons in both cases and we've made a strategic decision some time ago.

Now, for the fuzzer, we may use v8 again in the future. But in the timeframe of your internship, and given that only a few weeks remain, I would suggest to consolidate as much as possible the Swam solution, with as much as possible in Swam's master and with top code and documentation merged here in Slumps (and adding DWARF support in SWAM?).

olapiv commented 4 years ago

Using non-number types with SWAM

monperrus commented 4 years ago

FYI, the latest coverage code is in branch path_coverage https://github.com/KTH/swam/tree/feature/path_coverage

monperrus commented 4 years ago

The fuzzing code depends on a branch on olapiv through a git submodule https://github.com/olapiv/swam/tree/759e41a9cd778981c2009764a2236b22c2975646

Jacarte commented 4 years ago

AFL coverage info modification examples: AFLFast, AFLGo and AFLSmart

monperrus commented 4 years ago

per our discussion with @olapiv today added one todo at the top "use the literals available in the WASM binary as seed in AFL"

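One way to carry out the todo above ("use the literals available in the WASM binary as seed in AFL"), as an added example for this thread and not code from slumps, SWAM or AFL: decode the code section of a WebAssembly MVP binary, collect every `i32.const`/`i64.const`/`f32.const`/`f64.const` immediate, and emit them as entries in AFL's `-x` dictionary format so the mutator can splice in the exact values the program compares against. The sample module is assembled by hand inside the script (a single function comparing its argument against 0xdeadbeef) so that it runs offline; the helper names (`Reader`, `extract_literals`, `afl_dictionary`) are this example's own.

```python
"""Seed an AFL dictionary with the literals embedded in a WASM binary.

Added example for this thread, not code from slumps, SWAM or AFL: it walks
the code section of a WebAssembly MVP module, collects every const
immediate and renders the values as AFL `-x` dictionary entries.
"""
import struct


def leb128(value, signed=False):
    """Encode an integer as (signed) LEB128; only used to build the sample."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        done = (value == 0 and not (signed and byte & 0x40)) or \
               (signed and value == -1 and bool(byte & 0x40))
        out.append(byte if done else byte | 0x80)
        if done:
            return bytes(out)


class Reader:
    """Cursor over the binary with the LEB128 decoder the format needs."""

    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def raw(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def leb(self, signed=False):
        result = shift = 0
        while True:
            b = self.raw(1)[0]
            result |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return (result | -(1 << shift)) if signed and b & 0x40 else result


# Number of LEB immediates to skip per MVP opcode. Block types and the
# reserved byte of memory.size/grow are skipped as one LEB each; unknown
# opcodes raise rather than desynchronise the decoder (which would corrupt
# every literal after them).
U32_IMMS = {op: 0 for op in [0x00, 0x01, 0x05, 0x0B, 0x0F, 0x1A, 0x1B, *range(0x45, 0xC5)]}
U32_IMMS.update({op: 1 for op in (0x02, 0x03, 0x04, 0x0C, 0x0D, 0x10, 0x3F, 0x40, *range(0x20, 0x25))})
U32_IMMS.update({op: 2 for op in [0x11, *range(0x28, 0x3F)]})  # call_indirect, loads/stores


def literals_in_expr(r, end):
    """Decode instructions up to `end`, returning (type, value) for each const."""
    lits = []
    while r.pos < end:
        op = r.raw(1)[0]
        if op in (0x41, 0x42):                        # i32.const / i64.const
            lits.append(("i32" if op == 0x41 else "i64", r.leb(signed=True)))
        elif op in (0x43, 0x44):                      # f32.const / f64.const
            kind, fmt = ("f32", "<f") if op == 0x43 else ("f64", "<d")
            lits.append((kind, struct.unpack(fmt, r.raw(struct.calcsize(fmt)))[0]))
        elif op == 0x0E:                              # br_table: vec(label) + default
            for _ in range(r.leb() + 1):
                r.leb()
        elif op in U32_IMMS:
            for _ in range(U32_IMMS[op]):
                r.leb()
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {r.pos - 1}")
    return lits


def extract_literals(module):
    """Walk the module's sections and collect the consts of every function body."""
    if module[:8] != b"\0asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly v1 binary")
    r, lits = Reader(module, 8), []
    while r.pos < len(module):
        sid, size = r.raw(1)[0], r.leb()
        section_end = r.pos + size
        if sid == 10:                                 # code section
            for _ in range(r.leb()):
                size = r.leb()
                body_end = r.pos + size
                for _ in range(r.leb()):              # local decls: count, valtype
                    r.leb()
                    r.raw(1)
                lits.extend(literals_in_expr(r, body_end))
        r.pos = section_end
    return lits


PACKING = {"i32": ("<I", 0xFFFFFFFF), "i64": ("<Q", (1 << 64) - 1), "f32": ("<f", None), "f64": ("<d", None)}


def afl_dictionary(literals):
    """Render unique literals as AFL -x lines, little-endian as they sit in memory."""
    lines, seen = [], set()
    for kind, value in literals:
        fmt, mask = PACKING[kind]
        raw = struct.pack(fmt, value if mask is None else value & mask)
        if raw not in seen:
            seen.add(raw)
            lines.append(f'lit_{len(lines)}_{kind}="' + "".join(f"\\x{b:02x}" for b in raw) + '"')
    return lines


section = lambda sid, payload: bytes([sid]) + leb128(len(payload)) + payload  # noqa: E731
vec = lambda items: leb128(len(items)) + b"".join(items)  # noqa: E731

# Constructed sample: (func (param i32) (result i32)) comparing its argument
# against 0xdeadbeef; it also carries an i64 and an f64 literal.
EXPR = (b"\x20\x00\x41" + leb128(-559038737, signed=True) + b"\x46"        # local.get 0; i32.const 0xdeadbeef; i32.eq
        + b"\x04\x7F\x41" + leb128(42, signed=True) + b"\x05"              # if (result i32) i32.const 42 else
        + b"\x42" + leb128(0x1122334455, signed=True) + b"\xA7\x0B"        # i64.const; i32.wrap_i64; end
        + b"\x44" + struct.pack("<d", 3.5) + b"\x1A\x0B")                  # f64.const 3.5; drop; end
MODULE = (b"\0asm\x01\x00\x00\x00"
          + section(1, vec([b"\x60" + vec([b"\x7F"]) + vec([b"\x7F"])]))   # type 0: i32 -> i32
          + section(3, vec([leb128(0)]))                                    # func 0 has type 0
          + section(10, vec([leb128(len(EXPR) + 1) + b"\x00" + EXPR])))     # body, no locals
```

`afl_dictionary(extract_literals(MODULE))` yields one line per distinct value in the form `lit_0_i32="\xef\xbe\xad\xde"`, which can be written to a file and passed to AFL with `-x`. Values are packed little-endian because that is how the WASM binary stores and compares them in linear memory; for targets that parse text input the same literals should also be emitted as decimal strings, which is a one-line change in `afl_dictionary`.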
Jacarte commented 3 years ago

In order to implement the socket protocol from AFL as a websocket protocol: A curated list of WebSockets related principles and technologies