That looks like a bug. Please file a GitLab issue so there's a permanent record of it. Most probably this is due to some combination of configure flags that we don't use in testing.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 14. 8. 2021, at 15:57, Siva Kakarla <sivakesa...@gmail.com> wrote:
>
> Thanks, Ondrej, for the pointers and detailed information. I read through bin/named/fuzz.c, and it seems like the AFL fuzzing works only in the persistent mode due to this check in fuzz.c. That means it has to be compiled using `afl-clang-fast` (I installed it using 'apt install afl++') instead of `afl-clang`.
>
> I configured the code using "CXX=afl-clang-fast++ CC=afl-clang-fast ./configure --enable-fuzzing=afl --disable-linux-caps --disable-shared --enable-static --enable-developer --without-cmocka --without-zlib" and then I tried "make -j", but that results in the following error.
>
> Is there any specific version combination of Bind and afl++ that works without this error, or am I missing some configure flag? No worries if you are not immediately aware of it; I wanted to give the AFL persistent mode a final try before giving up fuzzing the named binary.
>
>> fuzz.c:585:2: error: cast from 'const char *' to 'char *' drops const
>> qualifier [-Werror,-Wcast-qual]
>> __AFL_LOOP(0);
>> ^
>> <command line>:11:88: note: expanded from here
>> #define __AFL_LOOP(_A) ({ static volatile char *_B __attribute__((used));
>> _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility(...
>>
>> ^
>> afl-llvm-pass 2.52b by <lszeke...@google.com>
>
>> On Thu, Aug 5, 2021 at 10:48 PM Ondřej Surý <ond...@isc.org> wrote:
>>
>> You can use dnspython to generate wire format.
>>
>> Generally, I think that writing more specific fuzzers on top of APIs that consume user input would be more useful than just fuzzing `named`.
>>
>> F.e. it should be possible to write a fuzzer that takes multiple DNS messages as input (starting with the query + all DNS messages needed to resolve the query); that would be more useful than just fuzzing "stuff".
>>
>> Also I think that for more complex stuff it would be better to write a protocol-specific input generator than just the generic one found in existing fuzzers.
>>
>> Ondřej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>>
>>> On 5. 8. 2021, at 18:51, Siva Kakarla <sivakesa...@gmail.com> wrote:
>>>
>>> Thanks, Ondrej, for the reply.
>>>
>>> Fuzzing responses is the second part, I would say. For now, I am only fuzzing the authoritative server, so fuzzing named with queries would be a good starting point. I will check the GitHub repository you pointed out.
>>>
>>> The instructions for running AFL work great, thanks!
>>>
>>> I came across the '-A' option from the report you filed a year ago, but was under the impression that the "client" would be the default. I just saw that it is none in the code, so, I guess, named has to be passed "named -A client:IP:port" to fuzz the authoritative server with queries. I will check the files you pointed to more carefully.
>>>
>>> When the AFL code was first added to Bind 4-5 years ago, what seed input was given to it?
>>>
>>> I understand that they are raw packets, but how did you get them in the raw format? I guess the fuzzer would have generated some of them, but what were the starting raw packets? So, there is also no way to convert them from raw format to readable DNS messages, as most of them are invalid, but is there a way for valid ones?
>>>
>>> I will try to be more specific - say I want to seed with a query <foo.com, A>, how do I get the DNS packet that has this query in the raw format? (capturing it using Wireshark?)
>>>
>>> Thanks a lot again for taking the time to answer my questions.
>>>
>>>> On Thu, Aug 5, 2021 at 9:40 PM Ondřej Surý <ond...@isc.org> wrote:
>>>>
>>>> If you want to get your hands dirty, I would recommend looking at https://github.com/dobin/ffw, but for useful fuzzing, this would also need more complicated client fuzzing support, because you don't only want to fuzz the queries, but also responses given by "fake" authoritative servers, and you want to do that on various levels of the DNS tree and for various query types. It's a state machine, and by doing fuzzing on a single level, you might never hit all the states.
>>>>
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ond...@isc.org
>>>>
>>>>> On 5. 8. 2021, at 18:01, Ondřej Surý <ond...@isc.org> wrote:
>>>>>
>>>>> --
>>>>> Ondřej Surý (He/Him)
>>>>> ond...@isc.org
>>>>>
>>>>>> On 5. 8. 2021, at 14:37, Siva Kakarla <sivakesa...@gmail.com> wrote:
>>>>>>
>>>>>> Hello Everyone,
>>>>>>
>>>>>> I am trying to understand and set up a fuzzer for the Bind DNS implementation. My current goal is to fuzz the authoritative server with queries.
>>>>>>
>>>>>> I have looked around and came across different fuzzing engines, but I have some trouble and some questions getting it to work. If anyone has anything to comment on, please reply, and that would be really helpful.
>>>>>>
>>>>>> • I configured with CC=/path/to/afl/afl-clang ./configure --enable-fuzzing=afl (or afl-clang-fast) to enable fuzzing. Then, I did make and make install. I then tried fuzzing the named binary with afl-fuzz -i fuzz/dns_message_parse.in/ -o findings /usr/local/sbin/named -g but then it stops immediately, saying the program crashed with one of the test cases provided.
>>>>>> • How to fuzz the named binary with queries?
>>>>>
>>>>> Read bin/named/fuzz.c and associated code in bin/named/main.c — it's more complicated to set it up (you need to pass the extra -A option to `named`).
>>>>>
>>>>>> • How to get the seed input in raw format?
>>>>>> • Honggfuzz seems to fuzz the named binary, but it produced too many files as crash reports within a minute. I have asked about it on their GitHub. Anyone that worked with Honggfuzz, please reply.
>>>>>
>>>>> I see, you got a response from the honggfuzz author directly.
>>>>>
>>>>>> • A separate fuzz folder contains functions to fuzz small sections of the code.
>>>>>> • Was this created to improve coverage and modularity? (In the sense, can't named be fuzzed directly using the above setup?)
>>>>>
>>>>> Fuzzing a daemon that depends on various internal state (state of the cache, authoritative zones present or not, various configuration options enabled or not) is difficult, and also sometimes it's useless to fuzz the big blob and you want to fuzz just specific parts (zone parser, DNS message parsers, etc…)
>>>>>
>>>>>> • I could get them running with oss-fuzz, but how to run them with afl-fuzz? The README mentions linking the files; can you please tell me how to do that?
>>>>>
>>>>> with AFL++ do
>>>>>
>>>>> CC=afl-clang-fast ./configure --enable-fuzzing=afl
>>>>> make -j
>>>>> cd fuzz
>>>>>
>>>>> and then for each test:
>>>>>
>>>>> make dns_message_parse
>>>>> LD_LIBRARY_PATH=../lib/isc/.libs:../lib/dns/.libs afl-fuzz -i dns_message_parse.in/ -o xxx ./.libs/dns_message_parse
>>>>>
>>>>>> • How to decode the packets given in https://gitlab.isc.org/isc-projects/bind9/-/tree/main/fuzz/dns_message_parse.in? How to add a new packet to the corpus? (How to convert into a raw packet?)
>>>>>
>>>>> These are raw DNS messages. There's a bigger corpus f.e. here: https://github.com/CZ-NIC/dns-fuzzing
>>>>>
>>>>>> Thank you
>>>>>> Siva
>>>>>>
>>>>>> --
>>>>>> Siva Kakarla
>>>>>> (sivak.dev)
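Two of the questions in the thread (how to get a <foo.com, A> query as a raw packet for the seed corpus, and how to decode the raw messages in fuzz/dns_message_parse.in/) come down to the DNS wire format of RFC 1035. The following is an added example, not code from the thread, from BIND or from dnspython: it uses only the Python standard library to build such a query and to parse the header and question section of a raw message, and it rejects truncated input with a ValueError, since, as the thread notes, many corpus files are not valid messages.

```python
# Added example (not from the thread or from BIND): build and decode raw DNS
# query messages with the Python standard library only, for an AFL seed corpus.
import struct

# QTYPE values from RFC 1035 / RFC 3596; only the ones used here.
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}

def encode_name(name: str) -> bytes:
    """Encode 'foo.com' as length-prefixed labels terminated by the root (0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str, qid: int = 0x1234) -> bytes:
    """Standard query: 12-byte header with RD set and QDCOUNT=1, then one question."""
    flags = 0x0100  # QR=0, OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN

def decode_question(wire: bytes) -> dict:
    """Parse the header and first question; reject truncated input instead of crashing."""
    if len(wire) < 12:
        raise ValueError("message shorter than the 12-byte header")
    qid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    labels, pos = [], 12
    while True:
        if pos >= len(wire):
            raise ValueError("name runs past end of message")
        n, pos = wire[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer; not expected in a question name
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(wire):
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return {"id": qid, "flags": flags, "qdcount": qdcount, "qname": ".".join(labels) + ".",
            "qtype": QTYPE_NAMES.get(qtype, qtype), "qclass": qclass}

if __name__ == "__main__":
    seed = build_query("foo.com", "A")  # write these bytes to a file in the .in/ directory
    print(decode_question(seed))
```

Running the script shows the decoded query; writing `seed` to a new file under fuzz/dns_message_parse.in/ adds it to the AFL corpus.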
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users