Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 7 Jun 2015 22:32:20 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Fuzzing Report on hashes

There are two approaches to fuzz hashes. One is fuzz.pl written by Solar.
The other one is afl using llvm-mode.

1. fuzz.pl
------------

The latest fuzz.pl is here:

http://www.openwall.com/lists/john-dev/2015/06/05/16

The fuzz.pl script mutates hashes based on the test cases in the source
code. There are 4 methods in fuzz.pl to mutate hashes.

It's amazing to find many bugs within several hours. It's very efficient!
Thanks for Solar's help.

I have analyzed the samples from Solar's fuzzing. There are 8 bugs.
I have submitted these bugs to jumbo.

https://github.com/magnumripper/JohnTheRipper/issues/1384
https://github.com/magnumripper/JohnTheRipper/issues/1385
https://github.com/magnumripper/JohnTheRipper/issues/1386
https://github.com/magnumripper/JohnTheRipper/issues/1387
https://github.com/magnumripper/JohnTheRipper/issues/1388
https://github.com/magnumripper/JohnTheRipper/issues/1389
https://github.com/magnumripper/JohnTheRipper/issues/1390
https://github.com/magnumripper/JohnTheRipper/issues/1391

2. afl
------

The fuzzing steps have been described here:

http://www.openwall.com/lists/john-dev/2015/04/24/4

There are 20 bugs found by afl. I have submitted them to jumbo.

https://github.com/magnumripper/JohnTheRipper/issues/1392
to
https://github.com/magnumripper/JohnTheRipper/issues/1412

The fuzzing status(without asan):
--------------------------------------------

start_time     : 1433337933
last_update    : 1433687305
fuzzer_pid     : 111919
cycles_done    : 0
execs_done     : 38789459
execs_per_sec  : 123.56
paths_total    : 4286
paths_found    : 4069
paths_imported : 0
max_depth      : 2
cur_path       : 109
pending_favs   : 712
pending_total  : 4204
variable_paths : 869
bitmap_cvg     : 17.32%
unique_crashes : 102
unique_hangs   : 23
last_path      : 1433683697
last_crash     : 1433660850
last_hang      : 1433672968
exec_timeout   : 200
afl_banner     : john
afl_version    : 1.79b
command_line   : afl-fuzz -m none -i input_cases/ -o out/ ../../john @@
--nolog --skip-self-test

The fuzzing status(with asan):
----------------------------------------

start_time     : 1433337926
last_update    : 1433687375
fuzzer_pid     : 106085
cycles_done    : 0
execs_done     : 11190917
execs_per_sec  : 7.72
paths_total    : 2899
paths_found    : 2682
paths_imported : 0
max_depth      : 2
cur_path       : 61
pending_favs   : 525
pending_total  : 2857
variable_paths : 1385
bitmap_cvg     : 16.63%
unique_crashes : 191
unique_hangs   : 73
last_path      : 1433647185
last_crash     : 1433643332
last_hang      : 1433674292
exec_timeout   : 240
afl_banner     : john
afl_version    : 1.79b
command_line   : afl-fuzz -m none -i input_cases/ -o out/ ../../john @@
--nolog --skip-self-test

3. conclusion
-----------------

The afl takes about 4 days to find these bugs. Compared to the fuzz.pl
script, afl is not that efficient but it can find different bugs. I think we
should make full use of both afl and fuzz.pl.


Thanks,

Kai

[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ