Date: Sat, 07 Mar 2015 19:12:39 +0300
From: Alexander Cherepanov <>
Subject: Re: Any advice on how to fuzz john jumbo by AFL

On 2015-03-07 16:22, Kai Zhao wrote:
> Hi, I fuzzed john jumbo for two days but without finding any crashes. The fuzz
> result indicates that john jumbo is robust or my fuzz test went wrong
> somewhere.
> My fuzz testing steps are as follows:
>    1. fuzz unshadow
>        1.1 fuzz time about 6 hours
>        1.2 no crash
>    2. fuzz john without any change
>        2.1 the input tests are copied from the test cases in src/*_fmt_plug.c
>        2.2 fuzz time about 20 hours
>        2.3 fuzzing is slow because john tries to crack the input files
>        2.4 no crash
>    3. fuzz john with changed source code
>        3.1 I commented out the line john_run() in src/john.c in order to only
>            test the john_init function, which involves format valid()
>        3.2 fuzz time about 6 hours
>        3.3 fuzz fast
>        3.4 no crash

How much exec/sec do you get with unmodified/modified john in afl? How 
many total paths were discovered?

> Maybe you have some good advice on how to fuzz john. Thank you.

There are some john options to play with, e.g. --max-run-time=N and 
--skip-self-tests. Then there are some general things to try: build the 
program with hardening, build 32-bit version, try AddressSanitizer (but 
there are caveats -- see notes_for_asan.txt in afl) etc.

As for code reviews, don't forget code analyzers, e.g. cppcheck, Clang 
Static Analyzer.

Alexander Cherepanov
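As an added example (not part of this thread and not john's own code), a script that automates step 2.1 above: it pulls the test vectors out of src/*_fmt_plug.c files into an AFL input directory, one small seed per distinct hash. It assumes the plugins declare their vectors in a `struct fmt_tests` array of {"ciphertext", "plaintext"} pairs; the C source embedded below is a constructed sample.

```python
import re
import sys
from pathlib import Path

# Assumed layout of a jumbo format plugin's test table (constructed, not copied):
#   static struct fmt_tests tests[] = { {"<ciphertext>", "<plaintext>"}, ..., {NULL} };
TESTS_BLOCK = re.compile(r"struct\s+fmt_tests\s+\w+\s*\[\]\s*=\s*\{(.*?)\};", re.S)
# One entry: the first quoted string is the ciphertext john's valid() will parse.
ENTRY = re.compile(r'\{\s*"((?:[^"\\]|\\.)*)"\s*,')

def extract_ciphertexts(c_source: str) -> list[str]:
    """Return every test-vector ciphertext found in one *_fmt_plug.c source."""
    found = []
    for block in TESTS_BLOCK.finditer(c_source):
        for m in ENTRY.finditer(block.group(1)):
            # Drop the backslash of simple C escapes such as \" and \\.
            found.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return found

def write_seeds(sources, out_dir: Path) -> int:
    """Write one seed file per distinct ciphertext and return the count.
    AFL prefers many small, distinct inputs, so duplicates are skipped."""
    out_dir.mkdir(parents=True, exist_ok=True)
    seen = set()
    for src in sources:
        for ct in extract_ciphertexts(Path(src).read_text(errors="replace")):
            if ct not in seen:
                seen.add(ct)
                (out_dir / f"seed_{len(seen):04d}.txt").write_text(ct + "\n")
    return len(seen)

# Constructed sample resembling a plugin's test table; the hashes are made up.
SAMPLE = r'''
static struct fmt_tests tests[] = {
	{"$1$saltsalt$qwertyuiopasdfghjkl123", "password"},
	{"$1$abcdefgh$zxcvbnmasdfghjkl456789", "hello"},
	{"$1$saltsalt$qwertyuiopasdfghjkl123", "dup"},   /* same hash again */
	{NULL}
};
'''

if __name__ == "__main__":
    # Usage: python make_seeds.py afl_in/ src/*_fmt_plug.c
    if len(sys.argv) > 2:
        print(write_seeds(sys.argv[2:], Path(sys.argv[1])), "seeds written")
    else:
        print(extract_ciphertexts(SAMPLE))
```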
