Beacon Fuzz - Update #05

栏目: IT技术 · 发布时间: 4年前

内容简介:Beacon Fuzz - Progress Update #5Sigma Prime is leading the development and maintenance ofAs mentioned in our previous updates, one of the biggest challenges faced while working on Beacon Fuzz was the integration of the Prysm client alongside ZRNT, protolam

Beacon Fuzz - Progress Update #5

Beacon Fuzz - Update #05

Sigma Prime is leading the development and maintenance of beacon-fuzz , a differential fuzzing solution for Eth2 clients. This post is part of our series of status updates where we discuss current progress, interesting challenges encountered and direction for future work. See#00 and the repository's README for more context.

Summary

  • Prysm client integration and first bugs
  • Lodestar integration and first bugs
  • Lighthouse ENR crate bug
  • Dockerising Eth2fuzz
  • Next Steps

Prysm Integration

As mentioned in our previous updates, one of the biggest challenges faced while working on Beacon Fuzz was the integration of the Prysm client alongside ZRNT, protolambda's Go executable Eth2 specification. The issues encountered by the team were documented extensively in our previous posts ( #1 , #2 , #4 ).

Recently, Prysmatic Labs announced their "biggest feature of the year" , which allows developers to build the Prysm client using the native go build functionality, without the need of using Bazel . As mentioned by Preston in the related pull request , this removes a lot of friction for external contributors and developers wanting to integrate/build on top off the Eth2 Golang implementation. We requested this feature in this issue and were very happy to see it implemented, a big thank you to the Prysmatic Labs crew!

As a result, significant progress has been made in fuzzing Prysm (progress can be tracked in this branch ) which yielded the identification of the following vulnerabilities:

  • Panic due to an out-of-bands slice range : identified in in the go-ssz library, while fuzzing Attestation parsing. Refer to this issue for the detailed bug report and this pull request for the related fix.
  • Panic due to a *nil pointer derefence *: identified in ProposerSlashing processing while fuzzing the VerifyProposerSlashing function. Refer to this issue for the detailed bug report and this pull request for the related fix.

Lodestar Integration

A new Eth2 implementation has made it to Beacon Fuzz! We're glad to have been able to perform some fuzzing on, the JavaScript client developed by ChainSafe. We've been primarily targeting serialisation/deserialisation functions by leveraging jsfuzz , a coverage guided fuzzer for JS/NodeJS packages, heavily based on go-fuzz and AFL .

The first Lodestar fuzzing round lead to the identification of the four following bugs:

  • TypeError bug when SSZ decoding a BeaconBlock with an invalid BigInt parent scope (refer to this issue for more details);
  • RangeError bug when SSZ decoding an empty BeaconBlock container (refer to this issue for more details);
  • TypeError bug when decoding an invalid base64 ENR string (refer to this issue for more details);
  • TypeError bug when decoding an invalid ENR RLP encoded string (refer to this issue for more details).

We're looking forward to targeting the state transition functions next, when these bugs are resolved by the Lodestar development team.

Lighthouse ENR Crate Bug

While fuzzing the Lighthouse ENR crate , we identified a vulnerability that can be exploited when a non-utf8 string is attempted to be decoded as an ENR.

Specifically, Honggfuzz , the fuzzing engine used to identify this vulnerability, produced the string 49ŷ that caused a panic in the related crate. This bug is reproducible here .

This vulnerability was fixed by Age in this pull request .

Dockerising Eth2fuzz

We're currently in the process of dockerising our fuzzers to enable the community to participate in identifying bugs across the Eth2 implementations. Since each fuzzing instance uses a random seed , the more people run these fuzzers, the more chances we have to uncover bugs and vulnerabilities. We've been running our fuzzers on our local infrastructure and are exploring integrated, continuous fuzzing options (see section below), but would love to see these fuzzers running on other machines. We were hopping to have the dockerisation process ready for this blog post, but have been running into the following issues:

jsfuzz

We're hoping to have these resolved imminently and to start working on easy-to-follow instructions for the community to participate in the Eth2 fuzzing effort. Stay tuned for an exciting announcement over the coming days!

Next Steps

Over the next few weeks, the Beacon Fuzz team will be looking into:

  • Finalising the dockerisation process
  • Fuzzing the p2p networking stack of the Eth2 clients
  • Working on the FFI bindings to complete the revamp in Rust
  • Start deploying our work to continuous fuzzing environments (OSS Fuzz)

以上所述就是小编给大家介绍的《Beacon Fuzz - Update #05》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

CGI 程序设计自学通

CGI 程序设计自学通

(美)格里高利 / 徐丹/等 / 机械工业出版社 / 1998-08 / 28.00元

本书集中讨论CGI编程,以便利用一起来看看 《CGI 程序设计自学通》 这本书的介绍吧!

CSS 压缩/解压工具
CSS 压缩/解压工具

在线压缩/解压 CSS 代码

RGB转16进制工具
RGB转16进制工具

RGB HEX 互转工具

Base64 编码/解码
Base64 编码/解码

Base64 编码/解码