Beacon Fuzz - Update #05

Category: IT Technology · Published: 4 years ago


Beacon Fuzz - Progress Update #5


Sigma Prime is leading the development and maintenance of beacon-fuzz, a differential fuzzing solution for Eth2 clients. This post is part of our series of status updates where we discuss current progress, interesting challenges encountered and the direction of future work. See #00 and the repository's README for more context.

Summary

  • Prysm client integration and first bugs
  • Lodestar integration and first bugs
  • Lighthouse ENR crate bug
  • Dockerising Eth2fuzz
  • Next Steps

Prysm Integration

As mentioned in our previous updates, one of the biggest challenges faced while working on Beacon Fuzz was the integration of the Prysm client alongside ZRNT, protolambda's executable Eth2 specification written in Go. The issues encountered by the team were documented extensively in our previous posts (#1, #2, #4).

Recently, Prysmatic Labs announced their "biggest feature of the year", which allows developers to build the Prysm client using the native `go build` tooling, without needing Bazel. As mentioned by Preston in the related pull request, this removes a lot of friction for external contributors and developers wanting to integrate with or build on top of the Go Eth2 implementation. We requested this feature in this issue and were very happy to see it implemented; a big thank you to the Prysmatic Labs crew!

As a result, significant progress has been made in fuzzing Prysm (progress can be tracked in this branch), which led to the identification of the following vulnerabilities:

  • Panic due to an out-of-bounds slice range: identified in the go-ssz library while fuzzing Attestation parsing. Refer to this issue for the detailed bug report and this pull request for the related fix.
  • Panic due to a nil pointer dereference: identified in ProposerSlashing processing while fuzzing the VerifyProposerSlashing function. Refer to this issue for the detailed bug report and this pull request for the related fix.

Lodestar Integration

A new Eth2 implementation has made it to Beacon Fuzz! We're glad to have been able to perform some fuzzing on Lodestar, the JavaScript client developed by ChainSafe. We've been primarily targeting serialisation/deserialisation functions by leveraging jsfuzz, a coverage-guided fuzzer for JS/NodeJS packages, heavily based on go-fuzz and AFL.

The first Lodestar fuzzing round led to the identification of the following four bugs:

  • TypeError bug when SSZ decoding a BeaconBlock with an invalid BigInt parent scope (refer to this issue for more details);
  • RangeError bug when SSZ decoding an empty BeaconBlock container (refer to this issue for more details);
  • TypeError bug when decoding an invalid base64 ENR string (refer to this issue for more details);
  • TypeError bug when decoding an invalid ENR RLP encoded string (refer to this issue for more details).

We're looking forward to targeting the state transition functions next, once these bugs are resolved by the Lodestar development team.

Lighthouse ENR Crate Bug

While fuzzing the Lighthouse ENR crate, we identified a vulnerability that is triggered when a non-ASCII string is decoded as an ENR.

Specifically, Honggfuzz, the fuzzing engine used to identify this vulnerability, produced the string `49ŷ`, which caused a panic in the crate. The bug is reproducible here.

This vulnerability was fixed by Age in this pull request.
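The following is an added example, not code from the Lighthouse `enr` crate or from beacon-fuzz, illustrating the class of panic a multi-byte input like `49ŷ` can trigger in a Rust text parser. It assumes (as an illustration only; the crate's actual faulting code path is not reproduced here) that the parser strips the textual `enr:` prefix by slicing the `&str` at fixed byte offsets. `parse_prefix_naive` does exactly that and panics when the offset falls inside a multi-byte character; `parse_prefix_checked` uses the non-panicking `str::get` and returns an error instead. `run_target` wraps either parser in `catch_unwind`, reporting what a honggfuzz-style target would observe: a crash for the naive version, a clean `BadPrefix` error for the hardened one. The input strings are constructed for this example.

```rust
use std::panic::{self, AssertUnwindSafe};

// Textual ENR prefix (RFC-style "enr:" scheme); hypothetical constant name.
const ENR_PREFIX: &str = "enr:";

#[derive(Debug, PartialEq)]
pub enum EnrError {
    TooShort,
    BadPrefix,
}

/// Naive prefix check: compares the first three bytes to "enr" and the fourth
/// to ':' by slicing the &str at byte offsets. Slicing a &str at an offset that
/// is not a char boundary panics. "49ŷ" is 4 bytes ('4', '9', 0xC5, 0xB7), so
/// the length check passes, but byte 3 is the middle of the two-byte 'ŷ' and
/// `&s[..3]` panics with "byte index 3 is not a char boundary".
pub fn parse_prefix_naive(s: &str) -> Result<&str, EnrError> {
    if s.len() < ENR_PREFIX.len() {
        return Err(EnrError::TooShort);
    }
    let scheme = &s[..3]; // panics on "49ŷ"
    if !scheme.eq_ignore_ascii_case("enr") || &s[3..4] != ":" {
        return Err(EnrError::BadPrefix);
    }
    Ok(&s[4..])
}

/// Hardened prefix check: `str::get` returns None instead of panicking when
/// the requested range does not end on a char boundary, so any input that is
/// not an ASCII "enr:" prefix is rejected as BadPrefix. Once `get(..4)` has
/// succeeded, offset 4 is known to be a char boundary and the tail slice is safe.
pub fn parse_prefix_checked(s: &str) -> Result<&str, EnrError> {
    if s.len() < ENR_PREFIX.len() {
        return Err(EnrError::TooShort);
    }
    match s.get(..ENR_PREFIX.len()) {
        Some(head) if head.eq_ignore_ascii_case(ENR_PREFIX) => Ok(&s[ENR_PREFIX.len()..]),
        _ => Err(EnrError::BadPrefix),
    }
}

/// Function-pointer type shared by both parsers (hypothetical alias).
pub type Parser = fn(&str) -> Result<&str, EnrError>;

/// What a fuzz target observes: Ok(parser result) for a clean run, or
/// Err(panic message) when the parser panicked on the input. A real
/// honggfuzz target would simply let the panic abort the process and record
/// the crashing input; catching it here lets the outcome be inspected.
pub fn run_target(parser: Parser, input: &str) -> Result<Result<String, EnrError>, String> {
    let outcome = panic::catch_unwind(AssertUnwindSafe(|| parser(input).map(str::to_owned)));
    match outcome {
        Ok(result) => Ok(result),
        Err(payload) => {
            // Panic payloads from `panic!` formatting are String; literal
            // messages are &'static str. Anything else is reported generically.
            let msg = payload
                .downcast_ref::<String>()
                .cloned()
                .or_else(|| payload.downcast_ref::<&str>().map(|s| s.to_string()))
                .unwrap_or_else(|| "non-string panic payload".to_string());
            Err(msg)
        }
    }
}

fn main() {
    // Constructed inputs: one well-formed prefix, one fuzzer-style crasher.
    for input in ["enr:-Iu4QAbc", "49ŷ"] {
        println!("naive   {:?} -> {:?}", input, run_target(parse_prefix_naive, input));
        println!("checked {:?} -> {:?}", input, run_target(parse_prefix_checked, input));
    }
}
```

The practical check this suggests for any Rust parser of untrusted text: grep for `&s[a..b]` on `&str` values and replace each with `s.get(a..b)`, `strip_prefix`, or byte-level handling via `as_bytes()`, since a peer-supplied ENR string is an attacker-controlled input and a panic on the networking path is a denial-of-service vector.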

Dockerising Eth2fuzz

We're currently in the process of dockerising our fuzzers to enable the community to participate in identifying bugs across the Eth2 implementations. Since each fuzzing instance uses a random seed, the more people run these fuzzers, the more chances we have to uncover bugs and vulnerabilities. We've been running our fuzzers on our local infrastructure and are exploring integrated, continuous fuzzing options (see the section below), but would love to see these fuzzers running on other machines. We were hoping to have the dockerisation process ready for this blog post, but have been running into the following issues:

jsfuzz

We're hoping to have these resolved imminently and to start working on easy-to-follow instructions for the community to participate in the Eth2 fuzzing effort. Stay tuned for an exciting announcement over the coming days!

Next Steps

Over the next few weeks, the Beacon Fuzz team will be looking into:

  • Finalising the dockerisation process
  • Fuzzing the p2p networking stack of the Eth2 clients
  • Working on the FFI bindings to complete the revamp in Rust
  • Starting to deploy our work to continuous fuzzing environments (OSS-Fuzz)
