Beacon Fuzz - Update #06

栏目: IT技术 · 发布时间: 4年前

内容简介:Sigma Prime is leading the development and maintenance ofWe're happy to announce that the

Beacon Fuzz - Progress Update #6: Community fuzzing, new bugs and next steps

Beacon Fuzz - Update #06

Sigma Prime is leading the development and maintenance of beacon-fuzz , a differential fuzzing solution for Eth2 clients. This post is part of our series of status updates where we discuss current progress, interesting challenges encountered and direction for future work. See#00 and the repository's README for more context.

Summary

  • Community Fuzzing
  • New Bugs
  • Next Steps

Community Fuzzing

We're happy to announce that the dockerisation process of our eth2fuzz tool is now complete! If you'd like to help catch bugs on the major Eth2 implementations on your own hardware or cloud infrastructure, you can now follow these simple steps:

  1. Clone the beacon-fuzz repository:
    • git clone https://github.com/sigp/beacon-fuzz
  2. Change your current directory to eth2fuzz :
    • cd beacon-fuzz/eth2fuzz
  3. Make sure the Docker service is running on your machine
    • For Linux hosts using systemd : sudo systemctl start docker
  4. Build the fuzzing container for any given Eth2 client (we currently support Lighthouse, Nimbus, Prysm, Teku and Lodestar):
    • For example, if you want to fuzz Prysm: make prysm

Congratulations, you know have successfully built a Docker container that holds everything you need to fuzz the Prysm client's state transition functions! Use the help function to get a list of available commands:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm help

If you'd like to see all the fuzzing targets available on the Docker you've just built, run the following command:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm list

The output should be:

prysm_attestation
prysm_attester_slashing
prysm_block
prysm_block_header
prysm_deposit
prysm_proposer_slashing
prysm_voluntary_exit

For example, to start fuzzing the attestation processing function:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm target prysm_attestation

The eth2fuzz README contains detailed instructions and explanations on what is currently supported:

  • Continuous fuzzing : eth2fuzz can be configured to continuously fuzz all available targets for a given client, using the continuously CLI parameter. Alternatively, you can use the Makefile to fuzz all targets, each one running during 1 hour. For example, make fuzz-nimbus will build the relevant fuzzing container and exercise all fuzzing harnesses.
  • Fuzzing all clients : Want to fuzz all clients on all targets? Use the make fuzz-all command which will go through all clients and all implementations (and stop as soon as a bug is identified when using libFuzzer), dedicating 1 hour for each target, per client.
  • Different fuzzing engine support : For some clients, we support different fuzzing engines (Afl, Honggfuzz, libFuzzer). Depending on the implementation you're targeting, you can switch to a different fuzzer (libFuzzer is the default), which will enable different mutations. More fuzzing engines will be added in the near future!

We'd like to thank Justin Drake for suggesting this initiative and helping us with testing it!

If you find a bug during your fuzzing adventures, or if you encounter any issues with eth2fuzz , join our beacon-fuzz Discord channel on the Sigma Prime server and drop us a message!

New Bugs

Our fuzzing effort over the last month have resulted in the idenfitication of the following bugs:

  • Nimbus: IndexError bug in the the attester slashing processing function: Due to insufficient input validation when calling isValidAttestation() , this externally trigerrable vulnerability could lead to a crash of the client (refer to this issue for more details). This vulnerability has since been fixed by the Nimbus development team (see this Pull Request ).
  • Lodestar: Memory exhaustion vulnerability when parsing invalid ENRs: when providing a maliciously crafted ENR string, we can trigger a JavaScript heap out-of-memory error, which can lead to a Denial-of-Service condition (refer to this issue for more details).

Next Steps

As the Eth2 state transition specification can most likely now be considered final, we're shifting our efforts to the differential part of our fuzzing infrastructure.

eth2fuzz and eth2diff can now be considered complete (a few more features and improvements will however be added). These tools allowed us to identify 26 unique bugs across every Eth2 implementation.

Most of our time over the upcoming weeks will be spent on beacon-fuzz-2 , to leverage Foreign Function Interfaces (FFI) in order to identify state transition discrepancies that would cause network splits and chain forks. A detailed overview of our fuzzing architecture for Eth2 can be found in aprevious post.

We will also be accelerating our efforts on fuzzing the various p2p networking stacks.


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

新零售新市场

新零售新市场

吴宇 / 人民邮电 / 2017-8

本书全面而实操地解析汽车后市场,帮助诸多正在或将要转型的企业科学转型,在竞争激烈的市场中赢得一席之地,真正实现“互联网+”的飞跃与升级。本书适合汽车后市场相关领域从业者、汽车后市场创业者,以及对汽车后市场有兴趣的读者阅读。一起来看看 《新零售新市场》 这本书的介绍吧!

JSON 在线解析
JSON 在线解析

在线 JSON 格式化工具

SHA 加密
SHA 加密

SHA 加密工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换