Beacon Fuzz - Update #06

Category: IT technology · Published: 4 years ago


Beacon Fuzz - Progress Update #6: Community fuzzing, new bugs and next steps


Sigma Prime is leading the development and maintenance of beacon-fuzz, a differential fuzzing solution for Eth2 clients. This post is part of our series of status updates where we discuss current progress, interesting challenges encountered and direction for future work. See #00 and the repository's README for more context.

Summary

  • Community Fuzzing
  • New Bugs
  • Next Steps

Community Fuzzing

We're happy to announce that the dockerisation process of our eth2fuzz tool is now complete! If you'd like to help catch bugs on the major Eth2 implementations on your own hardware or cloud infrastructure, you can now follow these simple steps:

  1. Clone the beacon-fuzz repository:
    • git clone https://github.com/sigp/beacon-fuzz
  2. Change your current directory to eth2fuzz :
    • cd beacon-fuzz/eth2fuzz
  3. Make sure the Docker service is running on your machine
    • For Linux hosts using systemd : sudo systemctl start docker
  4. Build the fuzzing container for any given Eth2 client (we currently support Lighthouse, Nimbus, Prysm, Teku and Lodestar):
    • For example, if you want to fuzz Prysm: make prysm

Congratulations, you now have successfully built a Docker container that holds everything you need to fuzz the Prysm client's state transition functions! Use the help function to get a list of available commands:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm help

If you'd like to see all the fuzzing targets available in the Docker image you've just built, run the following command:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm list

The output should be:

prysm_attestation
prysm_attester_slashing
prysm_block
prysm_block_header
prysm_deposit
prysm_proposer_slashing
prysm_voluntary_exit

For example, to start fuzzing the attestation processing function:

docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm target prysm_attestation

The eth2fuzz README contains detailed instructions and explanations on what is currently supported:

  • Continuous fuzzing : eth2fuzz can be configured to continuously fuzz all available targets for a given client, using the continuously CLI parameter. Alternatively, you can use the Makefile to fuzz all targets, each one running for 1 hour. For example, make fuzz-nimbus will build the relevant fuzzing container and exercise all fuzzing harnesses.
  • Fuzzing all clients : Want to fuzz all clients on all targets? Use the make fuzz-all command which will go through all clients and all implementations (and stop as soon as a bug is identified when using libFuzzer), dedicating 1 hour for each target, per client.
  • Different fuzzing engine support : For some clients, we support different fuzzing engines (Afl, Honggfuzz, libFuzzer). Depending on the implementation you're targeting, you can switch to a different fuzzer (libFuzzer is the default), which will enable different mutations. More fuzzing engines will be added in the near future!
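The following script is an added example, not part of the beacon-fuzz repository: it drives the eth2fuzz Docker images built with the steps above across several clients, giving every target the same 1 hour budget that make fuzz-all uses, and records any run that ends for a reason other than the budget expiring. It assumes the images are named eth2fuzz_<client>, that the list subcommand prints one target per line and that target names are prefixed with the client name, as in the prysm output shown above; the -it flags are dropped so it can run unattended.

```shell
#!/bin/sh
# Added example: batch runner for the eth2fuzz images described above.
# Assumptions (not from beacon-fuzz): images are built as eth2fuzz_<client>,
# `list` prints one target per line, targets are named <client>_<function>.
set -u

SUPPORTED_CLIENTS="lighthouse nimbus prysm teku lodestar"
WORKSPACE="${WORKSPACE:-$PWD/workspace}"
BUDGET_SECONDS="${BUDGET_SECONDS:-3600}"   # 1 hour per target, as make fuzz-all does

# Succeeds only for a client that eth2fuzz ships an image for.
is_supported_client() {
  case " $SUPPORTED_CLIENTS " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Targets carry their client as prefix (prysm_attestation); refuse mismatches
# so a nimbus target is never handed to the prysm image.
target_matches_client() {
  case "$2" in
    "$1"_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the docker invocation for one eth2fuzz subcommand. Same mount as the
# commands above, but --rm instead of -it so it runs without a terminal.
eth2fuzz_cmd() {
  client="$1"; shift
  printf 'docker run --rm -v %s:/eth2fuzz/workspace eth2fuzz_%s %s' \
    "$WORKSPACE" "$client" "$*"
}

# Fuzz every target of one client for BUDGET_SECONDS each. timeout exits 124
# when the budget runs out; any other non-zero exit is logged for triage.
fuzz_client() {
  client="$1"
  is_supported_client "$client" || { echo "unsupported client: $client" >&2; return 2; }
  mkdir -p "$WORKSPACE"
  for target in $($(eth2fuzz_cmd "$client" list)); do
    target_matches_client "$client" "$target" || continue
    echo "fuzzing $target for ${BUDGET_SECONDS}s"
    timeout "$BUDGET_SECONDS" $(eth2fuzz_cmd "$client" target "$target")
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ] || echo "$client $target exit=$rc" >> "$WORKSPACE/findings.log"
  done
}

# Usage: ./fuzz-all.sh prysm nimbus   (run `make <client>` for each image first)
[ "${1:-}" = "" ] || for c in "$@"; do fuzz_client "$c"; done
```

Crash inputs written by the fuzzer land in the mounted workspace directory, and findings.log lists which client and target produced them.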

We'd like to thank Justin Drake for suggesting this initiative and helping us with testing it!

If you find a bug during your fuzzing adventures, or if you encounter any issues with eth2fuzz, join our beacon-fuzz Discord channel on the Sigma Prime server and drop us a message!

New Bugs

Our fuzzing efforts over the last month have resulted in the identification of the following bugs:

  • Nimbus: IndexError bug in the attester slashing processing function: Due to insufficient input validation when calling isValidAttestation(), this externally triggerable vulnerability could lead to a crash of the client (refer to this issue for more details). This vulnerability has since been fixed by the Nimbus development team (see this Pull Request).
  • Lodestar: Memory exhaustion vulnerability when parsing invalid ENRs: when providing a maliciously crafted ENR string, we can trigger a JavaScript heap out-of-memory error, which can lead to a Denial-of-Service condition (refer to this issue for more details).

Next Steps

As the Eth2 state transition specification can most likely now be considered final, we're shifting our efforts to the differential part of our fuzzing infrastructure.

eth2fuzz and eth2diff can now be considered complete (a few more features and improvements will however be added). These tools allowed us to identify 26 unique bugs across every Eth2 implementation.

Most of our time over the upcoming weeks will be spent on beacon-fuzz-2, to leverage Foreign Function Interfaces (FFI) in order to identify state transition discrepancies that would cause network splits and chain forks. A detailed overview of our fuzzing architecture for Eth2 can be found in a previous post.

We will also be accelerating our efforts on fuzzing the various p2p networking stacks.

