FOSDEM '09 is a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet.

   

Interview: Victor Stinner

Victor Stinner will give a talk about Fusil at FOSDEM 2009.

Could you briefly introduce yourself?

I'm a 25 years old developer paid to write free software (GPL), but also hacking on free software in my free time. I help free projects to improve their security by fixing known bugs or finding new bugs.

What will your talk be about, exactly?

It's about fuzzing, my fuzzer Fusil, and the status of security in free software. Finding bugs is easy, but the problem is fixing them upstream.

What do you hope to accomplish by giving this talk ? What do you expect?

I will try to sensitize developers to security, because few developers are aware of security bugs. I also hope that some hackers will try Fusil (or any other fuzzer) on their programs!

What problem is Fusil trying to solve?

Using Fusil, it's easy to write a fuzzer. But Fusil has many features to collect many crashes during a night without human interaction. It stores all the information about the crash, generates a script to replay the crash and renames the directory with a very short description of the crash (e.g. "invalid_read-0x8fa0b4ff"). So it's easy to see duplicates and to reproduce a crash in gdb.

How difficult is it to write fuzzing programs?

Most fuzzers included in the Fusil project inject random bytes in files and try to open these files in the target program. Such fuzzers are simple and can be written in one hour. To improve the quality of such fuzzers (that is, to generate less false positives), you can add more rules to the existing probes (e.g. add a text pattern specific to the problem for the standard output).

Better fuzzers generate data using the specification of the format. There is for example a Python fuzzer generating random function calls with random arguments. Writing such fuzzers takes more time because you have to learn the format and implement an algorithm to generate the data. If you already know the format, it takes between one and four hours for a simple format.

But when the fuzzer is written, most of the time you will find bugs in less than one hour! And sometimes in less than one minute...

What kinds of faults can you find in programs with Fusil?

Don't expect automatic exploit generation :-) Fusil is dumb and just finds *bugs*: invalid memory read/write, timeout, deadlock, assertion/exception, etc. On a segfault (or other fatal error), the builtin debugger tries to analyze the error: it does for example display "invalid read from NULL (4 bytes)" instead of just "segfault".

You will have to read the source code of the target program to understand the problem and check the severity of the bug. Remember, on a server any denial of service is important because it slows down all applications!

Which bugs did you already find with Fusil?

The most funny was a bug in printf() in GNU libc. Funny because printf() is the most common function in the C language and the code is very old! Another nice bug was a denial of service in the ClamAV antivirus program. It's possible to write a loop in a block chain in the file system. Most programs detect such a loop, but not the old version of ClamAV. With a single small document (20 KB), ClamAV ate all memory and CPU time! See the crash list for a more complete list.

How active is the development of Fusil?

The last stable version was released two months ago. I'm working alone on the project in my free time, so the development is slow and depends on my motivation. E.g. last weeks I worked on different projets (hacking Python!).

How does Fusil compare with other fuzzing tools, e.g. Peach?

Most frameworks are specific to a program category or environment. PROTOS is for example dedicated to network stuff, Sulley targets closed source programs running on Windows, etc.

Fusil's typical target is a Linux command line program. It doesn't mean that it's impossible to write other fuzzers, but just that it will take more time :-) Fusil should work on any UNIX/BSD system, and maybe also on Windows. There are also fuzzers for the Linux kernel, MySQL server and Firefox.

Creative Commons License
This interview is licensed under a Creative Commons Attribution 2.0 Belgium License.

Mon, 2009-01-12 10:41