SharpFuzz is a tool that brings the power of afl-fuzz to .NET platform. If you want to learn more about fuzzing, my motivation for writing SharpFuzz, the types of bugs it can find, or the technical details about how the integration with afl-fuzz works, read my blog post SharpFuzz: Bringing the power of afl-fuzz to .NET platform.
AFL works on Linux and macOS. If you are using Windows, you can use any Linux distribution that works under the Windows Subsystem for Linux.
You will need GNU make and a working compiler (gcc or clang) in order to compile afl-fuzz. You will also need to have the .NET Core 2.1 or greater installed on your machine in order to instrument .NET assemblies with SharpFuzz.
You can install afl-fuzz and SharpFuzz.CommandLine global .NET tool by running the following script:
#/bin/sh
set -eux
# Download and extract the latest afl-fuzz source package
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xvf afl-latest.tgz
rm afl-latest.tgz
cd afl-2.52b/
# Patch afl-fuzz so that it doesn't check whether the binary
# being fuzzed is instrumented (we have to do this because
# we are going to run our programs with the dotnet run command,
# and the dotnet binary would fail this check)
wget https://github.com/Metalnem/sharpfuzz/raw/master/patches/RemoveInstrumentationCheck.diff
patch < RemoveInstrumentationCheck.diff
# Install afl-fuzz
make install
cd ..
rm -rf afl-2.52b/
# Install SharpFuzz.CommandLine global .NET tool
dotnet tool install --global SharpFuzz.CommandLineThe alternative to patching afl-fuzz in order to skip the instrumentation check is to set the AFL_SKIP_BIN_CHECK environment variable.
This tutorial assumes that you are somewhat familiar with afl-fuzz. If you don't know anything about it, you should first read the AFL quick start guide and the afl-fuzz README. If you have enough time, I would also recommend reading Understanding the status screen and Technical whitepaper for afl-fuzz.
As an example, we are going to instrument Jil, which is a fast JSON serializer and deserializer (see SharpFuzz.Samples for many more examples of complete fuzzing projects).
1. Download the package from the NuGet gallery.
You can do that by clicking the download package
link in the info section of the page. The downloaded
file will be called jil.2.16.0.nupkg.
2. Change the extension of the downloaded file
from nupkg to zip, and then extract it.
The location of the assembly we are going to instrument
will be jil.2.16.0/lib/netstandard2.0/Jil.dll.
We could have chosen some other .NET platform, such
as net45 or netstandard1.6, but the latest
version of .NET Standard is usually the best choice.
3. Instrument the assembly by running the
sharpfuzz tool with the path to the assembly
as a parameter. In our case, the exact command looks
like this:
sharpfuzz jil.2.16.0/lib/netstandard2.0/Jil.dllThe instrumentation is performed in place, which
means that jil.2.16.0/lib/netstandard2.0/Jil.dll
will contain the instrumented version of Jil after
running this command.
4. Create a new .NET console project, and add
the instrumented library to it, along with all of
its dependencies. To do that, copy Jil.dll
to the root directory of the project, and then add
the following element to your project file:
<ItemGroup>
<Reference Include="Jil">
<HintPath>Jil.dll</HintPath>
</Reference>
</ItemGroup>Jil depends on Sigil, which is why you also have to manually add the reference to Sigil. You can install it from NuGet with the following command:
dotnet add package Sigil --version 4.7.05. Add the SharpFuzz package to the project by running the following command:
dotnet add package SharpFuzz6. Now it's time to write some code. The Main function should call the SharpFuzz.Fuzzer.Run with the function that we want to test as a parameter. Here's the one possible way we could write this:
using System;
using System.IO;
using SharpFuzz;
namespace Jil.Fuzz
{
public class Program
{
public static void Main(string[] args)
{
Fuzzer.Run(stream =>
{
try
{
using (var reader = new StreamReader(stream))
{
JSON.DeserializeDynamic(reader);
}
}
catch (DeserializationException) { }
});
}
}
}We want to fuzz the deserialization capabilities of Jil, which is why we are calling the JSON.DeserializeDynamic method. The input data will be be provided to us via the stream parameter (if the code you are testing takes its input as a string, you can use an additional overload of Fuzzer.Run that accepts Action<string>).
If the code passed to Fuzzer.Run throws an exception, it will be reported to afl-fuzz as a crash. However, we want to treat only unexpected exceptions as bugs. DeserializationException is what we expect when we encounter an invalid JSON input, which is why we catch it in our example.
7. Create a directory with some test cases (one test is usually more than enough). Test files should contain some input that is accepted by your code as valid, and should also be as small as possible. For example, this is the JSON I'm using for testing JSON deserializers:
{"menu":{"id":1,"val":"X","pop":{"a":[{"click":"Open()"},{"click":"Close()"}]}}}8. You are now ready to go! Build the project
with dotnet build, and start the fuzzing with
the following command:
afl-fuzz -i testcases_dir -o findings_dir \
dotnet path_to_assemblyLet's say that our working directory is called Fuzzing.
If it contains the project Fuzzing.csproj, and the
directory called Testcases, the full command might
look like this:
afl-fuzz -i Testcases -o Findings \
dotnet bin/Debug/netcoreapp2.1/Fuzzing.dllFor formats such as HTML, JavaScript, JSON, or SQL,
the fuzzing process can be greatly improved with
the usage of a dictionary file. AFL comes with
bunch of dictionaries, which you can find after
installation in /usr/local/share/afl/dictionaries/.
With this in mind, we can improve our fuzzing of Jil like this:
afl-fuzz -i Testcases -o Findings \
-x /usr/local/share/afl/dictionaries/json.dict \
dotnet bin/Debug/netcoreapp2.1/Fuzzing.dllSometimes you may encounter the following error when running afl-fuzz:
[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:
This usually happens when some of your provided test inputs cause the fuzzing function to throw an exception, but sometimes this can happen due to low default memory limit (I see this very often in the cloud environment). You can fix it by increasing the memory limit for your program to some large value:
afl-fuzz -i testcases_dir -o findings_dir -m 10000 \
dotnet path_to_assembly9. Sit back and relax! You will often have some useful results within minutes, but sometimes it can take more than a day, so be patient.
The input files responsible for unhandled exceptions
will appear in findings_dir/crashes. The total
number of unique crashes will be displayed in red on
the afl-fuzz status screen.
In practice, the real number of unique exceptions will often be much lower than the reported number, which is why it's usually best to write a small program that just goes through the crashing inputs, runs the fuzzing function on each of them, and saves only the inputs that produce unique stack traces.
Adding a reasonable timeout parameter (e.g. -t 5000) to the afl-fuzz command is recommended,
as the automatic detection mechanism is unreliable when using sharpfuzz.
Otherwise you might see frequent and seemingly random error messages such as
[-] PROGRAM ABORT : Unable to communicate with fork server (OOM?)
Location : run_target(), afl-fuzz.c:2417
See: Metalnem#11
- CVE-2019-0980: .NET Framework and .NET Core Denial of Service Vulnerability
- CVE-2019-0981: .NET Framework and .NET Core Denial of Service Vulnerability
If you find some interesting bugs with SharpFuzz, and are comfortable with sharing them, I would love to add them to this list. Please send me an email, make a pull request for the README file, or file an issue.
- AngleSharp: HtmlParser.Parse throws InvalidOperationException fixed
- CoreFX: BigInteger.TryParse out-of-bounds access fixed
- CoreFX: BinaryFormatter.Deserialize throws many unexpected exceptions fixed
- CoreFX: DataContractJsonSerializer.ReadObject throws ArgumentOutOfRangeException
- CoreFX: DataContractJsonSerializer.ReadObject throws IndexOutOfRangeException
- CoreFX: DataContractSerializer.ReadObject throws ArgumentNullException
- CoreFX: Double.Parse throws AccessViolationException on .NET Core 3.0 fixed
- CoreFX: G17 format specifier doesn't always round-trip double values
- CoreFX: Uri.TryCreate throws IndexOutOfRangeException
- CoreFX: XmlReader.Create throws IndexOutOfRangeException fixed
- DotLiquid: Template.Parse throws ArgumentNullException instead of SyntaxException
- Esprima .NET: JavaScriptParser.ParseProgram throws ArgumentOutOfRangeException
- Esprima .NET: StackOverflowException when parsing a lot of starting parentheses fixed
- ExcelDataReader: ExcelReaderFactory.CreateBinaryReader can throw unexpected exceptions fixed
- ExcelDataReader: ExcelReaderFactory.CreateBinaryReader throws OutOfMemoryException fixed
- ExCSS: StylesheetParser.Parse throws ArgumentOutOfRangeException
- Fluid: FluidTemplate.TryParse and FluidTemplateExtensions.Render throw some unexpected exceptions fixed
- Fluid: FluidTemplateExtensions.Render hangs permanently fixed
- Google.Protobuf: MessageParser.ParseFrom throws unexpected exceptions (C#) fixed
- GraphQL-Parser: Parser.Parse takes around 18s to parse the 58K file fixed
- GraphQL-Parser: Parser.Parse throws ArgumentOutOfRangeException fixed
- Handlebars.Net: Handlebars.Compile hangs permanently fixed
- Handlebars.Net: Template engine throws some unexpected exceptions fixed
- Jil: JSON.DeserializeDynamic throws ArgumentException fixed
- Jint: Engine.Execute can throw many unexpected exceptions fixed
- Jint: Engine.Execute takes more than two minutes to complete (even with the 2s timeout) fixed
- Jint: Engine.Execute throws OutOfMemoryException after 45s (even with the 2s timeout) fixed
- Json.NET: JsonConvert.DeserializeObject can throw several unexpected exceptions
- Jurassic: ScriptEngine.Execute terminates the process with StackOverflowException
- Jurassic: ScriptEngine.Execute throws some unexpected exceptions fixed
- Jurassic: ScriptEngine.ExecuteFile hangs permanently instead of throwing JavaScriptException fixed
- Jurassic: ScriptEngine.ExecuteFile throws FormatException fixed
- LumenWorks CSV Reader: CsvReader.ReadNextRecord throws IndexOutOfRangeException
- Markdig: Markdown.ToHtml hangs permanently fixed
- Markdig: Markdown.ToHtml takes more than two minutes to complete when processing the 32K file fixed
- Markdig: Markdown.ToHtml throws ArgumentOutOfRangeException fixed
- Markdig: Markdown.ToHtml throws IndexOutOfRangeException fixed
- Markdig: Markdown.ToHtml throws IndexOutOfRangeException
- Markdig: Markdown.ToHtml throws NullReferenceException fixed
- MarkdownSharp: Markdown.Transform hangs permanently
- MessagePack for CLI: Unpacking.UnpackObject throws several unexpected exceptions
- Mono.Cecil: ModuleDefinition.ReadModule can throw many (possibly) unexpected exceptions
- Mono.Cecil: ModuleDefinition.ReadModule hangs permanently fixed
- NCrontab: CrontabSchedule.Parse throws OverflowException instead of CrontabException
- NUglify: Uglify.Js hangs permanently
- Open XML SDK: Add some security/fuzz testing
- OpenMCDF: OutOfMemoryException when parsing Excel document / endless while-loop fixed
- OpenMCDF: System.ArgumentOutOfRangeException take 2 fixed
- OpenMCDF: System.ArgumentOutOfRangeException when trying to open certain invalid files fixed
- OpenMCDF: System.OutOfMemoryException when reading corrupt Word document fixed
- PdfPig: StackOverflowException reading corrupt PDF document fixed
- protobuf-net: Serializer.Deserialize can throw many unexpected exceptions
- protobuf-net: Serializer.Deserialize hangs permanently
- Scriban: Template.ParseLiquid throws ArgumentOutOfRangeException fixed
- Scriban: Template.ParseLiquid throws NullReferenceException fixed
- Scriban: Template.Render throws InvalidCastException fixed
- SharpCompress: Enumerating ZipArchive.Entries collection throws NullReferenceException
- SharpZipLib: ZipInputStream.GetNextEntry hangs permanently fixed
- SixLabors.Fonts: FontDescription.LoadDescription throws ArgumentException fixed
- SixLabors.Fonts: FontDescription.LoadDescription throws NullReferenceException fixed
- SixLabors.ImageSharp: Image.Load terminates the process with AccessViolationException fixed
- SixLabors.ImageSharp: Image.Load throws AccessViolationException fixed
- SixLabors.ImageSharp: Image.Load throws ArgumentException fixed
- SixLabors.ImageSharp: Image.Load throws ArgumentOutOfRangeException fixed
- SixLabors.ImageSharp: Image.Load throws DivideByZeroException fixed
- SixLabors.ImageSharp: Image.Load throws DivideByZeroException fixed
- SixLabors.ImageSharp: Image.Load throws ExecutionEngineException fixed
- SixLabors.ImageSharp: Image.Load throws IndexOutOfRangeException fixed
- SixLabors.ImageSharp: Image.Load throws NullReferenceException fixed
- SixLabors.ImageSharp: Image.Load throws NullReferenceException fixed
- Utf8Json: JsonSerializer.Deserialize can throw many unexpected exceptions
- Web Markup Minifier: HtmlMinifier.Minify hangs permanently fixed
- Web Markup Minifier: HtmlMinifier.Minify throws InvalidOperationException fixed
- YamlDotNet: YamlStream.Load takes more than 60s to parse the 37K file
- YamlDotNet: YamlStream.Load terminates the process with StackOverflowException
- YamlDotNet: YamlStream.Load throws ArgumentException
- Michal Zalewski - american fuzzy lop
- Dmitry Vyukov - go-fuzz: randomized testing for Go
- Rody Kersten - Kelinci: AFL-based fuzzing for Java
- Jb Evain - Mono.Cecil
- 0xd4d - dnlib
- Guido Vranken - go-fuzz: libFuzzer support