Open
Bug 1302920
Opened 8 years ago
Updated 2 years ago
Port chromium IPC fuzzer to test Firefox sandbox
Categories
(Core :: Security: Process Sandboxing, defect)
Core
Security: Process Sandboxing
Tracking
()
NEW
Tracking | Status | |
---|---|---|
firefox51 | --- | affected |
People
(Reporter: pauljt, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: sb+)
We currently use "Faulty" to do mutation fuzzing for IPDL (bug 777067). This approach is limited to fuzzing messages that are seen during usage, rather than targeted fuzzing of IPDL. As such we want to look into porting Google's IPC fuzzer: https://chromium.googlesource.com/chromium/src/+/master/docs/ipc_fuzzer.md Source: https://github.com/ChromiumWebApps/chromium/tree/master/tools/ipc_fuzzer
Reporter | ||
Updated•8 years ago
|
Component: Security → Security: Process Sandboxing
Reporter | ||
Updated•8 years ago
|
Whiteboard: sb+
Updated•8 years ago
|
Assignee: nobody → kmckinley
Status: NEW → ASSIGNED
Reporter | ||
Updated•8 years ago
|
Comment 1•7 years ago
|
||
Leaving some notes after a quick investigation: 1) The repo has been moved to [1] 2) The ipc_fuzzer will be separate process executed with different options like $ ipc_fuzzer --fuzzer-name=generate [2] or $ ipc_fuzzer --fuzzer-name=mutator [3] 3) The ipc_fuzzer binary (along with scripts) will be packaged for CloudFuzzer, which seems like our CI infrastructure. 4) The basic workflow is you can either generate new messages (would dump to a file) or mutate (would read from a file) messages and reply with ipc_fuzzer_replay [4] 5) All the possible IPCs would be enumerated [5] for testing. 6) The "file" mentioned in (4) will be read/write as a specific format [6] As for porting to firefox, the challenges are 1) How to enumerate all possible IPDL calls. This might be the most challenging part. 2) How to resolve the chromium dependencies. We can at least pull in all dependent files if no other good solution. 3) How to cowork with our CI infrastructure. For example, we can run the fuzzing on a daily basis or even on every try build. [1] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/ [2] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/scripts/ipc_fuzzer_gen.py#15 [3] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/scripts/ipc_fuzzer_mut.py#18 [4] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/message_replay/BUILD.gn#5 [5] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1836 [6] https://chromium.googlesource.com/chromium/src.git/+/398f8925ce0e684ef8fdcc62b06c20bbe7e2fa3f/tools/ipc_fuzzer/message_lib/message_file_format.h
Comment 2•7 years ago
|
||
BTW, Paul, I wonder how IPC fuzzer can be used to test sandboxing. Neither windows or linux sandboxing brokering makes use of chromium IPC facilities. They have their own lightweight ipc suite. What's your idea and plan about this? Thanks :)
Flags: needinfo?(ptheriault)
Reporter | ||
Comment 3•7 years ago
|
||
Kate might be able to answer better, but the goal here is to test Firefox IPDL, which is as I understand built on top of chromium IPC. My understanding is that the fuzzer will give us the ability to record and replay IPC, as a means to testing our parent code which handles IPC messages.
Flags: needinfo?(ptheriault)
Comment 4•7 years ago
|
||
Hey Kate, May I ask you how much you know about the chromium ipc fuzzer as Paul suggested in comment 3? Is that as what I investigated in comment 1? I hope to get some spare cycle to study if we are able to test firefox IPDL (and to what degree) with the chromium fuzzer before you come to Taipei.
Flags: needinfo?(kmckinley)
Comment 5•7 years ago
|
||
As discussed with Paul, Henry will take over this bug.
Assignee: kmckinley → hchang
Reporter | ||
Comment 6•7 years ago
|
||
Henry, just to note in response to comment 1, A list of all IPDL protocols is not too hard I think. Cr has a list here [1]. Cr or Julian could tell you how they came up with that. [1] https://docs.google.com/spreadsheets/d/1bxG9tf4bDri-zOWDbpynmy76rbAEEWkcijq0cISN-KQ/edit#gid=1623334041
Comment 7•7 years ago
|
||
(In reply to Paul Theriault [:pauljt] from comment #6) > Henry, just to note in response to comment 1, A list of all IPDL protocols > is not too hard I think. Cr has a list here [1]. Cr or Julian could tell you > how they came up with that. > > > [1] > https://docs.google.com/spreadsheets/d/1bxG9tf4bDri- > zOWDbpynmy76rbAEEWkcijq0cISN-KQ/edit#gid=1623334041 A list of all IPDL protocols can be also grammatically obtained by including some generated headers, which is also how chromium's fuzzer does.
Comment 8•7 years ago
|
||
(In reply to Henry Chang [:henry][:hchang] from comment #7) > (In reply to Paul Theriault [:pauljt] from comment #6) > > Henry, just to note in response to comment 1, A list of all IPDL protocols > > is not too hard I think. Cr has a list here [1]. Cr or Julian could tell you > > how they came up with that. > > > > > > [1] > > https://docs.google.com/spreadsheets/d/1bxG9tf4bDri- > > zOWDbpynmy76rbAEEWkcijq0cISN-KQ/edit#gid=1623334041 > > A list of all IPDL protocols can be also grammatically obtained by including ^^^^^^^^^^^^^ programmatically, sorry > some generated headers, which is also how chromium's fuzzer does.
Comment 9•7 years ago
|
||
I gotta be away from fuzzer for while. Leaving some notes that I've studied so that I can continue the work more quickly. 1) The fuzzer enumerates messages [1] by including headers which are crafted by developer. As far as I know, chromium has legacy ipc messages and new mojo binding code (? not very assured). I haven't got to know if the fuzzer also enumerates mojo messages. 2) There are two kinds of ipc messages, both of which will be enumerated, fuzzed and replayed. The first one is control message and the other is routed. By a) overriding IPC_MESSAGE_DECL [2] b) instantiating FuzzerHelper<name>::Fuzz [3] we can obtain message factory functions to create all messages for testing. 3) 2.(b) is way too meta-programming to understand. It heavily uses C++ template features. In a nutshell, 2.(a) will derive - control/routed message class with input args - control/routed message class with input args and output args All of the above will be instantiated to FuzzerHelper in the form of either [4] or [5]. (depending on how the template parameters can be specialized) then the |MessageFactory| will be instantiated based on the message type (control or routed) 4) Since we have figured out what (3) is doing, as long as we find where the IPDL-generated messages are, we can just redo whatever the chromium fuzzer does to exhaustively create all ipc message for testing. [1] https://chromium.googlesource.com/chromium/src.git/+/780d18a4ff97455953384e4acb12d429b023a149/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1836 [2] https://chromium.googlesource.com/chromium/src.git/+/780d18a4ff97455953384e4acb12d429b023a149/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1834 [3] https://chromium.googlesource.com/chromium/src.git/+/780d18a4ff97455953384e4acb12d429b023a149/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1835 [4] https://chromium.googlesource.com/chromium/src.git/+/780d18a4ff97455953384e4acb12d429b023a149/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1769 [5] https://chromium.googlesource.com/chromium/src.git/+/780d18a4ff97455953384e4acb12d429b023a149/tools/ipc_fuzzer/fuzzer/fuzzer.cc#1795
Updated•7 years ago
|
Flags: needinfo?(kmckinley)
Updated•7 years ago
|
Assignee: hchang → nobody
Status: ASSIGNED → NEW
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•