Open
Bug 1359755
Opened 7 years ago
Updated 1 year ago
IPDL protocol fuzzing
Categories
(Core :: Fuzzing, enhancement)
Core
Fuzzing
Tracking
()
NEW
People
(Reporter: hchang, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: sb+)
Unlike what we already for low level IPC fuzzing, we would like to do fuzzing more IPDL-aware. In other words, we'd like to find vulnerable in the "handler" layer. (The handler is typically like PFooProtocolChild::RecvBarMessage() for PFooProtocol.barMessage)
|
||
Updated•7 years ago
|
Whiteboard: sb+
|
Reporter | |
Comment 1•7 years ago
|
||
https://github.com/elefant/gecko-dev/tree/ipdl-fuzzing/toolkit/ipdl_fuzzing I have been prototyping the ipdl fuzzer in the above branch since the end of this March. This current baby fuzzer consists of 1) A hook (window.alert) to trigger fuzzing (only for testing for sure lol) https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/dom/base/nsGlobalWindow.cpp#L7414 2) 3 fuzzers (for PHttpChannel/PCameras/PBrowser) are in place. Most of their to-parent messages are covered. https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/HttpChannelFuzzer.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/HttpChannelFuzzer.cpp https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/CamerasFuzzer.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/CamerasFuzzer.cpp https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/PBrowserFuzzer.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/PBrowserFuzzer.cpp 3) Tons of FuzzTraits for those types which are required for those 3 fuzzers. Note that those FuzzTraits are only capable of generating random data. They are supposed to be able to mutate the given objects. https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPrimitives.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsCommon.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsNeckoChannelParams.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPCameras.h https://github.com/elefant/gecko-dev/blob/ipdl-fuzzing/toolkit/ipdl_fuzzing/FuzzTraitsPBrowser.h I don't know the how far this project could go but I would expect at least 1) A client (in whatever form) to trigger/manipulate the fuzzing. 2) More fuzzers (either by hand-wring or codegen) 3) More FuzzTraits 4) Record the fuzzing trace for replay/reproduce purpose.
|
|
Reporter | |
Updated•7 years ago
|
Assignee: nobody → hchang
|
||
Updated•7 years ago
|
Blocks: sandbox-fuzzing
Summary: IPDL fuzzing → IPDL protocol fuzzing
|
||
Updated•7 years ago
|
See Also: Fuzz-IPDL → fuzzing-ipc-ipdl
|
|
Reporter | |
Updated•6 years ago
|
Assignee: hchang → nobody
|
||
Updated•3 years ago
|
Component: Security: Process Sandboxing → Fuzzing
|
||
Updated•1 year ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•