Skip to content

Improving security and resilience of WebAssembly VMs/runtimes/parsers using fuzzing

License

Notifications You must be signed in to change notification settings

FuzzingLabs/wasm_runtimes_fuzzing

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

WARF - WebAssembly Runtimes Fuzzing project

Goal of this project is to improve security and resilience of WebAssembly VMs/runtimes/parsers using different fuzzing techniques.

Quick Start (using docker)

  • Clone the project
# Install WARF
$ git clone --depth 1 https://github.com/pventuzelo/wasm_runtimes_fuzzing
$ cd wasm_runtimes_fuzzing/warf

Build warf with docker:

# Build warf docker
$ make docker
# Optional: Create an alias
$ alias warf="docker run -it -v `pwd`/workspace:/warf/workspace warf"
# ==> workspace folder is shared between your host and docker container.

NOTE: If you are on running on Ubuntu, installation without docker can be found here.

  • Run warf cli:
$ warf help

WARF - WebAssembly Runtimes Fuzzing project
USAGE:
    warf <SUBCOMMAND>
FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
SUBCOMMANDS:
    benchmark-all    Run WebAssembly module on all targets with benchmark
    build            Build all targets for this specific fuzzer
    continuously     Run all fuzz targets
    debug            Debug one target
    execute-all      Run WebAssembly module on all targets
    help             Prints this message or the help of the given subcommand(s)
    list             List all available targets
    target           Run one target with specific fuzzer

NOTE: Details about the different warf subcommands here.

  • List available fuzzing targets:
$ warf list

wasmi_validate
wasmi_instantiate
parity_wasm_deserialize
[...]
binaryen_ffi
wabt_wasm2wat_all_feat_ffi
wabt_validate_ffi
  • Run fuzzing on a target:
$ warf target wasmer_validate

[...]

------------------------[  0 days 00 hrs 00 mins 02 secs ]----------------------
  Iterations : 272,647 [272.65k]
  Mode [3/3] : Feedback Driven Mode
      Target : hfuzz_target/x86_64-unknown-linux-gnu/release/wasmer_validate
     Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
       Speed : 171,238/sec [avg: 136,323]
     Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
    Timeouts : 0 [10 sec]
 Corpus Size : 754, max: 8,192 bytes, init: 1,126 files
  Cov Update : 0 days 00 hrs 00 mins 01 secs ago
    Coverage : edge: 3,194/58,784 [5%] pc: 2 cmp: 41,653
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.0 /-
Size:77 (i,b,hw,ed,ip,cmp): 0/0/0/1/0/0, Tot:0/0/0/3159/2/41623
[...]

Tests

Tests are documented inside the Makefile:

$ make help
Management commands for warf

Usage:
    make build                            Compile the project locally.
    make docker                           Build a docker image for this project.
    make corpora                          TODO

    make fmt                              Run Rust fmt.
    make clean                            Clean only warf binary.
    make clean-all                        Clean all (warf && compiled fuzz target harnesses).

    make test                                         Simple test to check warf and execute_all is working.
    make test-bench                                   Simple benchmark using execute_all.
    make test-debug                                   Test running a simple wasm to a debugging tool.
    make test-{libfuzzer, honggfuzz, afl}             Test one fuzzing hardness over choosen fuzzer.
    make test-continuously-{libfuzzer, hfuzz, afl}    Test all fuzzing hardness over choosen fuzzer.
    make test-all                                     Test all fuzzing hardness over all fuzzers.

If you are using docker, try:

make docker-test
make docker-test-all

Future of the project

Differents open-source projects (WebAssembly VMs/runtimes/parsers) will be integrated to WARF along the development:

  • Integration details here.
  • Global roadmap here.

Trophies

This tool helped to find the following bugs/vulnerabilities (crashing files are inside trophies folder):

Thanks

Trainings & Contact

Patrick Ventuzelo - @pat_ventuzelo

  • Independent Security Researcher / Trainer.
  • FREE online courses: here

About

Improving security and resilience of WebAssembly VMs/runtimes/parsers using fuzzing

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Sponsor this project

Packages

No packages published