Penetration Testing mailing list archives

[Announce] New Fusil fuzzer


From: Victor Stinner <victor.stinner () haypocalc com>
Date: Tue, 27 Nov 2007 23:09:45 +0100

Fusil is a fuzzing framework written in Python and distributed under the GNU GPLv2 
license.

It lets you write so-called "fuzzing projects" easily from a set of functions 
and the power of Python: create a process, compile a C program, watch a 
process, watch syslog, etc.

Available projects: gettext, clamav, libc_printf, php, linux_ioctl, mplayer, 
identify, etc.

Website: http://fusil.hachoir.org/trac
Example of gettext session:

   $ ./run_fusil.sh -p project/poppler.py ~/document.pdf
   [application] Fusil version 0.5 -- GNU GPL v2
   [application] http://fusil.hachoir.org/
   [application] Load project project/poppler.py
   [session 1][project] Start session
   (...)
   [session 994][watch:process:pdftotext] Process killed by signal SIGSEGV
   [session 994][project] End of session: score=75.0%, duration=0.378 second
   [session 994][session_dir] Success: keep directory 
      '/home/toady/local/scm/svn/fusil/project-0008/session-0005'
   [project] Project done: : 5 session in 0.9 second (181.6 ms per session),
      total 0.9 second
   [application] Exit Fusil

The last (successful) session is stored in project-0003/session-0994/. We can 
reproduce the crash with:

   $ evince document.pdf
   Error (0): PDF file is damaged - attempting to reconstruct xref table...
   Error (44780): Dictionary key must be a name object
   (...)
   Segmentation fault
Fusil uses small "agents" which exchange messages to launch actions. E.g. 
MangleFile injects errors into a valid file (PDF file, AVI movie, JPEG picture, 
etc.), and then Fusil uses the generated file name to run a process.

Each project session has a score between -100% (the application rejects the fuzzed 
data) and 100% (success). Many probes exist to compute the session score:
  +100% for process killed by a signal (WatchProcess)
  +100% for "segmentation fault" text pattern in process stdout (FileWatch)
  -100% if session is too fast (TimeWatch)
  etc.
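As an added illustration of the probe-based scoring described above (constructed example code, not Fusil's own implementation): three probes mirror WatchProcess, FileWatch and TimeWatch. The Session fields, the "too fast" threshold and the rule for combining probe verdicts are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


# Constructed record of what a watcher could observe about one child process
# run. The fields are assumed for this example, not Fusil's own API.
@dataclass
class Session:
    exit_code: Optional[int]    # exit status, or None if killed by a signal
    signal_name: Optional[str]  # e.g. "SIGSEGV" when the kernel killed the process
    stdout: str                 # captured standard output
    duration: float             # wall-clock seconds the target ran


# Each probe maps its observation to a score percentage in [-100, 100].
def watch_process(s: Session) -> float:
    # +100% when the target was killed by a signal, 0% when it simply exited.
    return 100.0 if s.signal_name is not None else 0.0


CRASH_PATTERN = re.compile(r"segmentation fault", re.IGNORECASE)


def file_watch(s: Session) -> float:
    # +100% when the crash text pattern shows up in the captured stdout.
    return 100.0 if CRASH_PATTERN.search(s.stdout) else 0.0


def time_watch(s: Session, too_fast: float = 0.05) -> float:
    # -100% if the run finished so fast that the input was most likely rejected
    # before any interesting code path ran (threshold is an assumed value).
    return -100.0 if s.duration < too_fast else 0.0


def session_score(s: Session) -> float:
    # Assumed combination rule: a positive verdict (crash evidence) wins over a
    # negative one; otherwise the most negative verdict stands. The result is
    # clamped to the -100% .. +100% range the announcement describes.
    scores = [watch_process(s), file_watch(s), time_watch(s)]
    best = max(scores) if max(scores) > 0 else min(scores)
    return max(-100.0, min(100.0, best))


def demo() -> dict:
    # Constructed sessions: a SIGSEGV kill, an instant rejection, a crash message
    # printed by the target itself, and an uneventful run.
    return {
        "killed": session_score(Session(None, "SIGSEGV", "", 0.378)),
        "rejected": session_score(Session(1, None, "Error: PDF file is damaged", 0.01)),
        "message": session_score(Session(0, None, "Segmentation fault\n", 0.4)),
        "clean": session_score(Session(0, None, "ok\n", 0.3)),
    }
```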

For fuzzing safety, Fusil limits process memory and process priority, copies 
only a few environment variables, creates a temporary directory used as the 
working directory, etc.


Victor Stinner aka haypo
http://hachoir.org/
