Just for fun though, there's a footgun hidden in the example code, too. As the recv buffer has a hardcoded length limit of 1024 bytes, directly casting the input buffer into a struct that contains a user-controlled length field is not really a good idea. If somehow the codebase got updated in a certain way and the memcpy destination was a heap allocation, it may lead to information leak. E.g. ask the server to echo a 65535-byte data chunk from a 1024-byte input.
Well, the quicker way to ensure no crash here is just sanitize the input data. Then probably add a unit test for some edge cases. However - with much more complex example maybe using a fuzzer would be simpler, IDK. But THIS is probably the simplest explanation on how to use a fuzzer to begin with.
I love this type of videos where you show a useful tool and an example using this tool, and what's even cooler is the fact that using it you were able to detect a bug that wasn't intentional
I'm on the HDL/Hardware side where something like this is called Constrained Random Verification. Of course we do checks on boundary conditions in directed specific tests, but these devices have 30+ interfaces, so complex interactions can occur. Boundaries cover the 3 cases of too low, too high, or just right data inputs. But what if, say, if condition A AND Condition B And Condition C occur within x milliseconds to error out? A, B, and C are all within bounds, but this specific combination is deadly. For example, if on a server client 1 is somehow allowed to delete files in use by client 2 via an unsafe delete(file f) function, unless you know exactly how this exploit works you won't make a test for it. Two fake clients banging on a virtual keyboard, however, might find the right inputs over time to crash.
@@adissentingopinion848 I'm sold. I commented too early and using the Int vs unit is what did it, something that could be missed with the range. I have not used a tool like this so is it full path coverage or random? I wonder if the expense for full path doesn't become too high in terms of time....
@@millax-ev6yzIt's probably not going to get full code coverage UNLESS you explicitly get into a specific state for operation first. That "harness" mentioned for interfacing with the code can be very large and very customized. Simulations for hardware are terribly slow, but purely software testing ought to be rather fast up to a point. In hardware at least, you can set assertions that cover functional requirements such as message format. That way you don't have to error out, just capture the incorrect functionality from the harness itself.
Use -fsanitize=fuzzer,address and you should be able to find another bug in the parse code. If the input is less than the size of the struct you would read outside the memory. Does not always cause crash without address sanitizer. However not a bug in the program due to the receiving buffer size.
Ah, there's a name for it. I do this regularly the manual way in my own projects, though granted those are all smaller projects where my scope of potential issues is "is there some way a user can force invalid data down this thing's throat". Useful to know if I ever manage to get a real job, lol(being a dev without a college degree is the dark souls of job hunting, I swear)
That's why I used to use unsigned everywhere by default, until negative values are explicitly required by design. And yes, using e.g. -1 magic value to represent things like a non-existent index is a bad design. Don't do it.
@@joaquinnapan3237 Rust → Option C++ → std::optional C# → Nullable ... For languages with no option-like concept out of the box, you certainly can come up with something. E.g. in C you can utilize out parameter for the actual value and return the error code, or vice versa. Or return something like struct optional_uint32 { bool has_value; uint32_t value; }
It checks if len>64, to prevent writing more than the allocated buffer. But negative numbers are also smaller than 64, so they also pass the check. The program then crashes in the memcp again, because it tries to copy a negative number of bytes.
For an signed number we're using the two's complement to represent negative and positive numbers. Here the MSB decides whether the number is interpreted as an positive or negative number, where 0 = positive and 1 = negative. Looking at 7:45 for example, a hex value of 0xFF is represented in binary with 0b1111_1111. When assigned to a signed variable, this is actually a -1 in decimal. Since we use this variable "len" to access entries in an array, this will result in an error as it doesn't have negative entries to point at.
at first we code safely by yelling in time elaborate rituals involving chanting, holy oils and incense is necessary to please the machine spirit and banish demonic bugs
Well, because I am so good at messing up function calls by using function pointers and structs/unions, I need no help. The code would yell either way nevertheless.
Also, I am obsessed with keeping the memory usage low, so it's likely that I am gonna use a goofy assembly or stuff for my personal performance-intensive stuff. Especially on microcontrollers, but those don't count.
2:38 in, I expect your issue is that you didn't check the length argument in your payload. This should pop up with many static analyzers. But I get it, it's just an example. Fuzzing is more for discovering weird edge cases and undefined behaviors as I understand it. Or I'm totally wrong and length was not the issue :D
id love a video of you describing your linux setup. i use wsl and customize very few things but would love more insight into your setup for vim and tmux/whatever multi shell youre using
It reminds me some OOM error bug that got in project that was caused by using msgpack library (Java). The msgpack library deserializes byte stream into some objects - it was deserializing a base64 string to object. Apparently the library supports read a big array of bytes. Msgpack reads the message in sequence - does not know what data comes next - when the byte with flag for huge byte arrays comes in it pre-allocates array of 2^32-1 byte-elements. Found it because we had a malformed string that was not object we wanted to deserialize but rather random string. Later to confirm to architects that any idiot with msgpack documentation, paper and pencil can do it - prepared a base64 string on paper that mimic the good object to deserialize and then put the bytes of memory doom. They wanted to do some happy checking of first few bytes - after short demonstration - they changed their minds. With some java like fuzzer I would do that automatically (and probably the error could be found earlier), but fun of playing with bytes was awesome.
Those if statements are not very readable, but that is the prefered way, implementations details rather than intensions or requirements, if that is what people do then there is no alternative. Para pensar, señores.
While this tool is awesome as is, is there any way to get it into an IDE? I think productivity would go up a lot of you can just select a function and some extension can do all the work for you returning only the result. Maybe I'm overlooking something that'd make you not want to use an extension like that but I think it'd be cool
I presume this fuzzer actually looks at the soruce code of the program, to predict how to best gain different outputs? It is not just random text generator?
It doesn't exactly look at the source code. Instead, it memorizes which random inputs caused which if-branches to be taken, and randomly mutates those inputs to "cover" as many routes through the program as possible. They call it "coverage-guided fuzzing".
At 2:33 i see the bug. He copies data based on the user inputed length on a buffer that ia limited to 64 bytes. I will watch more to see if this is what the fuzzer finds
I'm partial to American Fuzzy Lop, which compiles C++ code so that it knows which branches were taken. Can Rust code be fuzzed the same way, and is there a way to fuzz Haskell code that does something similar?
Hi, sorry of the OT but I have a Rust/C question nobody was able to point me in the right direction. With redhook (unmaintained lib) I used LD_PRELOAD to override getenv which worked fine in NodeJs but Rust did not care about it at all. Do you know what is different or what should I read to understand how this all work? Thank you so much
This guy: "Make your code safer by yelling at it. That's right, LITERALLY yelling at your code, in a very literal sense, can make your code, literally, safer. Legit stretch those vocal chords, open your mouth all the way, and just let out the biggest scream at the very top of your lungs, at your code, to make it safer!" This guy 20 seconds later: "So this process involves feeding random data into your program and..."
This seems great. I expect those eagle eyed developers saw the h- >len value, and thought to themselves about how user input is always evil :p but hey, the unsigned one did surprise me too! Luckily i like writing u32 u64 et al.
Signed numbers include negative numbers which the program had no way to handle so they caused a crash. By making it unsigned, it forces all values to be positive integer values 0-255 which the program could easily check.
C++ and C languages have very interesting thing: "Undefined behavior". This doesn't mean that behavior would be randomly chosen from "a set of possible behaviors". This means that behavior would be completely undefined. It can run into segfault or start erasing data on your PC. Anything is possible. Nothing is guaranteed. And for this case: In "a+b" expression, computation of a and b is not sequenced. They can happen in any order. Side effects of unsequenced operations cause Undefined behavior. Once it happened - nothing is guaranteed.
Although slightly off-topic, I was wondering if you could make a video explaining how cheat codes function in games like GTA San Andreas or Vice City. How they interact with the memory and what processes occur behind the scenes. I'd really appreciate a deep dive into this. Thank you!
*Pauses video 29 seconds in* You can't say LITERALLY yelling at your code if you don't mean to actually YELL at it vocally. That's the opposite of what LITERALLY means. :/
at 0:24 you said tha it's about "literally yelling at your code", but i didnt hear any yelling, though. Literally yelling means moving your face muscles to produce loud noise, yet during all your vide you were very calm. Why did you lie about this technique?
I already yell around 5-10 times a day at my computer
Just for fun though, there's a footgun hidden in the example code, too. As the recv buffer has a hardcoded length limit of 1024 bytes, directly casting the input buffer into a struct that contains a user-controlled length field is not really a good idea. If somehow the codebase got updated in a certain way and the memcpy destination was a heap allocation, it may lead to information leak. E.g. ask the server to echo a 65535-byte data chunk from a 1024-byte input.
Seems like nearly every video I'm warning about magic numbers. He really needs to tighten up his examples.
Well, the quicker way to ensure no crash here is just sanitize the input data. Then probably add a unit test for some edge cases. However - with much more complex example maybe using a fuzzer would be simpler, IDK. But THIS is probably the simplest explanation on how to use a fuzzer to begin with.
Its always these hardcoded buffers that blow up in your face.
@@anon_y_mousse It's on purpose to get engagement from these comments.
@@MrAsddasdasda You may be right because I leave a comment every time just to say something about it.
"like literally yelling at the code" proceeds not to yell at the code
I love this type of videos where you show a useful tool and an example using this tool, and what's even cooler is the fact that using it you were able to detect a bug that wasn't intentional
Why is fuzzing better than boundary tests?...after watching I withdraw my question.
I'm on the HDL/Hardware side where something like this is called Constrained Random Verification. Of course we do checks on boundary conditions in directed specific tests, but these devices have 30+ interfaces, so complex interactions can occur. Boundaries cover the 3 cases of too low, too high, or just right data inputs. But what if, say, if condition A AND Condition B And Condition C occur within x milliseconds to error out? A, B, and C are all within bounds, but this specific combination is deadly.
For example, if on a server client 1 is somehow allowed to delete files in use by client 2 via an unsafe delete(file f) function, unless you know exactly how this exploit works you won't make a test for it. Two fake clients banging on a virtual keyboard, however, might find the right inputs over time to crash.
@@adissentingopinion848 I'm sold. I commented too early and using the Int vs unit is what did it, something that could be missed with the range. I have not used a tool like this so is it full path coverage or random? I wonder if the expense for full path doesn't become too high in terms of time....
@@millax-ev6yzIt's probably not going to get full code coverage UNLESS you explicitly get into a specific state for operation first. That "harness" mentioned for interfacing with the code can be very large and very customized. Simulations for hardware are terribly slow, but purely software testing ought to be rather fast up to a point.
In hardware at least, you can set assertions that cover functional requirements such as message format. That way you don't have to error out, just capture the incorrect functionality from the harness itself.
Use -fsanitize=fuzzer,address and you should be able to find another bug in the parse code. If the input is less than the size of the struct you would read outside the memory. Does not always cause crash without address sanitizer. However not a bug in the program due to the receiving buffer size.
Satisfied customer here, been doing this for the last 10 years
10/10 - my code has feared me ever since
It would be really funny if he said "there's no more bugs in this code" and libfuzzer just crashed.
I already do this every day
Ah, there's a name for it. I do this regularly the manual way in my own projects, though granted those are all smaller projects where my scope of potential issues is "is there some way a user can force invalid data down this thing's throat". Useful to know if I ever manage to get a real job, lol(being a dev without a college degree is the dark souls of job hunting, I swear)
That's why I used to use unsigned everywhere by default, until negative values are explicitly required by design.
And yes, using e.g. -1 magic value to represent things like a non-existent index is a bad design. Don't do it.
what could I do instead for non-existent index??
@@joaquinnapan3237 In rust you would do Option don't know about other languages.
Error-as-types. Like Rust
@@joaquinnapan3237
Rust → Option
C++ → std::optional
C# → Nullable
...
For languages with no option-like concept out of the box, you certainly can come up with something.
E.g. in C you can utilize out parameter for the actual value and return the error code, or vice versa.
Or return something like
struct optional_uint32 { bool has_value; uint32_t value; }
@@gigachad8810in C?
Amazing brother, you have the gift of communicate complex concepts into simple terms. Thanks! Glad to find your channel! ;)
I didn't quite catch why 7:45 is an issue. Would anyone mind please clarifying?
overflow probably, would be my first guess.
It checks if len>64, to prevent writing more than the allocated buffer. But negative numbers are also smaller than 64, so they also pass the check.
The program then crashes in the memcp again, because it tries to copy a negative number of bytes.
@@turun_ambartanen thanks so much!
For an signed number we're using the two's complement to represent negative and positive numbers. Here the MSB decides whether the number is interpreted as an positive or negative number, where 0 = positive and 1 = negative. Looking at 7:45 for example, a hex value of 0xFF is represented in binary with 0b1111_1111. When assigned to a signed variable, this is actually a -1 in decimal. Since we use this variable "len" to access entries in an array, this will result in an error as it doesn't have negative entries to point at.
@@loisI120 thanks so much for the thorough explanation 😁
why did i think we might actually be yelling at code?
the most reasonable action in the world of C programming
I yell at my code, but it doesn't usually fix any bugs lol
Because you're a fan of slamming desks.
Instructions unclear
I’ve been yelling at code this whole time
“Port 1337” that took me a second. Very funny
Segmentation fault (Core dumped)
at first we code safely by yelling
in time elaborate rituals involving chanting, holy oils and incense is necessary to please the machine spirit and banish demonic bugs
Well, because I am so good at messing up function calls by using function pointers and structs/unions, I need no help. The code would yell either way nevertheless.
Also, I am obsessed with keeping the memory usage low, so it's likely that I am gonna use a goofy assembly or stuff for my personal performance-intensive stuff. Especially on microcontrollers, but those don't count.
I was hoping for Torvalds kind of screaming at someone else code, but I guess this is fine.
0:05 should have been the end lmao
This is so cool, does something like this also exist in the Java world?
Jazzer does exactly that and is based on this.
oh it's basically baptising your code with fire
2:38 in, I expect your issue is that you didn't check the length argument in your payload. This should pop up with many static analyzers. But I get it, it's just an example. Fuzzing is more for discovering weird edge cases and undefined behaviors as I understand it. Or I'm totally wrong and length was not the issue :D
I yell at code all day.
Also related but not the same: Property-based testing, those who haven't tried it will be amazed at it's usefulness.
id love a video of you describing your linux setup. i use wsl and customize very few things but would love more insight into your setup for vim and tmux/whatever multi shell youre using
This is how that belt makes your child stronger
Interesting, I have no idea this type of testing exists. Thanks man
It reminds me some OOM error bug that got in project that was caused by using msgpack library (Java). The msgpack library deserializes byte stream into some objects - it was deserializing a base64 string to object. Apparently the library supports read a big array of bytes. Msgpack reads the message in sequence - does not know what data comes next - when the byte with flag for huge byte arrays comes in it pre-allocates array of 2^32-1 byte-elements. Found it because we had a malformed string that was not object we wanted to deserialize but rather random string.
Later to confirm to architects that any idiot with msgpack documentation, paper and pencil can do it - prepared a base64 string on paper that mimic the good object to deserialize and then put the bytes of memory doom. They wanted to do some happy checking of first few bytes - after short demonstration - they changed their minds. With some java like fuzzer I would do that automatically (and probably the error could be found earlier), but fun of playing with bytes was awesome.
As always chef's kiss!
1:09 I already can guess r will be less than REQ_SIZE because recv doesn't have WAIT_ALL flag.
Even with WAIT_ALL maliciously crafted input could cause errors or DoS
Those if statements are not very readable, but that is the prefered way, implementations details rather than intensions or requirements, if that is what people do then there is no alternative.
Para pensar, señores.
Flag '-g' makes stack traces of gdb or any sanitizer look pretty. Use it.
This was awesome.
Fuzz all the things.
I really like the terminal environment you're using, how can I get my setup to look like that?
Vim, prolly
Neovim *
i3wm
While this tool is awesome as is, is there any way to get it into an IDE? I think productivity would go up a lot of you can just select a function and some extension can do all the work for you returning only the result. Maybe I'm overlooking something that'd make you not want to use an extension like that but I think it'd be cool
I feel like everyone should pen test their code with many other techniques also
6:41 shell users everywhere are screaming at you there's no need to use cat, just use the
I presume this fuzzer actually looks at the soruce code of the program, to predict how to best gain different outputs? It is not just random text generator?
It doesn't exactly look at the source code. Instead, it memorizes which random inputs caused which if-branches to be taken, and randomly mutates those inputs to "cover" as many routes through the program as possible. They call it "coverage-guided fuzzing".
@@СергейМакеев-ж2н thanks for the explanation, it's pretty cool
My favorite part of testing is "cat /dev/urandom | ./a.out" But that's specifically for testing proper error handling.
I thought you were doing like me and really cursing while programming, well that will prevent me from cursing
I could see the bug even before the first test iteration...
At 2:33 i see the bug. He copies data based on the user inputed length on a buffer that ia limited to 64 bytes. I will watch more to see if this is what the fuzzer finds
Does it statically analyze the wrapped function to deduce how to do the fuzzing? I’m struck by how it got the magic word immediately.
Even faster with a switch statement? You are already using a switch statement!
how do i remove the path stuff inside my exe.. i see it exposes my directory in the exe.
I'm partial to American Fuzzy Lop, which compiles C++ code so that it knows which branches were taken. Can Rust code be fuzzed the same way, and is there a way to fuzz Haskell code that does something similar?
This is cool af
can you share the code with the bug ? thanks
Fuzzing is how Zenbleed was found!
2:30 not validated user input
How does this compare to concolic testing?
Hi, sorry of the OT but I have a Rust/C question nobody was able to point me in the right direction.
With redhook (unmaintained lib) I used LD_PRELOAD to override getenv which worked fine in NodeJs but Rust did not care about it at all. Do you know what is different or what should I read to understand how this all work? Thank you so much
This guy: "Make your code safer by yelling at it. That's right, LITERALLY yelling at your code, in a very literal sense, can make your code, literally, safer. Legit stretch those vocal chords, open your mouth all the way, and just let out the biggest scream at the very top of your lungs, at your code, to make it safer!"
This guy 20 seconds later: "So this process involves feeding random data into your program and..."
clickbate my beloved
What’s that you say? I’m not retarded I’m just left handed. This video just made me literally cry 😭
pretty cool.
This seems great. I expect those eagle eyed developers saw the h- >len value, and thought to themselves about how user input is always evil :p but hey, the unsigned one did surprise me too! Luckily i like writing u32 u64 et al.
Hi ! I don’t understand the unsigned problem. Could someone explain?
Signed numbers include negative numbers which the program had no way to handle so they caused a crash. By making it unsigned, it forces all values to be positive integer values 0-255 which the program could easily check.
Limit the stack size to zero.😂
simple good video
i = 4;
cout
C++ and C languages have very interesting thing: "Undefined behavior".
This doesn't mean that behavior would be randomly chosen from "a set of possible behaviors".
This means that behavior would be completely undefined. It can run into segfault or start erasing data on your PC. Anything is possible. Nothing is guaranteed.
And for this case:
In "a+b" expression, computation of a and b is not sequenced. They can happen in any order.
Side effects of unsequenced operations cause Undefined behavior.
Once it happened - nothing is guaranteed.
@@sudo-gera thanks
go fuzz 🎉
Although slightly off-topic, I was wondering if you could make a video explaining how cheat codes function in games like GTA San Andreas or Vice City. How they interact with the memory and what processes occur behind the scenes. I'd really appreciate a deep dive into this. Thank you!
They're just series of inputs that the game checks for and does something in response. Its not really complicated.
Yeah, you're probably thinking of Game Genie. Which I would like to see a video about how it works!
Wow, sharp transitions should be smoothed out, otherwise this is an ultra-useful video
You weren't yelling at the code wth
*Pauses video 29 seconds in*
You can't say LITERALLY yelling at your code if you don't mean to actually YELL at it vocally. That's the opposite of what LITERALLY means. :/
Rust is good, but confusing for me
I love Rust
I'll use Zig
at 0:24 you said tha it's about "literally yelling at your code", but i didnt hear any yelling, though. Literally yelling means moving your face muscles to produce loud noise, yet during all your vide you were very calm. Why did you lie about this technique?
You need a pump gun to fix your code.😂
Rust is silly.
a
goat
First..!!!!😁🤩😍💯💥✨💫🔥👍🏻👏🏻✊🏻🤜🏻🤛🏻🙌🏻🫶🏻🙏🏻👌🏻
23h ago
0:24 two incorrect uses of "literally" in less than half a minute. Congrats
This is too powerful... people should just stick to Python
third
first