Skip to content

htrgouvea/fuzzpm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

125 Commits

.github

.github

 
 

cases

cases

 
 

seeds

seeds

 
 

targets

targets

 
 

tools

tools

 
 

.editorconfig

.editorconfig

 
 

.gitignore

.gitignore

 
 

.perlcriticrc

.perlcriticrc

 
 

Dockerfile

Dockerfile

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

SECURITY.md

SECURITY.md

 
 

cpanfile

cpanfile

 
 

fuzzpm.pl

fuzzpm.pl

 
 

Repository files navigation

FuzzPM

Differential Fuzzing for Perl Modules

Summary

This project aims to demonstrate how we can use the differential fuzzing technique to conduct security analysis in an automated and large-scale way to find security issues in modern components used by applications developed in Perl. Full publication is avaible on: https://heitorgouvea.me/2021/12/08/Differential-Fuzzing-Perl-Libs.

Download and install

# Download
$ git clone https://github.com/htrgouvea/fuzzpm && cd fuzzpm

# Install libs and dependencies
$ cpanm --installdeps .

How it works

Differential fuzzing is an approach where we have our seeds being sent to two or more inputs, where they are consumed and should produce the same output. At the end of the test these outputs are compared, in case of divergence the fuzzer will signal a possible failure [[1]].(https://en.wikipedia.org/wiki/Differential_testing)

So basically we have 3 components:

  • Our targets;
  • Input seeds;
  • Test cases;

Here is a introduction about how you can create your own targets, seeds and test cases.

To create your entire fuzzing case, you first need to create your target library as a package, for example:

package Mojo_URI {
    use strict;
    use warnings;
    use Try::Tiny;
    use Mojo::URL;

    sub new {
        my ($self, $payload) = @_;

        try {
            my $url = Mojo::URL -> new($payload);
            
            return $url -> host;
        }

        catch {
            return undef;
        }
    }
}

Store at: ./targets/your-taget-name.pm.

So, you need store your seeds as a file at: ./seeds/your-seeds.txt. And the last part is your case as a YAML file, follow this structure:

test:
    seeds:
        - path/to/seeds-file.txt
    libs:
        - First_Target
        - Second_Target
        - Third_Target

For example, for our first case, the following YAML file was constructed and is supplied to the fuzzer via the parameter “--case”:

test:
    seeds:
        - seeds/urls-radamsa.txt
    libs:
        - Mojo_URI
        - Tiny_HTTP
        - Mojo_UA
        - Mechanize
        - Lib_Furl
        - Simple_URI

Fuzzing

$ perl fuzzer.pl --case cases/json-decode.yml
$ perl fuzzer.pl --case cases/parsing-url.yml

Docker container

$ docker build -t fuzzpm .
$ docker run -ti --rm fuzzpm --help

Contribution

Your contributions and suggestions are heartily ♥ welcome. See here the contribution guidelines. Please, report bugs via issues page and for security issues, see here the security policy. (✿ ◕‿◕)

License

This work is licensed under MIT License.

About

Differential Fuzzer to hunt for logic bugs on Perl Modules

heitorgouvea.me/2021/12/08/Differential-Fuzzing-Perl-Libs

Topics

fuzzing differential differential-fuzzing

Resources

Readme

License

View license

Security policy

Security policy
Activity

Stars

23 stars

Watchers

2 watching

Forks

5 forks
Report repository

Sponsor this project

 
Learn more about GitHub Sponsors

Contributors 2

  •  
  •  

Languages