Let's add fuzz testing! #1849
Comments
So the TimeoutMixin keeps hanging around because calling loseConnection() does not remove the timeout, and the callLater() keeps hanging around. Removing the TimeoutMixin removes the issue, so it's definitely got to do with this. I'm building a PR to remediate this: #1851. After applying this, the TimeoutMixin disappears, but other objects remain, so there's more going on.
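To make the mechanism in the comment above concrete, here is an added example in stdlib Python; it is not code from this issue, from Cowrie or from Twisted. `Clock`, `TimeoutMixin` and `StringTransportWithDisconnection` are small stand-ins that are assumed to be shaped like the Twisted classes of the same name (twisted.internet.task.Clock, twisted.protocols.policies.TimeoutMixin, twisted.test.proto_helpers.StringTransportWithDisconnection), and `LeakyProtocol` / `FixedProtocol` are hypothetical protocols, not Cowrie's. It shows that loseConnection() leaves the mixin's delayed call queued on the reactor, that the queued call keeps the protocol object alive across harness iterations, and that disarming the timeout in connectionLost() is one way to make teardown clean (whether that is what #1851 does is not stated in this thread).

```python
"""Stand-ins modelled on Twisted's task.Clock, policies.TimeoutMixin and
proto_helpers.StringTransportWithDisconnection (an assumption about their
shape, not copies) to show why loseConnection() alone leaves a DelayedCall,
and with it the protocol, sitting on the reactor."""
import gc
import weakref


class DelayedCall:
    def __init__(self, clock, func):
        self.clock, self.func, self.cancelled = clock, func, False

    def cancel(self):
        self.cancelled = True
        self.clock.calls.remove(self)


class Clock:
    """Reactor stand-in: only the queue of pending delayed calls."""
    def __init__(self):
        self.calls = []

    def callLater(self, delay, func):
        call = DelayedCall(self, func)
        self.calls.append(call)
        return call

    def getDelayedCalls(self):
        return list(self.calls)


class TimeoutMixin:
    """Twisted's contract: the mixin arms the timer; the protocol must call
    setTimeout(None) itself when the connection goes away."""
    timeOut = None
    _timeout_call = None

    def setTimeout(self, period):
        if self._timeout_call is not None and not self._timeout_call.cancelled:
            self._timeout_call.cancel()
        self._timeout_call, self.timeOut = None, period
        if period is not None:
            # bound method: the reactor queue now holds a strong ref to self
            self._timeout_call = self.callLater(period, self._timed_out)

    def resetTimeout(self):
        if self.timeOut is not None:
            self.setTimeout(self.timeOut)

    def _timed_out(self):
        self._timeout_call = None
        self.transport.loseConnection()


class StringTransportWithDisconnection:
    """loseConnection() really delivers connectionLost(); a plain StringTransport would not."""
    def __init__(self):
        self.protocol, self.connected = None, True

    def loseConnection(self):
        if self.connected:
            self.connected = False
            self.protocol.connectionLost("connection done")


class LeakyProtocol(TimeoutMixin):
    """Hypothetical protocol, not Cowrie's: arms an idle timeout, never disarms it."""
    idle_seconds = 30

    def __init__(self, clock):
        self.callLater = clock.callLater  # how a Twisted test wires in task.Clock
        self.transport = None

    def makeConnection(self, transport):
        self.transport, transport.protocol = transport, self
        self.setTimeout(self.idle_seconds)

    def dataReceived(self, data):
        self.resetTimeout()  # a real protocol would parse `data` here as well

    def connectionLost(self, reason):
        pass  # the timer is still armed


class FixedProtocol(LeakyProtocol):
    def connectionLost(self, reason):
        self.setTimeout(None)  # disarm: drops the reactor's reference to us


def fuzz_one(proto_cls, clock, data):
    """One harness iteration; returns a weakref to ask whether the protocol was freed."""
    transport, proto = StringTransportWithDisconnection(), proto_cls(clock)
    proto.makeConnection(transport)
    proto.dataReceived(data)
    transport.loseConnection()
    ref = weakref.ref(proto)
    del proto, transport
    gc.collect()  # breaks the proto<->transport cycle, not the clock's reference
    return ref


def pending_after(proto_cls, iterations=100):
    """DelayedCalls still queued after `iterations` inputs: the per-iteration growth."""
    clock = Clock()
    for i in range(iterations):
        fuzz_one(proto_cls, clock, b"input %d\r\n" % i)
    return len(clock.getDelayedCalls())
```

`pending_after(LeakyProtocol)` leaves one queued call per iteration, which is why tracemalloc points at Twisted: the objects are Twisted's, but the reference that keeps them alive was scheduled by the harness's own protocol. In a real harness the equivalent check is to drive the protocol with twisted.internet.task.Clock and assert that `clock.getDelayedCalls()` is empty after teardown.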
I think you are running into this issue: https://stackoverflow.com/questions/65321138/twisted-unittest-reactor-unclean-when-using-timeoutmixin
The quick way to do your fuzzing (but not the greatest) is to remove the TimeoutMixin. This'll give you the same results; I don't expect the fuzzer to interact with the timeout code. You won't have issues then.
@micheloosterhof, thank you for your replies :)
So I've tried to use StringTransportWithDisconnection instead of a simple StringTransport. What also worries me is the number of code paths atheris could discover: just 41 for an hour of testing. I find that way too few for the SSH protocol and the command lines of the different emulated programs.
Any results of your fuzzing, or shall I close this issue?
@micheloosterhof, fuzzing should be added to the project's code base and run regularly, otherwise it doesn't make much sense in the long run. So no "results" yet.
So if you're interested in making the application more secure, it would be great if you could help with the fuzzing implementation instead of closing the issue :) I'm sure you as the developer would do it much better than me.
Hello!
I use cowrie and would like to ensure and improve its security.
Not being familiar with Twisted, I tried implementing fuzz testing using the atheris fuzzer, but failed miserably :(
Here's my attempt: https://gist.github.com/fuzzah/9a91fd0b4725779fbcaae13edbb22596
This code leaks memory, so fuzzing stops after a few minutes, having taken 2 GB of RAM. I tried to use the tracemalloc and gc modules to no avail. The memory allocations happen somewhere in Twisted.
I suppose the main problem is that I create objects manually and am not creating something responsible for object deletion.
Describe the solution you'd like
Please help me implement fuzzing for cowrie :)
I suppose we'd need to test both the protocol and all available commands. In the gist above both things should be tested in theory, but a more direct approach for commands would be better.
Describe alternatives you've considered
I tried fuzzing cowrie with radamsa. It works, but the results are just not fruitful at all, as radamsa isn't coverage-based (it doesn't understand which code paths are taken in the tested app). This means it fails somewhere in the early stages of the server-client interaction.
Additional context
Yes, I realize cowrie is honeypot software "intended" to be hacked, but I don't want it to crash with unhandled exceptions. Also, there are class pollution attacks in Python allowing RCE. Of course hackers are contained somewhere in Docker, but we should still limit their actions, as Docker has also had container escape vulnerabilities in the past.
You get my point: we should still protect the software, so let's add some fuzzing!
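The radamsa-versus-atheris point in the issue body can be seen with the standard library alone. The following is an added example, not code from this issue, from Cowrie, atheris or radamsa: `target` is a constructed stand-in for a handler that parses a banner and then a command, `run_with_coverage` takes line coverage from sys.settrace in place of the instrumentation atheris compiles in, and `fuzz` runs the same mutator once with coverage feedback and once blind. The seed, the budget, the mutation set and the 0.9 bias toward the newest corpus entry are arbitrary choices made for the demonstration.

```python
"""Coverage-guided versus blind mutation fuzzing with only the stdlib:
`target` is a constructed stand-in for a protocol handler, and sys.settrace
supplies the line coverage that atheris gets from instrumentation."""
import random
import sys


def target(data: bytes) -> int:
    """One check per line, so each stage passed is one new line for the tracer.
    The final raise plays the unhandled exception the fuzzer is looking for."""
    if len(data) < 1 or data[0] != ord("S"): return 0
    if len(data) < 2 or data[1] != ord("S"): return 1
    if len(data) < 3 or data[2] != ord("H"): return 2
    if len(data) < 4 or data[3] != ord("-"): return 3
    if len(data) < 5 or data[4] != ord("\n"): return 4  # end of banner
    if len(data) < 6 or data[5] != ord("l"): return 5
    if len(data) < 7 or data[6] != ord("s"): return 6
    raise RuntimeError("unhandled exception on the 'ls' path")


def run_with_coverage(func, data):
    """Call func(data) under a line tracer; return (crashed, set of lines hit)."""
    lines, code = set(), func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # ignore every frame except the target's own
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        return False, lines
    except RuntimeError:
        return True, lines
    finally:
        sys.settrace(None)


def mutate(rng, data):
    """One format-agnostic edit: overwrite, delete, insert or append a random byte."""
    op = rng.randrange(4)
    if op == 0 and data:                      # overwrite one byte
        i = rng.randrange(len(data))
        return data[:i] + bytes([rng.randrange(256)]) + data[i + 1:]
    if op == 1 and len(data) > 1:             # delete one byte
        i = rng.randrange(len(data))
        return data[:i] + data[i + 1:]
    i = rng.randrange(len(data) + 1) if op == 2 else len(data)  # insert / append
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def fuzz(seed, budget, guided, rng_seed=1):
    """Return (crashing input or None, iterations used).

    guided=True keeps each child that executes a line never seen before and
    mostly mutates the newest kept child (the libFuzzer/atheris idea);
    guided=False stacks a few random mutations onto the seed every time and
    learns nothing from the run (what a plain mutator such as radamsa does)."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    seen = run_with_coverage(target, seed)[1]
    for i in range(1, budget + 1):
        if guided:
            parent = corpus[-1] if rng.random() < 0.9 else rng.choice(corpus)
            child = mutate(rng, parent)
        else:
            child = seed
            for _ in range(rng.randint(1, 8)):
                child = mutate(rng, child)
        crashed, lines = run_with_coverage(target, child)
        if crashed:
            return child, i
        if guided and not lines <= seen:
            seen |= lines
            corpus.append(child)
    return None, budget


def compare(budget=100_000):
    """Guided run first, then a blind run with exactly the iterations it used."""
    found, used = fuzz(b"a", budget, guided=True)
    blind, _ = fuzz(b"a", used, guided=False)
    return found, used, blind


if __name__ == "__main__":
    found, used, blind = compare()
    print(f"guided found {found!r} after {used} runs; blind found {blind!r}")
```

With feedback, every stage the input passes executes a line the fuzzer has not seen, so the child is kept and the next byte is found by mutating it; the blind run gets the same number of executions and never reaches the deep path, because it would have to guess all seven bytes in one go. That is the reason a coverage-guided fuzzer's count of new paths, rather than its execution count, is the number to watch.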