Goal of this project is to improve security and resilience of WebAssembly VMs/runtimes/parsers using different fuzzing techniques.
- Clone the project
# Install WARF
$ git clone --depth 1 https://github.com/pventuzelo/wasm_runtimes_fuzzing
$ cd wasm_runtimes_fuzzing/warfBuild warf with docker:
# Build warf docker
$ make docker
# Optional: Create an alias
$ alias warf="docker run -it -v `pwd`/workspace:/warf/workspace warf"
# ==> workspace folder is shared between your host and docker container.NOTE: If you are on running on Ubuntu, installation without docker can be found here.
- Run warf cli:
$ warf help
WARF - WebAssembly Runtimes Fuzzing project
USAGE:
warf <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
benchmark-all Run WebAssembly module on all targets with benchmark
build Build all targets for this specific fuzzer
continuously Run all fuzz targets
debug Debug one target
execute-all Run WebAssembly module on all targets
help Prints this message or the help of the given subcommand(s)
list List all available targets
target Run one target with specific fuzzerNOTE: Details about the different warf subcommands here.
- List available fuzzing targets:
$ warf list
wasmi_validate
wasmi_instantiate
parity_wasm_deserialize
[...]
binaryen_ffi
wabt_wasm2wat_all_feat_ffi
wabt_validate_ffi- Run fuzzing on a target:
$ warf target wasmer_validate
[...]
------------------------[ 0 days 00 hrs 00 mins 02 secs ]----------------------
Iterations : 272,647 [272.65k]
Mode [3/3] : Feedback Driven Mode
Target : hfuzz_target/x86_64-unknown-linux-gnu/release/wasmer_validate
Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
Speed : 171,238/sec [avg: 136,323]
Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
Timeouts : 0 [10 sec]
Corpus Size : 754, max: 8,192 bytes, init: 1,126 files
Cov Update : 0 days 00 hrs 00 mins 01 secs ago
Coverage : edge: 3,194/58,784 [5%] pc: 2 cmp: 41,653
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.0 /-
Size:77 (i,b,hw,ed,ip,cmp): 0/0/0/1/0/0, Tot:0/0/0/3159/2/41623
[...]Tests are documented inside the Makefile:
$ make help
Management commands for warf
Usage:
make build Compile the project locally.
make docker Build a docker image for this project.
make corpora TODO
make fmt Run Rust fmt.
make clean Clean only warf binary.
make clean-all Clean all (warf && compiled fuzz target harnesses).
make test Simple test to check warf and execute_all is working.
make test-bench Simple benchmark using execute_all.
make test-debug Test running a simple wasm to a debugging tool.
make test-{libfuzzer, honggfuzz, afl} Test one fuzzing hardness over choosen fuzzer.
make test-continuously-{libfuzzer, hfuzz, afl} Test all fuzzing hardness over choosen fuzzer.
make test-all Test all fuzzing hardness over all fuzzers.
If you are using docker, try:
make docker-test
make docker-test-allDifferents open-source projects (WebAssembly VMs/runtimes/parsers) will be integrated to WARF along the development:
This tool helped to find the following bugs/vulnerabilities (crashing files are inside trophies folder):
- wasmer/wasmer_clif_fork_wasm: index out of bounds panic
- binaryen: segfault / out-of-bounds read in
WasmBinaryBuilder::readImports- FIXED - wabt: SIGABRT due to std::bad_alloc exception (resizing wasm br_table) - FIXED
- wasmtime: assertion failed in wasmtime_debug::transform::simulate::generate_simulated_dwarf - FIXED
- wasmtime: assertion failed or unimplemented panic when table type is not anyref - FIXED
- wabt: [wasm2wat] Assertion failure in
BinaryReaderIR::OnCallIndirectExpr- FIXED - wabt: [wasm2wat] Assertion failure in
BinaryReaderIR::OnReturnCallIndirectExpr- FIXED - wabt: Incorrect validation of module with malformed alignment by wabt - FIXED
- wabt: [wasm2wat] Incorrect rejection of valid module
- wain: unwrap panic while parsing invalid wasm module - FIXED
- wain: memory allocation failed error during parsing - FIXED
- wasm3: segfault / assertion failed in
GetStackTopIndex- FIXED - wasm3: segfault / null pointer dereference in
GetFunctionNumReturns- FIXED - wasm3: heap buffer overflow in
ParseSection_Export- FIXED - wasm3: SIGILL in
Compile_BlockStatements- FIXED - wain: "index out of bounds" in wain validate - FIXED
- wasmprinter: Resources exhaustion (CPU/MEM) using
wasmprinter::print_bytes()- FIXED - wasm3: heap-use-after-free in
ReadLebUnsigned- FIXED - wasm3: global-buffer-overflow in
Compile_BlockStatements- FIXED - wasm3: out of bound read in
Read_f64- FIXED - wasm3: heap-buffer-overflow in
Compile_BlockStatements(line 2169) - FIXED
- Web 3 Foundation for sponsoring this project.
- Rust Fuzzing Authority for Rust fuzzing tools.
Patrick Ventuzelo - @pat_ventuzelo
- Independent Security Researcher / Trainer.
- FREE online courses: here
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent