Fuzzing & Triage Platform
The Fuzzing & Triage Platform demonstrates the integration of REVEN with fuzzers.
The platform monitors a directory for input files that lead to crashes (crash files), records and replays each of them in REVEN, classifies the crash using the REVEN trace and gives it a unique identifier. This identifier makes it possible to tell whether the directory contains several files leading to the same crash.
Outline of the platform
The way the platform works can be summarized with the following diagram:
The platform can watch any directory for crash files. For each crash file appearing in the watched directory, the executor component of the platform runs the following steps:
- Record a fresh REVEN scenario from the test harness + the input file causing the crash
- Replay the recorded scenario
- Analyze the replayed scenario
- Find the crash point
- Find the origin of the data causing the crash
- Further minimize the number of "unique crashes"
The current status and the final report for each crash file can be monitored live in the visualizer view, a web page locally served by the platform.
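The watch, analyze, identify and bucket loop outlined above, as an added example that is not the platform's own code. The real executor records and replays each input in REVEN and derives the identifier from the trace; since that part cannot run offline, the per-file analysis result here is a constructed lookup, and the identifier scheme (a hash over the module-relative crash point, exception kind and data origin) is an assumption chosen to illustrate why two crash files can map to the same identifier.

```python
# Added example, not the platform's own code: a minimal version of the
# watch-directory -> analyze -> identify -> bucket loop described above.
# The real executor records and replays each input in REVEN and derives the
# identifier from the trace; here the per-file analysis result is a
# constructed lookup so the bucketing logic runs offline.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class CrashAnalysis:
    """What the analysis step reports for one crashing input (assumed shape)."""
    module: str      # module containing the crash point
    offset: int      # crash point as a module-relative offset (stable across ASLR)
    exception: str   # e.g. "ACCESS_VIOLATION_READ"
    origin: str      # where the faulting data came from, e.g. "input+0x40"


def crash_id(a: CrashAnalysis) -> str:
    """Stable identifier for a crash: hash of the normalised crash point and
    data origin (assumed scheme). Absolute addresses are deliberately not used,
    so the same bug hit at a different base address lands in the same bucket."""
    key = f"{a.module.lower()}+{a.offset:#x}|{a.exception}|{a.origin}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class Triage:
    """Watches a directory and groups crash files by identifier."""

    def __init__(self, analyze: Callable[[str], CrashAnalysis]):
        self.analyze = analyze
        self.seen: set = set()                     # files already processed
        self.buckets: Dict[str, List[str]] = {}    # crash id -> input files

    def scan(self, watched_dir: str) -> List[str]:
        """One polling pass; returns the ids of crashes first seen in this pass."""
        new_ids = []
        for name in sorted(os.listdir(watched_dir)):
            path = os.path.join(watched_dir, name)
            if path in self.seen or not os.path.isfile(path):
                continue
            self.seen.add(path)
            cid = crash_id(self.analyze(path))     # stands in for record/replay/analyze
            if cid not in self.buckets:
                new_ids.append(cid)
            self.buckets.setdefault(cid, []).append(path)
        return new_ids

    def duplicates(self) -> Dict[str, List[str]]:
        """Buckets holding more than one input file, i.e. the same crash found repeatedly."""
        return {cid: files for cid, files in self.buckets.items() if len(files) > 1}


# Constructed analysis results keyed by crash file name: two inputs hit the
# same crash point with data from the same origin, one hits a different one.
CONSTRUCTED_RESULTS = {
    "id_000001": CrashAnalysis("target.exe", 0x1A2F, "ACCESS_VIOLATION_READ", "input+0x40"),
    "id_000002": CrashAnalysis("TARGET.EXE", 0x1A2F, "ACCESS_VIOLATION_READ", "input+0x40"),
    "id_000003": CrashAnalysis("target.exe", 0x2C10, "ACCESS_VIOLATION_WRITE", "input+0x08"),
}


def run_demo() -> Dict[str, List[str]]:
    """Create a temporary watched directory with three constructed crash files,
    run one scan, and return the buckets keyed by crash id."""
    with tempfile.TemporaryDirectory() as watched:
        for name in CONSTRUCTED_RESULTS:
            with open(os.path.join(watched, name), "wb") as f:
                f.write(b"\x00" * 64)             # constructed fuzzer input, contents irrelevant here
        triage = Triage(lambda p: CONSTRUCTED_RESULTS[os.path.basename(p)])
        triage.scan(watched)
        return {cid: [os.path.basename(p) for p in files]
                for cid, files in triage.buckets.items()}


if __name__ == "__main__":
    for cid, files in run_demo().items():
        print(cid, files)
```

Running the demo yields two buckets: the first two files share an identifier because the module name is normalised and the crash point is expressed relative to the module, while the third file, which crashes elsewhere with data from a different origin, gets its own identifier. The `scan` method is written to be called repeatedly, so a polling loop over the watched directory only processes files it has not seen before.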
Pre-requisites
- The platform, with the exception of the analyzer, is only available in the Enterprise Edition.
- Fuzzed binaries must be executable under Windows 10 x64.
Installation
You can find the platform in the DOWNLOADS section of the Project Manager (the link to that section is in the footer of any Project Manager page). Extract the downloaded zip anywhere, then follow the instructions below to install the platform depending on your environment.
1. In any environment
The recommended way to use the platform is from our integrated Jupyter Notebook server:
- In the footer of any Project Manager page, click the DOWNLOADS link. On the download page, save the Fuzzing platform - Quick start guide file.
- In the footer of any Project Manager page, click the NOTEBOOKS link to open Jupyter Notebook.
- In the Jupyter interface, create a new directory (e.g., "fuzzing").
- In the newly created directory, click the "upload" button and upload REVEN-2.11.0-fuzzing-platform.ipynb.
- From Jupyter, open the REVEN-2.11.0-fuzzing-platform.ipynb notebook, and follow the instructions in the notebook.
2. In a Python virtual environment on native Debian Buster
Optionally, if using REVEN from the native Debian Buster package, you can install the platform in any Python virtual environment that also contains the reven2 package. You can then start the platform with the python fuzzing_platform.py command from within the virtual environment.
- In the footer of any Project Manager page, click the DOWNLOADS link. On the download page, save the Fuzzing platform - Debian Buster Package file.
- Unzip the downloaded zip.
- Refer to the README.md inside the zip for installation and usage instructions.
Configuration and basic usage
If using the Jupyter notebook, configuration and basic usage of the platform will be covered as part of the notebook.
If using a manual virtual environment, these topics are covered (albeit in a less interactive way) in the README shipped with the platform.
Supported workflows
Currently, only Windows x64 binaries are supported for analysis. This leaves two supported workflows for using the platform:
- Fuzzing under Windows, putting the discovered crashing input files in a directory shared with the platform, and recording/replaying/analyzing the crashes under Windows.
- Fuzzing under Linux, and recording/replaying/analyzing the crashes under Windows. This latter workflow requires that the target can be compiled for both Windows and Linux.
Visualizer
To make it easier to get a global view of the crashes, a web visualizer is also launched at startup; by default it is available in your web browser at http://localhost:5000.
Note that if you are running REVEN in a Docker container or in a VM, you may need to use the external hostname of the container/VM to reach it from your browser, or otherwise expose the port from the container/VM.
Standalone analyzer
To analyze already recorded scenarios, you can use the script analyze_scenario.py located inside the Fuzzing platform - Debian Buster Package zip file available from the DOWNLOADS page of the Project Manager.
See its --help output for more information about its usage.