strozfriedberg/mbedtls-fuzz
About

This project provides code and tools for fuzzing the mbed TLS library with the afl++ fuzzer. An integral part of the project is the code for a self-communicating instance of mbed TLS (the client and server run in a single process).

More information about the project is available on the Gotham Digital Science blog:

Fuzzing the mbed TLS Library

Installation

  1. Grab the latest version of afl++ from the afl++ homepage.
  2. Build it instead of running it in Docker to maximize performance. At the time of writing, the latest version is afl++ v4.34c.
  3. Set environment variables:
     3.1. export AFL_PATH=/usr/local/src/AFLplusplus # adjust to location of built afl++
     3.2. export PATH=$PATH:$AFL_PATH
  4. Run the following command which automatically downloads different versions of mbed TLS, patches them, compiles the code, and sets everything up for fuzzing:
./setup.sh

Fuzzing

Change to the fuzz subdirectory inside the mbed TLS directory that you wish to fuzz and run the ./fuzz.sh script.

Running the script without arguments creates the original client and server network packets to be fuzzed and prints the usage screen with a description of the tool.

To fuzz a specific network packet, execute the script with the packet number (minimum of 1) followed by the fuzzer instance number as command-line arguments:

  • Use 1 to initiate the primary fuzzer instance.
  • Unique numbers greater than 1 will start additional fuzzer instances.

In the following example, we launch a main fuzzer instance to fuzz network packet 3 of the self-communicating mbed TLS 2.28.10 binary:

cd mbedtls-mbedtls-2.28.10/fuzz/
./fuzz.sh 3 1

The fuzz.sh script mounts a tmpfs at /tmp/afl-ramdisk/mbedtls containing the fuzzing input and output files for performance reasons.
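As an added example (not code from the mbedtls-fuzz repository), the following POSIX shell wrapper starts a primary fuzz.sh instance plus additional instances for a single packet number, numbering them 1..N as fuzz.sh expects. It assumes fuzz.sh is in the current directory (override with FUZZ_SH) and that each instance can run as a background job; the wrapper and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the mbedtls-fuzz repository: start a primary
# fuzz.sh instance (number 1) and COUNT-1 secondary instances (2..COUNT) for
# one packet number, then wait for all of them.
# Assumption: fuzz.sh lives in the current directory (override with FUZZ_SH)
# and takes "<packet number> <instance number>" as described in the README.

FUZZ_SH="${FUZZ_SH:-./fuzz.sh}"

# is_positive_int VALUE -> success if VALUE is a decimal integer >= 1.
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ]
}

# instance_cmds PACKET COUNT -> prints one fuzz.sh command line per instance,
# primary first; fails and prints nothing on stdout for invalid arguments.
instance_cmds() {
  packet="$1"; count="$2"
  is_positive_int "$packet" || { echo "packet number must be >= 1" >&2; return 1; }
  is_positive_int "$count"  || { echo "instance count must be >= 1" >&2; return 1; }
  i=1
  while [ "$i" -le "$count" ]; do
    printf '%s %s %s\n' "$FUZZ_SH" "$packet" "$i"
    i=$((i + 1))
  done
}

# launch_instances PACKET COUNT -> runs every instance as a background job and
# returns non-zero if the arguments are invalid or any instance exits non-zero.
launch_instances() {
  packet="$1"; count="$2"
  instance_cmds "$packet" "$count" > /dev/null || return 1   # argument check
  pids=""
  i=1
  while [ "$i" -le "$count" ]; do
    "$FUZZ_SH" "$packet" "$i" &
    pids="$pids $!"
    i=$((i + 1))
  done
  status=0
  for p in $pids; do
    wait "$p" || status=1
  done
  return "$status"
}

# Usage: sh launch.sh <packet number> <instance count>
if [ "$#" -eq 2 ]; then
  launch_instances "$1" "$2"
fi
```

The README requires each additional instance to carry a unique number; numbering them sequentially from 1 guarantees that, and starting the primary (1) first matches the order the README describes.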

Crash Analysis

If you want to analyze crashes using gdb, generate a file containing the paths of the crash files (each path must contain the packet number) and update the constants in ./crash-analysis.sh accordingly. Then run ./crash-analysis.sh, which lets you debug the crash in gdb.

You can use a command such as the following to create the file containing the paths of the crash files:

find . -name 'id*' -type f | grep crashes | sort > crash_files.txt
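The find pipeline above collects crashes from one output tree. As an added example (not code from the mbedtls-fuzz repository), the following POSIX shell functions do the same across several afl++ instances and add a quick triage summary per packet number and per signal. They assume the packet number appears in the path as a directory component named packetN (the README only says the path must contain the number; the layout fuzz.sh actually produces is not stated here, so this component is a hypothetical choice) and that crash files carry afl++'s default id:...,sig:NN,... names.

```shell
#!/bin/sh
# Added example, not part of the mbedtls-fuzz repository: build the crash-file
# list for crash-analysis.sh from every afl++ instance's crashes/ directory and
# summarise the crashes by packet number and by signal.
# Assumptions: the afl++ output tree is <outroot>/packet<N>/<instance>/crashes/
# (the "packet<N>" component is a hypothetical layout chosen so the path
# contains the packet number, as the README requires) and crash inputs use
# afl++'s default names, id:NNNNNN,sig:SS,src:...,op:...,rep:...

# collect_crashes OUTROOT LISTFILE -> writes the sorted, de-duplicated paths of
# all crash inputs below OUTROOT to LISTFILE and prints how many were found.
collect_crashes() {
  outroot="$1"; listfile="$2"
  [ -d "$outroot" ] || { echo "no such directory: $outroot" >&2; return 1; }
  # Only files named id* directly under a crashes/ directory count: this skips
  # the README.txt afl++ leaves in crashes/ and everything in queue/ or hangs/.
  find "$outroot" -path '*/crashes/id*' -type f | sort -u > "$listfile"
  wc -l < "$listfile" | tr -d ' '
}

# crashes_per_packet LISTFILE -> prints "<packet> <count>" per packet number,
# taken from the packet<N> path component (assumed layout, see above).
crashes_per_packet() {
  sed -n 's#.*/packet\([0-9][0-9]*\)/.*#\1#p' "$1" | sort -n | uniq -c |
    awk '{ print $2, $1 }'
}

# crashes_by_signal LISTFILE -> prints "<signal> <count>" per signal number,
# taken from the sig:SS field of afl++'s crash file names; separating e.g.
# SIGABRT (06, typically an assertion) from SIGSEGV (11) is the first triage step.
crashes_by_signal() {
  sed -n 's#.*/id:[0-9]*,sig:\([0-9][0-9]*\),.*#\1#p' "$1" | sort | uniq -c |
    awk '{ print $2, $1 }'
}

# Usage: sh collect.sh <afl++ output root> <list file>
if [ "$#" -eq 2 ]; then
  n=$(collect_crashes "$1" "$2") || exit 1
  echo "$n crash file(s) listed in $2"
  echo "per packet:"; crashes_per_packet "$2"
  echo "per signal:"; crashes_by_signal "$2"
fi
```

The list file it writes has the same shape as the one produced by the find command above (one crash path per line, sorted), so it can be pointed at by the constants in ./crash-analysis.sh in the same way.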

License

This project is licensed under the GNU General Public License v2.0. See LICENSE for details.

Copyright (C) 2015-2026 Fabian Foerg / Gotham Digital Science
