Goal of this project is to improve security and resilience of WebAssembly VMs/runtimes/parsers using different fuzzing techniques.
- Clone the project
# Install WARF
$ git clone --depth 1 https://github.com/pventuzelo/wasm_runtimes_fuzzing
$ cd wasm_runtimes_fuzzing/warf
Build warf with docker:
# Build warf docker
$ make docker
# Optional: Create an alias
$ alias warf="docker run -it -v `pwd`/workspace:/warf/workspace warf"
# ==> workspace folder is shared between your host and docker container.
NOTE: If you are on running on Ubuntu
, installation without docker can be found here.
- Run warf cli:
$ warf help
WARF - WebAssembly Runtimes Fuzzing project
USAGE:
warf <SUBCOMMAND>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
SUBCOMMANDS:
benchmark-all Run WebAssembly module on all targets with benchmark
build Build all targets for this specific fuzzer
continuously Run all fuzz targets
debug Debug one target
execute-all Run WebAssembly module on all targets
help Prints this message or the help of the given subcommand(s)
list List all available targets
target Run one target with specific fuzzer
NOTE: Details about the different warf subcommands here.
- List available fuzzing targets:
$ warf list
wasmi_validate
wasmi_instantiate
parity_wasm_deserialize
[...]
binaryen_ffi
wabt_wasm2wat_all_feat_ffi
wabt_validate_ffi
- Run fuzzing on a target:
$ warf target wasmer_validate
[...]
------------------------[ 0 days 00 hrs 00 mins 02 secs ]----------------------
Iterations : 272,647 [272.65k]
Mode [3/3] : Feedback Driven Mode
Target : hfuzz_target/x86_64-unknown-linux-gnu/release/wasmer_validate
Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
Speed : 171,238/sec [avg: 136,323]
Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
Timeouts : 0 [10 sec]
Corpus Size : 754, max: 8,192 bytes, init: 1,126 files
Cov Update : 0 days 00 hrs 00 mins 01 secs ago
Coverage : edge: 3,194/58,784 [5%] pc: 2 cmp: 41,653
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.0 /-
Size:77 (i,b,hw,ed,ip,cmp): 0/0/0/1/0/0, Tot:0/0/0/3159/2/41623
[...]
Tests are documented inside the Makefile
:
$ make help
Management commands for warf
Usage:
make build Compile the project locally.
make docker Build a docker image for this project.
make corpora TODO
make fmt Run Rust fmt.
make clean Clean only warf binary.
make clean-all Clean all (warf && compiled fuzz target harnesses).
make test Simple test to check warf and execute_all is working.
make test-bench Simple benchmark using execute_all.
make test-debug Test running a simple wasm to a debugging tool.
make test-{libfuzzer, honggfuzz, afl} Test one fuzzing hardness over choosen fuzzer.
make test-continuously-{libfuzzer, hfuzz, afl} Test all fuzzing hardness over choosen fuzzer.
make test-all Test all fuzzing hardness over all fuzzers.
If you are using docker, try:
make docker-test
make docker-test-all
Differents open-source projects (WebAssembly VMs/runtimes/parsers) will be integrated to WARF along the development:
This tool helped to find the following bugs/vulnerabilities (crashing files are inside trophies
folder):
- wasmer/wasmer_clif_fork_wasm: index out of bounds panic
- binaryen: segfault / out-of-bounds read in
WasmBinaryBuilder::readImports
- FIXED - wabt: SIGABRT due to std::bad_alloc exception (resizing wasm br_table) - FIXED
- wasmtime: assertion failed in wasmtime_debug::transform::simulate::generate_simulated_dwarf - FIXED
- wasmtime: assertion failed or unimplemented panic when table type is not anyref - FIXED
- wabt: [wasm2wat] Assertion failure in
BinaryReaderIR::OnCallIndirectExpr
- FIXED - wabt: [wasm2wat] Assertion failure in
BinaryReaderIR::OnReturnCallIndirectExpr
- FIXED - wabt: Incorrect validation of module with malformed alignment by wabt - FIXED
- wabt: [wasm2wat] Incorrect rejection of valid module
- wain: unwrap panic while parsing invalid wasm module - FIXED
- wain: memory allocation failed error during parsing - FIXED
- wasm3: segfault / assertion failed in
GetStackTopIndex
- FIXED - wasm3: segfault / null pointer dereference in
GetFunctionNumReturns
- FIXED - wasm3: heap buffer overflow in
ParseSection_Export
- FIXED - wasm3: SIGILL in
Compile_BlockStatements
- FIXED - wain: "index out of bounds" in wain validate - FIXED
- wasmprinter: Resources exhaustion (CPU/MEM) using
wasmprinter::print_bytes()
- FIXED - wasm3: heap-use-after-free in
ReadLebUnsigned
- FIXED - wasm3: global-buffer-overflow in
Compile_BlockStatements
- FIXED - wasm3: out of bound read in
Read_f64
- FIXED - wasm3: heap-buffer-overflow in
Compile_BlockStatements
(line 2169) - FIXED
- Web 3 Foundation for sponsoring this project.
- Rust Fuzzing Authority for Rust fuzzing tools.
Patrick Ventuzelo - @pat_ventuzelo
- Independent Security Researcher / Trainer.
- FREE online courses: here