QuickFuzz, a tool written in Haskell designed for testing unexpected inputs of common file formats on third-party software, taking advantage of off-the-shelf, well known fuzzers. Unlike other generational fuzzers, QuickFuzz does not require to write specifications for the file formats in question since it relies on existing file-format-handling libraries available on the Haskell code repository. QuickFuzz is open-source (GPL3) and it can use other bug detection tools like zzuf, radamsa, honggfuzz and valgrind.
- We presented QuickFuzz in C◦mp◦se 2017 - NYC!
- QuickFuzz is now included in Gentoo!
- An academic article on QuickFuzz will be presented at the Haskell Symposium 2016 (preprint)!
lost and found
- Firefox (failed assert in gif loader, CVE-2016-1933, CVE-2015-7194, CVE-2015-7216, CVE-2015-7217)
- VLC (CVE-2016-3941)
- Libxml2 (CVE-2016-3627, CVE-2016-4483)
- Mxml (CVE-2016-4570, CVE-2016-4571)
- Cairo (CVE-2016-3190)
- GraphicsMagick ( CVE-2015-8808, CVE-2016-2317, CVE-2016-2318 )
- LibGD (CVE-2016-6132)
- Librsvg (CVE-2015-7557, CVE-2015-7558, CVE-2016-4348)
- Gdk-Pixbuf (CVE-2015-7552, CVE-2015-4491, CVE-2015-7674, CVE-2015-7673, CVE-2015-8875, undisclosed)
- Mplayer (CVE-2016-4352, lots of crashes and more)
- Jasper (CVE-2015-5203)
- Jq (CVE-2016-4074)
- Jansson (CVE-2016-4425)
- Unzip (CVE-2015-7696, CVE-2015-7697)
- CPIO (reads out-of-bound, CVE-2016-2037)
- GNU Tar (out-of-bound read)
- Optipng (CVE-2015-7802, CVE-2015-7801)
- Libtiff (CVE-2015-7313)
- Busybox (pointer misuse)
- Libarchive (big allocation in tar handling)
Quick introduction to QuickFuzz
In this example, we uncover a null pointer dereference in gif2webp from libwebp 0.5:
$ QuickFuzz gentest gif "./gif2webp @@ -o /dev/null" -l 1 -u 10 -f radamsa ... Test case number 4481 has failed. Moving to outdir/QuickFuzz.68419739009.4481.3692945303624111961.1.gif ...
We found a crash. We can inspect it manually to verify it is a null pointer issue:
$ ./gif2webp outdir/QuickFuzz.68419739009.4481.3692945303624111961.1.gif ==10953== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000403ff9 sp 0x7fffffffd6e0 bp 0x7fffffffded0 T0) AddressSanitizer can not provide additional info. #0 0x403ff8 (examples/gif2webp+0x403ff8) #1 0x7ffff437af44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44) #2 0x401b18 (examples/gif2webp+0x401b18) ==10953== ABORTING
Finally, we can shrink the crashing input to obtain a smaller file. We must re-generate the failing test case using the seed (3692945303624111961) and the size (1):
$ QuickFuzz gentest gif "./gif2webp @@ -o /dev/null" -l 1 -s 3692945303624111961 -f radamsa -r Test case number 1 has failed. Moving to outdir/QuickFuzz.68997856397.1.3692945303624111961.1.gif Shrinking over bytes has begun... Testing shrink of size 48 Testing shrink of size 47 ... Testing shrink of size 15 Shrinking finished Reduced from 48 bytes to 16 bytes After executing 554 shrinks with 33 failing shrinks. Saving to outdir/QuickFuzz.68997856397.1.3692945303624111961.1.gif.reduced Finished!
List of file types to generate
Pre-compiled and compressed (bzip2) binaries supporting all the file formats are available here:
You can join the QuickFuzz mailing group to get notifications of new features and releases. To join, you can send an empty email to QuickFuzzfirstname.lastname@example.org.
The QuickFuzz team
- Pablo Buiras (Harvard University)
- Martín Ceresa (CIFASIS-Conicet)
- Gustavo Grieco (CIFASIS-Conicet and VERIMAG)
- Agustín Mista (Universidad Nacional de Rosario)
- Franco Costantini
- Lucas Salvatore
- Martín Escarrá (Universidad Nacional de Rosario)