WARF - WebAssembly Runtimes Fuzzing project

Goal of this project is to improve security and resilience of WebAssembly VMs/runtimes/parsers using different fuzzing techniques.

Quick Start (using docker)

• Clone the project

# Install WARF
$ git clone --depth 1 https://github.com/pventuzelo/wasm_runtimes_fuzzing
$ cd wasm_runtimes_fuzzing/warf

Build warf with docker:

# Build warf docker
$ make docker
# Optional: Create an alias
$ alias warf="docker run -it -v `pwd`/workspace:/warf/workspace warf"
# ==> workspace folder is shared between your host and docker container.

NOTE: If you are on running on Ubuntu, installation without docker can be found here.

• Run warf cli:

$ warf help

WARF - WebAssembly Runtimes Fuzzing project
USAGE:
    warf <SUBCOMMAND>
FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
SUBCOMMANDS:
    benchmark-all    Run WebAssembly module on all targets with benchmark
    build            Build all targets for this specific fuzzer
    continuously     Run all fuzz targets
    debug            Debug one target
    execute-all      Run WebAssembly module on all targets
    help             Prints this message or the help of the given subcommand(s)
    list             List all available targets
    target           Run one target with specific fuzzer

NOTE: Details about the different warf subcommands here.

• List available fuzzing targets:

$ warf list

wasmi_validate
wasmi_instantiate
parity_wasm_deserialize
[...]
binaryen_ffi
wabt_wasm2wat_all_feat_ffi
wabt_validate_ffi

• Run fuzzing on a target:

$ warf target wasmer_validate

[...]

------------------------[  0 days 00 hrs 00 mins 02 secs ]----------------------
  Iterations : 272,647 [272.65k]
  Mode [3/3] : Feedback Driven Mode
      Target : hfuzz_target/x86_64-unknown-linux-gnu/release/wasmer_validate
     Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
       Speed : 171,238/sec [avg: 136,323]
     Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
    Timeouts : 0 [10 sec]
 Corpus Size : 754, max: 8,192 bytes, init: 1,126 files
  Cov Update : 0 days 00 hrs 00 mins 01 secs ago
    Coverage : edge: 3,194/58,784 [5%] pc: 2 cmp: 41,653
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.0 /-
Size:77 (i,b,hw,ed,ip,cmp): 0/0/0/1/0/0, Tot:0/0/0/3159/2/41623
[...]

Tests

Tests are documented inside the Makefile:

$ make help
Management commands for warf

Usage:
    make build                            Compile the project locally.
    make docker                           Build a docker image for this project.
    make corpora                          TODO

    make fmt                              Run Rust fmt.
    make clean                            Clean only warf binary.
    make clean-all                        Clean all (warf && compiled fuzz target harnesses).

    make test                                         Simple test to check warf and execute_all is working.
    make test-bench                                   Simple benchmark using execute_all.
    make test-debug                                   Test running a simple wasm to a debugging tool.
    make test-{libfuzzer, honggfuzz, afl}             Test one fuzzing hardness over choosen fuzzer.
    make test-continuously-{libfuzzer, hfuzz, afl}    Test all fuzzing hardness over choosen fuzzer.
    make test-all                                     Test all fuzzing hardness over all fuzzers.

If you are using docker, try:

make docker-test
make docker-test-all

Future of the project

Differents open-source projects (WebAssembly VMs/runtimes/parsers) will be integrated to WARF along the development:

• Integration details here.
• Global roadmap here.

Trophies

This tool helped to find the following bugs/vulnerabilities (crashing files are inside trophies folder):

• wasmer/wasmer_clif_fork_wasm: index out of bounds panic
• binaryen: segfault / out-of-bounds read in WasmBinaryBuilder::readImports - FIXED
• wabt: SIGABRT due to std::bad_alloc exception (resizing wasm br_table) - FIXED
• wasmtime: assertion failed in wasmtime_debug::transform::simulate::generate_simulated_dwarf - FIXED
• wasmtime: assertion failed or unimplemented panic when table type is not anyref - FIXED
• wabt: [wasm2wat] Assertion failure in BinaryReaderIR::OnCallIndirectExpr - FIXED
• wabt: [wasm2wat] Assertion failure in BinaryReaderIR::OnReturnCallIndirectExpr - FIXED
• wabt: Incorrect validation of module with malformed alignment by wabt - FIXED
• wabt: [wasm2wat] Incorrect rejection of valid module
• wain: unwrap panic while parsing invalid wasm module - FIXED
• wain: memory allocation failed error during parsing - FIXED
• wasm3: segfault / assertion failed in GetStackTopIndex - FIXED
• wasm3: segfault / null pointer dereference in GetFunctionNumReturns - FIXED
• wasm3: heap buffer overflow in ParseSection_Export - FIXED
• wasm3: SIGILL in Compile_BlockStatements - FIXED
• wain: "index out of bounds" in wain validate - FIXED
• wasmprinter: Resources exhaustion (CPU/MEM) using wasmprinter::print_bytes() - FIXED
• wasm3: heap-use-after-free in ReadLebUnsigned - FIXED
• wasm3: global-buffer-overflow in Compile_BlockStatements - FIXED
• wasm3: out of bound read in Read_f64 - FIXED
• wasm3: heap-buffer-overflow in Compile_BlockStatements (line 2169) - FIXED

Thanks

• Web 3 Foundation for sponsoring this project.
• Rust Fuzzing Authority for Rust fuzzing tools.

Trainings & Contact

Patrick Ventuzelo - @pat_ventuzelo

• Independent Security Researcher / Trainer.
• FREE online courses: here