Beacon Fuzz - Progress Update #6:
Community fuzzing, new bugs and next steps
Beacon Fuzz - Update #06
Sigma Prime is leading the development and maintenance of beacon-fuzz, a differential fuzzing solution for Eth2 clients. This post is part of our series of status updates where we discuss current progress, interesting challenges encountered and direction for future work. See #00 and the repository's README for more context.
Summary
- Community Fuzzing
- New Bugs
- Next Steps
Community Fuzzing
We're happy to announce that the dockerisation process of our eth2fuzz
tool is now complete! If you'd like to help catch bugs on the major Eth2 implementations on your own hardware or cloud infrastructure, you can now follow these simple steps:
- Clone the
beacon-fuzz
repository:git clone https://github.com/sigp/beacon-fuzz
- Change your current directory to
eth2fuzz
:cd beacon-fuzz/eth2fuzz
- Make sure the Docker service is running on your machine
- For Linux hosts using
systemd
:sudo systemctl start docker
- For Linux hosts using
- Build the fuzzing container for any given Eth2 client (we currently support Lighthouse, Nimbus, Prysm, Teku and Lodestar):
- For example, if you want to fuzz Prysm:
make prysm
- For example, if you want to fuzz Prysm:
Congratulations, you now have successfully built a Docker container that holds everything you need to fuzz the Prysm client's state transition functions! Use the help
function to get a list of available commands:
docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm help
If you'd like to see all the fuzzing targets available on the Docker you've just built, run the following command:
docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm list
The output should be:
prysm_attestation
prysm_attester_slashing
prysm_block
prysm_block_header
prysm_deposit
prysm_proposer_slashing
prysm_voluntary_exit
For example, to start fuzzing the attestation processing function:
docker run -it -v `pwd`/workspace:/eth2fuzz/workspace eth2fuzz_prysm target prysm_attestation
The eth2fuzz
README contains detailed instructions and explanations on what is currently supported:
- Continuous fuzzing:
eth2fuzz
can be configured to continuously fuzz all available targets for a given client, using thecontinuously
CLI parameter. Alternatively, you can use theMakefile
to fuzz all targets, each one running during 1 hour. For example,make fuzz-nimbus
will build the relevant fuzzing container and exercise all fuzzing harnesses. - Fuzzing all clients: Want to fuzz all clients on all targets? Use the
make fuzz-all
command which will go through all clients and all implementations (and stop as soon as a bug is identified when using libFuzzer), dedicating 1 hour for each target, per client. - Different fuzzing engine support: For some clients, we support different fuzzing engines (Afl, Honggfuzz, libFuzzer). Depending on the implementation you're targeting, you can switch to a different fuzzer (libFuzzer is the default), which will enable different mutations. More fuzzing engines will be added in the near future!
We'd like to thank Justin Drake for suggesting this initiative and helping us with testing it!
If you find a bug during your fuzzing adventures, or if you encounter any issues with eth2fuzz
, join our beacon-fuzz
Discord channel on the Sigma Prime server and drop us a message!
New Bugs
Our fuzzing effort over the last month have resulted in the idenfitication of the following bugs:
- Nimbus:
IndexError
bug in the the attester slashing processing function: Due to insufficient input validation when callingisValidAttestation()
, this externally trigerrable vulnerability could lead to a crash of the client (refer to this issue for more details). This vulnerability has since been fixed by the Nimbus development team (see this Pull Request). - Lodestar: Memory exhaustion vulnerability when parsing invalid ENRs: when providing a maliciously crafted ENR string, we can trigger a JavaScript heap out-of-memory error, which can lead to a Denial-of-Service condition (refer to this issue for more details).
Next Steps
As the Eth2 state transition specification can most likely now be considered final, we're shifting our efforts to the differential part of our fuzzing infrastructure.
eth2fuzz
and eth2diff
can now be considered complete (a few more features and improvements will however be added). These tools allowed us to identify 26 unique bugs across every Eth2 implementation.
Most of our time over the upcoming weeks will be spent on beacon-fuzz-2
, to leverage Foreign Function Interfaces (FFI) in order to identify state transition discrepancies that would cause network splits and chain forks. A detailed overview of our fuzzing architecture for Eth2 can be found in a previous post.
We will also be accelerating our efforts on fuzzing the various p2p networking stacks.