Nyx-Net: Network Fuzzing with Incremental Snapshots

Related tags

Networking nyx-net
Overview

Nyx-Net: Network Fuzzing with Incremental Snapshots

Nyx-Net is fast full-VM snapshot fuzzer for complex network based targets. It's built upon kAFL, Redqueen and Nyx. The approach is described in more detail in our paper.

Note:

This repository is serving only to capture the state as described in the paper. If you want to actually use Nyx, check out the maintained code released for the Nyx framework or it's Homepage.

@misc{nyxnet,
      title={Nyx-Net: Network Fuzzing with Incremental Snapshots}, 
      author={Sergej Schumilo and Cornelius Aschermann and Andrea Jemmett and Ali Abbasi and Thorsten Holz},
      year={2021},
      eprint={2111.03013},
      archivePrefix={arXiv},
      primaryClass={cs.CR}
}

Setup

Please note that the minimum requirements to get Nyx-Net running are a recent linux kernel installed (>= v5.11) and full access to KVM. Fast-Snapshots and compile-time based tracing is supported by an unmodified vanilla kernel. If you want to fuzz closed-source targets with Nyx-Net's intel-PT mode, you will need to install KVM-Nyx.

The following commands will install all dependencies and setup Nyx-Net an your machine (assuming an Ubuntu 21.04):

git clone https://github.com/RUB-SysSec/nyx-net
cd nyx-net
./setup.sh

ProFuzzBench

To setup all ProfuzzBench targets you can use a Dockerfile which we provide with this repository. Using Docker is necessary because most of the targets will not compile on more recent linux distributions. This process will take several minutes to finish. Because of that, we provide two ZIP-archives (ASAN and non-ASAN), which contain a prepared collection of all targets.

To unpack the PFB builds from one of the archives, move to the targets folder and run either decompress_packed_targets.sh or decompress_packed_targets_asan.sh.

Optional: to compile and pack the targets using the Dockerfile move to the targets folder and then run docker_pack.sh. Once the this process has successfully finished, use the decompress_packed_targets.sh or decompress_packed_targets_asan.sh to finish the setup process.

Super Mario

Run the following script to compile and prepare the Super Mario Demo. This scripts expects the NES ROM of Super Mario Bros. (MD5: 811b027eaf99c2def7b933c5208636de) to be located at targets/extra_folders/super_mario_extra_folder/Super Mario Bros. (JU) (PRG0) [!].nes:

cd targets/
./prepare_super_mario.sh

This script will compile the x86 version of Super Mario Bros and create a Nyx sharedir for each level. The Nyx sharedirs will be put into the targets/packed_targets/ folder.

Run the Fuzzer

Move to the fuzzer/rust_fuzzer folder and run the following command to start the fuzzer:

cargo run --release -- \
      -s ../../targets/packed_targets/
   
    /

   

Incremental snapshots are disabled by default (Nyx-Net-None) but you can enable them by adding an -p parameter with one of the two available policies (balanced or aggressive). Parallel-fuzzing can also be enabled be using the -t parameter. Nyx-Net will automatically create a crash report once a crash of the target has been observed during fuzzing. Those reports are stored in the working directory (corpus/crash/*.log).

Reproducabilty

The fuzzer will store each new interesting input in the working directory. However, those inputs are stored in a specific bytecode format and cannot easily be used to replay the communication with a target running outside of Nyx. To turn those inputs into a more usable format, you need to re-run each finding in the corpus by another tool which is stored in fuzzer/rust_fuzzer_debug:

cargo run --release -- \
      -s ../../targets/packed_targets/
   
    / \
      -d /tmp/workdir/corpus/crash/ \
      -t /tmp/workdir/corpus/crash_reproducible/

   

This tool will pick and re-execute each input form the crash folder and generate a more usable version which is then put into the crash_reproducible folder. To replay one of the files from the crash_reproducable folder, move to the packer/packer/ directory and use the nyx_net_payload_executor.py tool:

#supported modes: stdout, udp, tcp
python nyx_net_payload_executor.py /tmp/workdir/corpus/crash_reproducable/cnt_10.py stdout > /tmp/trace; hexdump -C /tmp/trace

ProfuzzBench

To reproduce the evaulation and results from the paper, you can use the scripts and tools located in profuzzbench-nyx/. More details on that can be found here.

License

The content of this repository is provided under AGPL license. However, this does only apply to this repository without any submodule. Please refer to each submodule from this repository to get more detailed information on each license used.

Free Software Hell Yeah!

Proudly provided by:

You might also like...
A Network tool kit for scanning active IP addresses and open ports
A Network tool kit for scanning active IP addresses and open ports

Network scanner A small project that I wrote on the fly for (IT351) Computer Networks University Course to identify and label the devices in my networ

Network-Shredder is a python based NIDS.
Network-Shredder is a python based NIDS.

Network-Shredder is a python based NIDS.

A non-custodial oracle and escrow system for the lightning network. Make LN contracts more expressive.
A non-custodial oracle and escrow system for the lightning network. Make LN contracts more expressive.

Hodl contracts A non-custodial oracle and escrow system for the lightning network. Make LN contracts more expressive. If you fire it up, be aware: (1)

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Automated network configuration backups using Github actions and git-scraping
Automated network configuration backups using Github actions and git-scraping

Network Config Scraper This repository demonstrates the use of Github Actions and git-scraping to build an automated backup solution for network confi

A simple, configurable application and set of services to monitor multiple raspberry pi's on a network.
A simple, configurable application and set of services to monitor multiple raspberry pi's on a network.

rpi-info-monitor A simple, configurable application and set of services to monitor multiple raspberry pi's on a network. It can be used in a terminal

Display ip2.network active live streams.

Display ip2.network active live streams.

Network Dynaimcs Simulation

A Final Year Project in CUHK, Autumn 2021 Network Dynaimcs Simulation Files param.h edit all the variables & settings here simulate.c the main program

A simple software which can use to make a server in local network

home-nas it is simple software which can use to make a server in local network, it has a web site on it which can use by multipale system, i use nginx

Comments
  • Few questions

    Few questions

    Appreciate releasing source code for this significant work. I can see packer is doing some of the work when preparing the VM. Are there step by step instructions/tutorial on setting up a new target, creating agent, IPC spec for agent and host communication, using packer etc. Please point to any reference you can if there are no documentation currently. Thanks

    opened by dbdante 1
  • HYPERCALL_KAFL_PANIC_EXTENDED: assert: setup_interpreter src/ld_preload_fuzz.c 325: offsets[0] == 1840245495844197195ULL

    HYPERCALL_KAFL_PANIC_EXTENDED: assert: setup_interpreter src/ld_preload_fuzz.c 325: offsets[0] == 1840245495844197195ULL

    I use sudo sh libnyx/libnyx/tesh.sh (https://github.com/nyx-fuzz/libnyx/blob/main/libnyx/test.sh) command to fuzz nyx_tinydtls (obtained from https://github.com/RUB-SysSec/nyx-net/tree/main/targets/packed_targets). But the result nyx_exec (C interface nyx_exec in https://github.com/nyx-fuzz/libnyx/blob/34679b90dcdcc3c9834e4a510e6fc3ebb77b2246/libnyx/src/lib.rs) is always equal to 1. And I use nyx_print_aux_buffer (C interface in https://github.com/nyx-fuzz/libnyx/blob/34679b90dcdcc3c9834e4a510e6fc3ebb77b2246/libnyx/src/lib.rs) to get the result which shows HYPERCALL_KAFL_PANIC_EXTENDED: assert: setup_interpreter src/ld_preload_fuzz.c 325: offsets[0] == 1840245495844197195ULL. Here are the results snapshot. I don't know how to solve this problem. Looking forward your reply. Thank you! image

    opened by lijunqiang123 0
Owner
Chair for Sys­tems Se­cu­ri­ty
Chair for Sys­tems Se­cu­ri­ty
A benchmark for stateful fuzzing of network protocols

A benchmark for stateful fuzzing of network protocols

null 3 Apr 25, 2022
This is a python based command line Network Scanner utility, which input as an argument for the exact IP address or the relative IP Address range you wish to do the Network Scan for and returns all the available IP addresses with their MAC addresses on your current Network.

This is a python based command line Network Scanner utility, which input as an argument for the exact IP address or the relative IP Address range you wish to do the Network Scan for and returns all the available IP addresses with their MAC addresses on your current Network.

Abhinandan Khurana 1 Feb 9, 2022
Nautobot is a Network Source of Truth and Network Automation Platform.

Nautobot is a Network Source of Truth and Network Automation Platform. Nautobot was initially developed as a fork of NetBox (v2.10.4). Nautobot runs as a web application atop the Django Python framework with a PostgreSQL database.

Nautobot 549 Dec 31, 2022
This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

This Tool can help enginners and biggener in network, the tool help you to find of any ip with subnet mask that can calucate them and show you ( Availble IP's , Subnet Mask, Network-ID, Broadcast-ID )

null 12 Dec 13, 2022
nettrace is a powerful tool to trace network packet and diagnose network problem inside kernel.

nettrace nettrace is is a powerful tool to trace network packet and diagnose network problem inside kernel on TencentOS. It make use of eBPF and BCC.

null 84 Jan 1, 2023
PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram

PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

Srinivas P G 1.4k Dec 28, 2022
ANalyse is a vehicle network analysis and attack tool.

CANalyse is a tool built to analyze the log files to find out unique datasets automatically and able to connect to simple user interfaces suc

0xh3nry 87 Dec 18, 2022
Flashes keyboard leds on incoming/outgoing network packets

LED Net Capture Flashes keyboard leds on incoming/outgoing network packets Usage Requires root priviledges to run usage: ledcapture.py [-h] --keyboard

Dan Habot 56 Oct 27, 2022
GNS3 Graphical Network Simulator

GNS3-gui GNS3 GUI repository.

GNS3 1.7k Dec 29, 2022
Share clipboards between two devices in a network

Shared Clipboard I felt the need for sharing clipboard texts between virtual machines but I didn't find any reliable solutions for this (I use HyperV)

Teja Swaroop 9 Jun 10, 2022