Skip to main content
IT Blog IT Blog
  1. All Posts/

FuzzManager

Tools HTML



What is FuzzManager

With this project, we aim to create a management toolchain for fuzzing. Unlike
other toolchains and frameworks, we want to be modular in such a way that you
can use those parts of FuzzManager that seem interesting to you without forcing
a process upon you that does not fit your requirements.

CrashManager

CrashManager is the part of FuzzManager responsible for managing crash results
submitted to the server. The main features are:

  • Store crash information gathered from various sources. See FTB.
  • Bucket crashes using flexible, human-readable signatures that can match a
    large number of symptoms of a crash, are proposed by the server but can be
    altered and tuned by the user. The server also includes semi-automatic
    optimization of signatures that helps you group duplicates into one bucket.
  • Report bugs directly to a bug tracker using the best testcase available. We
    support only Bugzilla as a bugtracker right now, but again the API is designed
    to be extendable.

FTB

FTB (Fuzzing Tool Box) is the underlying library that contains classes for parsing
crash output from various tools (CrashInfo), bucketing crashes (CrashSignature), and
parsing assertions (AssertionHelper). This can be used locally without having a
running FuzzManager server instance to support crash logging and bucketing. FTB already
supports a variety of tools like GDB, ASan and Minidumps but can be extended to support
any form of crash information you would like.

Collector

Collector is a command-line utility or a Python class that can be used to communicate
with a CrashManager server. Collector provides an easy client interface that allows
your clients to submit crashes as well as download and match existing signatures to
avoid reporting frequent issues repeatedly.

EC2SpotManager

EC2SpotManager is another (optional) part of FuzzManager that allows you to
manage large pools of spot instances in the Amazon Cloud. It supports hierachical
configurations to avoid configuration duplication and ensures that your
instances are always running in the desired quantity as well as in the cheapest
zone.

Questions

Please send any questions regarding the project to choller-at-mozilla-dot-com.

Getting Started

Client Setup

The client portion of FuzzManager (FTB and Collector) can be installed with
pip install FuzzManager. This is all you need if you just need to talk to a
FuzzManager server instance or use FTB locally.

Server Setup

The server part of FuzzManager is a Django application. Please note that it
requires the full repository to be checked out, not just the server directory.
Server dependencies are listed in server/requirements.txt. You can use pip to install
these dependencies using pip install -r server/requirements.txt and/or you can
use your distribution’s package management to fulfill them. A Redis
server is also required for EC2SpotManager, and can be installed on a Debian-based Linux
with: sudo apt-get install redis-server.
You can set the server up just like any other Django project. The Django
configuration file is found at server/server/settings.py. The default will
work, but for a production setup, you should at least review the database
settings.
Afterwards, you should run the following commands

$ cd server
$ python manage.py migrate

Create the fuzzmanager user.

$ python ./manage.py createsuperuser
Username (leave blank to use 'user'): fuzzmanager
Email address: fuzzmanager@internal.com
Password:
Password (again):
Superuser created successfully.

Get fuzzmanager authorization token

$ python manage.py get_auth_token fuzzmanager
4a253efa90f514bd89ae9a86d1dc264aa3133945

Since the fuzzmanager account is used as a service account, we need to set the http basic authentication password to the auth token.

htpasswd -cb .htpasswd fuzzmanager 4a253efa90f514bd89ae9a86d1dc264aa3133945`

This .htpasswd file can be stored anywhere on your hard drive.
Your Apache AuthUserFile line should be updated to reflect your path.
See examples/apache2/default.vhost for an example

Important changes in settings.py

It is important that you edit FuzzManager/server/settings.py and adjust the following variables according to your needs.

ALLOWED_HOSTS = ['host']
CSRF_TRUSTED_ORIGINS = ['scheme://host']

See ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS documentation.
You may also want to increase the maximum size in bytes allowed in a request body. The default of 2.5MB may not be enough
in some cases by adding the following variable.

DATA_UPLOAD_MAX_MEMORY_SIZE = <YOUR VALUE HERE>

See DATA_UPLOAD_MAX_MEMORY_SIZE

Local testing

For local testing, you can use the builtin debug webserver:
python manage.py runserver
For a production setup, see the next section about Apache+WSGI.

Using Apache+WSGI for a production setup

To properly run FuzzManager in a production setup, using Apache+WSGI is the
recommended way.
In the examples/apache2/ directory you’ll find an example vhost file that
shows you how to run FuzzManager in an Apache+WSGI setup. Of course you should
adjust the configuration to use HTTPs if you don’t plan to use any sort of
TLS load balancer in front of it.

Getting/Creating the authentication token for clients

Use the following command to get an authentication token for a Django user:
python manage.py get_auth_token username
You can use the user that you created during syncdb for simple setups.

Server Cronjobs

The following is an example crontab using cronic to run several important
FuzzManager jobs:

# Fetch the status of all bugs from our external bug tracker(s)
*/15 * * * * cd /path/to/FuzzManager/server && cronic python manage.py bug_update_status
# Cleanup old crash entries and signatures according to configuration
*/30 * * * * cd /path/to/FuzzManager/server && cronic python manage.py cleanup_old_crashes
# Attempt to fit recently added crash entries into existing buckets
*/5  * * * * cd /path/to/FuzzManager/server && cronic python manage.py triage_new_crashes
# Export all signatures to a zip file for downloading by clients
*/30 * * * * cd /path/to/FuzzManager/server && cronic python manage.py export_signatures files/signatures.new.zip mv files/signatures.new.zip files/signatures.zip

Run server with Docker

A docker image is available by building the Dockerfile.
You can easily run a local server (and Mysql database server) by using docker-composer:

docker-compose up

On a first run, you must execute the database migrations:

docker-compose exec backend python manage.py migrate

And create a super user to be able to login on http://localhost:8000

docker-compose exec backend python manage.py createsuperuser

By default the docker image uses Django settings set in Python module server.settings_docker, with the following settings:

  • DEBUG = False to enable production mode
  • ALLOWED_HOSTS = ["localhost", ] to allow development usage on http://localhost:8000

You can customize settings by mounting a file from your host into the container:

volumes:
  - "./settings_docker.py:/src/server/server/settings_docker.py:ro"

Client Usage

In order to talk to FuzzManager, your fuzzer should use the client interface provided, called the Collector. It can be used as a standalone command line tool or directly as a Python class in case your fuzzer is written in Python.
We’ll first describe how to use the class interface directly from Python. If you want to use the command line interface instead, I still suggest that you read on because the command line interface is very similar to the class interface in terms of functionality and configuration.
For simple cases where you can just (re)run a command with a testcase that produces a crash, we also provide an easy report class that runs your command and figures out all the crash information on its own. You will find the description of this mode at the end of this section as it still requires configuration files to be setup properly, but tl;dr, it can be as easy as:
$ python Collector.py --autosubmit mybadprogram --someopt yourtest
And you’re done…