Browser fuzzing tool cross_fuzz

Writing about cross_fuzz now seems a little late, since cross_fuzz has already been in wide use for DOM fuzzing for a long time; Chromium, for example, bundles the cross_fuzz tool. Then again, it was written by one of Google's own people after all.

The latest code (updated in 2011) can be found at: http://lcamtuf.coredump.cx/cross_fuzz/

Basic design logic

cross_fuzz is just a single HTML file, so it is actually not complicated: put simply, it keeps opening two windows that display different HTML/XHTML/SVG/swf content (you can add your own, of course) and, through various DOM operations (object accesses, garbage collection, and so on), tries to trigger use-after-free and similar bugs.

1. Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default – although any other, possibly plugin-supported formats could be targeted instead.

2. Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.

3. Repeat DOM crawl, randomly tweaking encountered object properties by setting them to one of the previously recorded references (or, with some probability, to one of a handful of hardcoded “interesting” values).

4. Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and “interesting” values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.

5. Randomly destroy first document using one of the several possible methods, toggle garbage collection.

6. Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.

7. Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.
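To make the bookkeeping in steps 2 and 3 concrete, here is an added example that is not cross_fuzz's own code: a seeded crawl-and-tweak over a constructed object graph that stands in for a DOM. It shows the injected visited-tag that stops infinite recursion on cyclic structures, a blacklist of keys that are never entered, shuffled and fanout-limited recursion, and a seeded PRNG so that a run can be replayed from its seed (the role of the `#1234` URL fragment). The names `TAG`, `BLACKLIST`, `INTERESTING`, `MAX_FANOUT`, `MAX_DEPTH`, the mulberry32 PRNG and the fake document are all this example's own assumptions, not cross_fuzz identifiers.

```javascript
// Added example (not cross_fuzz's code): steps 2 and 3 of the cross_fuzz cycle,
// crawl-and-collect followed by property tweaking, on a constructed fake DOM.

const TAG = '__xf_visited';  // injected, non-enumerable marker (assumed name) that stops infinite recursion
// Keys never descended into: stand-ins for "navigate away / enter the master window" paths (constructed list).
const BLACKLIST = new Set(['opener', 'parent', 'top', 'location']);
// A handful of "interesting" values of the kind a fuzzer substitutes for real references (constructed).
const INTERESTING = [0, -1, 0x7fffffff, '', 'A'.repeat(4096), null, undefined];
const MAX_FANOUT = 4;  // children explored per object after shuffling: coverage without blow-up
const MAX_DEPTH = 5;   // recursion cap

// Seeded PRNG (mulberry32) so a crawl is reproducible from its seed.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Fisher-Yates shuffle driven by the seeded PRNG.
function shuffle(arr, rng) {
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr;
}

// Step 2: depth-first crawl that tags each visited object and collects it into `refs`.
function crawl(node, rng, refs = [], depth = 0) {
  if (node === null || typeof node !== 'object') return refs;       // only objects carry references
  if (Object.prototype.hasOwnProperty.call(node, TAG)) return refs;  // already visited (cycle or shared child)
  try {
    Object.defineProperty(node, TAG, { value: true, enumerable: false });
  } catch (e) {
    return refs;  // frozen / non-extensible object: cannot tag it, so do not risk re-entering it
  }
  refs.push(node);
  if (depth >= MAX_DEPTH) return refs;
  // Shuffle, then truncate to the fanout cap: random order spreads coverage across runs.
  const keys = shuffle(Object.keys(node).filter((k) => !BLACKLIST.has(k)), rng).slice(0, MAX_FANOUT);
  for (const k of keys) {
    let child;
    try { child = node[k]; } catch (e) { continue; }  // a getter may throw; skip it
    crawl(child, rng, refs, depth + 1);
  }
  return refs;
}

// Step 3: overwrite properties of collected objects with another collected reference or,
// with probability pInteresting, one of the hardcoded values. Returns the list of keys
// written, so a crash can be reproduced from seed + log instead of being guessed at.
function tweak(refs, rng, pTweak = 0.5, pInteresting = 0.25) {
  const log = [];
  for (const obj of refs) {
    for (const k of Object.keys(obj)) {
      if (BLACKLIST.has(k) || rng() >= pTweak) continue;
      const value = rng() < pInteresting
        ? INTERESTING[Math.floor(rng() * INTERESTING.length)]
        : refs[Math.floor(rng() * refs.length)];
      try { obj[k] = value; log.push(k); } catch (e) { /* read-only property: skip */ }
    }
  }
  return log;
}

// Constructed stand-in for a tiny DOM, with the back-references (parentNode, firstChild) real DOMs have.
function makeFakeDocument() {
  const body = { nodeName: 'BODY', children: [] };
  const p = { nodeName: 'P', textContent: 'hello', parentNode: body };
  body.children.push(p);
  return {
    nodeName: '#document',
    body,
    documentElement: { nodeName: 'HTML', firstChild: body },
    location: { href: 'about:blank' },  // blacklisted: never crawled or tweaked
  };
}

// One fuzz cycle: crawl, then tweak, all driven by a single seed.
function fuzzCycle(seed, doc = makeFakeDocument()) {
  const rng = makeRng(seed);
  const refs = crawl(doc, rng);
  const written = tweak(refs, rng);
  return { refs, written };
}
```

One caveat if you point this at a real browser `document`: this example enumerates own keys only, whereas most DOM properties live on prototypes, so a real crawler walks the prototype chain (as cross_fuzz does) and has to cope with many more throwing getters and read-only attributes. The seed plus the `written` log is what makes a crash reproducible; without both, a hit found by random tweaking is very hard to replay.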

Usage

Usage is simple; taking Chrome as an example:

chrome --disable-popup-blocking --no-first-run --user-data-dir=$TEMPDIR --allow-file-access-from-files --noerrdialogs --disable-hang-monitor file://`pwd`/third_party/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#1234

Here 1234 is the random seed and can be changed as you like. IE is used the same way; just remember to allow pop-up windows.

Results in practice

I ran it briefly on XP/IE8 and still got a small number of crashes. They are not purely IE problems, but it shows the tool is reasonably effective at finding things; compared with the earlier IE7 xday, well, it is still somewhat less effective.