Nyx-Net: Network Fuzzing with Incremental Snapshots

Related tags

Networkingnyx-net
Overview

Nyx-Net: Network Fuzzing with Incremental Snapshots

Nyx-Net is fast full-VM snapshot fuzzer for complex network based targets. It's built upon kAFL, Redqueen and Nyx. The approach is described in more detail in our paper.

Note:

This repository is serving only to capture the state as described in the paper. If you want to actually use Nyx, check out the maintained code released for the Nyx framework or it's Homepage.

@misc{nyxnet,
      title={Nyx-Net: Network Fuzzing with Incremental Snapshots}, 
      author={Sergej Schumilo and Cornelius Aschermann and Andrea Jemmett and Ali Abbasi and Thorsten Holz},
      year={2021},
      eprint={2111.03013},
      archivePrefix={arXiv},
      primaryClass={cs.CR}
}

Setup

Please note that the minimum requirements to get Nyx-Net running are a recent linux kernel installed (>= v5.11) and full access to KVM. Fast-Snapshots and compile-time based tracing is supported by an unmodified vanilla kernel. If you want to fuzz closed-source targets with Nyx-Net's intel-PT mode, you will need to install KVM-Nyx.

The following commands will install all dependencies and setup Nyx-Net an your machine (assuming an Ubuntu 21.04):

git clone https://github.com/RUB-SysSec/nyx-net
cd nyx-net
./setup.sh

ProFuzzBench

To setup all ProfuzzBench targets you can use a Dockerfile which we provide with this repository. Using Docker is necessary because most of the targets will not compile on more recent linux distributions. This process will take several minutes to finish. Because of that, we provide two ZIP-archives (ASAN and non-ASAN), which contain a prepared collection of all targets.

To unpack the PFB builds from one of the archives, move to the targets folder and run either decompress_packed_targets.sh or decompress_packed_targets_asan.sh.

Optional: to compile and pack the targets using the Dockerfile move to the targets folder and then run docker_pack.sh. Once the this process has successfully finished, use the decompress_packed_targets.sh or decompress_packed_targets_asan.sh to finish the setup process.

Super Mario

Run the following script to compile and prepare the Super Mario Demo. This scripts expects the NES ROM of Super Mario Bros. (MD5: 811b027eaf99c2def7b933c5208636de) to be located at targets/extra_folders/super_mario_extra_folder/Super Mario Bros. (JU) (PRG0) [!].nes:

cd targets/
./prepare_super_mario.sh

This script will compile the x86 version of Super Mario Bros and create a Nyx sharedir for each level. The Nyx sharedirs will be put into the targets/packed_targets/ folder.

Run the Fuzzer

Move to the fuzzer/rust_fuzzer folder and run the following command to start the fuzzer:

cargo run --release -- \
      -s ../../targets/packed_targets/
   
    /

   

Incremental snapshots are disabled by default (Nyx-Net-None) but you can enable them by adding an -p parameter with one of the two available policies (balanced or aggressive). Parallel-fuzzing can also be enabled be using the -t parameter. Nyx-Net will automatically create a crash report once a crash of the target has been observed during fuzzing. Those reports are stored in the working directory (corpus/crash/*.log).

Reproducabilty

The fuzzer will store each new interesting input in the working directory. However, those inputs are stored in a specific bytecode format and cannot easily be used to replay the communication with a target running outside of Nyx. To turn those inputs into a more usable format, you need to re-run each finding in the corpus by another tool which is stored in fuzzer/rust_fuzzer_debug:

cargo run --release -- \
      -s ../../targets/packed_targets/
   
    / \
      -d /tmp/workdir/corpus/crash/ \
      -t /tmp/workdir/corpus/crash_reproducible/

   

This tool will pick and re-execute each input form the crash folder and generate a more usable version which is then put into the crash_reproducible folder. To replay one of the files from the crash_reproducable folder, move to the packer/packer/ directory and use the nyx_net_payload_executor.py tool:

#supported modes: stdout, udp, tcp
python nyx_net_payload_executor.py /tmp/workdir/corpus/crash_reproducable/cnt_10.py stdout > /tmp/trace; hexdump -C /tmp/trace

ProfuzzBench

To reproduce the evaulation and results from the paper, you can use the scripts and tools located in profuzzbench-nyx/. More details on that can be found here.

License

The content of this repository is provided under AGPL license. However, this does only apply to this repository without any submodule. Please refer to each submodule from this repository to get more detailed information on each license used.

Free Software Hell Yeah!

Proudly provided by:

Owner
Chair for Sys­tems Se­cu­ri­ty
Chair for Sys­tems Se­cu­ri­ty
Uses machine learning to scan the similarity of two texts

PlagiarismChecker Uses machine learning to scan the similarity of two documents. End Points: http://localhost:3000/register (create a/c) http://localh

Elvis Chege 2 Aug 10, 2022
simple subdomain finder

Subdomain-finder Simple SubDomain finder using python which is easy to use just download and run it Wordlist you can use your own wordlist but here i

AsjadOwO 5 Sep 24, 2021
Exfiltrate files using the HTTP protocol version ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1)

http-protocol-exfil Use the HTTP protocol version to send a file bit by bit ("HTTP/1.0" is a 0 and "HTTP/1.1" is a 1). It uses GET requests so the Blu

Ricardo Ruiz 23 Apr 30, 2022
WebRTC and ORTC implementation for Python using asyncio

aiortc What is aiortc? aiortc is a library for Web Real-Time Communication (WebRTC) and Object Real-Time Communication (ORTC) in Python. It is built o

3.2k Jan 07, 2023
Building a Robust IOT device which is customizable, encrypted, secure and user friendly

Building a Robust IOT device which is customizable, encrypted, secure and user friendly, which uses a single GPIO pin to extract multiple sensor values

1 Jan 03, 2022
A project that forwards data it receives in a URL POST Request to a Discord Webhook link

Mailman Mailman is a project that basically just forwards data it receives in a URL POST Request to a Discord Webhook link and act as a sort of messag

Prakhar Trivedi 2 Mar 14, 2022
msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+

msgspec msgspec is a fast and friendly implementation of the MessagePack protocol for Python 3.8+. In addition to serialization/deserializat

Jim Crist-Harif 414 Jan 06, 2023
CloudProxy is to hide your scrapers IP behind the cloud

Hide your scrapers IP behind the cloud. Provision proxy servers across different cloud providers to improve your scraping success.

Christian Laffin 1.1k Jan 02, 2023
Equibles Stocks API for Python

Equibles Stocks API for Python Requirements. Python 2.7 and 3.4+ Installation & Usage pip install If the python package is hosted on Github, you can i

Equibles 3 Apr 15, 2022
A Simple but Powerful cross-platform port scanning & and network automation tool.

DEDMAP is a Simple but Powerful, Clever and Flexible Cross-Platform Port Scanning tool made with ease to use and convenience in mind. Both TCP

Anurag Mondal 30 Dec 16, 2022
Search ports in multiples hosts

Search Port ✨ Multiples Searchs ✨ Create list hosts Create list targets Start Require Python 3.10.0+. python main.py Struture Function Directory load_

Tux#3634 7 Apr 29, 2022
LGPL Pure Python OPC-UA Client and Server

LGPL Pure Python OPC-UA Client and Server

Free OPC-UA Library 1.2k Jan 04, 2023
boofuzz: Network Protocol Fuzzing for Humans

boofuzz: Network Protocol Fuzzing for Humans Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fi

Joshua Pereyda 1.7k Dec 31, 2022
An improved version of the original AutoDD

AutoDD = Automatically does the "due diligence" for you. If you want to know what stocks people are talking about on reddit, this little program might help you.

Steven Zhu 169 Oct 05, 2022
Web service load balancing simulation experiment.

Web service load balancing simulation experiment.

NicestZK 1 Nov 12, 2021
Simple python script for automated network scans with random name generator(useful for CTF boxes).

📄 Automated NMAP script Description Simple python script for automated network scans with random name generator(useful for CTF boxes). Requirements 1

Dhmos Funk 2 Oct 29, 2021
A working cloudflare uam bypass !!

Dark Utilities - Cloudflare Uam Bypass Our Website https://over-spam.space/ ! Additional Informations The proxies type are http,https ... You need fas

Inplex-sys 26 Dec 14, 2022
Tool for pretty printing and optimizing Lightning Network channels.

Suez Tool for pretty printing and optimizing Lightning Network channels. Installation Install poetry poetry install poetry run ./suez Channel fee poli

Pavol Rusnak 69 Nov 03, 2022
Share clipboards between two devices in a network

Shared Clipboard I felt the need for sharing clipboard texts between virtual machines but I didn't find any reliable solutions for this (I use HyperV)

Teja Swaroop 9 Jun 10, 2022
VRF-StarkNet - Contracts for verifiable randomness on StarkNet

VRF-StarkNet Contracts for verifiable randomness on StarkNet Motivation Deployed

Non 32 Oct 30, 2022