This project provides code and tools which allow for fuzzing the mbed TLS library using the afl++ fuzzer. An integral part of this project is the code for a self-communicating instance (the client and server run in a single process) of mbed TLS.
More information about the project is available on the Gotham Digital Science blog:
- Grab the latest version of afl++ from the afl++ homepage.
- Build it instead of running it in Docker to maximize performance. At the time of writing, the latest version is afl++ v4.34c.
- Set environment variables:

  ```
  export AFL_PATH=/usr/local/src/AFLplusplus  # adjust to location of built afl++
  export PATH=$PATH:$AFL_PATH
  ```

- Run the following command, which automatically downloads different versions of mbed TLS, patches them, compiles the code, and sets everything up for fuzzing:

  ```
  ./setup.sh
  ```

- Change to the fuzz subdirectory inside the mbed TLS directory that you wish to fuzz.
- Run the ./fuzz.sh script.
Running the script without arguments creates the original client and server network packets to be fuzzed and prints the usage screen with a description of the tool.
To fuzz a specific network packet, execute the script with the packet number (minimum of 1) followed by the fuzzer instance number as command-line arguments:
- Use 1 to initiate the primary fuzzer instance.
- Unique numbers greater than 1 will start additional fuzzer instances.
In the following example, we launch a main fuzzer instance to fuzz network packet 3 of the self-communicating mbed TLS 2.28.10 binary:
```
cd mbedtls-mbedtls-2.28.10/fuzz/
./fuzz.sh 3 1
```

The fuzz.sh script mounts a tmpfs at /tmp/afl-ramdisk/mbedtls containing the fuzzing input and output files for performance reasons.
If you want to analyze crashes using gdb, generate a file containing the paths of the crash files (the path must contain the packet number) and update the constants in ./crash-analysis.sh accordingly.
Finally, run ./crash-analysis.sh which allows you to debug the crash using gdb.
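As an added example (not one of this project's scripts), the following POSIX shell helpers build the crash file list for one fuzzed packet across all afl++ fuzzer instances and then group the crashes by the signal afl++ records in each file name, which goes a step beyond the plain file listing described above. It assumes that fuzz.sh keeps each packet's afl++ output below a directory whose name contains the packet number, with the usual afl++ per-instance subdirectories (main/, secondary1/, ...), and it runs against a constructed sample tree rather than real fuzzer output.

```shell
#!/bin/sh
# Added helper for the crash-analysis step: gather afl++ crash inputs for one
# fuzzed packet into the one-path-per-line list that ./crash-analysis.sh
# reads, and group them by the crashing signal afl++ encodes in the file name.
# Assumption: fuzz.sh writes each packet's afl++ output below a directory
# whose name contains the packet number (e.g. .../packet3), with one
# subdirectory per fuzzer instance (afl++ -M/-S layout: main/, secondary1/).

# list_crash_files OUTDIR LISTFILE
# Finds afl++ crash files ("id*" inside a "crashes" directory) below OUTDIR,
# across all fuzzer instances, skipping afl++'s crashes/README.txt and the
# hangs/ directory; writes the sorted paths to LISTFILE and prints the count.
list_crash_files() {
    find "$1" -type f -path '*/crashes/*' -name 'id*' | sort > "$2"
    wc -l < "$2" | tr -d ' '
}

# summarize_signals LISTFILE
# afl++ names crashes "id:000001,sig:11,src:...": pull out the "sig:NN" token
# and print "count signal" lines, most frequent first (06 = SIGABRT, 11 = SIGSEGV).
summarize_signals() {
    sed -n 's/.*,sig:\([0-9][0-9]*\),.*/\1/p' "$1" | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# make_sample_tree DIR
# Constructed sample output tree for packet 3 (not real fuzzer output):
# two instances, three crash files, one hang and afl++'s README.txt.
make_sample_tree() {
    mkdir -p "$1/packet3/main/crashes" "$1/packet3/main/hangs" \
             "$1/packet3/secondary1/crashes"
    : > "$1/packet3/main/crashes/README.txt"
    : > "$1/packet3/main/crashes/id:000000,sig:06,src:000000,time:12,execs:100,op:havoc,rep:2"
    : > "$1/packet3/main/crashes/id:000001,sig:11,src:000004,time:90,execs:800,op:flip1,pos:3"
    : > "$1/packet3/secondary1/crashes/id:000000,sig:06,src:000002,time:40,execs:300,op:havoc,rep:4"
    : > "$1/packet3/main/hangs/id:000000,src:000001,time:500,execs:2000,op:havoc,rep:1"
}

# Demo on the constructed tree; for real runs point list_crash_files at the
# packet's output directory under /tmp/afl-ramdisk/mbedtls (exact path is an assumption).
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    list_crash_files "$d/packet3" "$d/crash_files.txt"   # prints 3
    summarize_signals "$d/crash_files.txt"               # prints "2 06" then "1 11"
    rm -rf "$d"
}

demo
```

The resulting crash_files.txt has the shape crash-analysis.sh expects, and the signal summary tells you up front whether you are looking at one abort-style bug or several distinct memory errors before you open gdb.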
You can use a command such as the following to create the file containing the paths of the crash files:

```
find . -name 'id*' -type f | grep crashes | sort > crash_files.txt
```

Fabian Foerg, Gotham Digital Science, 2015-2025