Our vulnerability researcher Sirko Höer recently found vulnerabilities while fuzzing the open-source Intrusion Detection System and Intrusion Prevention System (IDS/IPS) Suricata with libFuzzer. Although the project already fuzzes extensively with AFL, he found 14 additional bugs in the code base, 12 of which were security vulnerabilities that received CVE identifiers. Sirko has summarized his approach and the insights he gained in an exclusive war story. You can find the full report as a whitepaper here:
The sheer size of the Suricata project initially seemed daunting, and writing a fuzz target turned out to be the biggest challenge. The interfaces Suricata exposes are not trivial to drive from a harness: before the function under test can be called, a series of initializations has to be performed so that it behaves "normally" rather than crashing on uninitialized global state, which would produce false positives rather than real findings. This means you have to familiarize yourself very deeply with the project before the first meaningful fuzzing run.
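The initialization problem described above, shown on a deliberately small scale. This is an added example and not Suricata's own fuzz target or code: the TLV decoder, its handler table and the names `TlvDecoderInit`, `TlvDecode` and `LLVMFuzzerTestOneInput` are constructed for illustration (the last one being the entry point libFuzzer expects). The decoder dispatches through a table that is empty until `TlvDecoderInit()` has run, so a harness that skips the initialization crashes on a NULL handler before a single byte of input is parsed; the target therefore initializes lazily on the first call and then forwards every input to the function under test.

```c
/*
 * Added example (not Suricata's code): a libFuzzer target for a hypothetical
 * TLV packet decoder that only works after a one-time initialization, in the
 * same way Suricata's interfaces require a setup sequence before use.
 *
 * Build with clang and libFuzzer, then fuzz from an (initially empty) corpus:
 *   clang -g -O1 -fsanitize=fuzzer,address tlv_fuzz.c -o tlv_fuzz
 *   mkdir -p corpus && ./tlv_fuzz corpus
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLV_MAX_TYPES 4
#define TLV_MAX_VALUE 64

typedef int (*tlv_handler)(const uint8_t *val, size_t len);

/* Global state that must be set up before any decoding call. The dispatch
 * table is all NULL until TlvDecoderInit() has run; calling TlvDecode()
 * earlier dereferences a NULL handler, a crash caused by the harness, not by
 * the code under test. */
static tlv_handler tlv_handlers[TLV_MAX_TYPES];
static int tlv_initialized = 0;

/* Type 0: a big-endian counter, which must be exactly 4 bytes long. */
static int HandleCounter(const uint8_t *val, size_t len)
{
    (void)val;
    return len == 4 ? 0 : -1;
}

/* Type 1: a printable ASCII name copied into a fixed, bounds-checked buffer. */
static int HandleName(const uint8_t *val, size_t len)
{
    char name[TLV_MAX_VALUE + 1];
    if (len > TLV_MAX_VALUE)
        return -1;
    memcpy(name, val, len);
    name[len] = '\0';
    for (size_t i = 0; i < len; i++)
        if (name[i] < 0x20 || name[i] > 0x7e)
            return -1;
    return 0;
}

/* The "series of initializations" in miniature: fill the dispatch table. */
void TlvDecoderInit(void)
{
    memset(tlv_handlers, 0, sizeof(tlv_handlers));
    tlv_handlers[0] = HandleCounter;
    tlv_handlers[1] = HandleName;
    tlv_initialized = 1;
}

/* Decode a stream of [type:1][len:1][value:len] records.
 * Returns the number of records decoded, or -1 on malformed input. */
int TlvDecode(const uint8_t *data, size_t size)
{
    int records = 0;
    size_t off = 0;

    while (off < size) {
        if (size - off < 2)
            return -1;                      /* truncated record header */
        uint8_t type = data[off];
        uint8_t len = data[off + 1];
        off += 2;
        if (len > size - off)
            return -1;                      /* value runs past the buffer */
        if (type >= TLV_MAX_TYPES || tlv_handlers[type] == NULL)
            return -1;                      /* unknown record type */
        if (tlv_handlers[type](data + off, len) != 0)
            return -1;                      /* handler rejected the value */
        off += len;
        records++;
    }
    return records;
}

/* libFuzzer entry point: initialize exactly once, then hand every generated
 * input to the function under test. The return value must be 0 (libFuzzer
 * reserves the other values). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (!tlv_initialized)
        TlvDecoderInit();
    (void)TlvDecode(data, size);
    return 0;
}
```

The lazy initialization guard is what keeps the target usable: libFuzzer calls `LLVMFuzzerTestOneInput` thousands of times per second in one process, so the setup has to run once and stay valid, and any state the setup creates must not leak or accumulate between iterations, or AddressSanitizer's leak detector reports the harness rather than the target.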
Expressed in numbers, Sirko spent about 7 weeks on the audit. The result is all the more impressive: with a total of 14 bugs found, 12 of which were assigned CVEs, the effort of writing fuzz targets for libFuzzer was absolutely worth it. You can find a list of the CVEs here.
libFuzzer is a very powerful tool, but it comes with a certain amount of complexity. If you are looking for a more user-friendly way to fuzz your software, read more about CI Fuzz.
Suricata is an open-source IDS/IPS for detecting attacks and unwanted behavior in network traffic. It contains about 500k lines of code distributed over 600 files, written partly in C and partly in Rust. Suricata is widely supported by the community as well as by official sponsors such as DCSO (Deutsche Cyber-Sicherheitsorganisation GmbH).
As part of quality improvement measures, we tested Suricata for vulnerabilities on behalf of DCSO. The focus was on feedback-based fuzzing as an effective method for detecting bugs and vulnerabilities in the code.
About Sirko Höer
Sirko Höer is responsible for vulnerability research at Code Intelligence. In this role, he develops innovative methods to enable fuzzing on various systems and applies his knowledge to customer projects. With more than 10 years of professional experience in the field of cybersecurity and subsequent studies in Computer Science at the University of Bonn, he deepened his skills in the field of feedback-based fuzzing. He recently finished his master thesis on "Evaluation of Network Protocol Fuzzing" at the University of Bonn.