Use funfuzz to find new, unique security bugs in Mozilla for bounty rewards

Do you have spare computer cycles, and would you like to help find security bugs in Mozilla products? If you discover new and unique security issues, you may be able to earn bounties within the bounty guidelines!

Recently, the Mozilla Platform Fuzzing team released funfuzz (fuzzers & fuzzing harness) and lithium (an updated version of a line-based reducer) on GitHub:

  1. funfuzz
    1. https://github.com/MozillaSecurity/funfuzz
    2. Repository of fuzzers and harness scripts to run them
    3. Jesse Ruderman wrote an excellent blog post
    4. Components of funfuzz:
      1. jsfunfuzz – js fuzzer
      2. domfuzz – DOM fuzzer
      3. compareJIT – runs with different runtime flags and compares output
      4. randorderfuzz – adds in random tests from repository to jsfunfuzz
      5. compileShell – compiles js shells
      6. autoBisect – bisects Mercurial repositories to find regressors
  2. lithium

We have in-tree documentation to help you get started on your way to find new, unique security bugs.

Quick-start guide:

  1. Ensure you have build prerequisites installed
  2. Clone both repositories side-by-side (adjacent to each other)
    • e.g. into ~/lithium and ~/funfuzz
  3. Clone the Mercurial mozilla-central repository.
    • e.g. into ~/trees/mozilla-central
  4. Start the loopBot script!
    1. Example command:
      • python -u funfuzz/loopBot.py -b "--random" -t "js" --target-time 28800 | tee ~/log-loopBotPy.txt
    2. Use `-t "js"` to test SpiderMonkey shells only, and `-t "dom"` to test only the Firefox DOM
    3. More documentation here.

Notes:

  1. The harness should work on most common platforms, e.g. Windows, Linux and Mac, as well as on EC2.
  2. Fuzzing uses a large amount of system resources. It is recommended not to use the computer heavily while it is fuzzing.
  3. Until FuzzManager integration arrives, the list of known bugs is in:
    1. assertion failures
    2. crashes
  4. For SpiderMonkey `-t "js"` mode, if you find an unknown crash or assertion failure, there are several files to look for in the wtmp1 subfolder:
    1. *-reduced.js files usually contain a partially-reduced testcase
    2. *-orig.js files are the original unreduced testcase
    3. *-summary.txt shows the runtime flags needed to trigger the bug
    4. *-crash.txt files contain the crash stacktrace
    5. *-err.txt files contain stderr output
    6. *-out.txt files contain stdout output
    7. *-autobisect.txt files contain bisection information
    8. build-source.txt files contain the information on shell build type
    9. Follow the guidelines as listed in the “Claiming a bug bounty” section of the bug bounty document
  5. In case things go wrong, kill all the relevant Python processes.
    • Example commands that kill all running Python processes on the machine:
      1. $ killall python # Linux
      2. $ killall Python # Mac
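As an added example (not part of the original post or the funfuzz project), a small Python triage helper that groups the per-bug files listed above by their shared filename prefix, reads the flags from each *-summary.txt, and reports which artifacts are still missing, e.g. a bug with no *-reduced.js yet. The wtmp1-style folder it builds, and the flag strings and file contents in it, are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Per-bug artifact suffixes the post documents for the wtmp1 folder, keyed by role.
ARTIFACT_SUFFIXES = {
    "reduced": "-reduced.js",         # partially-reduced testcase
    "orig": "-orig.js",               # original unreduced testcase
    "summary": "-summary.txt",        # runtime flags needed to trigger the bug
    "crash": "-crash.txt",            # crash stacktrace
    "err": "-err.txt",                # stderr output
    "out": "-out.txt",                # stdout output
    "autobisect": "-autobisect.txt",  # bisection information
}

def triage_wtmp(wtmp_dir):
    """Group per-bug artifacts by shared filename prefix into
    {prefix: {"files": {role: path}, "missing": [roles], "flags": summary text}}."""
    found = {}
    for path in sorted(Path(wtmp_dir).iterdir()):
        for role, suffix in ARTIFACT_SUFFIXES.items():
            # build-source.txt matches no suffix: it describes the shell, not one bug
            if path.is_file() and path.name.endswith(suffix):
                found.setdefault(path.name[: -len(suffix)], {})[role] = str(path)
                break
    report = {}
    for prefix, files in found.items():
        flags = Path(files["summary"]).read_text().strip() if "summary" in files else ""
        report[prefix] = {"files": files, "flags": flags,
                          "missing": [r for r in ARTIFACT_SUFFIXES if r not in files]}
    return report

def build_sample_wtmp():
    """Write a constructed wtmp1-style folder (not real funfuzz output) for the demo."""
    d = Path(tempfile.mkdtemp(prefix="wtmp1-"))
    (d / "build-source.txt").write_text("constructed: debug js shell\n")
    samples = {  # bug "1" fully recorded; bug "2" has no reduced testcase yet
        "1-reduced.js": "// constructed partially-reduced testcase\n",
        "1-orig.js": "// constructed original testcase\n",
        "1-summary.txt": "--ion-eager --no-threads (constructed)\n",
        "1-crash.txt": "constructed stack trace\n",
        "2-orig.js": "// constructed testcase, reduction not finished\n",
        "2-err.txt": "Assertion failure: constructed\n",
    }
    for name, body in samples.items():
        (d / name).write_text(body)
    return str(d)

if __name__ == "__main__":
    for prefix, info in sorted(triage_wtmp(build_sample_wtmp()).items()):
        print(prefix, "flags:", info["flags"] or "(none)", "missing:", info["missing"])
```

Point `triage_wtmp` at a real wtmp1 folder to get the same per-prefix report for actual fuzzing output.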

Where you can help:

  1. Run funfuzz with dynamic analysis tools
    • ASan
      • Works on Mac
      • May have issues on Linux, especially EC2 VMs
    • Valgrind
    • TSan, LSan, UBSan not integrated yet
      • Volunteers welcome!
  2. Add to our fuzzers
  3. Improve our fuzzing harness
    • File an issue if something does not work
    • Send us a pull request for improvements!
  4. Help out in other Mozilla Security projects

Note that the final bounty reward amounts are at the discretion of the bounty committee. Help us fuzz our way to a safer Gecko for everyone!

(This is part of a new category of posts related to fuzzing. Fuzzing is used extensively to find bugs, regressions and security issues in Gecko, on which Firefox, Firefox OS and Thunderbird are based.)

Edit: Tweaked wordings throughout.