Discreet Log #7: UI Security Testing with Fuzzbot

14 May 2021

Welcome to Discreet Log! A fortnightly technical development blog to provide an in-depth look into the research, projects and tools that we work on at Open Privacy. For our seventh post Sarah Jamie Lewis dives into Cwtch security testing, and Fuzz Bot.

The user interface remains the largest and riskiest part of the Cwtch system. While we can (and do) strictly scope the code involved in the Cwtch protocol, we are at the mercy of large UI frameworks when it comes to displaying and interacting with the protocol in a way that is usable and cross-platform.

We can’t vet every single line of code in UI frameworks, and even if we did these frameworks often produce intermediate code during their compilation (e.g. to generate specific code that will work on Window, Linux, iOS or Android) which in turn invokes dynamic libraries that exist on those systems with their own security concerns and considerations.

Fuzz testing allows us to battle harden Cwtch against possible failure cases in a way that is efficient and scalable, and for that we have Fuzz Bot!

Fuzz Bot is a small Cwtch bot whose goal is to break Cwtch. As we expand the capabilities of the UI we also expand the capabilities of Fuzz Bot. As of today Fuzz Bot has several supported fuzz cases:

  • Message Content
  • UI Overlay Envelopes
  • Invitation Overlay Messages

The rest of this post will dive into the workings of each case.

Fuzz Bot in action. In response the the blns command Fuzz Bot begins sending fuzzed messages

Fuzzing Chat Message Content

Content injection bugs are any bugs that causes user-tainted input to be parsed outside of the widget and scope it was intended for - in many frameworks such bugs can be converted to deanonymization vulnerabilities (e.g. by inserting an element that requests a remote resource, like an image), and as such they are our primary UI security testing concern.

Fuzz Bot provides support for fuzzing “chat” message content via the blns command which stands for big list of naughty strings.

In response to this command FuzzBot sends every “naughty” string as a chat message which we can then check in the UI for rendering glitches, exceptions or content injection. As a side effect blns also tests emoji rendering, the UI handling of many, different unicode control characters, several unicode scripts and symbols, and the UIs response to receiving a large number of messages in quick succession.

Fuzz Bot also supports the blns-mutate variant of the command which randomly transforms the malicious input prior to sending it to the target (see below for more information on mutation).

Fuzzing Overlays and Functionality

Cwtch is intended to be a platform on which different kinds of applications can be implemented. Our original prototype supported chat, lists and a bulletin board.

In the new Cwtch UI group invites and peer recommendations are also implemented as overlays that display distinct actions in the chat pane.

Fuzz Bot fuzzing an invitation overlay

Different applications are specified in the protocol as “overlays”. The UI may respond to different overlay types in different ways. Some of this functionality may be non-trivial (e.g. a message on the list overlay might add an item to a list and also notify the parties in the chat that the list has been updated).

Starting at the most trivial, Fuzzbot provides the random command which constructs completely random envelopes. Fuzzing the overlay envelope itself, a malformed message should not result in arbitrary behaviour and should simply display a malformed message error in the UI.

Fuzzing Invitations

When it comes to fuzzing the specific overlays themselves, support for each overlay needs to be added to Fuzz Bot individually.

We recently added support for fuzzing group invites as these have been promoted to their own mini overlay in the Cwtch UI.

The invite-me <number> command will ask Fuzz Bot to generate a specified number of invitations, to which Fuzz Bot will randomly insert rogue strings from blns into the Group Name and Group ID.

The future of Fuzz Bot - Larger Corpuses, Overlay Grammars and Mutations

While various iterations of Fuzz Bot have existed throughout the lifetime of the Cwtch project, it is still a rather small bot with a limited feature set. As a Cwtch Beta release nears completion there are several expansions that I would like to add to grow its capabilities and usefulness.

Fuzz Bot currently lacks any way to tell if any fuzzed input resulted in undefined behaviour, and this has three large consequences:

The first is that a human is required to assess the output, watch log files and check to ensure that nothing weird happened.

The second is that Fuzz Bot has no basis on which to intelligently mutate corpus inputs; as such all mutation is random and unguided.

Screenshot of fuzzbot mutating invites

Finally, it means that Fuzz Bot has to ultimately rely on larger input corpuses and manually specified overlay constructions.

None of these are inherently bad, but they do limit our ability to deploy Fuzz Bot as part of our CI pipelines.

In the future I can imagine incorporating some additional debug capabilities into the Cwtch UI that can feed FuzzBot a stream of log messages so that it can better guide mutation choices.

In addition, one of our goals for the second half of this year is to more formally define the overlay protocols for lists and bulletins such that Cwtch clients (including Fuzz Bot) can treat them as a consistent standard, rather than a set of loosely related applications.

The Impact Of Fuzz Bot

Upfront investment in fuzzing infrastructure has paid for itself many times over. In addition to the countless UI glitches that Fuzz Bot has materialized over the years, it has also on occasion found actual security issues (from HTML rendering in our old QML UI to a server crash bug caused by a failure to check a length).

We were able to find these issues during development, rather than hitting them during testing or having people encounter them in the wild.

If you’d like to help us with Cwtch security testing initiatives like Fuzz Bot, then please consider donating! or checking out the code.

Donate to Open Privacy



Stickers!

Donations of $5 or more receive stickers as a thank-you gift, and $25 or more gets you one of our new sticker sheets! To celebrate our 4th anniversary, we'll even count cumulative pledges since November 2021 to our Patreon.


Open Privacy is an incorporated non-profit society in British Columbia, Canada. Donations are not tax deductible. You can Donate Once via Bitcoin, Monero, Zcash, and Paypal, or you can Donate Monthly via Patreon or Paypal. Please contact us to arrange a donation by other methods.


What is Discreet Log?

Discreet Log is a technical development blog to give a more in-depth look at the research, projects and tools that we work on at Open Privacy.


More Discreet Logs