SlideShare a Scribd company logo

Fuzzing Janus @ IPTComm 2019

L
Lorenzo Miniero

The document discusses fuzz testing applied to Janus, an open-source WebRTC server, highlighting vulnerabilities in real-time communications and tools created by Google's Project Zero to discover bugs. It covers the architecture of Janus, the fuzzing process and targets, and introduces the use of libFuzzer for automated testing to enhance security. The document shares insights on integrating fuzz testing in Janus, focusing on rtcp-related functions and streamlining compilation processes.

Technology
1 of 42
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Fuzzing Janus for Fun and Profit A. Amirante, T. Castaldi, L. Miniero, S.P. Romano, P. Saviano, A. Toppi IPTComm 2019 October 15th 2019, Chicago, IL, USA
A few words about me Lorenzo Miniero • Ph.D @ UniNA • Chairman @ Meetecho • Main author of Janus® Contacts and info • lorenzo@meetecho.com • https://twitter.com/elminiero • https://www.slideshare.net/LorenzoMiniero
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
Introducing the Janus WebRTC server Janus General purpose, open source WebRTC server • https://github.com/meetecho/janus-gateway • Demos and documentation: https://janus.conf.meetecho.com • Community: https://groups.google.com/forum/#!forum/meetecho-janus
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
Coverage-guided fuzzing
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
Integrating libFuzzer in Janus // fuzz-rtcp.c #include "janus/rtcp.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 8 || size > 1472) return 0; if (!janus_is_rtcp(data, size)) return 0; /* Initialize an empty RTCP context */ janus_rtcp_context ctx; janus_rtcp_parse(ctx, (char *)data, size); GSList *list = janus_rtcp_get_nacks((char *)data, size); ... if (list) g_slist_free(list); return 0; }
Presenting the code coverage
Corpora files: a shared effort https://github.com/RTC-Cartel/webrtc-fuzzer-corpora
Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
A detailed tutorial on how to setup all this https://webrtchacks.com/fuzzing-janus/
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
Thanks! Questions? Comments? Get in touch! • https://twitter.com/elminiero • https://twitter.com/meetecho • https://www.meetecho.com

More Related Content

PDF
Write a SocialTV app @ OpenSIPS 2021
Lorenzo Miniero
 
PDF
Janus/SIP @ OpenSIPS 2017
Lorenzo Miniero
 
PDF
SIP/WebRTC load testing @ KamailioWorld 2017
Lorenzo Miniero
 
PDF
Virtual IETF meetings with WebRTC @ IETF 109 MOPS
Lorenzo Miniero
 
PDF
WebRTC security+more @ KamailioWorld 2018
Lorenzo Miniero
 
PDF
WebRTC, RED and Janus @ ClueCon21
Lorenzo Miniero
 
PDF
IETF remote participation via Meetecho @ WebRTC Meetup Stockholm
Lorenzo Miniero
 
PDF
Fuzzing RTC @ Kamailio World 2019
Lorenzo Miniero
 
Write a SocialTV app @ OpenSIPS 2021
Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2017
Lorenzo Miniero
 
SIP/WebRTC load testing @ KamailioWorld 2017
Lorenzo Miniero
 
Virtual IETF meetings with WebRTC @ IETF 109 MOPS
Lorenzo Miniero
 
WebRTC security+more @ KamailioWorld 2018
Lorenzo Miniero
 
WebRTC, RED and Janus @ ClueCon21
Lorenzo Miniero
 
IETF remote participation via Meetecho @ WebRTC Meetup Stockholm
Lorenzo Miniero
 
Fuzzing RTC @ Kamailio World 2019
Lorenzo Miniero
 

What's hot (20)

PDF
Janus Workshop pt.2 @ ClueCon 2021
Lorenzo Miniero
 
PDF
Janus + Audio @ Open Source World
Lorenzo Miniero
 
PDF
Janus/HOMER/HEPIC @ OpenSIPS18
Lorenzo Miniero
 
PDF
Janus/SIP @ OpenSIPS 2019
Lorenzo Miniero
 
PDF
Can WebRTC help musicians? @ FOSDEM 2021
Lorenzo Miniero
 
PDF
Scaling WebRTC applications with Janus
Lorenzo Miniero
 
PDF
Can SFUs and MCUs be friends @ IIT-RTC 2020
Lorenzo Miniero
 
PDF
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Paolo Saviano
 
PDF
Insertable Streams and E2EE @ ClueCon2020
Lorenzo Miniero
 
PDF
Janus @ WebRTC Meetup Stockholm
Lorenzo Miniero
 
PDF
Janus + NDI @ ClueCon 2021
Lorenzo Miniero
 
PDF
WHIP and Janus @ IIT-RTC 2021
Lorenzo Miniero
 
PDF
Janus Workshop @ ClueCon 2020
Lorenzo Miniero
 
PDF
FOSDEM2018 Janus Lua plugin presentation
Lorenzo Miniero
 
PDF
Turning live events to virtual with Janus
Lorenzo Miniero
 
PDF
Janus: an open source and general purpose WebRTC (gateway) server
DevDay
 
PDF
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
Lorenzo Miniero
 
PDF
WHIP WebRTC Broadcasting @ FOSDEM 2022
Lorenzo Miniero
 
PDF
Janus @ ClueCon 2019
Lorenzo Miniero
 
PDF
Simulcast/SVC @ IIT-RTC 2019
Lorenzo Miniero
 
Janus Workshop pt.2 @ ClueCon 2021
Lorenzo Miniero
 
Janus + Audio @ Open Source World
Lorenzo Miniero
 
Janus/HOMER/HEPIC @ OpenSIPS18
Lorenzo Miniero
 
Janus/SIP @ OpenSIPS 2019
Lorenzo Miniero
 
Can WebRTC help musicians? @ FOSDEM 2021
Lorenzo Miniero
 
Scaling WebRTC applications with Janus
Lorenzo Miniero
 
Can SFUs and MCUs be friends @ IIT-RTC 2020
Lorenzo Miniero
 
Talk@JanusCon2019: Janus, WebRTC and ML - Fantastic technologies and how to m...
Paolo Saviano
 
Insertable Streams and E2EE @ ClueCon2020
Lorenzo Miniero
 
Janus @ WebRTC Meetup Stockholm
Lorenzo Miniero
 
Janus + NDI @ ClueCon 2021
Lorenzo Miniero
 
WHIP and Janus @ IIT-RTC 2021
Lorenzo Miniero
 
Janus Workshop @ ClueCon 2020
Lorenzo Miniero
 
FOSDEM2018 Janus Lua plugin presentation
Lorenzo Miniero
 
Turning live events to virtual with Janus
Lorenzo Miniero
 
Janus: an open source and general purpose WebRTC (gateway) server
DevDay
 
Scaling WebRTC deployments with multicast @ IETF 110 MBONED
Lorenzo Miniero
 
WHIP WebRTC Broadcasting @ FOSDEM 2022
Lorenzo Miniero
 
Janus @ ClueCon 2019
Lorenzo Miniero
 
Simulcast/SVC @ IIT-RTC 2019
Lorenzo Miniero
 
Ad

Similar to Fuzzing Janus @ IPTComm 2019 (20)

PDF
Janus RTP forwarders @ FOSDEM 2020
Lorenzo Miniero
 
PDF
Janus @ DevDay Napoli
Lorenzo Miniero
 
PDF
Janus/Asterisk @ Astricon 2017
Lorenzo Miniero
 
PDF
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
PDF
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
PDF
WebRTC and SIP not just audio and video @ OpenSIPS 2024
Lorenzo Miniero
 
PDF
Janus conf'19: janus client side
Alexandre Gouaillard
 
PDF
Janus workshop @ RTC2019 Beijing
Lorenzo Miniero
 
PDF
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Greg Kawere
 
PDF
[workshop] The Revolutionary WebRTC
Giacomo Vacca
 
PPTX
DevCon5 (July 2014) - Intro to WebRTC
Crocodile WebRTC SDK and Cloud Signalling Network
 
PDF
WebRTC and Janus intro for FOSS Stockholm January 2019
Olle E Johansson
 
PDF
FOSDEM 2020: How can we make WebRTC Easier?
SeanDuBois3
 
PDF
WebRTC - Is it ready? 2013
Hank Huang
 
PDF
WebRTC: Mostly Video Bits
SeanDuBois3
 
PDF
Demuxed 2020
SeanDuBois3
 
PDF
DevCon 5 (December 2013) - WebRTC & WebSockets
Crocodile WebRTC SDK and Cloud Signalling Network
 
PPTX
DeveloperWeek 2015 - WebRTC - Where to start and how to scale
Dialogic Inc.
 
PDF
Webrtc
Mihály Mészáros
 
PDF
WebRTC Rockstars Asian Tour 2017
Lorenzo Miniero
 
Janus RTP forwarders @ FOSDEM 2020
Lorenzo Miniero
 
Janus @ DevDay Napoli
Lorenzo Miniero
 
Janus/Asterisk @ Astricon 2017
Lorenzo Miniero
 
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
Lorenzo Miniero
 
Janus conf'19: janus client side
Alexandre Gouaillard
 
Janus workshop @ RTC2019 Beijing
Lorenzo Miniero
 
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Greg Kawere
 
[workshop] The Revolutionary WebRTC
Giacomo Vacca
 
DevCon5 (July 2014) - Intro to WebRTC
Crocodile WebRTC SDK and Cloud Signalling Network
 
WebRTC and Janus intro for FOSS Stockholm January 2019
Olle E Johansson
 
FOSDEM 2020: How can we make WebRTC Easier?
SeanDuBois3
 
WebRTC - Is it ready? 2013
Hank Huang
 
WebRTC: Mostly Video Bits
SeanDuBois3
 
Demuxed 2020
SeanDuBois3
 
DevCon 5 (December 2013) - WebRTC & WebSockets
Crocodile WebRTC SDK and Cloud Signalling Network
 
DeveloperWeek 2015 - WebRTC - Where to start and how to scale
Dialogic Inc.
 
Webrtc
Mihály Mészáros
 
WebRTC Rockstars Asian Tour 2017
Lorenzo Miniero
 
Ad

More from Lorenzo Miniero (13)

PDF
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Lorenzo Miniero
 
PDF
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
PDF
WebRTC and QUIC: how hard can it be? @ RTC.ON 2024
Lorenzo Miniero
 
PDF
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
 
PDF
Getting AV1/SVC to work in the Janus WebRTC Server
Lorenzo Miniero
 
PDF
WebRTC Broadcasting @ TADSummit 2023
Lorenzo Miniero
 
PDF
BWE in Janus
Lorenzo Miniero
 
PDF
The challenges of hybrid meetings @ CommCon 2023
Lorenzo Miniero
 
PDF
Real-Time Text and WebRTC @ Kamailio World 2023
Lorenzo Miniero
 
PDF
Become a rockstar using FOSS!
Lorenzo Miniero
 
PDF
Janus SFU cascading @ IIT-RTC 2022
Lorenzo Miniero
 
PDF
SIP transfer with Janus/WebRTC @ OpenSIPS 2022
Lorenzo Miniero
 
PDF
JamRTC @ Wonder WebRTC unConference
Lorenzo Miniero
 
Multistream in SIP and NoSIP @ OpenSIPS Summit 2025
Lorenzo Miniero
 
RTP Over QUIC: An Interesting Opportunity Or Wasted Time?
Lorenzo Miniero
 
WebRTC and QUIC: how hard can it be? @ RTC.ON 2024
Lorenzo Miniero
 
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
 
Getting AV1/SVC to work in the Janus WebRTC Server
Lorenzo Miniero
 
WebRTC Broadcasting @ TADSummit 2023
Lorenzo Miniero
 
BWE in Janus
Lorenzo Miniero
 
The challenges of hybrid meetings @ CommCon 2023
Lorenzo Miniero
 
Real-Time Text and WebRTC @ Kamailio World 2023
Lorenzo Miniero
 
Become a rockstar using FOSS!
Lorenzo Miniero
 
Janus SFU cascading @ IIT-RTC 2022
Lorenzo Miniero
 
SIP transfer with Janus/WebRTC @ OpenSIPS 2022
Lorenzo Miniero
 
JamRTC @ Wonder WebRTC unConference
Lorenzo Miniero
 

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 

Fuzzing Janus @ IPTComm 2019

  • 1. Fuzzing Janus for Fun and Profit A. Amirante, T. Castaldi, L. Miniero, S.P. Romano, P. Saviano, A. Toppi IPTComm 2019 October 15th 2019, Chicago, IL, USA
  • 2. A few words about me Lorenzo Miniero • Ph.D @ UniNA • Chairman @ Meetecho • Main author of Janus® Contacts and info • lorenzo@meetecho.com • https://twitter.com/elminiero • https://www.slideshare.net/LorenzoMiniero
  • 3. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 4. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 5. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 6. Vulnerabilities in RTC communications • Project Zero is a team of security analysts employed by Google • https://googleprojectzero.blogspot.com/ • Recently focused on videoconferencing applications • Focus on end-to-end, and RTP testing • Malicious endpoint generating randomized input • Built new tools required for the task • Targeted many applications, and found dangerous bugs • Apple FaceTime • WhatsApp • WebRTC Philipp Hancke’s wakeup call https://webrtchacks.com/lets-get-better-at-fuzzing-in-2019-heres-how/
  • 7. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 8. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 9. What can cause trouble in WebRTC? • WebRTC is signalling agnostic, so typically not that • You can use SIP, XMPP, some JSON flavour, etc. • A lot of media-related protocols to worry about, though • STUN/TURN (NAT traversal) • DTLS/DTLS-SRTP (secure exchange of keys and data) • RTP/RTCP (or actually, SRTP/SRTCP), including RTP extensions • SCTP (data channels) • ... and codec specific payloads • Identifying keyframes (VP8, VP9, H.264) • Simulcast & SVC (inspecting payloads)
  • 10. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 11. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 12. Why can fuzz testing help? • Automated software testing technique • Unexpected or invalid data submitted to a program • Input pattern modified according to a defined strategy (e.g., for coverage) • Typical workflow 1 Engine generates input based on existing dataset (“Corpus”) 2 Input mutated slightly over time 3 Input data passed to target function and monitored (e.g., via sanitizers) 4 Coverage of new lines updates stats and Corpus (new pattern) 5 Repeat until it crashes • Repeatability can be ensured using the same seeds or previous dumps
  • 13. Introducing the Janus WebRTC server Janus General purpose, open source WebRTC server • https://github.com/meetecho/janus-gateway • Demos and documentation: https://janus.conf.meetecho.com • Community: https://groups.google.com/forum/#!forum/meetecho-janus
  • 14. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 15. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 16. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 17. Modular architecture • The core only implements the WebRTC stack • JSEP/SDP, ICE, DTLS-SRTP, Data Channels, Simulcast, VP9-SVC, ... • Plugins expose Janus API over different “transports” • Currently HTTP / WebSockets / RabbitMQ / Unix Sockets / MQTT / Nanomsg • “Application” logic implemented in plugins too • Users attach to plugins via the Janus core • The core handles the WebRTC stuff • Plugins route/manipulate the media/data • Plugins can be combined on client side as “bricks” • Video SFU, Audio MCU, SIP gatewaying, broadcasting, etc.
  • 18. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 19. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 20. Choosing the fuzzing targets • Many protocols via dependencies are fuzzed already • ICE/STUN/TURN (libnice) • DTLS/DTLS-SRTP (OpenSSL/LibreSSL/BoringSSL) • SRTP/SRTCP (libsrtp) • SCTP (usrsctplib) • Some other dependencies MAY need fuzzing (but not in Janus?) • Transports (HTTP, WebSockets, RabbitMQ, etc.) • JSON support (Jansson) • Custom code DEFINITELY needs fuzzing • RTCP parsing (e.g., compound packets) • RTP processing (e.g., RTP extensions, codec specific payloads) • SDP parsing and processing
  • 21. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 22. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 23. A quick intro to libFuzzer • Popular coverage-guided fuzzing engine, part of the LLVM project • https://llvm.org/docs/LibFuzzer.html • Used by several well known applications • glibc, OpenSSL/LibreSSL/BoringSSL, SQLite, FFmpeg and many more • A few key characteristics • Needs sources to be compiled with Clang • Works in-process (linked with the library/application under test) • Feeds inputs to the target via a fuzzing entrypoint (target function) • Execution of the target function is monitored with sanitizers tools (e.g., libasan)
  • 25. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 26. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 27. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 28. libFuzzer in (simplified) practice 1 Implement the method to receive and process the input data // my_fuzzer.c int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { ProcessData(Data, Size); return 0; } 2 Compile with Clang and the right flags > clang -g -O1 -fsanitize=fuzzer,address,undefined my_fuzzer.c 3 Launch passing the Corpus folder as the argument > ./my_fuzzer CORPUS_DIR 4 In case of crashes, pass the dumped input (e.g., via gdb, or to test regressions) > gdb --args ./my_fuzzer crash-file-dump
  • 29. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 30. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 31. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 32. Integrating libFuzzer in Janus • First step was Clang support (Janus normally built with gcc) • Streamlined compilation flags in the process • Got useful warnings that led to some fixes too • Next step was choosing what to fuzz • Decided to start with RTCP • Compound packets + length values + overflows = “fun”... • Then worked on the libFuzzer workflow 1 Fuzzing target with critical RTCP-related functions 2 Helper script to build the fuzzer 3 Helper script to run the fuzzer Original pull request (now merged, with RTP and SDP fuzzing as well) https://github.com/meetecho/janus-gateway/pull/1492
  • 33. Integrating libFuzzer in Janus // fuzz-rtcp.c #include "janus/rtcp.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size < 8 || size > 1472) return 0; if (!janus_is_rtcp(data, size)) return 0; /* Initialize an empty RTCP context */ janus_rtcp_context ctx; janus_rtcp_parse(ctx, (char *)data, size); GSList *list = janus_rtcp_get_nacks((char *)data, size); ... if (list) g_slist_free(list); return 0; }
  • 35. Corpora files: a shared effort https://github.com/RTC-Cartel/webrtc-fuzzer-corpora
  • 36. Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
  • 37. Scalable distributed fuzzing via OSS-Fuzz https://github.com/google/oss-fuzz/pull/2241 (Janus addition)
  • 38. A detailed tutorial on how to setup all this https://webrtchacks.com/fuzzing-janus/
  • 39. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 40. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 41. What’s next? • So far, we only fuzzed RTP, RTCP and in part SDP in the core • SDP fuzzing should be improved (maybe with structure-aware fuzzing?) • What about plugins and their custom interactions? • Definitely expand the corpora • The shared RTC-Cartel repo should help with that • Exchanging crash causes with other projects will make both more robust • libFuzzer is not the only option here • Some popular alternatives are AFL, Radamsa, Gasoline, etc. • KITE and its “weaponised” browsers can be very helpful as an orthogonal testing tool
  • 42. Thanks! Questions? Comments? Get in touch! • https://twitter.com/elminiero • https://twitter.com/meetecho • https://www.meetecho.com