Home

Awesome

softScheck Cloud Fuzzing Framework

The softScheck Cloud Fuzzing Framework (sCFF) is a set of tools, aiming to make Cloud fuzzing easy. It aims to become a framework where fuzzers and other cloud services can easily be added. At the moment it is still a rather hard coded tool set to save a lot of time when fuzzing in the Amazon cloud. It helps and guides the user through the deployment, fuzzing itself, as well as the post fuzzing phase, in which findings must be examined.

scff-ctrl

This readme just covers the basics. There is also a Tutorial showing how to identify real life vulnerabilities with sCFF and an paper which covers technical details.

Quickstart

This chapter covers the installation, AWS setup, first run and scff-demo to demonstrate the basic workflow.

Installation

Get sCFF from the GitHub repository:

git clone https://github.com/softscheck/scff.git
cd scff

If you have a Debian-based distribution, you can generate a Debian package (./mkdeb.sh) and install it aferwards. Some distributions won't have the python3-boto3 package, though, resulting in a failure. In this case, you have to use the method below.

pip3 install .
# OR
easy_install3 . 

Otherwise install python3-boto3 and run python3 ./setup.py install. In case installation will fail with a permission denied error, install as root.

AWS account creation and configuration

Because the only Cloud provider currently supported by sCFF is Amazon, an AWS account is required. You can create one at https://aws.amazon.com Once, finished you need to export your key_id and the corresponding aws_secrect_key aswell. It is recommended not to export the root keys and instead to create and export an IAM with the minimal set of required permissions (scff requires the EC2 policies).

Add the keys to the file .aws/credentials like that

[default]
aws_access_key_id = Access key id
aws_secret_access_key = Secret access key

Also, add your amazon region to .aws/config. If you don't know your region, open the amazon management console and look at the URL ;) Example contents of .aws/config:

[default]
region = eu-central-1
output = text

You should now be able to connect to AWS with sCFF. To check if everything is working without doing anything type: scff-ctrl

While we are now able to manage EC2 instance from within our tool, we are still not able to connect to an EC2 instance. Todo you have to create an SSH key pair first. Save the key pair as ~/.scff/aws-key-pair.pem.

Next, create a Security Group with the name SSH. Allow TCP traffic from port 22. Allow internal traffic and if you wish to see what your distributed fuzzers are doing allow traffic to your IP on TCP port 8000.

Get used to the workflow

Run scff-demo to get to know the typical sCFF workflow.

Fuzzing

Create a new directory and put the program you want to fuzz and a template file, for which the program does not crash, in it.

Then think about how much you are willing to spend and how long you want your machines to run. Execute scff-costcalc to get an idea of how much it will cost. Keep in mind that if you are new to the Amazon Cloud you can fuzz for free, if you select the t2.micro instance and keep the runtime below 750 hours.

Now run scff-mkcfg and answer the questions to create your project file. The default name of the configuration file is scff.proj. You can review and edit this file with a text editor of your choice. If everything seems fine, start scff-create-instances, which will create your instance(s). Wait for them to boot and bootstrap them with scff-ctrl scff.proj bootstrap. This will install necessary files on the remote machine and deploy your target. You are now ready to fuzz.

In scff, there are two fuzz modes. Single mode and distributed mode. In single mode, fuzzers on different machines run independently of each other. In distributed mode, they will share their corpus, leading to faster results. Distributed mode is, therefore, the recommended mode. To start distributed mode, run scff-ctrl scff.proj distributed.

To check if everything works fine, view the fuzzer status with scff-ctrl scff.proj status If the security group permits incoming traffic on port 8000, you can also view the status on your web-browser (SERVER_IP:8000).

Don't forget to stop or terminate the instance, once you are done, otherwise you can end up paying a lot very fast.

Programs

For more information about a single program, view the associated man page.

FAQ

Is it possible to fuzz another program on an existing machine?

Yes, create a new project file, stop the fuzzers and run scff-ctrl <INSTANCE(s)> clean && scff-ctrl <INSTANCE(s)> bootstrap.

I get errors connecting to the daemon, fuzzers exit immediately, etc.

View log with scff-ctrl <INSTANCES(s)> log and try scff-crtl <INSTANCE(s)> doctor.

I want to use a different fuzzer.

sCFF currently ships with an AFL module only, however you can easily create a new fuzzer module. Simply create a new python script in data/scff/fuzzers. Look at the existing afl and dummy module to get an idea how they should look.

Do I really have to bootstrap every machine?

No, we recommened to create an scff AMI. To do so, simply create a new instance and run scff-ctrl <YOU_NEW_INSTANCE> bake-image. This will create a sCFF ready image you can use next time for your machines. It should be at the bottom of the scff-mkcfg AMI selection. If you create a lot of AMIs, run scff-clean from time to time to remove unused images.

I don't like the Amazon cloud, what about Google Cloud, Azure, etc?

Currently not supported and it's unlikely that it will be in the next months. Sorry :(

I have no bash/zsh completions when installing with pip/easyinstall.

That is normal, pip and easyinstall are not designed to install files in system folders. You can copy the auto complete defintions manually.

cd data
sudo cp bash-completions/completions/sccf-ctrl /usr/share/bash-completions/completions
sudo cp zsh/vendor-completions/_sccf-ctrl /usr/share/zsh/vendor-completions

I have found a bug, what should I do?

Create a GitHub issue and/or write a mail to wilfried.kirsch@softscheck.com