This is the first of two articles that describe how to use the Defensics SDK to fuzz Bitcoin software. Specifically, you will learn how to model one of the Bitcoin protocol messages and use the Defensics SDK to perform fuzzing on the bitcoind process.
This is an advanced technical tutorial, and you will need some background knowledge:
- You should understand fuzz testing. For a high-level introduction, read What is Fuzzing? The Poet, the Courier, and the Oracle.
- You should understand the Defensics SDK and its basic use. At the very least, you should have read the Defensics SDK Developer Guide.
- You should be comfortable with virtual machines and Docker containers.
- You should have some knowledge of using Wireshark to examine network protocols.
- Knowledge of Bitcoin would be helpful, but is not essential. I’ll provide a brief introduction here.
This article shows how to set up a test bed with the bitcoind binaries and Wireshark. The next article describes how to model Bitcoin protocol messages using the Defensics SDK, and ultimately how to perform fuzzing on bitcoind using the Defensics SDK.
What is the Defensics SDK?
Defensics is a generational fuzz testing platform with over 250 test suites for a wide variety of network protocols and file formats.
The Defensics SDK gives you the ability to create your own test suites, which unleashes the full power of Defensics on any protocol or file format you wish. All you need to do is provide a data model. You can then create a full-fledged Defensics test suite and leverage the powerful generational test case engine as well as all the other features provided by the Defensics platform.
What is Bitcoin?
Bitcoin is a cryptocurrency, which means it is a currency supported by the mathematics of cryptography. Instead of being centrally managed, as government currencies are, a cryptocurrency is managed by the community, using a peer-to-peer network. Bitcoin and other cryptocurrencies are based on a blockchain, which is a list of all transactions. All peers in the network have a copy of the blockchain, which is cryptographically protected from tampering. The peers in the network use algorithms to agree on adding new transactions to the blockchain, allowing the entire network to come to a consensus about transactions without having to trust each other.
Cryptocurrencies are relatively new. Bitcoin was the first and was introduced in 2007. Despite the relatively experimental nature of these currencies, significant value is invested in them. As of mid-September 2018, the market capitalization of Bitcoin is about $112 billion.
For this article, you don’t need to know too many details about Bitcoin or any other protocol. All you really need to know is that Bitcoin peers run a process called bitcoind. The peers in the network exchange information using the Bitcoin network protocol.
Test bed architecture
The first step in fuzzing bitcoind is to create a test bed, a safe place where you can perform fuzzing without hurting anything. Fuzzing should never be performed on production systems, as it is likely to cause failures or trigger security alarms.
Bitcoin supports the production network (mainnet), a test network (testnet), and a regression test network (regtest). For fuzzing, I used the regtest network, as it allowed me to set up a private, isolated Bitcoin network, perfect for fuzzing.
I began by creating a virtual machine that holds my regtest peers, alice and bob. I used Ubuntu 14.04, but any Linux will do. This step was not strictly necessary—you could just create the Docker instances directly on your host OS—but I wanted the extra layer of isolation.
Through the magic of Docker, ports on the virtual machine are mapped to ports on the alice and bob containers. When it’s all up and running, it’ll look like this:
In the next article, I’ll use the Defensics SDK on a different virtual machine to fuzz one of the bitcoind instances.
Starting with the newly installed Linux machine, I first installed git and docker:
jonathan@bitcoinzz:~$ sudo apt-get install -y git docker.io
To get the most up-to-date Bitcoin protocol dissector, I installed Wireshark like this:
jonathan@bitcoinzz:~$ sudo add-apt-repository ppa:wireshark-dev/stable ... jonathan@bitcoinzz:~$ sudo apt-get update ... jonathan@bitcoinzz:~$ sudo apt-get install wireshark ...
Then I followed instructions compiled by Gerald Kaszuba for creating two bitcoind peers using docker: https://geraldkaszuba.com/creating-your-own-experimental-bitcoin-network/.
As described, you’ll need to clone Gerald’s repository, run make build to create the container, then run make alice_shell and make bob_shell to spin up two container instances. Just follow the instructions in the article. Finally, in the alice and bob shells, run bitcoind -regtest -daemon to start the bitcoind processes.
You’ll have two running bitcoind instances. If you want to prove that they work together, run Wireshark and listen on the docker0 interface. Then point one of the bitcoind instances at the other using its IP address.
I found the IP address of alice using hostname:
root@alice:~# hostname -I 172.17.0.12
Then I told bob’s bitcoind about alice like this (rt is an alias for bitcoin-cli -regtest):
root@bob:/# rt addnode 172.17.0.12 onetry
This rewarded me with a flurry of Bitcoin messages exchanged between alice’s and bob’s bitcoind processes.
Congratulations! You have your own private Bitcoin network!
Come back next time, when we’ll build a model for the Bitcoin network protocol, then use that model in the Defensics SDK to perform fuzzing on bitcoind.